{"id":16748963,"url":"https://github.com/n1md7/nimda.py","last_synced_at":"2025-03-16T03:42:04.558Z","repository":{"id":55415531,"uuid":"118616767","full_name":"n1md7/nimda.py","owner":"n1md7","description":null,"archived":false,"fork":false,"pushed_at":"2021-01-01T12:48:28.000Z","size":163,"stargazers_count":1,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-01-22T16:24:24.890Z","etag":null,"topics":["brute-force","python","tool"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n1md7.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-01-23T13:50:33.000Z","updated_at":"2024-09-15T09:31:30.000Z","dependencies_parsed_at":"2022-08-14T23:50:39.588Z","dependency_job_id":null,"html_url":"https://github.com/n1md7/nimda.py","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n1md7%2Fnimda.py","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n1md7%2Fnimda.py/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n1md7%2Fnimda.py/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n1md7%2Fnimda.py/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/n1md7","download_url":"https://codeload.github.com/n1md7/nimda.py/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243822304,"owners_count":20353499,"icon_url":"https://github.c
om/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","python","tool"],"created_at":"2024-10-13T02:23:26.234Z","updated_at":"2025-03-16T03:42:04.527Z","avatar_url":"https://github.com/n1md7.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Nimda.py, github download \u003ca href=\"https://github.com/bichiko/nimda.py\"\u003elink\u003c/a\u003e\n**NIMDA.py is a Bruteforcing tool for any login page.\nYou just need to provide necessary details and it is ready to go.**\n\n\u003cimg src=\"./img/3.png\" \u003e\n\n## Parameters:\n\n- *url* \n- *delay* \n- *username* \n- *password* \n- *post-data* \n- *csrf-selector* \n- *csrf-token-name* \n- *content-text* \n- *not-content-text* \n- *content-header* \n- *not-content-header* \n- *first-match* \n- *status-code* \n- *show-response-html* \n- *show-response-header* \n- *progress-bar* \n- *verbose* \n- *redirect-check* \n- *cookies* \n- *user-agent* \n- *method* \n\n\n## Explanation\n\n**help** -\u003e Display help\n\n**delay** -\u003e Delay in milliseconds per request\n\n**url** -\u003e Set target url for submission post request\nexample: `python nimda.py url='http://exmpl.cm/lg.php'` \n\n**username** -\u003e Set username details with HTML form name and its value\nexample: `\u003cinput type=\"text\" value=\"site_admin\" name=\"pg_user\"\u003e`\n\nthen: `python nimda.py username='pg_user=site_admin'`\n\n**password** -\u003e Set dictionary file\nexample: `\u003cinput type=\"password\" value=\"\" name=\"pg_passwd\"\u003e`\n\nDict file: `./lsts/passwords.lst`\n\nthen: `python nimda.py 
password='pg_passwd=./lsts/passwords.lst'`\n\n\nSome login forms are protected with CSRF tokens.\nThe web page generates a token, injects it into the login page and expects that value in the next login request.\nIf it is missing or incorrect, the server blocks the request.\nBut we can bypass it by specifying csrf-token-name and csrf-selector\nexample: `\u003cinput type=\"hidden\" value=\"GFHKJ4576jhasldL:IUGBVCRTU\" name=\"cstf_hid_token\"\u003e`\nthen: `csrf-token-name='cstf_hid_token'`\nAnd `csrf-selector` uses `document.querySelector` syntax to find this value inside the response HTML and send it back.\n\nthen: `csrf-selector='input[name=\"cstf_hid_token\"]'`\nso the result looks like:\n```\npython nimda.py url='http://exmpl.cm/lg.php' username='pg_user=site_admin' password='pg_passwd=./lsts/passwords.lst' csrf-token-name='cstf_hid_token' csrf-selector='input[name=\"cstf_hid_token\"]'\n```\n\n\n**post-data** -\u003e All POST data parameters and values except the csrf-token, username and password\nexample: \n```\n\u003cinput type=\"submit\" name=\"login\" value=\"Sign In\"\u003e\n\u003cinput type=\"hidden\" name=\"error\" value=\"0\"\u003e\n```\nthen: `data='login=Sign In\u0026error=0'`\n\n\n**content-text** -\u003e Set unique text that appears only when the page returns a successful authentication response\nLike: **Welcome**, **Successful login**, etc.\n\n\n**not-content-text** -\u003e Set unique text that appears in an unsuccessful authentication response and is not displayed in a success response\nLike: **Wrong**, **Incorrect login**, etc.\n\n**content-header** and **not-content-header** work likewise\n\n**progress-bar** -\u003e Display progress\n\n**verbose** -\u003e Display more text\n\n**first-match** -\u003e Stop when the program finds the first matching combination \n\n**status-code** -\u003e Treat the response as correct if the status code matches the passed value\n\n**cookies** -\u003e Set custom cookies \n\n**user-agent** -\u003e Set custom user-agent \n\n**method** -\u003e Set request 
method type. Default is POST \n\n**redirect-check** -\u003e Enable or disable redirect checking. Default is True (option: False) \n\n\n# Example of brute-forcing *phpmyadmin*\n\nHTML form: \n```\n \u003cform method=\"post\" action=\"index.php\" name=\"login_form\" class=\"disableAjax login hide js-show\"\u003e\n    \u003cfieldset\u003e\n    \t\u003clegend\u003eLog in\u003ca href=\"./doc/html/index.html\" target=\"documentation\"\u003e\u003cimg src=\"themes/dot.gif\" title=\"Documentation\" alt=\"Documentation\" class=\"icon ic_b_help\" /\u003e\u003c/a\u003e\n        \u003c/legend\u003e\n        \u003cdiv class=\"item\"\u003e\n            \u003clabel for=\"input_username\"\u003eUsername:\u003c/label\u003e\n            \u003cinput type=\"text\" name=\"pma_username\" id=\"input_username\" value=\"\" size=\"24\" class=\"textfield\"/\u003e\n        \u003c/div\u003e\n        \u003cdiv class=\"item\"\u003e\n            \u003clabel for=\"input_password\"\u003ePassword:\u003c/label\u003e\n            \u003cinput type=\"password\" name=\"pma_password\" id=\"input_password\" value=\"\" size=\"24\" class=\"textfield\" /\u003e\n        \u003c/div\u003e\n        \u003cinput type=\"hidden\" name=\"server\" value=\"1\" /\u003e\n    \u003c/fieldset\u003e\n    \u003cfieldset class=\"tblFooters\"\u003e\n        \u003cinput value=\"Go\" type=\"submit\" id=\"input_go\" /\u003e\n        \u003cinput type=\"hidden\" name=\"target\" value=\"index.php\" /\u003e\n        \u003cinput type=\"hidden\" name=\"token\" value=\"4d604030d09328d67c268585d47134b9\" /\u003e\n    \u003c/fieldset\u003e\n    \u003c/form\u003e\n```\n\nPost data:\n```\npma_username=root\u0026pma_password=blahblah\u0026server=1\u0026target=index.php\u0026token=4d604030d09328d67c268585d47134b9\n```\n*token* is CSRF protection \n\nDisplays error: `Access denied for user`, which appears only if authentication fails\n\nOur code for brute-forcing is:\n\n```\npython nimda.py delay='10' url='http://localhost/phpmyadmin/index.php' 
username='pma_username=root,admin,nimda,ttu' password='pma_password=./small.txt' csrf-token-name='token' csrf-selector='input[name=\"token\"]' post-data='server=1\u0026target=index.php' not-content-text='Access denied for user'\n```\n\u003cimg src=\"./img/1.png\"\u003e\n\n\n```\npython nimda.py url='http://localhost/phpmyadmin/index.php' username='pma_username=root,admin,ttu,nimda' password='pma_password=./small.txt' csrf-token-name='token' csrf-selector='input[name=\"token\"]' post-data='server=1\u0026target=index.php' content-text='information_schema' progress-bar\n```\n\u003cimg src=\"./img/2.png\"\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn1md7%2Fnimda.py","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn1md7%2Fnimda.py","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn1md7%2Fnimda.py/lists"}