Tools for auditing the password strength of web HTTP login forms on Linux

June 25, 2010 (6 comments)

hydra's http-{get|post}-form module. hydra's false-negative rate is far too high.

http[s]-form-{get|post}
                 specifies the page and the parameters for the web form.
                 the keyword "^USER^" is replaced with the login and
                 ^PASS^ with the password.
                 syntax:   <url>:<form parameters>:<failure string>
                 e.g.: /login.php:user=^USER^&pass=^PASS^&mid=123:incorrect

The hydra form can be used to carry out a brute-force attack on simple
web-based login forms that require username and password variables via
either a GET or POST request.

The module works similarly to the HTTP basic auth module and will honour
proxy mode (with authentication) as well as SSL. The module can be invoked
with the service names of "http-get-form", "http-post-form",
"https-get-form" and "https-post-form".

Here are a couple of examples:

./hydra -l "<userID>" -P pass.txt 10.221.64.12 http-post-form
"/irmlab2/testsso-auth.do:ID=^USER^&Password=^PASS^:Invalid Password"

./hydra -s 443 -l "<username>" -P pass.txt 10.221.64.2 https-get-form
"/irmlab1/vulnapp.php:username=^USER^&pass=^PASS^:incorrect"

The option field (following the service field) takes three ":" separated
values: the first is the page on the server to GET or POST to, the second is
the POST/GET variables (taken from either the browser, or a proxy such as
PAROS) with the varying usernames and passwords in the "^USER^" and "^PASS^"
placeholders, and the third is the string that it checks for an *invalid*
login. Any response that does not contain that string is counted as a success.

If you specify the verbose flag (-v) it will show you the response from the
HTTP server which is useful for checking the result of a failed login to
find something to pattern match against.
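The "failure string" rule quoted above is the whole decision: a response is reported as a valid login purely because the string is absent. The following is an added illustration, not code from the original post or from the hydra project. It replays that rule over a handful of constructed server responses (the failure string and path come from the first hydra example; every response body, status and redirect target is made up) and sets a stricter classification beside it that only reports "success" on positive evidence and parks everything else as "unknown" for review. The success marker "Welcome" and the login path used for the redirect check are assumptions about the hypothetical application.

```python
from dataclasses import dataclass
from typing import Optional

# Failure string and login path taken from the hydra example above; the
# responses below are constructed, not captured from a real server.
FAILURE_STRING = "Invalid Password"
LOGIN_PATH = "/irmlab2/testsso-auth.do"


@dataclass
class Response:
    name: str                 # label for the constructed scenario
    status: int
    location: Optional[str]   # Location header, if the server redirected
    body: str


SAMPLES = [
    Response("wrong password", 200, None, "<p>Invalid Password</p>"),
    Response("correct password", 302, "/irmlab2/home.do", ""),
    Response("backend error", 500, None, "Internal Server Error"),
    Response("rate limited", 429, None, "Too many attempts, slow down"),
    Response("success page mentioning the string", 200, None,
             "Welcome back. Tip: if you get 'Invalid Password', check Caps Lock."),
    Response("failure worded differently", 200, None, "Login failed"),
    Response("redirect back to login", 302, LOGIN_PATH + "?err=1", ""),
]


def hydra_rule(resp: Response, failure_string: str = FAILURE_STRING) -> bool:
    """The rule quoted above: any response without the failure string is a hit."""
    return failure_string not in resp.body


def strict_rule(resp: Response,
                failure_string: str = FAILURE_STRING,
                success_marker: str = "Welcome",   # assumed marker of a logged-in page
                login_path: str = LOGIN_PATH) -> str:
    """Stricter classification: 'success' only on positive evidence,
    'fail' on the known failure signals, 'unknown' for everything else."""
    if resp.status in (301, 302, 303, 307):
        # Redirecting back to the login page is a failure; anywhere else is a login.
        return "fail" if (resp.location or "").startswith(login_path) else "success"
    if resp.status != 200:
        return "unknown"          # errors and throttling are not logins
    if success_marker in resp.body:
        return "success"
    if failure_string in resp.body:
        return "fail"
    return "unknown"              # differently worded failure page, needs a look


def compare(samples=SAMPLES):
    """Map each scenario name to (hydra verdict as bool, strict verdict)."""
    return {r.name: (hydra_rule(r), strict_rule(r)) for r in samples}


if __name__ == "__main__":
    for name, (hit, verdict) in compare().items():
        print(f"{name:36} hydra={'success' if hit else 'fail':8} strict={verdict}")
```

Two rows are the interesting ones: the 500, 429 and "Login failed" responses are all reported as valid logins by the failure-string rule (noise in the audit report), while the success page that happens to mention the failure string in its help text is reported as a failed login, which is exactly the kind of miss the post complains about.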

medusa's web-form module. The command to view a module's help is medusa -M web-form -q

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!" -m FORM-DATA:"post?user=&pass=&submit=True"

Available module options:
  USER-AGENT:?       User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
  FORM:?             Target form to request. Default: "/"
  DENY-SIGNAL:?      Authentication failure message. Attempt flagged as successful if text is not present in
                     server response. Default: "Login incorrect"
  FORM-DATA:<METHOD>?<FIELDS>
                     Methods and fields to send to web service. Valid methods are GET and POST. The actual form
                     data to be submitted should also be defined here. Specifically, the fields: username and
                     password. The username field must be the first, followed by the password field.
                     Default: "post?username=&password="

The advantage of the Linux tools is that a script can take their output and turn it into a report. The risk-monitoring system I have been daydreaming about for a long time will have an internal beta soon.
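As an added example of the reporting step (not code from the original post or from either project), here is a small parser that reads the result lines of both tools and emits a CSV of affected accounts. The sample output is constructed; the line formats it matches (hydra's "[port][service] host: ... login: ... password: ..." and medusa's "ACCOUNT FOUND: [service] Host: ... User: ... Password: ... [SUCCESS]") are assumptions about what the tools print, so adjust the two regular expressions to the version in use. The report records why the password was weak rather than the password itself, so it can be handed to account owners without leaking credentials.

```python
import csv
import io
import re

# Constructed sample output (not captured from a real run): a couple of hydra
# result lines, one medusa hit, one medusa progress line and a summary line.
SAMPLE_OUTPUT = """\
[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: 10.221.64.12   login: alice   password: alice123
[80][http-post-form] host: 10.221.64.12   login: bob   password: Password1
ACCOUNT FOUND: [web-form] Host: 10.221.64.2 User: carol Password: carol [SUCCESS]
ACCOUNT CHECK: [web-form] Host: 10.221.64.2 (1 of 1, 0 complete) User: dave (4 of 4, 3 complete) Password: zzz (10 of 10 complete)
1 of 1 target successfully completed, 2 valid passwords found
"""

# Assumed line formats; verify against the tool version you run.
HYDRA_RE = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<user>\S+)\s+password:\s+(?P<password>.*)$")
MEDUSA_RE = re.compile(
    r"^ACCOUNT FOUND:\s+\[(?P<service>[\w-]+)\]\s+Host:\s+(?P<host>\S+)"
    r"\s+User:\s+(?P<user>\S+)\s+Password:\s+(?P<password>.*?)\s+\[SUCCESS\]$")


def classify(user: str, password: str) -> str:
    """Describe why the password is weak without echoing it into the report."""
    if password == user:
        return "same as username"
    if user.lower() in password.lower():
        return "contains username"
    if len(password) < 8:
        return "shorter than 8 characters"
    return "found in wordlist"


def parse_findings(text: str):
    """Return one record per cracked account found in hydra or medusa output."""
    findings = []
    for line in text.splitlines():
        m = HYDRA_RE.match(line) or MEDUSA_RE.match(line)
        if not m:
            continue            # banners, progress and summary lines are skipped
        d = m.groupdict()
        findings.append({
            "tool": "hydra" if line.startswith("[") else "medusa",
            "host": d["host"],
            "service": d["service"],
            "user": d["user"],
            "weakness": classify(d["user"], d["password"]),
        })
    return findings


def to_csv(findings) -> str:
    """Render the findings as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["tool", "host", "service", "user", "weakness"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(findings)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_findings(SAMPLE_OUTPUT)), end="")
```

In practice the text would come from the tools' output files (hydra's -o option writes one) rather than a string literal; the parsing and classification are the same.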

Also, on Windows, that web scanner auxtenx (the spelling may be wrong) can do this too.