sec

1. 字典使用kali自带的rockyou.txt， 它的位置在/usr/share/wordlists/rockyou.txt.gz
2. 使用burp捕获提交的form
3. hydra -U http-post-form查看http-post-form参数设置
Syntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
with usernames and passwords being replaced in the "^USER^" and "^PASS^"
placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
Invalid condition login check can be preceded by "F=", successful condition
login check must be preceded by "S=".
This is where most people get it wrong. You have to check the webapp what a
failed string looks like and put it in this parameter!
The following parameters are optional:
C=/page/uri to define a different page to gather initial cookies from
H=My-Hdr: foo to send a user defined HTTP header with each request
^USER^ and ^PASS^ can also be put into these headers!
这里有2点需要注意:
1）url必须以"/"/开始，否则报错
2）form paramters中可以是提交form中所有变量，除了username和password