Home

Awesome

Sheet Intruder

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡤⠐⠢⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡠⠉⠀⠀⠀⠱⠀⠀⠀⠀⠀
⠀⠀⠀⣀⣀⣤⣤⣤⣶⣶⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣮⣑⠡⡀⡀⠀⢀⡇⠀⠀⠀⠀
⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⢰⣶⣶⣶⣶⣶⣶⣶⣶⣶⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣄⠈⣌⠪⡄⢰⢡⠀⠀⠀⠀
⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠈⠉⠉⣿⣿⡟⠉⠉⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣾⣀⠈⢂⠃⡈⠘⣄⠀⠀⠀
⢸⣿⣿⣏⠉⠙⣿⣿⠉⠉⣿⣿⣿⠀⠀⢠⣤⣤⣿⣿⣧⣤⣤⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢘⣿⣷⣄⠤⢢⠁⡠⠂⠢⡀⠀
⢸⣿⣿⣿⣆⠀⠸⠃⢀⣾⣿⣿⣿⠀⠀⠸⠿⠿⣿⣿⡿⠿⠿⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⠏⣸⡿⠟⣾⠓⠉⡖⠀⠀⠈⢂
⢸⣿⣿⣿⣿⠆⠀⠀⢾⣿⣿⣿⣿⠀⠀⠀⠀⠀⣿⣿⡇⠀⠀⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣆⡏⢸⠟⠀⣾⠀⠈⢡⡠⠂⠀⠈
⢸⣿⣿⣿⠏⠀⣰⡄⠀⢿⣿⣿⣿⠀⠀⢰⣶⣶⣿⣿⣷⣶⣶⣿⣿⡇⠀⠀⠀⣦⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡼⡀⡇⢈⠐⠠⡟⠀⠀⢞⡿⢅⠄⢀
⢸⣿⣿⣃⣀⣰⣿⣷⣀⣀⣻⣿⣿⠀⠀⠘⠛⠛⣿⣿⡟⠛⠛⣿⣿⡇⠀⠀⠀⠹⣿⣷⣦⡀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠜⠊⢛⡃⠘⠀⠀⡇⠀⡈⠶⠄⠒⠂⡔
⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⢀⣀⣀⣿⣿⣧⣀⣀⣿⣿⡇⠀⠀⠀⠀⠘⣿⣿⣿⣷⣄⣀⠀⠤⡠⡤⠒⠫⠱⠀⣼⠧⠀⠀⠀⢁⠠⢱⠤⠒⠒⣠⠇
⠸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠸⠿⠿⠿⠿⠿⠿⠿⠿⠿⠃⠀⠀⠀⠀⠀⠘⢿⣿⣿⣿⣾⡷⡋⣞⠔⡣⠎⠙⠂⠘⠒⠲⡖⡒⠒⡶⢙⠀⠈⠉⣸⠀
⠀⠀⠀⠉⠉⠛⠛⠛⠿⠿⣿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠻⣿⣿⡿⣿⣿⣯⠪⡖⠤⠤⠔⣀⣤⡃⠀⠀⡁⠀⣀⠄⠊⡜⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠛⢿⡌⠙⢿⣾⡫⠅⠂⠉⠀⠀⠁⠪⢁⠈⠉⠀⠀⣸⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠚⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠀⠀⠀⠉⠀⠀

Make Excel Fuzzing Simpler

Introduction

Sheet Intruder is a Burp Suite extension designed to simplify the process of fuzzing for Excel file uploads. It works by representing the content of an Excel file as a tag, which can then be integrated into various locations. This tag then allows configuration such as replacements for fuzzing targets.

Features

Workflow

  1. Choose your Excel file (.xls and .xlsx supported)
  2. The selected file is loaded into the extension
  3. In Repeater, Proxy, Scanner or Intruder you are now able to include the tags described below
  4. Before sending the request the provided Excel file is read and the requested modifications made

Value Replacement Mode Tag

This mode searches for specific values within cells and replaces them with the desired substitutions in the Excel file.

<$SheetIntruder>
{
    "valueToReplace": "replacement",
    "valueToReplace2": "replacement2"
}
</$SheetIntruder>

Cell Replacement Mode Tag

This mode replaces cells referenced by their cell number with the given substitution. Examples:

<$SheetIntruderCell>
{
   "A1": "replacement",
   "B1": "replacement2"
}
</$SheetIntruderCell>

<$SheetIntruderCell>
{
   "A1": "replacement",
   "CustomSheet!B21": "otherSheetB21"
}
</$SheetIntruderCell>

<$SheetIntruderCell>
{
   "A1:B12": "rangeReplacement",
   "CustomSheet!A1:D5": "otherSheetRange"
}
</$SheetIntruderCell>


Building from source

$ gradle build shadowJar

Testing

A test server is provided and can be built using the docker file. It's only purpose is to simulate a file upload, and store the uploaded files for diagnostics.

$ docker build -t sheetintruder-testserver:latest .
$ docker run -p 5000:5000 -v $(pwd):/output sheetintruder-testserver