Find page name with url rewrite
#1
This thing is making me crazy... Let's assume I have to bruteforce a form, but I can't figure out the right page because of the url rewrite:

"http://mysite.com/administrator/login" ---> it's something like this

How could I retrieve the name of the page?
#2
Wouldn't you just be able to inspect the elements at the login form? And get something like "<form id="1" action="login.php" ... Etc, more data here </form>" whereas login.php is what you're looking for, being located in the folder the form is located in, thus /administrator/login/login.php.

But I guess I don't know much about it without any more information; an idea for you is to use a plugin such as Live HTTP Headers or TamperData to inspect the traffic requests when you send information through the form. Might contain some info there.
#3
(07-01-2016, 11:30 PM)Insider Wrote: Wouldn't you just be able to inspect the elements at the login form? And get something like "<form id="1" action="login.php" ... Etc, more data here </form>" whereas login.php is what you're looking for, being located in the folder the form is located in, thus /administrator/login/login.php.

But I guess I don't know much about it without any more information; an idea for you is to use a plugin such as Live HTTP Headers or TamperData to inspect the traffic requests when you send information through the form. Might contain some info there.

The form points at the same page "http://mysite.com/administrator/login", already checked with TamperData.
I only found a redirect page from
"http://mysite.com/administrator/index.html"
to
"http://mysite.com/administrator/login"
Nothing else... :/
#4
1. What makes you think there is a url rewrite happening? Just because there is no extension doesn't mean a url rewrite is taking place. Have you checked to see if you can determine the directory index? For all you know it's simply posting to index.php or index.asp or something.

2. You have a form - with a URL that the values are being posted to... why exactly can you not brute force it? How is this magical page you're looking for going to be any different?

3. If there is a url rewrite going on... IF they've set it up as a 301 or redirect - you should see an http response saying as much, with the new URL. However, if they are rewriting for clarity and privacy... they aren't likely to do that.

In which case you're essentially shit out of luck. There is absolutely no reason to indicate to the public user (you) where a resource on a server is being provided from. While for simplicity's sake, a URL has historically had some file system relevance to it... that doesn't need to be the case. You accessing /administration/login could just as well be delivered from /var/www/yo/mommas/pussy.smells for all you know. And the server isn't about to tell you that in any which way or form. What's in the url... file names, or extensions, does not necessarily have anything to do with what's being presented in the actual content/script. Literally, it's just code that says if value is x, show y. It doesn't need to tell the browser where the file is on the server or what is processing that file on the back end. The server just gives the output the server can read.
#5
(07-04-2016, 05:01 PM)MuddyBucket Wrote: 1. What makes you think there is a url rewrite happening? Just because there is no extension doesn't mean a url rewrite is taking place. Have you checked to see if you can determine the directory index? For all you know it's simply posting to index.php or index.asp or something.

1. I think there's a url rewrite because of the folder I found during a scan on the domain: in the main directory there is a folder named "admin", so I began to test the full path directly in the browser; after testing "index.php", "main.php" and other pages, I saw that the "http://mysite.com/administrator/index.html" url redirects to the login page.

(07-04-2016, 05:01 PM)MuddyBucket Wrote: 2. You have a form - with a URL that the values are being posted to... why exactly can you not brute force it? How is this magical page you're looking for going to be any different?

2. Bruteforcing the form using hydra is not working, because it keeps saying that all the first 16 passwords used are correct.
Code:
hydra -v -V -l admin -P /password.txt -t 16 <IP_ADDR> http-form-post "/administrator/login:Username=^USER^&Password=^PASS^"

(07-04-2016, 05:01 PM)MuddyBucket Wrote: 3. If there is a url rewrite going on... IF they've set it up as a 301 or redirect - you should see an http response saying as much, with the new URL. However, if they are rewriting for clarity and privacy... they aren't likely to do that.

3. Nothing displayed in TamperData.

I know how servers work, that's why I asked if someone maybe knew a way to do it, a bug or something else.
BTW the server used is nginx 1.2.1.
#6
(07-05-2016, 10:25 PM)overfl0wN Wrote: 1. I think there's a url rewrite because of the folder I found during a scan on the domain: in the main directory there is a folder named "admin", so I began to test the full path directly in the browser; after testing "index.php", "main.php" and other pages, I saw that the "http://mysite.com/administrator/index.html" url redirects to the login page.

This really isn't clear. How did you get from a folder named /admin to a folder named /administrator? And did you do the same tests on /administrator/login? Did you try /administrator/login/index.php, for example?

(07-05-2016, 10:25 PM)overfl0wN Wrote: 2. Bruteforcing the form using hydra is not working, because it keeps saying that all the first 16 passwords used are correct.
Code:
hydra -v -V -l admin -P /password.txt -t 16 <IP_ADDR> http-form-post "/administrator/login:Username=^USER^&Password=^PASS^"

If it's returning all users/passwords as correct, then you simply haven't adequately configured hydra. For example, what have you specified to hydra as what is considered a success, and what is a failure? How does it know? It defaults to assuming a new page is a success, unless you tell it otherwise. So if a failed attempt is taken to a new page, it's gonna return 'hey, we were successful at something'. It doesn't know that it's not what you want. Or at least I can't see anything set in the above example command that does any tests for a specific failure.

But as I've said... you have a url that you can post data to, just as if you were the form. There is nothing to indicate that the problems you are encountering are a result of url rewrites, and some evidence to suggest mere ignorance of how to utilise hydra properly to accomplish your goals.
#7
Ok, let's forget about the url rewrite problem for a moment; I missed a part of the hydra command. I used this:

Code:
hydra -v -V -l admin -P /password.txt -t 16 <IP_ADDR> http-form-post "/administrator/login:Username=^USER^&Password=^PASS^:<Error message>"

<Error message> is the message displayed on the login page with the wrong credentials.
But this way it returns all passwords as correct;
using this:
Code:
hydra -v -V -l admin -P /password.txt -t 16 <IP_ADDR> http-form-post "/administrator/login:Username=^USER^&Password=^PASS^:<IP_ADDR>/administrator/login"

it keeps hanging on the first passwords used, and nothing else.

Btw it's the first time I need to use it, so maybe I'm wrong with the syntax.
Isn't it correct?
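Turning the thread around to the defending side: the 16-thread burst of POSTs to /administrator/login that the hydra runs above produce is easy to spot in the nginx access log. This is an added example, not code from the thread or from hydra or nginx; the log lines are constructed, the path comes from the posts, and the 60 s window and threshold of 10 attempts are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/administrator/login"   # path from the thread
WINDOW, THRESHOLD = timedelta(seconds=60), 10   # assumed tuning for this example

# nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*"$'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak POSTs to LOGIN_PATH inside one window} for clients at/over threshold."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?", 1)[0] == LOGIN_PATH:  # ignore any query string
            posts[ip].append(ts)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: 16 parallel attempts from one client (hydra -t 16 style) and one normal login.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2016:22:25:%02d +0000] "POST /administrator/login HTTP/1.1" 200 2310 "-" "Mozilla/5.0"' % s
    for s in range(16)
] + [
    '198.51.100.9 - - [05/Jul/2016:22:25:20 +0000] "POST /administrator/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Note that the flagged client's failed attempts all come back as 200 with the form re-rendered, which is exactly why hydra with no failure condition reported every password as correct; the status code alone does not separate success from failure, so the per-window count does the work here.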