Simple tool to bruteforce owncloud instance
|
|
||
|---|---|---|
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| options.go | ||
| README.md | ||
owncloud_bruteforcer
Simple tool to bruteforce owncloud instance
Description
Tool make GET request to acquire CSRF token + cookies and make POST request with given username and password wordlist.
Installation
go install git.sual.in/casual/owncloud_bruteforcer@latest
Example
owncloud_bruteforce -u "https://target.com/login" -P ./rockyou.txt
Help
Owncloud_bruteforcer - tool to bruteforce user
Usage:
owncloud_bruteforcer [flags]
Flags:
INPUT:
-url, -u string target's url to login page. Example "https://example.com/index.php/login, http://example.com/login "
-login, -l string username to bruteforce (default "admin")
-login-wordlist, -L string username wordlist
-password-wordlist, -P string password wordlist
-proxy, -x string HTTP proxy for packet inspection (Burp/Caidu/ZAP) (for example http://127.0.0.1:8080). But be aware, if you enable inspection then attack will fail because of delays
-threads, -t int threads to bruteforce (default 10)
Notes (TODO)
- Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password.
- If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve
can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers) - There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool
License
This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.