Closed moreirapenna2 closed 2 weeks ago
Awesome plugin man, thanks for the addition! One small request to update the readme with the new plugin (and adding yourself to the credits if desired)
Thank you for the feedback! I updated the readme and it should be all good now :)
@moreirapenna2 Thanks for the contribution! Any chance you'd be willing to write up a quick blurb on usage for the wiki since this is a more custom module? Doesn't need to be super lengthy, but would definitely be helpful. If you just wrote it up in markdown and dropped it in this PR I can upload it to the wiki
Will merge this anyways, we should be able to keep chatting once it's closed
Sorry for the delay! Here's the wiki page with notes on the module parameters, feel free to edit as needed!
This module allows for generic HTTP POST request brute-forcing. This module has not been tested to the fullest; if there are bugs, please submit an issue/PR.
This module allows for the following command line options:
... --plugin httppost --url https://example.com/login
Sets the target URL.
--content-type
... --plugin httppost --url https://example.com/login --content-type json
Can be set to either `form` or `json`.
`form` will set the content-type header to `application/x-www-form-urlencoded`, and body to `username={USER}&password={PASS}` as default.
`json` will set the content-type header to `application/json` and body to `{"username":"{USER}","password":"{PASS}"}` as default.
The content-type header can be changed as needed via the custom header options.
... --plugin httppost --url https://example.com/login --content-type json --body '{"login":"{USER}","pass":"{PASS}"}'
Uses a custom body on the POST requests. MUST contain `{USER}` and `{PASS}`, which will be replaced during runtime.
Throttle settings may depend on a per-application basis. Use at your own discretion.
credmaster.py <usual arguments> --plugin httppost --url https://example.com/endpoint/to/test --content-type json --body '{"login":"{USER}","pass":"{PASS}"}'
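The body templating described in the wiki notes above, as an added example that is not the plugin's own code: it checks that a body contains both placeholders and encodes each value for the chosen content type, so a value containing `&`, `=` or `"` cannot produce a malformed request. The name `render_body` is hypothetical, and the page does not say whether the plugin itself escapes substituted values.

```python
import json
import re
from urllib.parse import quote_plus

# Defaults and headers as given in the wiki text above.
DEFAULT_BODIES = {
    "form": "username={USER}&password={PASS}",
    "json": '{"username":"{USER}","password":"{PASS}"}',
}
CONTENT_TYPES = {
    "form": "application/x-www-form-urlencoded",
    "json": "application/json",
}
PLACEHOLDER = re.compile(r"\{USER\}|\{PASS\}")


def render_body(content_type, username, password, body=None):
    """Hypothetical helper: return (content-type header, rendered body)."""
    if content_type not in DEFAULT_BODIES:
        raise ValueError("content type must be 'form' or 'json'")
    template = DEFAULT_BODIES[content_type] if body is None else body
    missing = [p for p in ("{USER}", "{PASS}") if p not in template]
    if missing:
        raise ValueError("body is missing " + " and ".join(missing))

    if content_type == "json":
        # json.dumps returns a quoted string; drop the outer quotes because
        # the template already puts quotes around each placeholder.
        def encode(value):
            return json.dumps(value)[1:-1]
    else:
        encode = quote_plus

    values = {"{USER}": encode(username), "{PASS}": encode(password)}
    # Substitute in a single pass so a value that itself contains the text
    # "{PASS}" or "{USER}" is never treated as a placeholder.
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(0)], template)
    return CONTENT_TYPES[content_type], rendered


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    print(render_body("form", "a@b.c", "p&ss=1"))
    print(render_body("json", "bob", 'pa"ss\\',
                      body='{"login":"{USER}","pass":"{PASS}"}'))
```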
Added HTTP POST plugin (httppost), where the user can combine custom body data and custom headers to spray most web forms and APIs.