DZONERZY

PyJFuzz to the next level

October 20, 2016 Daniele

What is PyJFuzz

In the previous post I wrote about PyJFuzz, a project of mine focused on JSON fuzzing. It is written entirely in Python and is based on radamsa, a general-purpose fuzzer. As promised, in this post I will talk about real-life fuzzing using PyJFuzz and Burp Suite. PyJFuzz is a modular, easy-to-use, easy-to-extend and easy-to-integrate JSON fuzzer: with it you will be able to fuzz almost anything JSON-based with little effort.

Burp Suite a love story

As a pentester you should already know Burp Suite, but if you don't, let me explain it. Burp Suite is an HTTP and HTTPS proxy that allows you to intercept and modify requests and responses in real time. Burp Suite is written entirely in Java and is developed by PortSwigger; it comes bundled with a lot of useful tools such as:

  • Proxy
  • Repeater
  • Sequencer
  • Intruder
  • Decoder
  • Comparer
  • Extender

And much more...

A nice feature of Burp Suite is the Extender, which allows you to extend Burp's functionality using both Python and Java. Another interesting feature is the Intruder, which allows you to repeat the same request many times changing only some parameters; for example, it is used when we need to bruteforce sessions or cookies, or to guess an admin password. To accomplish our objective we'll use both features.

Setup the environment

In order to make PyJFuzz work we need to install a few dependencies:

  • Radamsa
  • Jython
  • PyJFuzz
  • Burp-PyJFuzz

Below are the steps needed to install them correctly.

Radamsa

Radamsa's installation is pretty trivial and can be done in a single line:

git clone https://github.com/aoh/radamsa && cd radamsa && make && sudo make install

Once done, radamsa should be installed.

Jython

Jython is a Python implementation that runs on the Java Virtual Machine; Burp Suite uses it to load extensions written in Python. You can download the standalone Jar from here; once downloaded, put the jar path inside Burp Extender > Options > Python Environment.

PyJFuzz

In order to install PyJFuzz you just need to clone the project and install it using these commands:

git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && python setup.py install

Burp-PyJFuzz

As with Radamsa, you just have to clone Burp-PyJFuzz and then import it into Burp. You can download it using

git clone https://github.com/mseclab/Burp-PyJFuzz.git

Module installation

When everything is ready you can import the module into Burp Suite: go to Extender > Extensions and select Add. A window should pop up; there set Extension Type => Python, insert the path to Burp-PyJFuzz and click Next to load the extension. If everything went well you should see a new tab called PyJFuzz.


Fuzzing in real-life

I wanted to make a PoC of using Burp-PyJFuzz, so I made a vulnerable page that takes JSON parameters and I'm going to fuzz it using PyJFuzz. "How to use Burp" is outside this post's scope, so I won't talk about it and I assume you already know the basics.

Once we've identified our request we'll send it to the Intruder in order to select the payload position; we need to set the payload position so that it covers just the JSON object, like the following:


After setting the payload position we need to instruct Burp Suite to generate all the test cases using our plugin, so go to Intruder > Payloads and set Payload Type => Extension-generated, then click on generators and select PyJFuzz JSON Fuzzer, like the following:


Again on Intruder > Payloads, at the bottom uncheck "URL-encode these characters", since we're fuzzing a POST body. When done, go to the PyJFuzz tab; since we know that my vulnerable application strictly parses JSON, set the Fuzz Factor to 2 and use all techniques (on by default).


We're ready to start, so on the top menu click Intruder > Start Attack. A new window will pop up showing all the fuzzed requests. After some minutes of fuzzing I noticed something strange: one request was reporting a different response length (maybe something went wrong)!?


So, looking at the payload used by PyJFuzz, I noticed it was a test for Remote Command Execution:

{"picture":"||cmd.&id||pic.jp\u000a;","name":"test","password":"test2"}

The response was pretty clear!
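As an added example (not code from this post or from the PyJFuzz project), here is the server-side check that would have made that test case harmless: parse the JSON strictly, allow only the expected fields, and allow-list the picture field as a plain image file name before it reaches anything that builds a command line. The request bodies, field names and the regex are assumptions modelled on the JSON object fuzzed above; the payload string is the one from the post.

```python
import json
import re

# Constructed sample bodies: the JSON object fuzzed in the post and the RCE
# test case PyJFuzz generated for it (payload copied from the post).
ORIGINAL_BODY = '{"picture":"pic.jpg","name":"test","password":"test2"}'
FUZZED_BODY = '{"picture":"||cmd.&id||pic.jp\\u000a;","name":"test","password":"test2"}'

# Allow-list for an image file name (assumed policy): no path separators, no
# shell metacharacters, no control characters, a known extension, bounded length.
SAFE_PICTURE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$")
REQUIRED_STRINGS = ("picture", "name", "password")


def validate_upload_request(body):
    """Return (ok, reason) for a request body shaped like ORIGINAL_BODY.

    Strict parsing plus per-field allow-listing means a fuzzed value such as
    '||cmd.&id||pic.jp\\n;' is rejected before any command is constructed.
    """
    try:
        obj = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return False, "malformed JSON: %s" % exc
    if not isinstance(obj, dict):
        return False, "top-level value must be an object"
    unknown = set(obj) - set(REQUIRED_STRINGS)
    if unknown:
        return False, "unexpected field(s): %s" % ", ".join(sorted(unknown))
    for key in REQUIRED_STRINGS:
        value = obj.get(key)
        if not isinstance(value, str):
            return False, "field %r must be a string" % key
        # The \u000a in the payload decodes to a newline: catch it here.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            return False, "field %r contains control characters" % key
    if not SAFE_PICTURE.match(obj["picture"]):
        return False, "picture is not a plain image file name"
    return True, "ok"


def main():
    for label, body in (("original", ORIGINAL_BODY), ("fuzzed", FUZZED_BODY)):
        ok, reason = validate_upload_request(body)
        print("%-8s %-6s %s" % (label, "accept" if ok else "reject", reason))


if __name__ == "__main__":
    main()
```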


The End

I hope you enjoyed PyJFuzz and its Burp Suite plugin; for any comments or questions, write below!

Bye #dzonerzy