Brute forcing badly made login forms
Thread Contributor: scriptss
#1
Most PHP login forms pass your login credentials to the login form itself as a POST request when you click the login button. Whether you can brute force it depends on how much effort the developer has put into the form. This is quite good for small gaming websites and things like that.

Things you will need -
  • Google Chrome
  • https://www.hurl.it (open in a web browser)
  • some common sense
  • some form of programming knowledge to create a brute force tool (Ruby, Python, Java, .NET, C#, C++, etc.)
  • a valid working account on the site with the login form you want to brute force

So firstly, go to your login form in Chrome. I will be using http://www.soulplayps.com/ucp/ as an example; it's a popular RuneScape private server and the in-game currency is worth a fair amount.

[Image: 8f504e0405198ed4e24f1fe08b0718c8.png]

As you can see, it is a fairly simple login form without a captcha/reCAPTCHA.


Now you want to open up Chrome's developer tools by clicking on the three bars in the top right-hand corner of the browser and then going to "More tools" and then "Developer tools".


Once you are on the login form and you have the developer tools open, click on the "Network" tab.

[Image: 827a3fd4288209db45c573bf3780e673.png]


The Network tab is useful for viewing the POST requests the form makes. Log in through the login form and you will see all of the POST requests come up in the Network tab.

[Image: 82cce74f8a2191a3e0304070098c50af.png]


As you can see, over 40 requests were made. The one you're looking for is usually the top one on the list; click on the top result and it should look something like this -

[Image: fdc9f8dc56d3f2d167cd3f8959423526.png]


As you can see, it says "Request Method: POST", which means this is the right result.

You should also see it says "Request URL: https://www.soulplayps.com/ucp/".

This is the address you will be sending the POST request to.




Scroll down within the network result tab and you should see the fields the POST request requires, like so -

[Image: 5a55c765d6dcb4a489a927b61c7bd621.png]

As you can see, it says -
username: lol
password: lol
user_login:

These are the 3 parameters the form requires to verify if a user exists.


Now open up http://hurl.it and fill out the information with your request URL and parameters, like so -

[Image: 3d4b1a159a51d5a7dcec2b654b0b1211.png]

As you can see, I've set the request type to "POST", the destination to the POST URL I got before, and the 3 parameters as well.


Now send the request by clicking "Launch Request" and you should get something similar to this -

[Image: 51f9178f5794660618a9a4c2d204be5a.png]

As you can see, it says "302 Moved Temporarily", which is the response code.


Go back to your login form, click on the POST request you made, and you should see something that says "Status Code", like so -

[Image: 64f5ce9b287278a20af5355514706748.png]

As you can see, it says "302", which is the same as the hurl.it response I got. This means the login page is vulnerable to attacks from outside of its own website.


All you have to do now is write a simple app that loads a password list and tries each username/password by sending POST requests to the URL until it gets a 302 response.



I will maybe create a video of doing this if it gets enough interest, as it's hard to demonstrate in writing and pictures.



~ Scriptss
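From the defender's side, the request pattern this post describes (a burst of POSTs to the login URL from one client, failures answered with the form and the hit with a 302, no Referer from the site's own page) is easy to spot in an access log. The following is an added example, not code from the thread or its author; it assumes Apache combined log format, a placeholder site origin, and constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SITE_ORIGIN = "https://login.example/"  # assumed placeholder for the site's own origin
LOGIN_PATH = "/ucp/"                    # the login URL path shown in the thread

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed Apache combined-format lines, not real traffic. One client fires guesses
# at the login URL: each failure gets the re-rendered form (200), the hit gets the 302
# redirect, and the Referer is empty because nothing came from the site's own page.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2016:03:01:01 +0000] "POST /ucp/ HTTP/1.1" 200 1532 "-" "python-requests/2.10"
203.0.113.5 - - [12/Jul/2016:03:01:02 +0000] "POST /ucp/ HTTP/1.1" 200 1532 "-" "python-requests/2.10"
203.0.113.5 - - [12/Jul/2016:03:01:02 +0000] "POST /ucp/ HTTP/1.1" 200 1532 "-" "python-requests/2.10"
203.0.113.5 - - [12/Jul/2016:03:01:03 +0000] "POST /ucp/ HTTP/1.1" 200 1532 "-" "python-requests/2.10"
203.0.113.5 - - [12/Jul/2016:03:01:04 +0000] "POST /ucp/ HTTP/1.1" 200 1532 "-" "python-requests/2.10"
203.0.113.5 - - [12/Jul/2016:03:01:05 +0000] "POST /ucp/ HTTP/1.1" 302 0 "-" "python-requests/2.10"
198.51.100.7 - - [12/Jul/2016:03:02:30 +0000] "POST /ucp/ HTTP/1.1" 200 1532 "https://login.example/ucp/" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2016:03:02:45 +0000] "POST /ucp/ HTTP/1.1" 302 0 "https://login.example/ucp/" "Mozilla/5.0"
"""

def find_login_bruteforce(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: stats} for clients with >= threshold failed login POSTs inside one window."""
    events = defaultdict(list)  # ip -> [(timestamp, status, referer)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"]), m["referer"]))
    flagged = {}
    for ip, rows in events.items():
        rows.sort()
        # Anything other than the 302 success redirect counts as a failed guess.
        fails = [ts for ts, status, _ in rows if status != 302]
        # Largest number of failures that fall inside one sliding window.
        peak = max((sum(1 for t in fails[i:] if t - start <= window)
                    for i, start in enumerate(fails)), default=0)
        if peak >= threshold:
            # Missing or off-site Referer is the cross-site signal the thread relies on.
            off_site = sum(1 for _, _, ref in rows if not ref.startswith(SITE_ORIGIN))
            flagged[ip] = {"failed_in_window": peak, "off_site_posts": off_site,
                           "succeeded": any(status == 302 for _, status, _ in rows)}
    return flagged
```

A flagged client whose stats show `succeeded: True` is the case worth acting on first, since the guessing run ended in a valid login rather than just noise.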
#2
I'm the type that enjoys following along with text/images more so than with a video. These tutorials take more work to build, but they're much more straightforward in my opinion. Nice tutorial - additional props for providing a solid use case.
#3
(07-12-2016, 03:03 AM)Albus Wrote: I'm the type that enjoys following along with text/images more so than with a video. These tutorials take more work to build, but they're much more straightforward in my opinion. Nice tutorial - additional props for providing a solid use case.

thanks ^_^
#4
I can't get it to work, but I'm such a noob at those things. Anyways, nice post and a really HQ post. Keep it up!
#5
(07-15-2016, 08:13 PM)Coddr Wrote: I can't get it to work, but I'm such a noob at those things. Anyways, nice post and a really HQ post. Keep it up!

If you need any help or want me to go through it with you, just drop me your Skype and I'll show you over TeamViewer or something :)
#6
I can agree with Albus on that, but I like your tutorial a lot and will keep this saved - nice post and thanks for sharing!
#7
(07-17-2016, 06:45 PM)Coddr Wrote: ...
(07-17-2016, 06:41 PM)Soap Wrote: ...


Alright, time to stop, guys. This is turning ugly.

No flaming, no doxing, no abuse, and no carrying out any activities based on (but not limited to) racism and/or personal abuse which may harm one's respect and moral values.
Trying to threaten a user is an offense, and we take users' privacy very seriously.


@Coddr, please understand that @Soap did not reveal any more information than what you seemingly have made public for our users by virtue of your website. There is personal information present on there, such as your name, age, country of residence and other details. I personally would agree with you and consider it leaking if the material was not originally on Ubers, and @Soap purposely shared information about you from external resources. However, that's not the case.

@All - Guys, including myself: if we do not want people to know certain things, I'd advise us not to share them in the first place. We need to remember that we're not dealing with bakers and chefs here; there are a lot of technical people who might low-key have malicious intentions, or just be nosy. I'm not accusing anybody of anything, but it's worthwhile to keep that in mind when giving away personal details on platforms like these.


If you need to further discuss this, I advise you to use the PM system. Don't show each others' toxicity in public like this.
#8
This thread got off topic - don't let it happen again.