From df5ec9ea308f5f1099e81953e764e76d48bd937a Mon Sep 17 00:00:00 2001 From: petrock6 Date: Sat, 20 May 2017 02:58:47 -0500 Subject: [PATCH] Bugfix for issue 121 -- increased URL/POST/cookie data size to 6096 bytes from 1000 bytes. --- hydra-http-form.c | 25 +++++++++++++------------ hydra-mod.c | 9 +++++++-- hydra.c | 4 ++-- 3 files changed, 22 insertions(+), 16 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 116e463..c07a4aa 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -84,7 +84,7 @@ char cookie[4096] = "", cmiscptr[1024]; extern char *webtarget; extern char *slash; int webport, freemischttpform = 0; -char bufferurl[1024], cookieurl[1024] = "", userheader[1024] = "", *url, *variables, *optional1; +char bufferurl[6096+24], cookieurl[6096+24] = "", userheader[6096+24] = "", *url, *variables, *optional1; #define MAX_REDIRECT 8 #define MAX_CONTENT_LENGTH 20 @@ -678,8 +678,8 @@ int start_http_form(int s, char *ip, int port, unsigned char options, char *misc snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int) strlen(upd3variables)); if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); cookie_header = stringify_cookies(ptr_cookie); @@ -1056,7 +1056,7 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { else webport = PORT_HTTP_SSL; - sprintf(bufferurl, "%.1000s", miscptr); + sprintf(bufferurl, "%.6096s", miscptr); url = bufferurl; ptr = url; while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) 
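Review bot: The new limit is spelled as bare literals in four places — `6096+24` for the three arrays in this hunk, `%.6096s` in the sprintf at the @@ -1056 hunk below, `6096` for the arrays and the length check in the hydra-mod.c hunk, and `6096+24`/`%.6096s` again in the two hydra.c hunks — so the buffer sizes and the precision that bounds the copy can drift apart on the next edit without any compiler help. A single named constant in a shared header, e.g. `#define MAX_URL_LEN 6096` (constructed name) with `char bufferurl[MAX_URL_LEN + 24]` and `snprintf(bufferurl, sizeof bufferurl, "%.*s", MAX_URL_LEN, miscptr)`, keeps them tied together and makes the truncation explicit. As written the copy does fit: `%.6096s` writes at most 6096 bytes plus the terminator into a 6120-byte array. Note that `cookie[4096]` and `cmiscptr[1024]` in the hunk header keep their old sizes; whether the enlarged cookieurl/userheader are ever copied into them is outside this hunk.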
@@ -1162,14 +1162,15 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { case 'H': // add a new header, or replace an existing one's value ptr = optional1 + 2; - while (*ptr != 0 && *ptr != ':') - ptr++; - if (*(ptr - 1) == '\\') - *(ptr - 1) = 0; - if (*ptr != 0){ - *ptr = 0; - ptr += 2; - } + while (*ptr != 0 && *ptr != ':') ptr++; + + if (*(ptr - 1) == '\\') + *(ptr - 1) = 0; + + if (*ptr != 0) { + *ptr = 0; + ptr += 2; + } ptr2 = ptr; while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) ptr2++; diff --git a/hydra-mod.c b/hydra-mod.c index 00dc99a..83a65be 100644 --- a/hydra-mod.c +++ b/hydra-mod.c @@ -1040,8 +1040,13 @@ int make_to_lower(char *buf) { char *hydra_strrep(char *string, char *oldpiece, char *newpiece) { int str_index, newstr_index, oldpiece_index, end, new_len, old_len, cpy_len; - char *c, oldstring[1024], newstring[1024]; - static char finalstring[1024]; + char *c, oldstring[6096], newstring[6096]; //updated due to issue 192 on github. + static char finalstring[6096]; + + if(strlen(string) > 6096) { + hydra_report(stderr, "[ERROR] Supplied URL or POST data too large. Max limit is 6096 characters.\n"); + exit(-1); + } if (string == NULL || oldpiece == NULL || newpiece == NULL || strlen(string) >= sizeof(oldstring) - 1 || (strlen(string) + strlen(newpiece) - strlen(oldpiece) >= sizeof(newstring) - 1 && strlen(string) > strlen(oldpiece))) diff --git a/hydra.c b/hydra.c index e394fbd..520ef59 100644 --- a/hydra.c +++ b/hydra.c 
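Review bot: The rewritten `ptr += 2` after `*ptr = 0` still assumes a space follows the colon, so an option such as `H=Name:` with nothing after it leaves ptr two bytes past the terminator and the following `ptr2` scan starts beyond the end of the string. Advancing conditionally avoids that: `ptr++; if (*ptr == ' ') ptr++;`. As a point of style, the one-line `while (*ptr != 0 && *ptr != ':') ptr++;` departs from the neighbouring loop in this hunk, which keeps `ptr2++;` on its own line, and from the form the removed lines had. initialize() begins and ends outside this hunk.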
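Review bot: The added `if(strlen(string) > 6096)` runs before the existing `string == NULL` test on the very next line, so a NULL argument, which that test shows the function is meant to tolerate, now faults inside strlen instead of being rejected. The new check is also redundant with the existing `strlen(string) >= sizeof(oldstring) - 1` clause (which is the stricter of the two) and it terminates the whole process with `exit(-1)` from a string helper, a different failure mode from whatever the existing `if` does — its body continues outside the hunk, so I cannot see the return path. If a hard error is wanted, order and size it from the buffer itself: `if (string != NULL && strlen(string) >= sizeof oldstring) {` and drop the `6096` from the message in favour of a named constant. The `//updated due to issue 192` comment disagrees with the commit subject's "issue 121"; one of the two should be corrected.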
@@ -3249,7 +3249,7 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "http-get-form") == 0 || strcmp(hydra_options.service, "http-post-form") == 0 || strcmp(hydra_options.service, "https-get-form") == 0 || strcmp(hydra_options.service, "https-post-form") == 0) { - char bufferurl[1024], *url, *variables, *cond, *optional1; + char bufferurl[6096+24], *url, *variables, *cond, *optional1; //6096 comes from issue 192 on github. Extra 24 bytes for null padding. if (strncmp(hydra_options.service, "http-", 5) == 0) { i = 1; @@ -3284,7 +3284,7 @@ int main(int argc, char *argv[]) { if (strstr(hydra_options.miscptr, "\\:") != NULL) { fprintf(stderr, "[INFORMATION] escape sequence \\: detected in module option, no parameter verification is performed.\n"); } else { - sprintf(bufferurl, "%.1000s", hydra_options.miscptr); + sprintf(bufferurl, "%.6096s", hydra_options.miscptr); url = strtok(bufferurl, ":"); variables = strtok(NULL, ":"); cond = strtok(NULL, ":");
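Review bot: The new comment `//6096 comes from issue 192 on github. Extra 24 bytes for null padding.` cites a different issue number from the commit subject ("issue 121"), and "24 bytes for null padding" does not explain itself: the `%.6096s` in the @@ -3284 hunk writes at most 6096 bytes plus one terminator, so either the comment should state what the other 23 bytes are for or the size should be `6096 + 1`. I would rewrite it as `/* MAX_URL_LEN (6096, see issue <N>) plus room for the terminator */` with the real issue number filled in. main() begins and ends outside this hunk.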