Burp Suite: Repeater (Old)
This guide contains the answers and the steps necessary to get to them for the Burp Suite: Repeater room.
Note: The Burp Suite rooms have been updated to reflect a newer version, so some of these answers might no longer be correct. Most of them still are, but they may appear in a different order than in the new room.
Table of contents
- Repeater Basic Usage
- Repeater Views
- Repeater Inspector
- Practical Example
- Practical Challenge
- Extra Mile SQLi with Repeater
- Conclusion Room Conclusion
Repeater Basic Usage
Capture a request to http://10.10.34.19 in the Proxy and send it to Repeater.
Practice modifying and re-sending the request numerous times.
First we enable FoxyProxy in Firefox and capture the request from the website.

Then we can send this request to Repeater and send it to get a response. Note the Connection header.

Now we can change the Connection header and see the difference in the response when we send it again.

Repeater Views
Which view option displays the response in the same format as your browser would?
The answers can be found in the text.
Answer: Render
Practical Example
Send the request. What is the flag you receive?
First we enable FoxyProxy in Firefox and capture the request from the website.

Then we can send this request to Repeater and send it to get a response. Note the Connection header.

Now add the following header at the bottom of the request and add two blank lines.

    FlagAuthorised: True

Answer: THM{Yzg2MWI2ZDhlYzdlNGFiZTUzZTIzMzVi}
Practical Challenge
See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs.
What is the flag you receive when you cause a 500 error in the endpoint?
On the product page, we can see an ID number being used to display the current product.

Let's intercept this request in Burp Suite and send it to Repeater.

Now we can try different values for the ID number to see if we can get an error. The following values were tried and all but one worked.

    0 10000 999999999999999999 aaaaaaadasdas qwe134@#! -0 -1

Answer: THM{N2MzMzFhMTA1MmZiYjA2YWQ4M2ZmMzhl}
Extra Mile SQLi with Repeater
Exploit the union SQL injection vulnerability in the site.
What is the flag?
Let's capture the request again in Burp Suite and send it to Repeater.

To quickly check for SQL injection vulnerabilities, we can add a ' after the ID. Looks like there is one.
The next thing we need to do is enumerate the people table for column names. We should change the ID to a non-existent number to avoid any output.

    UNION all SELECT column_name,null,null,null,null FROM information_schema.columns WHERE table_name="people"

We see one column name, but we want them all. We can use group_concat to get them all.

    UNION all SELECT group_concat(column_name),null,null,null,null FROM information_schema.columns WHERE table_name="people"

Now we get all the column names in the people table. We probably want to read the notes column. Looking at the website, we can find the corresponding ID for the CEO (1).

    UNION all SELECT notes,null,null,null,null FROM people WHERE id=1

Answer: THM{ZGE3OTUyZGMyMzkwNjJmZjg3Mzk1NjJh}
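
Both the Practical Challenge and the Extra Mile task rely on the server trusting the ID at the end of the request. As an added example (not part of the original write-up or the room's own code), this sketch contrasts a handler that concatenates the ID into the SQL text with one that validates it and binds it as a parameter. The SQLite stand-in database, every column name other than `notes`, and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the room's backend. Only the `people` table and its
# `id` and `notes` columns come from the write-up; everything else is assumed.
COLS = "first_name, last_name, photo, role, bio"
MAX_ID = 2**31 - 1

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE people (id INTEGER PRIMARY KEY, {COLS}, notes)")
    db.execute("INSERT INTO people VALUES "
               "(1, 'A', 'Ceo', 'a.png', 'CEO', 'bio', 'constructed-note')")
    return db

def about_vulnerable(db, raw_id):
    """Before: the ID is concatenated into the SQL text, so it can change the query."""
    try:
        row = db.execute(f"SELECT {COLS} FROM people WHERE id = {raw_id}").fetchone()
    except sqlite3.Error:
        return 500, None          # malformed input surfaces as a server error
    return (200, row) if row else (404, None)

def about_hardened(db, raw_id):
    """After: allow-list the ID, bound its size, then bind it as a parameter."""
    if not (raw_id.isascii() and raw_id.isdigit()) or len(raw_id) > 10:
        return 400, None          # rejects signs, letters, symbols, SQL, huge numbers
    value = int(raw_id)
    if value > MAX_ID:
        return 400, None
    row = db.execute(f"SELECT {COLS} FROM people WHERE id = ?", (value,)).fetchone()
    return (200, row) if row else (404, None)

# Inputs taken from the write-up; the leading "0" on the UNION string is constructed.
PAGE_INPUTS = ["0", "10000", "999999999999999999", "aaaaaaadasdas",
               "qwe134@#!", "-0", "-1"]
UNION_INPUT = "0 UNION all SELECT notes,null,null,null,null FROM people WHERE id=1"

if __name__ == "__main__":
    db = make_db()
    for value in PAGE_INPUTS + [UNION_INPUT, "1"]:
        print(f"{value[:24]!r:28} vulnerable={about_vulnerable(db, value)[0]} "
              f"hardened={about_hardened(db, value)[0]}")
```

With the hardened handler, every input from the write-up ends in a 400 or 404 response, so neither the 500 error nor the UNION output is reachable through the ID.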