fix http-...-form help

vanhauser-thc 2022-09-29 10:01:56 +02:00
commit 882a1a3aac
2 changed files with 25 additions and 26 deletions


@ -2,7 +2,8 @@ Changelog for hydra
------------------- -------------------
Release 9.5-dev Release 9.5-dev
* ... your patch? :) * The help for http forms was wrong. the condition variable must always be
the *last* parameter, not the third
Release 9.4 Release 9.4
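Review bot: The added changelog entry says the condition must be the last parameter, "not the third", but when no optional parameters are given the condition string is both the third and the last value, so the wording can confuse users whose three-part option strings already work. Suggest something like "the condition string always comes last, after any optional parameters". The second sentence also starts in lower case ("the condition variable must ..."). If option parsing itself is unchanged and only the help text was corrected, saying so in the entry would tell users whether existing command lines need attention.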


@ -1434,27 +1434,26 @@ void usage_http_form(const char *service) {
"redirections in\n" "redirections in\n"
"a row. It always gathers a new cookie from the same URL without " "a row. It always gathers a new cookie from the same URL without "
"variables\n" "variables\n"
"The parameters take three \":\" separated values, plus optional " "The parameters requires three \":\" separated values, plus optional "
"values.\n" "values.\n"
"(Note: if you need a colon in the option string as value, escape it " "(Note: if you need a colon in the option string as value, escape it "
"with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" "with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
"\nSyntax: <url>:<form parameters>:<condition " "\nSyntax: <url>:<form parameters>[:<optional>[:<optional>]:<condition string>\n"
"string>[:<optional>[:<optional>]\n" "\nFirst is the page on the server to GET or POST to (URL), e.g. \"/login\".\n"
"First is the page on the server to GET or POST to (URL).\n" "Second is the POST/GET variables (taken from either the browser, proxy, etc.)\n"
"Second is the POST/GET variables (taken from either the browser, proxy, " " without the initial '?' character and the usernames and passwords being\n"
"etc.\n" " replaced with \"^USER^\" (\"^USER64^\" for base64 encodings) and \"^PASS^\"\n"
" with url-encoded (resp. base64-encoded) usernames and passwords being " " (\"^PASS64^\" for base64 encodings).\n"
"replaced in the\n" "Third are optional parameters (see below)\n"
" \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") " "Last is the string that it checks for an *invalid* login (by default).\n"
"placeholders (FORM PARAMETERS)\n" " Invalid condition login check can be preceded by \"F=\", successful condition\n"
"Third is the string that it checks for an *invalid* login (by default)\n"
" Invalid condition login check can be preceded by \"F=\", successful "
"condition\n"
" login check must be preceded by \"S=\".\n" " login check must be preceded by \"S=\".\n"
" This is where most people get it wrong. You have to check the webapp " " This is where most people get it wrong! You have to check the webapp what a\n"
"what a\n" " failed string looks like and put it in this parameter! Add the -d switch to see\n"
" failed string looks like and put it in this parameter! Add the -d switch to see\nthe sent/received data!\n" " the sent/received data!\n"
"\nThe following parameters are optional:\n" " Note that using invalid login condition checks can result in false positives!\n"
"\nThe following parameters are optional and are put between the form parameters\n"
" and the condition string; seperate them too with colons:\n"
" 2= 302 page forward return codes identify a successful attempt\n" " 2= 302 page forward return codes identify a successful attempt\n"
" (c|C)=/page/uri to define a different page to gather initial " " (c|C)=/page/uri to define a different page to gather initial "
"cookies from\n" "cookies from\n"
@ -1469,17 +1468,16 @@ void usage_http_form(const char *service) {
"exists, by the\n" "exists, by the\n"
" one supplied by the user, or add the header at the " " one supplied by the user, or add the header at the "
"end\n" "end\n"
"\nNote that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n" "\nNote that if you are going to put colons (:) in your headers you should escape\n"
" All colons that are not option separators should be escaped (see the " "them with a backslash (\\). All colons that are not option separators should be\n"
"examples above and below).\n" "escaped (see the examples above and below).\n"
" You can specify a header without escaping the colons, but that way you " "You can specify a header without escaping the colons, but that way you will not\n"
"will not be able to put colons\n" "be able to put colons in the header value itself, as they will be interpreted by\n"
" in the header value itself, as they will be interpreted by hydra as " "hydra as option separators.\n"
"option separators.\n"
"\nExamples:\n" "\nExamples:\n"
" \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
" \"/" " \"/"
"login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*" "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=result="
"success\"\n" "success\"\n"
" \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n" " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
" \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic " " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic "
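Review bot: The last example in the trailing context, "/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic ", still places the H= option after the condition string "failed", at least in the part of the line visible here, which contradicts the syntax this commit documents (optional parameters before the condition string, condition last). The example should be reordered so the H= header comes before the condition, otherwise the help contradicts itself. The same example has "^USER" without its closing caret; it should be "^USER^" to match the placeholder described in the help text.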