Head to the Brute Force section of the DVWA app.
Start up burpsuite and intercept the login page.
Send the request to intruder.
Use the clear button to remove and set the username and password fields with the add button. Head to the payload position and choose cluster bomb attack (multiple payloads)
Set 2 payloads one for the username and the other for the password.
Here I have used a simple payload list for both fields
Start the attack and observe the length of the requests. If the length of the request is different from the others head to the request data to view the results.
Head to intercept and change the fields of the username and password and forward the request.
Admin access gained.