Real 8
Real 8
For this one, im assuming: 1.You have access to a server in which you can run php scripts with cURL installed. 2.You have some knowledge on php. 3.You want to learn, not just steal other peoples work.
Ok, so there is 3 main steps to this bruteforcer: -take password -test it -echo answer
We need a dictionary on passwords, you can get them here: http://www.outpost9.com/files/WordLists.html
get a wordlist, name it dic1.txt and upload it to your server, in the same dir as your php script will be.
( 1 ) To select each word we need to use a loop. We will use !feof(). This mean 'Not end of file'. Before this we must open to the file and assign this to a variable:
$fh = fopen("dic1.txt", "r");
The "r" parameter means its read-only.So, after weve opened this, we need to start the loop:
$fh = fopen($dic, "r"); while(!feof($fh)) { $pass = fgets($fh,1024);
[CODE HERE]
}
The fgets function justs gets the line of the file.
( 2 )Now we need to test the passwords on the url: http://www.hellboundhackers.org/challenges/real8/admin.php
To do this we use the functions included in cURL. If this isnt installed on your box, just ask your server admin nicely :)
I dont want to give this challenge away so im going to leave this bit to you, although i will give you this bit of help:
$curlPost="uname=admin&pword=$pass&Submitted=True";
( 3 ) We must find some words that distinguish a bad login from a successful one, in this case its "Incorrect Username/Password", but "Incorrect" will be enough.
To search the contents of our received page will use the eregi() function where $data is the contents of the retrieved page.
$result = eregi("Incorrect", $data); if ( $result == 0 ) { echo "$pass3 is the password!"; break; }
the break statement cancels the while loop, because we dont want to keep searching even after we've found the pass.
Ok, so i hope i havent given too much away. This can be adapted to brute force many web-based login systems. Of course, there are other ways to do this, but this is just the way i did it.
I hope this helped,
Thanks, Will.
ghost 19 years ago
mistake: echo "$pass3 is the password!"; should read: echo "$pass is the password!";
ghost 19 years ago
thats why i didnt give them the cURL stuff, i gave them the opportunity to learn these special functions.
ghost 18 years ago
At first I did the buffer overflow not knowing this was possible, then I got curl working and did it this way. Great article. :)
Death_metal666 13 years ago
at first i had completed it by using buffer overflow attack. After reading this article i try this way too 100% working. nice article man