THM Burp Suite: Repeater - grunt92/IT-Sec-WriteUps GitHub Wiki
Deploy the machine (and the AttackBox if you are not using your own attack VM), and let's get started!
No answer needed
No answer needed
No answer needed
No answer needed
Render
Get comfortable with Inspector and practice adding/removing items from the various request sections.
No answer needed
Capture a request to http://10.10.102.69/ in the Proxy and send it to Repeater.
No answer needed
Send the request once from Repeater -- you should see the HTML source code for the page you requested in the response tab.
Try viewing this in one of the other view options (e.g. Rendered).
No answer needed
Using Inspector (or manually, if you prefer), add a header called FlagAuthorised and set it to have a value of True.
Send the request. What is the flag you receive?
THM{Yzg2MWI2ZDhlYzdlNGFiZTUzZTIzMzVi}
Capture a request to one of the numeric products endpoints in the Proxy, then forward it to Repeater.
No answer needed
See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs.
What is the flag you receive when you cause a 500 error in the endpoint?
Enter "-1" as the product number and you get the error and the flag. THM{N2MzMzFhMTA1MmZiYjA2YWQ4M2ZmMzhl}
We know that there is a vulnerability, and we know where it is. Now we just need to exploit it!
Let's start by capturing a request to http://10.10.102.69/about/2 in the Burp Proxy. Once you have captured the request, send it to Repeater with Ctrl + R or by right-clicking and choosing "Send to Repeater".
No answer needed
You should see that the server responds with a "500 Internal Server Error", indicating that we successfully broke the query:
No answer needed
No answer needed
Looking through the returned response, we can see that the first column name (id) has been inserted into the page title:
No answer needed
Fortunately, we can use our SQLi to group the results. We can still only retrieve one result at a time, but by using the group_concat() function, we can amalgamate all of the column names into a single output:
/about/0 UNION ALL SELECT group_concat(column_name),null,null,null,null FROM information_schema.columns WHERE table_name="people"
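The root cause of the 500 error and the UNION injection above is that the numeric path segment is concatenated straight into the SQL statement. The following is an added example (not code from the room or from this writeup) that rebuilds a minimal /about/&lt;id&gt; handler twice, once the way the vulnerable endpoint behaves and once hardened with input validation and a bound parameter. The `people` table schema, the row data and the `handle_*`/`make_db` names are constructed for the demo and are assumptions, not the lab's actual schema; SQLite stands in for the lab's database, so the page's payload simply errors out here rather than returning column names.

```python
import sqlite3

# The injection string from the writeup, reused only to show how each handler reacts to it.
SQL_PAYLOAD = ('0 UNION ALL SELECT group_concat(column_name),null,null,null,null '
               'FROM information_schema.columns WHERE table_name="people"')


def make_db():
    """Constructed sample data: an in-memory stand-in for the lab's 'people' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, role TEXT, bio TEXT, photo TEXT)"
    )
    conn.executemany(
        "INSERT INTO people VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Alice", "CEO", "Runs the company", "alice.png"),
            (2, "Bob", "CTO", "Builds the product", "bob.png"),
        ],
    )
    return conn


def _render(rows):
    """Mimics the page template: the first row's 'name' column becomes the page title."""
    return {"status": 200, "title": rows[0][1]}


def handle_vulnerable(conn, raw_id):
    """'Before': raw path segment concatenated into SQL (the behaviour the writeup exploits).

    An empty result set (e.g. id -1) makes _render index an empty list, and a malformed
    or unexpected query makes the driver raise; both surface as a 500, as seen in the lab.
    """
    query = f"SELECT id, name, role, bio, photo FROM people WHERE id = {raw_id}"
    try:
        return _render(conn.execute(query).fetchall())
    except (sqlite3.Error, IndexError) as exc:
        return {"status": 500, "error": type(exc).__name__}


def handle_hardened(conn, raw_id):
    """'After': validate the identifier, bind it as a parameter, and map 'not found' to 404."""
    try:
        person_id = int(raw_id)
    except ValueError:
        # Anything that is not an integer (including a UNION payload) is a bad request.
        return {"status": 400, "error": "id must be an integer"}
    if person_id < 1:
        # Negative or zero ids are outside the valid range; reject rather than query.
        return {"status": 400, "error": "id out of range"}
    rows = conn.execute(
        "SELECT id, name, role, bio, photo FROM people WHERE id = ?", (person_id,)
    ).fetchall()
    if not rows:
        return {"status": 404, "error": "no such person"}
    return _render(rows)


if __name__ == "__main__":
    db = make_db()
    for probe in ("2", "-1", SQL_PAYLOAD):
        print("vulnerable:", probe[:24], "->", handle_vulnerable(db, probe)["status"])
        print("hardened:  ", probe[:24], "->", handle_hardened(db, probe)["status"])
```

With the bound parameter, the database only ever receives an integer; the hardened handler turns the "-1" probe and the UNION payload into 400 responses instead of a 500, which also removes the error-based signal that made the vulnerable endpoint easy to spot in Repeater.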
No answer needed
No answer needed
THM{ZGE3OTUyZGMyMzkwNjJmZjg3Mzk1NjJh}
No answer needed