Intruder.py - A tool to customize attacks on websites. It offers four attack types:
- Sniper: Uses a single payload set. It targets each marked position in turn and places each payload into that position, one at a time.
- Battering-Ram: Uses a single payload set and places each payload into ALL marked positions at the same time.
- Pitchfork: Uses multiple payload sets, one for each marked position (up to a maximum of 20). The attack iterates through all payload sets simultaneously, placing one payload into each defined position.
- Cluster-Bomb: Uses up to 20 payload sets, one for each marked position, and tries every possible combination of payloads across the positions.
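To make the four modes concrete, here is an added Python illustration (not the project's code) that maps payload sets onto the marked positions of a constructed two-position request and returns the request bodies each mode would produce, which also shows how quickly the request count grows for cluster-bomb. It assumes a single-character marker and, for sniper, leaves the positions not under attack exactly as written.

```python
import itertools
import re

# Constructed sample request body in the README's "$var$" style (not project
# code); a single-character marker is assumed.
TEMPLATE = "username=$var1$&password=$var2$"
MARKER = "$"

def _pattern(marker):
    m = re.escape(marker)
    return re.compile(f"{m}[^{m}]+{m}")

def fill(template, values, marker=MARKER):
    """Substitute values by position; None leaves that marker untouched."""
    it = iter(values)
    return _pattern(marker).sub(
        lambda m: m.group(0) if (v := next(it)) is None else v, template)

def rows(mode, n, payload_sets):
    """Yield one list of per-position values per request for the given mode."""
    if mode == "sniper":            # one set, one position at a time
        (pset,) = payload_sets
        for i in range(n):
            for p in pset:
                row = [None] * n
                row[i] = p
                yield row
    elif mode == "battering-ram":   # one set, same payload in every position
        (pset,) = payload_sets
        for p in pset:
            yield [p] * n
    elif mode in ("pitchfork", "cluster-bomb"):
        if len(payload_sets) != n:
            raise ValueError(f"{mode} needs one payload set per position")
        combine = zip if mode == "pitchfork" else itertools.product  # lockstep vs. all combos
        yield from (list(r) for r in combine(*payload_sets))
    else:
        raise ValueError(f"unknown mode: {mode}")

def generate(mode, template, payload_sets, marker=MARKER):
    """Return every request body the mode would produce for this template."""
    n = len(_pattern(marker).findall(template))
    return [fill(template, r, marker) for r in rows(mode, n, payload_sets)]

if __name__ == "__main__":
    sets = (["admin", "guest"], ["1234", "letmein", "qwerty"])
    for mode, s in [("sniper", sets[:1]), ("battering-ram", sets[:1]),
                    ("pitchfork", sets), ("cluster-bomb", sets)]:
        bodies = generate(mode, TEMPLATE, s)
        print(f"{mode}: {len(bodies)} requests, first: {bodies[0]}")
```

With two payload sets of sizes 2 and 3, pitchfork stops after 2 requests (the shorter set) while cluster-bomb sends all 6 combinations; the product of set sizes is what a rate limit or detection threshold has to be sized against.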
- Add the Burpee module provided in the main branch to your modules folder, or get it from the source: https://github.com/xscorp/Burpee.
- Clone the repository and enter it:

```
git clone https://github.com/RhoTau42/Intruder
cd Intruder/
```

- Run the program as you like with:

```
python3 intruder.py [OPTIONS]...
```
- Create a file containing a POST/GET request (use Burp Suite and copy+paste the request into an empty file).
- Mark the variables you want to run payloads on. For example, if the request contains `username=var1` and I want to run a sniper attack on `var1`, I'll mark the variable like so: `username=$var1$`.
- You can use any kind of sign as the marker. Intruder will prompt you to specify which sign you used (by default, it is set to dollar signs `$`).
- Run Intruder, give it one or more payload sets, and specify other options if you want to. Add the required argument `request_file`.
- A main menu will prompt you for the attack type you would like to use.
- Make your choice and let the program run.
- Finally, a table will be printed to stdout and saved to an output file (by default `output.txt`; you can change that with `-o`).
```
usage: intruder.py [-h] -p --payloads_sets PAYLOADS_SETS [PAYLOADS_SETS ...] [-o OUTPUT_PATH] [-s SLEEP] [-v] request_file

Intruder is a powerful tool for automating customized attacks against web applications. It can be used to automate all kinds of tasks that may arise during your testing.

positional arguments:
  request_file          Request file with marked variables (POST or GET).

optional arguments:
  -h, --help            show this help message and exit.
  -p PAYLOADS_SETS [PAYLOADS_SETS ...], --payloads_sets PAYLOADS_SETS [PAYLOADS_SETS ...]
                        Set or multiple sets of payloads to run.
  -o OUTPUT_PATH, --output OUTPUT_PATH
                        Name for the output file. (Default: output.txt)
  -s SLEEP, --sleep SLEEP
                        Sets a sleep timer (in secs) between requests.
  -v, --verbose         Verbose mode to show errors.
```
Example:

```
python3 intruder.py -p payload_set1 payload_set2 payload_set3 -o output.txt -s 0.75 -v POST_request.txt
```
- Burpee module: https://github.com/xscorp/Burpee
- Python