Infosec Institute CTF2 Practical Web Hacking Level 12
Vulnerability Dictionary Attack
For almost all levels I will be using Burpsuite. Burpsuite is an interception proxy that lets us modify the HTTP request
/ response by intercepting the data between the browser and the web server.
Let’s be good boys and listen to the web page talking! Googling “filetype:lst password” takes us to
Download the password list to our local directory.
This time we are not going to use Burpsuite, because Burpsuite’s Intruder feature is throttled in the free edition of Burp.
Instead we are going to use a tool called wfuzz. The syntax is as follows:
‘-c’ enables colored output. ‘-z’ selects the payload type, which is why it is followed by “file” and the name of the file, “password-2011.lst”,
that we just downloaded. ‘-d’ supplies the POST data; we can get that either by looking at the request in Burp or from the source code of the
submission form. Finally, we need to send our request to the correct URL and the PHP page the form submits to.
Wfuzz will then substitute each word in our dictionary file for the keyword ‘FUZZ’ that we placed
in the POST data of the request.
We can see that even incorrect passwords return a 200 OK HTTP response code, so the trick here is to look for
returned pages with an unusual character count. Notice that each password tried returns a page with a character count of
4880, except the password “princess”, which returned a page of 4731 characters, so let’s try that!
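The same observation cuts both ways for whoever runs the login form: because every attempt is answered with 200 OK, alerting on failed-login status codes sees nothing, but the access log still shows a burst of POSTs to the form from one client, all the same size except the single page that differs. The following Python is an added detection example, not code from the original post, run over constructed Apache combined-format log lines; the /login.php path, the client addresses and the timestamps are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: client, identd, user, [timestamp], "request", status, bytes sent, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample log (not from the original post): one client hammers the login
# form; every reply is 200 OK and 4880 bytes except a single 4731-byte page.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2023:13:54:58 +0000] "GET /index.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 200 4731 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login.php HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "POST /login.php HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
"""

def parse_line(line):
    # Return the fields of one combined-format line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_login_bursts(log_text, login_path="/login.php", threshold=5):
    """Flag clients with at least `threshold` POSTs to the login form. Status codes are
    reported but not relied on (this app answers every attempt with 200); the most common
    response size is taken as the failure page and any other size as a possible success."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        if len(recs) < threshold:
            continue
        sizes = Counter(r["size"] for r in recs)
        failure_size = sizes.most_common(1)[0][0]
        findings[ip] = {
            "attempts": len(recs),
            "statuses": dict(Counter(r["status"] for r in recs)),
            "failure_size": failure_size,
            "outlier_sizes": sorted(s for s in sizes if s != failure_size),
        }
    return findings
```

Running `find_login_bursts(SAMPLE_LOG)` reports the single client with six login POSTs, all 200, and the one 4731-byte outlier; rate limiting the form and returning a response of constant size for failures removes both the signal the attacker used and the need for this heuristic.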