1

I am trying to penetrate a password on my own website using hydra. Let's say that I know login and password and i just put both there like in sample below:

hydra -l admin -p password 123.123.123.123 http-form-post "/index.php:userinput=^USER^&passwordinput=^PASS^:password is wrong"

After attack like this, hydra says that all the passwords are correct even if i put a wrong one... I think the last part might be wrong but my website says "password is wrong" when i fail to login. So what is the problem then?

EDIT: In addition, when i change 

:password is wrong

into

:S=password is correct

It this time gives me always falses. No matter if I give a correct one or not. How do i understand that?

EDIT NEW: I have logged in on website and added the cookie to the code:

:H=Cookie: ASP.NET_SessionId=cookievalue
Terrorizer
  • 31
  • 3
  • @schroeder I actually have read this topic 20 times and It do not help me so I guess thats not a duplicate. – Terrorizer Jan 20 '15 at 21:03
  • It all boils down to the server response. You will have to look at the actual syntax of the response, including case. – schroeder Jan 20 '15 at 21:57
  • @schroeder I am working on it for a week now. I feel so hopeless... How do i check the exact response? Hydra just says I have found a valid password – Terrorizer Jan 20 '15 at 22:02

0 Answers0