Tips & Tricks

How to Route Public Python Exploit Code Through Burp Suite

When you come across public exploit code written in Python, it is sometimes easiest to just route the exploit through Burpsuite so you can understand what it’s doing — especially in cases where the code interacts with web applications.

To do this, we can simple add some code that instructs the script to use a proxy.


First, make sure that the Requests module is already being called by the script. Check for the following line of code:
import requests

As long as that is present, we can add a Proxy variable at the top of the exploit, but after the Requests module is imported. If the application uses HTTPS instead of HTTP, then you’d want to use https in the below line.
proxies = {'http': 'http://127.0.0.1:8080'}

Next, we need to look through the code for any .get or .post requests and add the following to the end of it.
, proxies=proxies

For example, let’s say you have a line of code that looks like this:
s.get(SERVER_URL, verify=False)

You will want to modify it so that it looks like this:
s.get(SERVER_URL, verify=False, proxies=proxies)

Just make sure to do this throughout the entire exploit. The easiest way to find them all may be to search for “requests” and look for any time a .get or .post is added to that.

Now you can spin up Burp Intercept and run the exploit! This will allow you to interact with the exploit through Burp and gives you much more visibility into the requests being made.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s