# Deprecated # Burito, Hydra-like tool to audit Web applications using forms containing server-side generated params.
Burito
Burito is a Hydra-like tool allowing you to audit Web applications using forms with server-side generated parameters.
Feel free to use it (GPLv3) for non-commercial use and report any bug as soon as you experience it.
1. Basic example
(...)
<input type="text" name="login" value="">
<input type="password" name="password" value="">
(...)
Command line
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password
2. Burito and Cookies?
Same code as previous example.
The actual login form is only accessible to authenticated users, so the session cookie has to be passed along.
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password --cookie="SESSIONID=ab7cde9c"
3. Password is only digits.
Same code as previous example.
If we know that the password contains only digits and is exactly 4 characters long, then:
python burito.py --brute --min=4 --max=4 -u "http://www.example.com/login.php" login=admin --p=password --cookie="SESSIONID=ab7cde9c" --Charset="[0-9]"
4. Web app checking User Agent
Same code as previous example.
Some web apps check the User-Agent header and redirect requests whose User-Agent does not look like a regular browser's.
By default, the User-Agent is "Burito Scanner".
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password --user_agent="My Specific User Agent"
5. Generated values in form
Imagine a form containing this :
(...)
<input type="text" name="login" value="">
<input type="password" name="password" value="">
<input type="hidden" name="csrf_token" value="ab7def894bcd24">
(...)
Some parameters are generated server-side when the form is loaded. With the --g option, Burito first connects to the page, gathers all the information it needs (cookies, form inputs, including hidden fields such as csrf_token) and then builds the specified request from it.
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password --user_agent="My Specific User Agent" --g
6. Mastering the status code!
During my audits, I came across some web applications that redirect the user (HTTP 302) when the login fails. However, with Python, any status code other than 200 is raised as an exception, so an option was implemented to handle those status codes.
Use case: when the login fails, the user is redirected to /loginForm.
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password --status-code=302
To accept several status codes, separate them with a comma (',').
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password --status-code=302
7. Gimme more threads!
If your machine looks like a Super Cosmic Monkey, you can specify the number of threads you want to run on it.
Example: 50 threads?
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password --t=50
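As an added example (not part of Burito or this README), the defender's counterpart to sections 4, 6 and 7: a detection routine that scans web-server access-log lines for the tool's default User-Agent and for bursts of failed login POSTs (here 302 responses on /login.php) from one source. The log lines, IP addresses, paths and thresholds are constructed for the example, not taken from real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Burito Scanner"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Burito Scanner"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Burito Scanner"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Burito Scanner"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Burito Scanner"
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:20 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DEFAULT_TOOL_UA = "Burito Scanner"  # the tool's default User-Agent, as stated in the README

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bruteforce(log_text, login_path="/login.php", failure_status=302,
                            threshold=5, window_seconds=60):
    """Return {ip: [reasons]} for sources whose traffic to the login form looks automated."""
    failures, agents = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != login_path:
            continue
        agents[rec["ip"]].add(rec["ua"])
        if rec["method"] == "POST" and rec["status"] == failure_status:
            failures[rec["ip"]].append(rec["ts"])
    findings = {}
    for ip, ua_set in agents.items():
        reasons = ["default tool User-Agent"] if DEFAULT_TOOL_UA in ua_set else []
        times = sorted(failures.get(ip, []))
        # Sliding window: flag 'threshold' failed POSTs that fall inside 'window_seconds'.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                reasons.append("%d failed logins within %ds" % (threshold, window_seconds))
                break
        if reasons:
            findings[ip] = reasons
    return findings
```

The failure status and threshold are parameters because an application that answers failed logins with 200 (section 6 describes both behaviours) needs a different failure_status, and a tool run with a custom User-Agent (section 4) is only caught by the rate check.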
8. Log my session.
You can specify a file where you want to log the output.
If none, it will be displayed in the terminal itself.
python burito.py --dico --file=passwords.txt --u="http://www.example.com/login.php" login=admin --p=password --log=SessionExample.com.txt