casual/owncloud_bruteforcer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

readme updatet

Browse Source
This commit is contained in:
Casual 2024-04-13 18:09:16 +03:00
parent 15aa148040
commit 16e0f73b33
2 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
README.md
View File

@ -1,10 +1,14 @@
# owncloud_bruteforcer # owncloud_bruteforcer
Simple tool to bruteforce owncloud instance Simple tool to bruteforce owncloud instance accounts
## Description ## Description
Tool make GET request to acquire CSRF token + cookies and make POST request with given username and password wordlist. Tool:
- make GET request to acquire CSRF token + cookies
- make POST request using given username and password wordlist.
A word of caution - tool by default can DOS owncloud instance.
### Installation ### Installation
@ -34,8 +38,11 @@ INPUT:
## Notes (TODO) ## Notes (TODO)
- Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. - Expect to DOS service (100% CPU) (even if it have bruteforce protection enabled)
- If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)` if you prefer not to, set `-t 5` or less (but it will slowdown attack)
- Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. (Detects by redirect location)
- Bruteforce protection isn't detected (after hitting limit, response to POST - 403 instead 303)
- If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)` and attack will stop without a way to continue
- There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool - There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool
## License ## License

3
main.go
View File

@ -228,10 +228,9 @@ func (options Options) bruteforce(user string) {
go func() { go func() {
for ! foundPass { for ! foundPass {
token,cookie := getCSRFtoken(options.URL) token,cookie := getCSRFtoken(options.URL)
// if tryPassword(options.URL,options.Proxy,token,cookie,user,password) {
password1,channelClosed := <-pass password1,channelClosed := <-pass
if ! channelClosed {foundPass = true} if ! channelClosed {foundPass = true}
// fmt.Printf("try %s\n",password1)
if tryPassword(options.URL,options.Proxy,token,cookie,user,password1) { if tryPassword(options.URL,options.Proxy,token,cookie,user,password1) {
fmt.Printf("[HIT] %s:%s\n",user,password1) fmt.Printf("[HIT] %s:%s\n",user,password1)
foundPass = true foundPass = true