This extension provides a way to use file contents as custom Intruder payloads.
Suppose you need to test a file upload request with your library of carefully crafted files, such as GIFARs, PHP files, JPEGs, JPEGs with embedded PHP, files with wrong magic numbers, etc. You can paste the contents of those binaries into Repeater one by one, but that is tedious.
Instead, you can configure Intruder to use the payloads generated by this extension. The extension just needs to be pointed at the folder that holds the payload files.
Choosing the input files:
Configuring the Intruder:
The source includes the NetBeans project files. You can use the native NetBeans GUI to modify the Extension Tab layout.
Usage
load the extension: a new PayloadTab should appear
at the PayloadTab, choose the payload folder
the extension reads all files recursively and lists them
in the payloads tab of the Intruder tool:
select Extension-generated at Payload Sets -> Payload Type
select File as Payload or Filename as Payload at Payload Options
disable the "URL-encode these characters" option, at Payloads -> Payload Encoding (especially for multipart POST requests, where encoding would alter the binary file contents)
If you just need to use the file contents as payload, select File as Payload.
If you need both the content and the filename, choose Pitchfork as the Attack type and use File as Payload for one Payload set and Filename as Payload for the other.
TODO
exclude files like .DS_Store
button to disable the "URL-encode these characters" option
verify file read permissions upon folder selection
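
The recursive folder read from the Usage steps, combined with the first and third TODO items (skipping files like .DS_Store and checking read permissions when the folder is selected), could look like the sketch below. This is an added example, not the extension's own code: the class name, method name and the skip list are assumptions, and the sample tree is constructed in a temp directory.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.*;

// Added example, not the extension's code: class and method names are hypothetical.
public class PayloadFolderScanner {
    // OS metadata files that should never be offered as payloads (assumed list).
    private static final Set<String> SKIP = Set.of(".DS_Store", "Thumbs.db", "desktop.ini");

    /** Walks root recursively; fills 'unreadable' with paths that cannot be read. */
    public static List<Path> scan(Path root, List<Path> unreadable) throws IOException {
        if (!Files.isDirectory(root) || !Files.isReadable(root)) {
            throw new IOException("Payload folder missing or not readable: " + root);
        }
        List<Path> payloads = new ArrayList<>();
        // walkFileTree does not follow symlinks by default, so links are skipped below.
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
                String name = file.getFileName().toString();
                if (!attrs.isRegularFile() || SKIP.contains(name)) {
                    return FileVisitResult.CONTINUE;
                }
                if (Files.isReadable(file)) payloads.add(file); else unreadable.add(file);
                return FileVisitResult.CONTINUE;
            }
            @Override
            public FileVisitResult visitFileFailed(Path file, IOException e) {
                unreadable.add(file);            // e.g. a directory we cannot enter
                return FileVisitResult.CONTINUE; // keep going instead of aborting the walk
            }
        });
        Collections.sort(payloads); // stable order: payload N is the same file on every run
        return payloads;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree so the example runs offline.
        Path root = Files.createTempDirectory("payloads");
        Files.createDirectories(root.resolve("images"));
        Files.write(root.resolve("images/sample.jpg"), new byte[] {(byte) 0xFF, (byte) 0xD8});
        Files.write(root.resolve("note.txt"), "hello".getBytes());
        Files.write(root.resolve(".DS_Store"), new byte[0]);
        List<Path> unreadable = new ArrayList<>();
        for (Path p : scan(root, unreadable)) System.out.println(root.relativize(p));
        System.out.println("unreadable: " + unreadable.size());
    }
}
```

Reporting the unreadable paths at folder-selection time, rather than failing mid-attack, keeps the payload count shown in the tab consistent with what Intruder will actually send.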