https://github.com/Redguard/Sheet-Intruder
Enables transparent use of Excel files in Burp Suite
- Host: GitHub
- URL: https://github.com/Redguard/Sheet-Intruder
- Owner: Redguard
- Created: 2023-10-26T15:43:41.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-03-19T10:30:54.000Z (10 months ago)
- Last Synced: 2024-08-04T00:06:24.503Z (6 months ago)
- Topics: burp-extensions, burp-plugin, burpsuite, excel, montoya-api, penetration-testing
- Language: Java
- Homepage:
- Size: 92.8 KB
- Stars: 2
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-burp-extensions - Sheet Intruder - Sheet Intruder is a Burp Suite extension designed to simplify the process of fuzzing for Excel file uploads. It works by representing the content of an Excel file as a tag, which can then be integrated into various locations. This tag then allows configuration such as replacements for fuzzing targets. (Payload Generators and Fuzzers / SSRF)
README
# Sheet Intruder
```
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡤⠐⠢⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡠⠉⠀⠀⠀⠱⠀⠀⠀⠀⠀
⠀⠀⠀⣀⣀⣤⣤⣤⣶⣶⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣮⣑⠡⡀⡀⠀⢀⡇⠀⠀⠀⠀
⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⢰⣶⣶⣶⣶⣶⣶⣶⣶⣶⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣄⠈⣌⠪⡄⢰⢡⠀⠀⠀⠀
⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠈⠉⠉⣿⣿⡟⠉⠉⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣾⣀⠈⢂⠃⡈⠘⣄⠀⠀⠀
⢸⣿⣿⣏⠉⠙⣿⣿⠉⠉⣿⣿⣿⠀⠀⢠⣤⣤⣿⣿⣧⣤⣤⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢘⣿⣷⣄⠤⢢⠁⡠⠂⠢⡀⠀
⢸⣿⣿⣿⣆⠀⠸⠃⢀⣾⣿⣿⣿⠀⠀⠸⠿⠿⣿⣿⡿⠿⠿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⠏⣸⡿⠟⣾⠓⠉⡖⠀⠀⠈⢂
⢸⣿⣿⣿⣿⠆⠀⠀⢾⣿⣿⣿⣿⠀⠀⠀⠀⠀⣿⣿⡇⠀⠀⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣆⡏⢸⠟⠀⣾⠀⠈⢡⡠⠂⠀⠈
⢸⣿⣿⣿⠏⠀⣰⡄⠀⢿⣿⣿⣿⠀⠀⢰⣶⣶⣿⣿⣷⣶⣶⣿⣿⡇⠀⠀⠀⣦⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡼⡀⡇⢈⠐⠠⡟⠀⠀⢞⡿⢅⠄⢀
⢸⣿⣿⣃⣀⣰⣿⣷⣀⣀⣻⣿⣿⠀⠀⠘⠛⠛⣿⣿⡟⠛⠛⣿⣿⡇⠀⠀⠀⠹⣿⣷⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠜⠊⢛⡃⠘⠀⠀⡇⠀⡈⠶⠄⠒⠂⡔
⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⢀⣀⣀⣿⣿⣧⣀⣀⣿⣿⡇⠀⠀⠀⠀⠘⣿⣿⣿⣷⣄⣀⠀⠤⡠⡤⠒⠫⠱⠀⣼⠧⠀⠀⠀⢁⠠⢱⠤⠒⠒⣠⠇
⠸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠸⠿⠿⠿⠿⠿⠿⠿⠿⠿⠃⠀⠀⠀⠀⠀⠘⢿⣿⣿⣿⣾⡷⡋⣞⠔⡣⠎⠙⠂⠘⠒⠲⡖⡒⠒⡶⢙⠀⠈⠉⣸⠀
⠀⠀⠀⠉⠉⠛⠛⠛⠿⠿⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠻⣿⣿⡿⣿⣿⣯⠪⡖⠤⠤⠔⣀⣤⡃⠀⠀⡁⠀⣀⠄⠊⡜⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠛⢿⡌⠙⢿⣾⡫⠅⠂⠉⠀⠀⠁⠪⢁⠈⠉⠀⠀⣸⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠚⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠀⠀⠀⠉⠀⠀
```
_Make Excel Fuzzing Simpler_
## Introduction
Sheet Intruder is a Burp Suite extension designed to simplify the process of fuzzing for Excel file uploads.
It works by representing the content of an Excel file as a tag, which can then be integrated into various locations.
This tag then allows configuration such as replacements for fuzzing targets.
## Features
- Seamless Integration: Sheet Intruder seamlessly integrates into Burp Suite's Intruder, Scanner, and Repeater tools,
  allowing for efficient and comprehensive Excel file manipulation during different stages of testing.
- Both .xls and .xlsx file formats are supported
- Value Replacement Mode: Use the `<$SheetIntruder>` tag to define value replacements within the Excel file. This
  mode allows you to search for specific values within cells and replace them with desired substitutions.
- Cell Replacement Mode: Use the `<$SheetIntruderCell>` tag to perform cell-based replacements. You can replace cells
  either by referencing their cell number (e.g., "A1", "B1") or by specifying cell ranges (e.g., "A1:B12",
  "CustomSheet!A1:D5").
## Workflow
1. Choose your Excel file (.xls and .xlsx supported)
2. The selected file is loaded into the extension
3. In Repeater, Proxy, Scanner or Intruder you are now able to include the tags described below
4. Before sending the request the provided Excel file is read and the requested modifications made
### Value Replacement Mode Tag
This mode searches for specific values within cells and replaces them with the desired substitutions in the Excel file.
```
<$SheetIntruder>
{
  "valueToReplace": "replacement",
  "valueToReplace2": "replacement2"
}
</$SheetIntruder>
```
### Cell Replacement Mode Tag
This mode replaces cells referenced by their cell number with the given substitution.
Examples:
```
<$SheetIntruderCell>
{
  "A1": "replacement",
  "B1": "replacement2"
}
</$SheetIntruderCell>

<$SheetIntruderCell>
{
  "A1": "replacement",
  "CustomSheet!B21": "otherSheetB21"
}
</$SheetIntruderCell>

<$SheetIntruderCell>
{
  "A1:B12": "rangeReplacement",
  "CustomSheet!A1:D5": "otherSheetRange"
}
</$SheetIntruderCell>
```
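To see which cells a Cell Replacement Mode tag would touch before a request is sent, the keys of its JSON body can be expanded into individual cells. The following is an added example, not code from the Sheet Intruder project. The function names, the key grammar (inferred from the README examples), the use of `None` for keys that name no sheet, and the rule that later keys win on overlapping cells are all assumptions.

```python
import json
import re

# Assumed key grammar, inferred from the README examples: [Sheet!]A1[:B12]
KEY_RE = re.compile(r"(?:(?P<sheet>[^!]+)!)?(?P<c1>[A-Za-z]{1,3})(?P<r1>[1-9]\d*)"
                    r"(?::(?P<c2>[A-Za-z]{1,3})(?P<r2>[1-9]\d*))?")


def col_to_index(col):
    """Column letters to a 1-based index: A -> 1, Z -> 26, AA -> 27."""
    n = 0
    for ch in col.upper():
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def index_to_col(n):
    """Inverse of col_to_index (bijective base 26)."""
    out = ""
    while n:
        n, rem = divmod(n - 1, 26)
        out = chr(ord("A") + rem) + out
    return out


def expand_key(key):
    """Return (sheet, [cell, ...]); sheet is None when the key names no sheet."""
    m = KEY_RE.fullmatch(key.strip())
    if not m:
        raise ValueError(f"not a cell or range reference: {key!r}")
    c1, r1 = col_to_index(m["c1"]), int(m["r1"])
    c2 = col_to_index(m["c2"]) if m["c2"] else c1
    r2 = int(m["r2"]) if m["r2"] else r1
    cols = range(min(c1, c2), max(c1, c2) + 1)  # also accepts reversed ranges
    rows = range(min(r1, r2), max(r1, r2) + 1)
    return m["sheet"], [f"{index_to_col(c)}{r}" for r in rows for c in cols]


def expand_tag_body(body):
    """Map every (sheet, cell) touched by a tag body to its replacement."""
    plan = {}
    for key, value in json.loads(body).items():
        sheet, cells = expand_key(key)
        for cell in cells:
            plan[(sheet, cell)] = value  # later keys win on overlap (assumption)
    return plan

# Constructed sample: the JSON that would sit inside a <$SheetIntruderCell> tag.
SAMPLE = '{"A1:B2": "rangeReplacement", "CustomSheet!B21": "otherSheetB21", "A1": "x"}'
```

Calling `expand_tag_body(SAMPLE)` returns five entries, which makes it easy to check that a range such as "A1:B12" (24 cells) does not overwrite more of the workbook than intended.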
---
### Building from source
```
$ gradle build shadowJar
```
### Testing
A test server is provided and can be built using the Dockerfile. Its only purpose is to simulate a file upload
and store the uploaded files for diagnostics.
```bash
$ docker build -t sheetintruder-testserver:latest .
$ docker run -p 5000:5000 -v $(pwd):/output sheetintruder-testserver
```