From 16e0f73b3319840d04dacb1460fb1906109d7ca6 Mon Sep 17 00:00:00 2001
From: Casual
Date: Sat, 13 Apr 2024 18:09:16 +0300
Subject: [PATCH] readme updatet

---
 README.md | 17 ++++++++++++-----
 main.go | 3 +--
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index fcfce32..e56e73d 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,14 @@
 # owncloud_bruteforcer
-Simple tool to bruteforce owncloud instance
+Simple tool to bruteforce owncloud instance accounts
 ## Description
-Tool make GET request to acquire CSRF token + cookies and make POST request with given username and password wordlist.
+Tool:
+ - make GET request to acquire CSRF token + cookies
+ - make POST request using given username and password wordlist.
+
+A word of caution - tool by default can DOS owncloud instance.
 ### Installation
@@ -34,9 +38,12 @@ INPUT:
 ## Notes (TODO)
- - Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password.
- - If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)`
+ - Expect to DOS service (100% CPU) (even if it have bruteforce protection enabled)
+ if you prefer not to, set `-t 5` or less (but it will slowdown attack)
+ - Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. (Detects by redirect location)
+ - Bruteforce protection isn't detected (after hitting limit, response to POST - 403 instead 303)
+ - If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)` and attack will stop without a way to continue
 - There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool
 ## License
-This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.
\ No newline at end of file
+This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.
diff --git a/main.go b/main.go
index cab01b6..238ae52 100644
--- a/main.go
+++ b/main.go
@@ -228,10 +228,9 @@ func (options Options) bruteforce(user string) {
 go func() {
 for ! foundPass {
 token,cookie := getCSRFtoken(options.URL)
- // if tryPassword(options.URL,options.Proxy,token,cookie,user,password) {
 password1,channelClosed := <-pass
 if ! channelClosed {foundPass = true}
- // fmt.Printf("try %s\n",password1)
+
 if tryPassword(options.URL,options.Proxy,token,cookie,user,password1) {
 fmt.Printf("[HIT] %s:%s\n",user,password1)
 foundPass = true