We'll use the WackoPicko admin section login to test this attack:
- First, we set up Burp Suite as a proxy to our browser.
- Browse to http://192.168.56.102/WackoPicko/admin/index.php?page=login.
- We will see a login form. Let's submit test as both the username and the password.
- Now, go to Proxy's history and look for the POST request we just made with the login attempt and send it to Intruder.
- Click on Clear § to clear the pre-selected insertion positions.
- Now, we add insertion positions on the values of the two POST parameters (adminname and password) by highlighting the value of the parameter and clicking Add §:
- As we want our list of passwords to be tried against all users, we select Cluster bomb as the attack type:
- The next step is to define the values that Intruder is going to test against the inputs we selected. Go to the Payloads tab.
- In the textbox in the Payload Options [Simple list] section, add the following names:
  - user
  - john
  - admin
  - alice
  - bob
  - administrator
- Now, select list 2 from the Payload set box. This list will be our password list and we'll use the 25 most common passwords of 2017 for this exercise (http://time.com/5071176/worst-passwords-2017/):
- Start the attack. We can see that all responses have the same length apart from one: the admin/admin combination returns a status 303 (a redirection) and a shorter response. If we check it, we can see that it is a redirection to the admin's home page:
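The same two signals that give the successful guess away in Intruder's results (a burst of near-identical POSTs to the login page, then one response that differs with a 3xx redirect) are exactly what a defender should be looking for in the web server's access log. The following Python is an added example written for this recipe, not code from the book or from WackoPicko or Burp Suite; the log lines are constructed to mimic the traffic the cluster bomb run above would leave behind, and the function and parameter names (detect_login_bruteforce, threshold, window_seconds) are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-style line: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/WackoPicko/admin/index.php?page=login"


def _line(ip, second, method, path, status, size):
    # Helper for building the constructed sample log below (not real traffic).
    return (f'{ip} - - [01/Jan/2024:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size}')


# Constructed sample: 10.0.0.5 fires six login POSTs within seconds, the first five
# get the same 200/1412-byte "login failed" page and the sixth gets the 303 that the
# successful admin/admin guess produces. 10.0.0.9 is a normal user who logs in once
# and then browses the site.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, "POST", LOGIN_PATH, 200, 1412) for s in range(1, 6)]
    + [_line("10.0.0.5", 6, "POST", LOGIN_PATH, 303, 212),
       _line("10.0.0.9", 5, "POST", LOGIN_PATH, 200, 1412),
       _line("10.0.0.9", 40, "GET", "/WackoPicko/", 200, 5321)]
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_login_bruteforce(log_text, login_path, threshold=5, window_seconds=60):
    """Per client IP: count POSTs to the login page, flag a burst of `threshold`
    attempts inside `window_seconds`, and note whether any attempt was answered
    with a redirect (the 'one response that looks different' from the Intruder run)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        burst = False
        # Sliding window: does any run of `threshold` attempts fit in the time window?
        for i in range(len(recs) - threshold + 1):
            span = (recs[i + threshold - 1]["ts"] - recs[i]["ts"]).total_seconds()
            if span <= window_seconds:
                burst = True
                break
        redirect_seen = any(r["status"] in (301, 302, 303) for r in recs)
        findings[ip] = {"attempts": len(recs), "burst": burst,
                        "redirect_seen": redirect_seen}
    return findings


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG, LOGIN_PATH).items():
        flag = "ALERT" if info["burst"] else "ok"
        print(f"{ip}: {info['attempts']} login POSTs, burst={info['burst']}, "
              f"redirect_seen={info['redirect_seen']} -> {flag}")
```

The threshold and window are deliberately low so the constructed sample trips the rule; on a real site you would tune them to normal login behaviour. A burst followed by a redirect is the combination worth paging on, since it means the guessing very likely worked, and the usual mitigations (account lockout or progressive delays after a few failures, rate limiting per source, and not returning a redirect only on success) remove both signals the attacker is reading.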