From 1dce42a0ccab0fa8946741e71be8bdf7fb16e9f4 Mon Sep 17 00:00:00 2001 From: andraxin Date: Fri, 29 Sep 2023 00:06:49 +0200 Subject: [PATCH] Update hydra-http-form.c Fix handling web forms that may return 401. --- hydra-http-form.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index a8e59221..b6f888eb 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -66,6 +66,7 @@ int32_t success_cond = 0; int32_t getcookie = 1; int32_t auth_flag = 0; int32_t code_302_is_success = 0; +int32_t code_401_is_failure = 0; char cookie[4096] = "", cmiscptr[1024]; @@ -437,6 +438,14 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { sprintf(cookieurl, "%.1000s", hydra_strrep(miscptr + 2, "\\:", ":")); miscptr = ptr; break; + case '1': + code_401_is_failure = 1; + char *tmp = strchr(miscptr, ':'); + if (tmp) + miscptr = tmp + 1; + else + miscptr += strlen(miscptr); + break; case '2': code_302_is_success = 1; char *tmp = strchr(miscptr, ':'); @@ -971,12 +980,17 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options found = success_cond; } - if (auth_flag) { // we received a 401 error - user is using wrong module - hydra_report(stderr, - "[ERROR] the target is using HTTP auth, not a web form, received HTTP " - "error code 401. Use module \"http%s-get\" instead.\n", - (options & OPTION_SSL) > 0 ? "s" : ""); - return 2; + if (auth_flag) { // we received a 401 error - user may be using wrong module + if (code_401_is_failure) { // apparently they don't think so -- treat 401 as failure + hydra_completed_pair(); + return 1; + } else { + hydra_report(stderr, + "[ERROR] received HTTP error code 401. The target may be using HTTP auth, " + "not a web form. Use module \"http%s-get\" instead, or set \"1=\".\n", + (options & OPTION_SSL) > 0 ? "s" : ""); + return 2; + } } if (strlen(cookie) > 0)