[M] Forms

Common description

Module using for forms bruteforce. In «raw» mode requests sends by POST method. In «selenium» mode bruteforce doing according to target site logic. Passwords getting from dictionary.

Attack configuration

Config for bruteforce in «raw» mode is POST params with markers «^USER^» and «^PASS^» on relevant places. Result string put in «--conf-str» param. Examples:

  • login=^USER^&password=^PASS^

  • {"login":"^USER^","pwd":"^PASS^"}

After marker string must contains tab-symbol (\t). And after that, put there CSS selector of element. Example:

^USER^ #user
^PASS^ #pass
^SUBMIT^ #submit

With this configuration WS put login in text field id=user, password go to text field id=pass. After that WS will click by element id=submit.

Examples

Simple POST form bruteforce:

./ws.py Forms --url http://simple.polygon.web-scout.online/admin.php --dict bases/demo/dict.txt --conf-str "login=^USER^&password=^PASS^" --false-re "User: " --login admin

Bruteforce form in selenium mode:

./ws.py Forms --url http://selenium.polygon.web-scout.online/admin.php --dict bases/demo/dict.txt --conf-file bases/demo/form-brute.conf --false-re "User: " --login admin --selenium 1 --browser-wait-re "checking"

Options (* - necessary)

Params «-conf-file», «--conf-str» - you must specify one of them. Params «--true-phrase», «--false-phrase», «--false-size» too.

R - available in raw mode S - available in Selenium mode.

Name

By default

R

S

Description

--url *

Yes

Yes

Target URL

--dict *

Yes

Yes

Path to dict

--login *

Yes

Yes

Login

--conf-str *

Yes

No

Raw mode only. Bruteforce config string.

--conf-file *

No

Yes

Bruteforce config file for selenium mode

--true-re *

Yes

Yes

RegEx (python.re), if matching — we got positive answer.

--false-re *

Yes

Yes

RegEx (python.re), if matching — we got negative answer.

--false-size *

Yes

Yes

Response size of negative answer. Remember, this size can be different in different tools. Use test mode for get right size.

--pass-max-len

Yes

Yes

Passwords with length more than this will be skipped.

--pass-min-len

Yes

Yes

Passwords with length less than this will be skipped.

--first-stop

0

Yes

Yes

Stop work after first positive result.

--follow-redirects

1

Yes

No

Raw-mode only. Follow to redirects which server returns. In selenium-mode this is always enabled.

--reload-form-page

0

No

Yes

Selenium-mode Only. This param need for re-open target link after every form send. It may be useful if server not return you to auth form after false try.

--proxies

Yes

Yes

HTTP-proxy list.

--retest-re

Yes

Yes

RegEx (python.re) for check if request repeat is need. For example «Service Temporarily Unavailable».

--retest-codes

Yes

No

Set of status codes (separated by comma) as signature for request re-send.

--headers-file

Yes

No

File with HTTP headers for put it in work requests.

--msymbol

@

Yes

Yes

Mark symbol for search template (--template)

--delay

0

Yes

Yes

Delay in seconds between requests. It`s options not for all threads together, it's for every thread separately.

--threads

10

Yes

Yes

Work threads count.

--parts

0

Yes

Yes

Split on X parts target dict or mask.

--part

0

Yes

Yes

Which part number we using in work?

--test

0

Yes

Yes

Test mode enable

--xml-report

0

Yes

Yes

Path to save xml-report

--selenium

0

No

Yes

Selenium-mode enable

--browser-recreate-re

No

Yes

RegEx (python.re) for detect browser recreation need. If you using proxies, browser select new one.

--browser-wait-re

No

Yes

RegEx (python.re). If match, browser stop working and will wait for match disappear. You may use it for solve captcha by hands or wait for anti-ddos check («wait 5 secs, we check your browser»).