8

I'm using Hydra and I have trouble with this command:

hydra 123.123.123.123 http-form-post \
    "/se/login:j_username^USER^&j_password=^PASS^&submit=Log+in:/se/invalidLogin" \
    -L /root/Desktop/users -P /root/Desktop/list`

There are three passwords in the list. One is correct, the others are not.

When the password is incorrect, the user is redirected to /se/invalidLogin.
How can I add this to the above, as the command right now is wrong?
It says every password is valid.

xorist
  • 870
  • 4
  • 15
k1308517
  • 1,272
  • 14
  • 27
  • Maybe the list you are using doesn't have the correct password to any accounts. – xorist Mar 11 '16 at 19:58
  • No. There are 3 passwords in the list, one of them is correct. Hydra seems to think every password is correct. I need to be shown how to continue when redirect is /se/invalidLogin... – k1308517 Mar 14 '16 at 09:16
  • See what happens if you take "&submit=Log+in" out of your command. Also, change "/se/invalidLogin" to something that's on the page text. i.e., "Bad login". – xorist Mar 14 '16 at 17:58

1 Answers1

2

Replace /se/invalidLogin with some page text that's encountered when the login is wrong.

e.g. "Incorrect password"

Hydra will check the text on the redirect target.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
  • I did that but sadly it didn't work :-( Also found a bug myself: j_username^USER^ is missing = , so should be j_username=^USER^ – k1308517 Mar 16 '16 at 10:33