When the remote server issues a cookie via "Set-Cookie", hydra replays all the output that follows the "Set-Cookie" header, instead of stopping at "\r\n". I can confirm this bug in hydra v8.1-dev and hydra v7.4.2. I've followed these steps to reproduce it:
Wireshark traces (Right click --> Follow TCP Stream)
First GET request, which is supposed to retrieve the cookies:
```
GET /test.php HTTP/1.0
Host: 81.169.244.210
User-Agent: Mozilla/5.0 (Hydra)
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 17:57:48 GMT
Server: BHS :D
Set-Cookie: mycookie=myvalue
Vary: Accept-Encoding
Content-Length: 32
Connection: close
Content-Type: text/html
User and password are undefined.
```
Subsequent POST requests (actual password cracking):
```
POST /test.php HTTP/1.0
Host: 81.169.244.210
User-Agent: Mozilla/5.0 (Hydra)
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: mycookie=myvalue
Vary: Accept-Encoding
Content-Length: 32
Connection: close
Content-Type: text/html
User and password are undefined.
user=ander&pass=ezekielHTTP/1.1 413 Request Entity Too Large
Date: Tue, 29 Jul 2014 17:57:48 GMT
Server: BHS :D
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/test.php<br />
does not allow request data with POST requests, or the amount of data provided in
the request exceeds the capacity limit.
</body></html>
User and password are undefined.
```
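The parsing behaviour the report expects, as an added example that is not hydra's own code: a C routine that copies only the `name=value` part of each `Set-Cookie` header, stops at the end of that header line, and never reads into the body. The function names and the `SAMPLE` response (constructed from the first trace above) are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample modelled on the first response in the trace above. */
static const char SAMPLE[] =
    "HTTP/1.1 200 OK\r\nSet-Cookie: mycookie=myvalue\r\n"
    "Vary: Accept-Encoding\r\nContent-Length: 32\r\n"
    "Connection: close\r\nContent-Type: text/html\r\n\r\n"
    "User and password are undefined.";

/* Case-insensitive prefix test; stops at the terminating NUL of s. */
static int has_prefix_ci(const char *s, const char *p) {
    while (*p && tolower((unsigned char)*s) == tolower((unsigned char)*p))
        s++, p++;
    return *p == '\0';
}

/* Join the name=value pair of every Set-Cookie header into out, separated by
 * "; ". Returns the number of cookies, or -1 if out is too small. */
int collect_cookies(const char *resp, char *out, size_t outlen) {
    size_t used = 0;
    int count = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *line = resp; *line; ) {
        size_t len = strcspn(line, "\r\n");   /* header line ends at CR/LF */
        if (len == 0) break;                  /* blank line: body follows */
        if (has_prefix_ci(line, "Set-Cookie:")) {
            const char *val = line + strlen("Set-Cookie:");
            while (*val == ' ' || *val == '\t') val++;
            size_t n = strcspn(val, ";\r\n"); /* drop attributes (Path, ...) */
            int w = snprintf(out + used, outlen - used, "%s%.*s",
                             count ? "; " : "", (int)n, val);
            if (w < 0 || (size_t)w >= outlen - used) return -1;
            used += (size_t)w;
            count++;
        }
        line += len;                          /* step over one CRLF, CR or LF */
        line += (line[0] == '\r' && line[1] == '\n') ? 2 : (*line != '\0');
    }
    return count;
}

int main(void) {
    char c[256];
    if (collect_cookies(SAMPLE, c, sizeof c) > 0) printf("Cookie: %s\r\n", c);
    return 0;
}
```

Bounding the copy with `strcspn` on the header line is what keeps `Vary`, `Content-Length` and the response body out of the `Cookie` header sent on later requests.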
I'm working on a new feature for Hydra and I discovered this bug by chance. This new feature should be finished by tomorrow, so I'll fix this bug along with it.
My test.php has the following code:
My users.txt file:
And my pass.txt file:
Hydra reports 8 valid passwords found, which is incorrect: