Introduction
We covered the basics of Repeater in Burp Suite and presented an example using an SQL injection scenario. This was part of the TryHackMe Jr Penetration Tester pathway.
We will be covering how to use Repeater to manipulate and arbitrarily resend captured requests, as well as looking at some of the niftier options available in this awesome tool. Finally, we will encounter a series of examples, including a real-world, extra-mile exercise which we will use to consolidate the more theoretical aspects of the room.
If you have not used Burp Suite before and have not completed the Burp Basics room, you may wish to do so now before continuing, as this room builds on the foundations covered there.
In short: Burp Suite Repeater allows us to craft and/or relay intercepted requests to a target at will. In layman’s terms, it means we can take a request captured in the Proxy, edit it, and send the same request repeatedly as many times as we wish. Alternatively, we could craft requests by hand, much as we would from the CLI (Command Line Interface), using a tool such as cURL to build and send requests.
This ability to edit and resend the same request multiple times makes Repeater ideal for any kind of manual poking around at an endpoint, providing us with a nice Graphical User Interface (GUI) for writing the request payload and numerous views (including a rendering engine for a graphical view) of the response so that we can see the results of our handiwork in action.
Finding a Flag with a Custom Header
In the first challenge, I had to find a flag by adding a custom HTTP header to my request. I sent a normal request for the main page to Repeater and then added a new header: flag_authorized: true.
A key trick here, and something that can trip you up, is that the request must end with a blank line after the last header. HTTP terminates the header block with an empty line (CRLF CRLF), so without it the server cannot tell where the headers end and the request is malformed. A second blank line does no harm, so leaving two at the very end of the request is a safe habit. Once I added the header and the blank lines and sent the request, the flag appeared right in the response.
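The framing rule above, as an added example that is not part of the original write-up: a small builder for the raw HTTP/1.1 request Repeater sends, and the check a server applies before it acts on the request. The header name flag_authorized is the one used in the challenge; the host name target.example is a placeholder.

```python
from typing import Optional

CRLF = "\r\n"


def build_request(method: str, path: str, host: str,
                  extra_headers: Optional[dict] = None) -> bytes:
    """Assembles a raw HTTP/1.1 request: request line, one header per line,
    then the empty line that ends the header block. Header names are
    case-insensitive, so flag_authorized and Flag_Authorized are the same."""
    headers = {"Host": host, "Connection": "close"}
    headers.update(extra_headers or {})
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def headers_complete(raw: bytes) -> bool:
    """A server only treats the header block as finished once the empty line
    (CRLF CRLF) has arrived. A request pasted into Repeater without a trailing
    blank line never gets this far, which is why the flag does not appear."""
    return b"\r\n\r\n" in raw


def header_value(raw: bytes, name: str) -> Optional[str]:
    """Parses the header block and returns the value of `name`
    (case-insensitive), or None if the block is incomplete or the header
    is absent."""
    if not headers_complete(raw):
        return None
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    for line in head.split(CRLF)[1:]:          # skip the request line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


if __name__ == "__main__":
    good = build_request("GET", "/", "target.example", {"flag_authorized": "true"})
    # Same request with the final blank line removed: the last header line
    # still ends in CRLF, but nothing marks the end of the header block.
    broken = good.rstrip(b"\r\n") + b"\r\n"
    print(headers_complete(good), header_value(good, "Flag_Authorized"))
    print(headers_complete(broken), header_value(broken, "flag_authorized"))
```

The `broken` request is exactly what a Repeater tab looks like when the cursor sits at the end of the last header with no empty line beneath it.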
Triggering a 500 Error
The next challenge was to cause a "500 Internal Server Error." I targeted the products page, which used a numerical ID in the URL to identify different products. I tried a bunch of things: non-existent IDs, special characters, and even a web fuzzer called ffuf to automate the process. None of that worked.
The solution turned out to be surprisingly simple: I just needed to enter a negative number (like -1) as the product ID. The application wasn’t expecting a negative value, which caused it to crash and throw a 500 error, revealing the next flag in the error message.
Fun with SQL Injection
For the final challenge, I targeted the “about” page, which displayed team members based on an ID in the URL. This immediately screamed “SQL database” to me.
- Finding the vulnerability: I started by sending a single apostrophe (`'`) as the ID. This classic test caused a 500 error and, helpfully, the error message dumped the entire SQL query the server was trying to run. This gave me the table name (`people`) and the names of the columns the query selected.
- Dumping all columns: To see whether there were any other interesting columns, I crafted a `UNION ALL SELECT` query that used `GROUP_CONCAT(column_name)` to pull every column name for the `people` table from the `information_schema.columns` table. This query revealed a hidden `notes` column.
- Getting the flag: I knew the CEO's ID was `1`, and now I knew about the `notes` column, so I put together my final SQL injection payload: `0 UNION ALL SELECT notes, NULL, NULL, NULL, NULL FROM people WHERE id = 1`. The leading `0` makes the application's own `WHERE id = 0` match nothing, and the `UNION ALL` appends a row whose first column is the CEO's `notes` value, padded with four `NULL`s so that the column count matches the original five-column `SELECT` (a `UNION` fails otherwise). The database returned the contents of the `notes` column for the CEO instead of the normal profile information, and, of course, the CEO's notes contained the final flag.
Technical Commands
Here are the ffuf commands I ran in my terminal during the second challenge. Note that ffuf's HTTP method flag is uppercase -X; lowercase -x sets a proxy URL, so the method must be given as -X GET:
ffuf -X GET -w /usr/share/wordlists/seclists/Fuzzing/local_ports.txt -fc 200 http://<IP_ADDRESS>/products/FUZZ
ffuf -X GET -w /usr/share/wordlists/seclists/Fuzzing/uri_hex.txt -fc 500 http://<IP_ADDRESS>/products/FUZZ
-fc hides responses with the given status code, so the first run suppresses the ordinary 200 pages and the second suppresses 500s. If the goal is specifically to find inputs that return a 500, -mc 500 (match only that status) shows just those.
TryHackMe Room Answers
Which view option displays the response in the same format as your browser would?
Send the request. What is the flag you receive?
What is the flag you receive when you cause a 500 error in the endpoint?
Exploit the union SQL injection vulnerability in the site. What is the flag?