Closed davehouser1 closed 3 years ago
You need to quote &
and learn a bit more on how to use bash :)
In the meantime try this:
patator http_fuzz url='http://192.168.131.145/openemr/interface/main/main_screen.php?auth=login&site=default' method=POST body='new_login_session_management=1&authProvider=Default&authUser=admin&clearPass=FILE0&languageChoice=1' 0=/usr/share/wordlists/rockyou.txt follow=1 accept_cookie=1 -x=ignore:code=200
Good luck
Problem: patator http_fuzz keeps showing "-bash: 0=/usr/share/wordlists/rockyou.txt: No such file or directory", and I dont understand why.
Expected behavior: patator will use the rockyou.txt word list, brute force just the password while using "admin" for the username each round, and ignore status code 200 from the system each time.
Command:
Output:
No matter what I try I see two things 1)
bash: 0=/usr/share/wordlists/rockyou.txt: No such file or directory
Not sure if this is related but cant tell if patator is actually using my wordlists. Confirmed that word list exists. 2) Cant tell but it seems patator is not ignoring status code 200Burp suite: You can see that when a login is performed many GET requests are sent after the POST. Not sure if I need to craft this http_fuzz a specific way
POST with response:
Actual page that shows status:
So the site appears to redirect to a GET request with status code 200 for each request that fails.
What am I doing wrong here?