Add unauthorized vulnerability to result · vanhauser-thc/thc-hydra#667

(1 comment) (0 reactions) (0 assignees)C (8,689 stars) (1,913 forks)batch import

enhancementhelp wanted

説明

For example

hydra redis://127.0.0.1:6379 -P top1000.txt -o out-hydra.json -b json
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-21 16:15:22
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1056 login tries (l:1/p:1056), ~66 tries per task
[DATA] attacking redis://127.0.0.1:6379/
[!] The server 127.0.0.1 does not require password.

Got a unauthorized redis vulnerability

Do not have this info in result file

{ "generator": {
	"software": "Hydra", "version": "v9.2", "built": "2021-06-21 16:18:02",
	"server": "127.0.0.1", "service": "redis", "jsonoutputversion": "1.00",
	"commandline": "hydra -P top1000.txt -o out-hydra.json -b json redis://127.0.0.1:6379"
	},
"results": [
	],
"success": false,
"errormessages": [ "[ERROR] unexpected result connecting to target 127.0.0.1 port 6379" ],
"quantityfound": 0   }

コントリビューターガイド

技術スタック: c
領域: clisecurity
Issue 種別: feature
難度: 2
推定時間: 1-3 hours
活動状況: stale
明確さ: clear
前提条件: C programmingHydra codebaseJSON output format
初心者向け度: 60
調査方針: Examine the JSON output generation code in hydra json.c (or similar file). Currently, when the server does not require password, it logs a message but does not record it in the JSON output. Add a field like 'unauthorized' to the results array or to the top level output. Ensure the change handles both the case where no password is required and the case where it is. Test with a Redis instance that has no authentication.