brute forcing a simple CGI web form log in with expect...




Posts: 4

Joined: Thu Jan 27, 2011 7:02 pm

Post Thu Mar 31, 2011 3:38 pm

brute forcing a simple CGI web form log in with expect...

hey. im in a hacking class and i feel pretty pathetic right now.

i have a simple page made that has a user name and password field... I am trying to construct a script to brute force it until it gets the right password.

The only thing I am having trouble with getting started is how can I engage the web form with a script in order to input the values for the password? At first I thought about making a Perl script that puts in a password and cycles through the possibilities... but I would have to click 'Submit' each time...

I figure I could just throw the correct http POST headers to the recieving cgi script on the server but I'm not exactly sure how I could do that.

Is there way to Telnet to a webpage that has a form on it? Or could I do this with expect some how? I just need to figure out the easiest way to interface with the form input fields through a script.



Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Mar 31, 2011 9:01 pm

Re: brute forcing a simple CGI web form log in with expect...

Post example on the very bottom: http://docs.python.org/library/httplib.html

You can then parse the results and evaluate success based on responses (i.e. finding the string "incorrect" would indicated that the attempted failed, so when you get a response that doesn't contain it, you can assume it succeeded). The number of bytes received could also be reviewed because they may be significantly different between successful and failed login responses.
The day you stop learning is the day you start becoming obsolete.

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software