diff --git a/CHANGES b/CHANGES index 2111ce2..3d61f77 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,8 @@ Changelog for hydra ------------------- Release 9.5-dev -* ... your patch? :) +* The help for http forms was wrong. the condition variable must always be + the *last* parameter, not the third Release 9.4 diff --git a/hydra-http-form.c b/hydra-http-form.c index a864088..93953dc 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -1434,27 +1434,26 @@ void usage_http_form(const char *service) { "redirections in\n" "a row. It always gathers a new cookie from the same URL without " "variables\n" - "The parameters take three \":\" separated values, plus optional " + "The parameters requires three \":\" separated values, plus optional " "values.\n" "(Note: if you need a colon in the option string as value, escape it " "with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" - "\nSyntax: :
:[:[:]\n" - "First is the page on the server to GET or POST to (URL).\n" - "Second is the POST/GET variables (taken from either the browser, proxy, " - "etc.\n" - " with url-encoded (resp. base64-encoded) usernames and passwords being " - "replaced in the\n" - " \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") " - "placeholders (FORM PARAMETERS)\n" - "Third is the string that it checks for an *invalid* login (by default)\n" - " Invalid condition login check can be preceded by \"F=\", successful " - "condition\n" + "\nSyntax: :[:[:]:\n" + "\nFirst is the page on the server to GET or POST to (URL), e.g. \"/login\".\n" + "Second is the POST/GET variables (taken from either the browser, proxy, etc.)\n" + " without the initial '?' character and the usernames and passwords being\n" + " replaced with \"^USER^\" (\"^USER64^\" for base64 encodings) and \"^PASS^\"\n" + " (\"^PASS64^\" for base64 encodings).\n" + "Third are optional parameters (see below)\n" + "Last is the string that it checks for an *invalid* login (by default).\n" + " Invalid condition login check can be preceded by \"F=\", successful condition\n" " login check must be preceded by \"S=\".\n" - " This is where most people get it wrong. You have to check the webapp " - "what a\n" - " failed string looks like and put it in this parameter! Add the -d switch to see\nthe sent/received data!\n" - "\nThe following parameters are optional:\n" + " This is where most people get it wrong! You have to check the webapp what a\n" + " failed string looks like and put it in this parameter! Add the -d switch to see\n" + " the sent/received data!\n" + " Note that using invalid login condition checks can result in false positives!\n" + "\nThe following parameters are optional and are put between the form parameters\n" + " and the condition string; seperate them too with colons:\n" " 2= 302 page forward return codes identify a successful attempt\n" " (c|C)=/page/uri to define a different page to gather initial " "cookies from\n" @@ -1469,17 +1468,16 @@ void usage_http_form(const char *service) { "exists, by the\n" " one supplied by the user, or add the header at the " "end\n" - "\nNote that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n" - " All colons that are not option separators should be escaped (see the " - "examples above and below).\n" - " You can specify a header without escaping the colons, but that way you " - "will not be able to put colons\n" - " in the header value itself, as they will be interpreted by hydra as " - "option separators.\n" + "\nNote that if you are going to put colons (:) in your headers you should escape\n" + "them with a backslash (\\). All colons that are not option separators should be\n" + "escaped (see the examples above and below).\n" + "You can specify a header without escaping the colons, but that way you will not\n" + "be able to put colons in the header value itself, as they will be interpreted by\n" + "hydra as option separators.\n" "\nExamples:\n" " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" " \"/" - "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*" + "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=result=" "success\"\n" " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n" " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic "