Posted: 2015-05-24 16:40:48 (ohai)
In this video we brute force (lol, no, dictionary attack!) a web form (from Damn Vulnerable Web App) to get the admin password using Burp Intruder. EDIT: I'll see about writing up a quick Python way to do this as well.
The first thing to notice is the error message on a bad login. Key in on 'incorrect'. Fire up Burp Proxy and try again. In Burp, we send the request to Intruder. Inside Intruder, we set the variables we want to run our list against: in this case the $_GET password parameter, with the attack type set to 'Battering ram' because, well, battering rams are cool. On the Payloads tab we load up our password list (shamelessly stolen from jtr here), and then on the Options tab we grep for output containing the word 'incorrect', which we noticed earlier is displayed on incorrect logins. While the attack is running, simply monitor for a result that doesn't have a checkmark for 'incorrect'. That's the password we want.
I totally forgot to filter those results to get rid of the clutter.
Now, log in with the correct credentials. Insta-Admin.
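Because the password travels as a $_GET parameter, every guess from a run like this lands in the web server's access log. The detector below is an added example, not part of the original post: it counts distinct passwords tried per client and username inside a time window. The `/login` path, the `username` parameter, the log format, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/login"  # assumption: path of the login form being watched
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3} ')

def _line(ip, sec, user, pw):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return (f'{ip} - - [24/May/2015:16:01:{sec:02d} +0000] "GET {LOGIN_PATH}'
            f'?username={user}&password={pw}&Login=Login HTTP/1.1" 200 4512')

_GUESSES = ["123456", "password", "letmein", "qwerty", "dragon", "monkey"]
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i, "admin", p) for i, p in enumerate(_GUESSES)]
    + [_line("198.51.100.20", 40, "bob", "hunter3"),   # a user's typo...
       _line("198.51.100.20", 55, "bob", "hunter2")])  # ...then a retry

def parse_attempt(line):
    """Return (client, username, sha256(password), time) for a login GET, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, stamp, target = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    if url.path != LOGIN_PATH or "password" not in query:
        return None
    # Only a digest is kept, so guessed passwords are not copied into alerts.
    digest = hashlib.sha256(query["password"][0].encode()).hexdigest()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return client, query.get("username", [""])[0], digest, when

def find_dictionary_attacks(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map (client, username) -> most distinct passwords tried inside one window."""
    attempts = defaultdict(list)
    for rec in filter(None, map(parse_attempt, log_text.splitlines())):
        attempts[rec[:2]].append((rec[3], rec[2]))
    flagged = {}
    for key, events in attempts.items():
        events.sort()
        start = 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({d for _, d in events[start:end + 1]})
            if distinct >= threshold:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged
```

On the constructed sample, the client that cycles through six passwords for `admin` is flagged, while the user who mistypes once and retries is not.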