knavesec
commented
2 weeks ago Awesome plugin man, thanks for the addition! One small request to update the readme with the new plugin (and adding yourself to the credits if desired)
Closed moreirapenna2 closed 2 weeks ago
knavesec
commented
2 weeks ago Awesome plugin man, thanks for the addition! One small request to update the readme with the new plugin (and adding yourself to the credits if desired)
moreirapenna2
commented
2 weeks ago Thank you for the feedback! I updated the readme and it should be all good now :)
knavesec
commented
2 weeks ago @moreirapenna2 Thanks for the contribution! Any chance you'd be willing to write up a quick blurb on usage for the wiki since this is a more custom module? Doesn't need to be super lengthy, but would definitely be helpful. If you just wrote it up in markdown and dropped it in this PR I can upload it to the wiki
Will merge this anyways, we should be able to keep chatting once it's closed
moreirapenna2
commented
1 week ago @moreirapenna2 Thanks for the contribution! Any chance you'd be willing to write up a quick blurb on usage for the wiki since this is a more custom module? Doesn't need to be super lengthy, but would definitely be helpful. If you just wrote it up in markdown and dropped it in this PR I can upload it to the wiki
Will merge this anyways, we should be able to keep chatting once it's closed
Sorry for the delay! Here's the wiki page with notes on the module parameters, feel free to edit as needed!
This module allows for generic HTTP POST request brute-forcing. This module has not been tested to the fullest, if there are bugs please submit an issue/PR.
This module allows for the following command line options:
... --plugin httppost --url https://example.com/loginSets the target URL.
--content-type
... --plugin httppost --url https://example.com/login --content-type jsonCan be set to either form or json.
form will set the content-type header to application/x-www-form-urlencoded, and body to username={USER}&password={PASS} as default.
json will set the content-type header to application/json and body to {"username":"{USER}","password":"{PASS}"} as default.
The content-type header can be changed as needed via the custom header options.
... --plugin httppost --url https://example.com/login --content-type json --body '{"login":"{USER}","pass":"{PASS}"}'Uses a custom body on the POST requests. MUST contain {USER} and {PASS}, which will be replaced during runtime.
Throttle settings may depend on a per-application basis. Use at your own discretion.
credmaster.py <usual arguments> --plugin httppost --url https://example.com/endpoint/to/test --content-type json --body '{"login":"{USER}","pass":"{PASS}"}'
Added HTTP POST plugin (httppost), where the user can combine custom body data and custom headers to spray most web forms and APIs.