This plugin only appends single quotes; it does not test other blind-injection techniques, and the results it returns must be reviewed manually to decide whether an injection exists. To test for all injection types, forward the Burp traffic to xray.
- Burp plugin.
- Appends one single quote and two single quotes after each parameter value; if the value is a pure number, it additionally appends -1 and -0.
- The author does not know Java, and the plugin is written in Java, so the code is poor; please don't flame it.
- List of thanks: Moonlit, Amao Agou, Shincehor, Xm17
- Returning `✔️` means that the response length for two single quotes differs from the response length for one single quote, indicating that there may be an injection.
- Returning `✔️ ==> ?` means that the length of the original response is the same as the length for two single quotes and different from the length for one single quote, indicating that an injection is likely.
- Returning `diy payload` marks a result produced by a custom payload.
- Returning `time > 3` means that the request to the website took more than 3 seconds. Together with the custom payload function, this can be used to test time-based blind injection.
- Supports JSON format; V1.9 and above support multi-level nested JSON.
- Supports `-1` and `-0` for parameter values that are pure numbers.
- Supports sending a request to the plugin for scanning by right-clicking (even if it has been scanned before, it can be scanned again by right-clicking). Remark: the request must have a response before it can be sent by right-click, otherwise it cannot be sent, because the length of the original response is needed for comparison.
- Supports custom payloads.
- Supports a null (empty) parameter value in custom payloads.
- Monitors Proxy traffic.
- Monitors Repeater traffic.
- The same request is scanned only once; algorithm: `MD5 (url without parameters + parameter name + POST/GET)`.
- Added a new status column: `run...` indicates that the relevant payloads are being sent, `end!` indicates that the scan has been completed, and `end! ✔️` indicates that the scan has been completed and the result may be an injection.
- Fixed the problem in Proxy mode where traffic sometimes did not come through.
- In Proxy and Repeater modes, static resources are no longer processed. Suffixes: jpg, png, gif, css, js, pdf, mp3, mp4, avi (sending by right-click is not affected).
- Added support for an empty parameter value in custom payloads.
- UI optimization.
- Added the custom payload function.
- If a request carrying a custom payload takes more than 3 seconds, `time > 3` is displayed.
- Added support for multi-level nested JSON.
- New column: time. It shows the time taken by each request, for use with the custom payload function added in a later update.
- Added right-click to send a request to the plugin for scanning.
- Optimized the return speed of responses in Monitor Repeater mode.
- Updated the algorithm by which the same request is scanned only once; algorithm: MD5 (url without parameters + parameter name + POST/GET).
- "Monitor Repeater" is now unchecked by default, and "If the value is a number, perform -1, -0" is now checked by default.
- Changed the Proxy monitoring mode to passive mode to improve the interactive experience.
- Added: the same request is scanned only once. Algorithm: MD5 (url + parameter name). For a POST request, a change in parameter values does not trigger a rescan; the parameter names must change for it to be scanned again.
- Updated: the length of the original response is now compared, returning `✔️ ==> ?`.
- Added support for JSON format.
- Updated serial number.
- Updated: changes are marked with a tick.
- Updated to ignore requests that have no parameters, so that Proxy mode no longer fills up with requests.
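
The scan-once rule, the static-resource and no-parameter filters, and the two result markers described above can be read as the following Python sketch. It is an added example, not the plugin's Java code. The function names, the concatenation order inside the MD5 input, the form-encoded-only body handling and the treatment of right-click requests without parameters are assumptions.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

# Suffixes skipped in Proxy/Repeater mode, as listed on this page.
STATIC_SUFFIXES = {"jpg", "png", "gif", "css", "js", "pdf", "mp3", "mp4", "avi"}
MAYBE, LIKELY = "✔️", "✔️ ==> ?"   # result markers as shown on this page


def param_names(url, body=""):
    """Names of query and form-body parameters (values are ignored)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [name for name, _ in pairs]


def dedup_key(url, method, body=""):
    """MD5(url without parameters + parameter names + POST/GET).
    Assumption: plain concatenation in this order, no separators."""
    p = urlsplit(url)
    base = f"{p.scheme}://{p.netloc}{p.path}"
    material = base + "".join(param_names(url, body)) + method.upper()
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def should_scan(url, method, body, seen, right_click=False):
    """Decide whether a request is scanned; `seen` is a set of dedup keys."""
    if not param_names(url, body):
        return False                      # no parameters: ignored (assumed for right-click too)
    if right_click:
        return True                       # right-click always rescans
    suffix = urlsplit(url).path.lower().rsplit(".", 1)[-1]
    if suffix in STATIC_SUFFIXES:
        return False                      # static resource
    key = dedup_key(url, method, body)
    if key in seen:
        return False                      # same request scanned only once
    seen.add(key)
    return True


def classify(len_orig, len_one_quote, len_two_quotes):
    """Map the three response lengths to a result marker ("" = no mark)."""
    if len_one_quote == len_two_quotes:
        return ""
    return LIKELY if len_orig == len_two_quotes else MAYBE
```

Because only parameter names enter the key, a request that differs only in its values is treated as already scanned, which matches the POST behaviour noted in the changelog.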