⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡤⠐⠢⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡠⠉⠀⠀⠀⠱⠀⠀⠀⠀⠀
⠀⠀⠀⣀⣀⣤⣤⣤⣶⣶⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣮⣑⠡⡀⡀⠀⢀⡇⠀⠀⠀⠀
⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⢰⣶⣶⣶⣶⣶⣶⣶⣶⣶⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣄⠈⣌⠪⡄⢰⢡⠀⠀⠀⠀
⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠈⠉⠉⣿⣿⡟⠉⠉⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣾⣀⠈⢂⠃⡈⠘⣄⠀⠀⠀
⢸⣿⣿⣏⠉⠙⣿⣿⠉⠉⣿⣿⣿⠀⠀⢠⣤⣤⣿⣿⣧⣤⣤⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢘⣿⣷⣄⠤⢢⠁⡠⠂⠢⡀⠀
⢸⣿⣿⣿⣆⠀⠸⠃⢀⣾⣿⣿⣿⠀⠀⠸⠿⠿⣿⣿⡿⠿⠿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⠏⣸⡿⠟⣾⠓⠉⡖⠀⠀⠈⢂
⢸⣿⣿⣿⣿⠆⠀⠀⢾⣿⣿⣿⣿⠀⠀⠀⠀⠀⣿⣿⡇⠀⠀⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣆⡏⢸⠟⠀⣾⠀⠈⢡⡠⠂⠀⠈
⢸⣿⣿⣿⠏⠀⣰⡄⠀⢿⣿⣿⣿⠀⠀⢰⣶⣶⣿⣿⣷⣶⣶⣿⣿⡇⠀⠀⠀⣦⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡼⡀⡇⢈⠐⠠⡟⠀⠀⢞⡿⢅⠄⢀
⢸⣿⣿⣃⣀⣰⣿⣷⣀⣀⣻⣿⣿⠀⠀⠘⠛⠛⣿⣿⡟⠛⠛⣿⣿⡇⠀⠀⠀⠹⣿⣷⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠜⠊⢛⡃⠘⠀⠀⡇⠀⡈⠶⠄⠒⠂⡔
⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⢀⣀⣀⣿⣿⣧⣀⣀⣿⣿⡇⠀⠀⠀⠀⠘⣿⣿⣿⣷⣄⣀⠀⠤⡠⡤⠒⠫⠱⠀⣼⠧⠀⠀⠀⢁⠠⢱⠤⠒⠒⣠⠇
⠸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠸⠿⠿⠿⠿⠿⠿⠿⠿⠿⠃⠀⠀⠀⠀⠀⠘⢿⣿⣿⣿⣾⡷⡋⣞⠔⡣⠎⠙⠂⠘⠒⠲⡖⡒⠒⡶⢙⠀⠈⠉⣸⠀
⠀⠀⠀⠉⠉⠛⠛⠛⠿⠿⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠻⣿⣿⡿⣿⣿⣯⠪⡖⠤⠤⠔⣀⣤⡃⠀⠀⡁⠀⣀⠄⠊⡜⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠛⢿⡌⠙⢿⣾⡫⠅⠂⠉⠀⠀⠁⠪⢁⠈⠉⠀⠀⣸⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠚⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠀⠀⠀⠉⠀⠀
Make Excel Fuzzing Simpler
Sheet Intruder is a Burp Suite extension designed to simplify the process of fuzzing for Excel file uploads. It works by representing the content of an Excel file as a tag, which can then be integrated into various locations. This tag then allows configuration such as replacements for fuzzing targets.
-
Seamless Integration: Sheet Intruder seamlessly integrates into Burp Suite's Intruder, Scanner, and Repeater tools, allowing for efficient and comprehensive Excel file manipulation during different stages of testing.
-
Both .xls and .xlsx file formats are supported
-
Value Replacement Mode: Use the
<$SheetIntruder>tag to define value replacements within the Excel file. This mode allows you to search for specific values within cells and replace them with desired substitutions. -
Cell Replacement Mode: Use the
<$SheetIntruderCell>tag to perform cell-based replacements. You can replace cells either by referencing their cell number (e.g., "A1", "B1") or by specifying cell ranges (e.g., "A1:B12", "CustomSheet! A1:D5").
- Choose your Excel file (.xls and .xlsx supported)
- The selected file is loaded into the extension
- In Repeater, Proxy, Scanner or Intruder you are now able to include the tags described below
- Before sending the request the provided Excel file is read and the requested modifications made
This mode searches for specific values within cells and replaces them with the desired substitutions in the Excel file.
<$SheetIntruder>
{
"valueToReplace": "replacement",
"valueToReplace2": "replacement2"
}
</$SheetIntruder>
This mode replaces cells referenced by their cell number with the given substitution. Examples:
<$SheetIntruderCell>
{
"A1": "replacement",
"B1": "replacement2"
}
</$SheetIntruderCell>
<$SheetIntruderCell>
{
"A1": "replacement",
"CustomSheet!B21": "otherSheetB21"
}
</$SheetIntruderCell>
<$SheetIntruderCell>
{
"A1:B12": "rangeReplacement",
"CustomSheet!A1:D5": "otherSheetRange"
}
</$SheetIntruderCell>
$ gradle build shadowJar
A test server is provided and can be built using the docker file. It's only purpose is to simulate a file upload, and store the uploaded files for diagnostics.
$ docker build -t sheetintruder-testserver:latest .
$ docker run -p 5000:5000 -v $(pwd):/output sheetintruder-testserver