From cef9d52adcb77b210c7ed79c7ea36a853b5abd92 Mon Sep 17 00:00:00 2001
From: ajuaristi
Date: Sun, 19 Oct 2014 13:15:49 +0200
Subject: [PATCH 1/5] Added TODO for commiter Strunk18.
---
 TODO.STRUNK | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 TODO.STRUNK
diff --git a/TODO.STRUNK b/TODO.STRUNK
new file mode 100644
index 0000000..96a28b5
--- /dev/null
+++ b/TODO.STRUNK
@@ -0,0 +1,14 @@
+Fix issues with escape characters
+=================================
+Cmd line:
+ -l aaa -p aaa -t 2 -w 30 -d 'http-form-get://81.169.244.210:80/test.php:user=^USER^&pass=^PASS^&mid=123:incorrect:h=XXX\: YYY:H=User-Agent\: Foobar'
+Result:
+
+Cmd line:
+ -l aaa -p aaa -t 2 -w 30 -d 'http-form-get://81.169.244.210:80/test.php:user=^USER^&pass=^PASS^&mid=123:incorrect:h=XXX: YYY:H=User-Agent\: Foobar'
+Result:
+ GET /test.php HTTP/1.0
+ XXX: YYY
+ User-Agent\: Foobar:
+ Host:81.169.244.210
+ User-Agent:Mozilla/5.0 (Hydra)
\ No newline at end of file
From 9b1b6094c39ce492c440f6fed7f08040cf5e91ea Mon Sep 17 00:00:00 2001
From: ajuaristi
Date: Mon, 20 Oct 2014 19:16:57 +0200
Subject: [PATCH 2/5] Added TODO list for user strunk
---
 TODO.STRUNK | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/TODO.STRUNK b/TODO.STRUNK
index 96a28b5..f7fb6e4 100644
--- a/TODO.STRUNK
+++ b/TODO.STRUNK
@@ -3,6 +3,10 @@ Fix issues with escape characters
 Cmd line:
 -l aaa -p aaa -t 2 -w 30 -d 'http-form-get://81.169.244.210:80/test.php:user=^USER^&pass=^PASS^&mid=123:incorrect:h=XXX\: YYY:H=User-Agent\: Foobar'
 Result:
+ GET /test.php HTTP/1.0
+ XXX\: YYY:H=User-Agent: Foobar
+ Host:81.169.244.210
+ User-Agent:Mozilla/5.0 (Hydra)
 Cmd line:
 -l aaa -p aaa -t 2 -w 30 -d 'http-form-get://81.169.244.210:80/test.php:user=^USER^&pass=^PASS^&mid=123:incorrect:h=XXX: YYY:H=User-Agent\: Foobar'
From 2d7e1fc1d0dbba1f6358799566455d2e542ed2bd Mon Sep 17 00:00:00 2001
From: strunk
Date: Tue, 21 Oct 2014 23:13:19 +0200
Subject: [PATCH 3/5] Colons must be escaped when they're part of optional parameters (\:).
---
 hydra-http-form.c | 41 ++++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/hydra-http-form.c b/hydra-http-form.c
index e2d0a8e..9388b26 100644
--- a/hydra-http-form.c
+++ b/hydra-http-form.c
@@ -229,7 +229,7 @@ char *stringify_headers(ptr_header_node * ptr_head) {
 int ttl_size = 0;
 for (; cur_ptr; cur_ptr = cur_ptr->next)
- ttl_size += strlen(cur_ptr->header) + strlen(cur_ptr->value) + 3;
+ ttl_size += strlen(cur_ptr->header) + strlen(cur_ptr->value) + 4;
 headers_str = (char *) malloc(ttl_size + 1);
@@ -237,7 +237,7 @@ char *stringify_headers(ptr_header_node * ptr_head) {
 memset(headers_str, 0, ttl_size + 1);
 for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) {
 strcat(headers_str, cur_ptr->header);
- strcat(headers_str, ":");
+ strcat(headers_str, ": ");
 strcat(headers_str, cur_ptr->value);
 strcat(headers_str, "\r\n");
 }
@@ -568,6 +568,9 @@ int start_http_form(int s, char *ip, int port, unsigned char options, char *misc
 }
 }
+ if (debug)
+ hydra_report_debug(stdout, "HTTP request sent:\n%s\n", http_request);
+
 found = analyze_server_response(s);
 if (auth_flag) { // we received a 401 error - user using wrong module
@@ -917,7 +920,11 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
 success_cond = 0;
 }
- while ( /*(optional1 = strtok(NULL, ":")) != NULL */ *optional1 != 0) {
+ /*
+ * Parse the user-supplied options.
+ * Beware of the backslashes (\)!
+ */
+ while (*optional1 != 0) {
 switch (optional1[0]) {
 case 'c': // fall through
 case 'C':
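Review bot: The `+ 4` in the ttl_size accumulation is a magic number whose meaning is only recoverable from the strcat calls in the next hunk (`": "` plus `"\r\n"`), so the size computation and the concatenation loop are silently coupled: changing the separator in one place without the other would again under- or over-size the buffer. A comment on the changed line would make that explicit, e.g. `ttl_size += strlen(cur_ptr->header) + strlen(cur_ptr->value) + 4; /* ": " + "\r\n" */`. stringify_headers begins and ends outside this hunk.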
@@ -931,11 +938,15 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
 break;
 case 'h': // add a new header at the end
- ptr = optional1 + 2;
- while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
- ptr++;
- if (*ptr != 0)
- *ptr++ = 0;
+ ptr = optional1 + 2;
+ while (*ptr != 0 && *ptr != ':')
+ ptr++;
+ if (*(ptr - 1) == '\\')
+ *(ptr - 1) = 0;
+ if (*ptr != 0){
+ *ptr = 0;
+ ptr += 2;
+ }
 ptr2 = ptr;
 while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\'))
 ptr2++;
@@ -956,11 +967,15 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
 return NULL;
 case 'H': // add a new header, or replace an existing one's value
- ptr = optional1 + 2;
- while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
- ptr++;
- if (*ptr != 0)
- *ptr++ = 0;
+ ptr = optional1 + 2;
+ while (*ptr != 0 && *ptr != ':')
+ ptr++;
+ if (*(ptr - 1) == '\\')
+ *(ptr - 1) = 0;
+ if (*ptr != 0){
+ *ptr = 0;
+ ptr += 2;
+ }
 ptr2 = ptr;
 while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\'))
 ptr2++;
From 145f7de8d5ef31833d9bdf82327056d6b16c3469 Mon Sep 17 00:00:00 2001
From: strunk
Date: Tue, 21 Oct 2014 23:16:36 +0200
Subject: [PATCH 4/5] Deleted TODO list for Strunk
---
 TODO.STRUNK | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 TODO.STRUNK
diff --git a/TODO.STRUNK b/TODO.STRUNK
deleted file mode 100644
index f7fb6e4..0000000
--- a/TODO.STRUNK
+++ /dev/null
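Review bot: In the `case 'h'` branch, `ptr += 2` after `*ptr = 0` skips the colon and one further byte unconditionally, so it relies on the user having typed a space after the colon: with `h=Name:value` the value loses its first character, and when the colon is the last byte of the option string the pointer steps past the terminating NUL and the following `ptr2` scan reads beyond the buffer. A bounded form that still accepts the documented `Name\: value` spelling is `ptr++; if (*ptr == ' ') ptr++;`. The `case 'H'` hunk below repeats the same lines and needs the same change. Both branches sit inside `initialize`, which begins and ends outside these hunks.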
@@ -1,18 +0,0 @@
-Fix issues with escape characters
-=================================
-Cmd line:
- -l aaa -p aaa -t 2 -w 30 -d 'http-form-get://81.169.244.210:80/test.php:user=^USER^&pass=^PASS^&mid=123:incorrect:h=XXX\: YYY:H=User-Agent\: Foobar'
-Result:
- GET /test.php HTTP/1.0
- XXX\: YYY:H=User-Agent: Foobar
- Host:81.169.244.210
- User-Agent:Mozilla/5.0 (Hydra)
-
-Cmd line:
- -l aaa -p aaa -t 2 -w 30 -d 'http-form-get://81.169.244.210:80/test.php:user=^USER^&pass=^PASS^&mid=123:incorrect:h=XXX: YYY:H=User-Agent\: Foobar'
-Result:
- GET /test.php HTTP/1.0
- XXX: YYY
- User-Agent\: Foobar:
- Host:81.169.244.210
- User-Agent:Mozilla/5.0 (Hydra)
\ No newline at end of file
From c300b323a2d03a4527317964d0ca6140d792b2d8 Mon Sep 17 00:00:00 2001
From: strunk
Date: Thu, 23 Oct 2014 01:04:44 +0200
Subject: [PATCH 5/5] Updated usage description of modules http-form-get and http-form-post.
---
 hydra.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hydra.c b/hydra.c
index 29c3ba6..35f82b4 100644
--- a/hydra.c
+++ b/hydra.c
@@ -563,17 +563,21 @@ void module_usage() {
 " failed string looks like and put it in this parameter!\n"
 "The following parameters are optional:\n"
 " C=/page/uri to define a different page to gather initial cookies from\n"
- " (h|H)=My-Hdr: foo to send a user defined HTTP header with each request\n"
+ " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n"
 " ^USER^ and ^PASS^ can also be put into these headers!\n"
 " Note: 'h' will add the user-defined header at the end\n"
 " regardless it's already being sent by Hydra or not.\n"
 " 'H' will replace the value of that header if it exists, by the\n"
 " one supplied by the user, or add the header at the end\n"
+ "Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).\n"
+ " All colons that are not option separators should be escaped (see the examples above and below).\n"
+ " You can specify a header without escaping the colons, but that way you will not be able to put colons\n"
+ " in the header value itself, as they will be interpreted by hydra as option separators.\n"
 "\nExamples:\n"
 " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
 " \"/login.php:user=^USER^&pass=^PASS^&colon=colon\\:escape:S=authlog=.*success\"\n"
 " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
- " \"/:user=^USER&pass=^PASS^:failed:H=Authorization: Basic dT1w:H=Cookie: sessid=aaaa:h=X-User: ^USER^\"\n"
+ " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^\"\n"
 " \"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F%%2Fexchange&flags=0&username=%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n",
 hydra_options.service);
 find = 1;
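Review bot: The first added usage line ends with `a backslash (\).\n"`, and `\)` is not a valid C escape sequence: the compiler warns about it and typically emits a bare `)`, so the printed help reads `a backslash ()` and drops the very character the sentence is explaining. It should be written `(\\)`, matching the `\\:` spelling already used in the `(h|H)=My-Hdr\\: foo` line of the same hunk. module_usage begins outside this hunk.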