Burp Suite User Forum

Hydra (http-get-form) + Burp = Missing GET parameters

g0tmi1k | Last updated: Sep 08, 2015 04:39PM UTC

## Issue

* When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on.
* Using other proxies (such as ZAP), or not using a proxy at all, the GET requests are correct. The issue only happens when you use Burp.

**Summary**

```
export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"

127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
```

## Setup

* OS: `Kali 2.0 x64`
* Proxy: Burp Suite Proxy (Free) - Kali package: `1.6.01-0kali0` & Latest at the time of writing - `burpsuite_free_v1.6.25.jar`
* Hydra: v8.1 (Kali package: `8.1-1~kali1`)
* Target: DVWA v1.8 [6040830] ~ https://github.com/RandomStorm/DVWA

## Test 1 (Without proxy)

**This will be 'successful' with it making a request.**

```bash
[root:~]# hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-09-08 17:03:37
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 1 task per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service http-get-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "admin" - 1 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "" - 2 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - 3 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-09-08 17:03:37
[root:~]#
[root:~]# tail -f /var/log/apache2/access.log
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
```

## Test 2 (With Burp)

![](http://i.imgur.com/D0t2uX0.png)

## Test 3 (With ZAP)

![](http://i.imgur.com/l7vMJdu.png)

PortSwigger Agent | Last updated: Sep 09, 2015 02:17PM UTC

From a quick look at your logs, it seems that the URL parameters are not being stripped when passing through Burp. Rather, the requests containing the query string are not even being issued at all. Do you see any error messages in the Burp alerts tab, on the command line from where you launch Burp, or anywhere else, when you run the traffic through Burp?

Burp User | Last updated: Sep 10, 2015 02:04PM UTC

Checking the alerts tab really helped... Enabling ‘invisible proxy support’ fixes the issue =). Thanks for the assist!

PortSwigger Agent | Last updated: Sep 14, 2015 08:21AM UTC

Thanks for the update. It sounds like Hydra isn't sending standards-compliant HTTP requests in proxy-style format in some situations. Glad you got things working.
