fix http-...-form help

2025-07-05 20:41:39 -07:00 · 2022-09-29 10:01:56 +02:00 · 2022-09-29 10:01:56 +02:00 · 882a1a3aac
commit 882a1a3aac
parent 3332b3c366
2 changed files with 25 additions and 26 deletions
--- a/3
+++ b/3
@ -2,7 +2,8 @@ Changelog for hydra
 -------------------

 Release 9.5-dev
-* ... your patch? :)
+* The help for http forms was wrong. the condition variable must always be
+  the *last* parameter, not the third


 Release 9.4
--- a/hydra-http-form.c
+++ b/hydra-http-form.c
@ -1434,27 +1434,26 @@ void usage_http_form(const char *service) {
         "redirections in\n"
         "a row. It always gathers a new cookie from the same URL without "
         "variables\n"
-         "The parameters take three \":\" separated values, plus optional "
+         "The parameters requires three \":\" separated values, plus optional "
         "values.\n"
         "(Note: if you need a colon in the option string as value, escape it "
         "with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
-         "\nSyntax:   <url>:<form parameters>:<condition "
-         "string>[:<optional>[:<optional>]\n"
-         "First is the page on the server to GET or POST to (URL).\n"
-         "Second is the POST/GET variables (taken from either the browser, proxy, "
-         "etc.\n"
-         " with url-encoded (resp. base64-encoded) usernames and passwords being "
-         "replaced in the\n"
-         " \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") "
-         "placeholders (FORM PARAMETERS)\n"
-         "Third is the string that it checks for an *invalid* login (by default)\n"
-         " Invalid condition login check can be preceded by \"F=\", successful "
-         "condition\n"
+         "\nSyntax: <url>:<form parameters>[:<optional>[:<optional>]:<condition string>\n"
+         "\nFirst is the page on the server to GET or POST to (URL), e.g. \"/login\".\n"
+         "Second is the POST/GET variables (taken from either the browser, proxy, etc.)\n"
+         " without the initial '?' character and the usernames and passwords being\n"
+         " replaced with \"^USER^\" (\"^USER64^\" for base64 encodings) and \"^PASS^\"\n"
+         " (\"^PASS64^\" for base64 encodings).\n"
+         "Third are optional parameters (see below)\n"
+         "Last is the string that it checks for an *invalid* login (by default).\n"
+         " Invalid condition login check can be preceded by \"F=\", successful condition\n"
         " login check must be preceded by \"S=\".\n"
-         " This is where most people get it wrong. You have to check the webapp "
-         "what a\n"
-         " failed string looks like and put it in this parameter! Add the -d switch to see\nthe sent/received data!\n"
-         "\nThe following parameters are optional:\n"
+         " This is where most people get it wrong! You have to check the webapp what a\n"
+         " failed string looks like and put it in this parameter! Add the -d switch to see\n"
+         " the sent/received data!\n"
+         " Note that using invalid login condition checks can result in false positives!\n"
+         "\nThe following parameters are optional and are put between the form parameters\n"
+         "  and the condition string; seperate them too with colons:\n"
         " 2=                  302 page forward return codes identify a successful attempt\n"
         " (c|C)=/page/uri     to define a different page to gather initial "
         "cookies from\n"
@ -1469,17 +1468,16 @@ void usage_http_form(const char *service) {
         "exists, by the\n"
         "                 one supplied by the user, or add the header at the "
         "end\n"
-         "\nNote that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n"
-         " All colons that are not option separators should be escaped (see the "
-         "examples above and below).\n"
-         " You can specify a header without escaping the colons, but that way you "
-         "will not be able to put colons\n"
-         " in the header value itself, as they will be interpreted by hydra as "
-         "option separators.\n"
+         "\nNote that if you are going to put colons (:) in your headers you should escape\n"
+         "them with a backslash (\\). All colons that are not option separators should be\n"
+         "escaped (see the examples above and below).\n"
+         "You can specify a header without escaping the colons, but that way you will not\n"
+         "be able to put colons in the header value itself, as they will be interpreted by\n"
+         "hydra as option separators.\n"
         "\nExamples:\n"
         " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
         " \"/"
-         "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*"
+         "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=result="
         "success\"\n"
         " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
         " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic "