What Intruder does is it modifies a request in the specific positions we tell it to and replaces the values in those positions with the payloads defined in the Payloads section. Payloads may be, among other things:

• Simple list: A list that can be taken from a file, pasted from the clipboard, or written down in the textbox
• Runtime file: Intruder can take the payload from a file being read at runtime, so if the file is very large, it won't be loaded fully into memory
• Numbers: Generates a list of numbers that may be sequential or random and presented in hexadecimal or decimal form
• Username generator: Takes a list of email addresses and extracts possible usernames from it
• Bruteforcer: Takes a character set and uses it to generate all permutations inside the length limits specified

These payloads are sent by Intruder in different ways, which are specified by the attack type in the Positions tab. Attack types differ in the way the payloads are combined and permuted in the payload markers:

• Sniper: With a single set of payloads, it places each payload value in every position marked one at a time.
• Battering ram: Like Sniper, it uses one set of payloads; the difference is that it sets the same value to all positions on each request.
• Pitchfork: Uses multiple payload sets and puts one item of each set in each marked positions. Useful when we have predefined sets of data that should not be mixed, for example testing username/password pairs already known.
• Cluster bomb: Tests multiple payloads one against another so that every possible permutation is tested.

As for the results, we can see that there are a couple of existing files with names matching the ones in the list (account and action) and that there's a directory named admin, which probably contains the pages that perform administrative functions in the application, like adding users or content.