
Tools for auditing the password strength of web HTTP login forms on Linux

June 25th, 2010


                 specifies the page and the parameters for the web form.
                 the keyword “^USER^” is replaced with the login and
                 ^PASS^ with the password.
                 syntax:   <url>:<form parameters>:<failure string>
                 e.g.: /login.php:user=^USER^&pass=^PASS^&mid=123:incorrect

The hydra form can be used to carry out a brute-force attack on simple
web-based login forms that require username and password variables via
either a GET or POST request.

The module works similarly to the HTTP basic auth module and will honour
proxy mode (with authentication) as well as SSL. The module can be invoked
with the service names of “http-get-form”, “http-post-form”,
“https-get-form” and “https-post-form”.

Here are a couple of examples:

./hydra -l "<userID>" -P pass.txt http-post-form
"/irmlab2/^USER^&Password=^PASS^:Invalid Password"

./hydra -s 443 -l "<username>" -P pass.txt https-get-form

The option field (following the service field) takes three “:” separated
values: the first is the page on the server to GET or POST to; the second is
the POST/GET variables (taken from either the browser, or a proxy such as
PAROS), with the varying usernames and passwords in the “^USER^” and “^PASS^”
placeholders; and the third is the string that it checks for an *invalid*
login. Any response that does not contain this string is counted as a success.

If you specify the verbose flag (-v) it will show you the response from the
HTTP server which is useful for checking the result of a failed login to
find something to pattern match against.

Medusa's web-form module. The command to view the help for a particular module is medusa -M web-form -q

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!" -m FORM-DATA:"post?user=&pass=&submit=True"

Available module options:
  USER-AGENT:?       User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
  FORM:?             Target form to request. Default: "/"
  DENY-SIGNAL:?      Authentication failure message. Attempt flagged as successful if text is not present in
                     server response. Default: "Login incorrect"
  FORM-DATA:<METHOD>?<FIELDS>
                     Methods and fields to send to web service. Valid methods are GET and POST. The actual form
                     data to be submitted should also be defined here. Specifically, the fields: username and
                     password. The username field must be the first, followed by the password field.
                     Default: "post?username=&password="
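
From the defender's side, the traffic these modules generate can be spotted in the web server's access log. The following is an added example, not part of the original post or of hydra/medusa: it flags clients that hit a login form repeatedly within a short window, or that send medusa's unchanged default User-Agent. The Combined Log Format, the /login.php path, the threshold and window values, and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default User-Agent of medusa's web-form module, copied from its help output.
MEDUSA_DEFAULT_UA = "I'm not Mozilla, I'm Ming Mong"

# Combined Log Format (assumed): ip - user [time] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def detect(lines, login_path="/login.php", threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: set_of_reasons}; expects lines in chronological order."""
    findings, attempts = defaultdict(set), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        # A GET form carries the guesses in the query string, so compare the path only.
        if m["path"].split("?", 1)[0] != login_path:
            continue
        if m["ua"] == MEDUSA_DEFAULT_UA:
            findings[m["ip"]].add("medusa-default-user-agent")
        # Count requests, not status codes: a failed form login often returns 200
        # with the failure string in the body, which is why the tools match on text.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        times = attempts[m["ip"]]
        times.append(ts)
        while ts - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            findings[m["ip"]].add("login-burst")
    return dict(findings)

def _line(ip, sec, request, ua):
    # Helper that builds one constructed access-log line.
    return f'{ip} - - [25/Jun/2010:10:00:{sec:02d} +0000] "{request} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample log (documentation IP range, made-up agents and parameters).
SAMPLE_LOG = (
    [_line("192.0.2.10", s, f"GET /login.php?user=admin&pass=guess{s}", "ExampleAgent/1.0")
     for s in range(6)]
    + [_line("192.0.2.20", 7, "POST /login.php", MEDUSA_DEFAULT_UA),
       _line("192.0.2.30", 8, "POST /login.php", "ExampleBrowser/1.0"),
       _line("192.0.2.30", 9, "GET /index.php", "ExampleBrowser/1.0")])

if __name__ == "__main__":
    for ip, reasons in sorted(detect(SAMPLE_LOG).items()):
        print(ip, sorted(reasons))
```

The User-Agent check only catches a medusa run that left USER-AGENT at its default, so the request-rate check is the one to rely on.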