sec

1. The wordlist is rockyou.txt, which ships with Kali; it is located at /usr/share/wordlists/rockyou.txt.gz
2. Use Burp to capture the submitted form
3. Run hydra -U http-post-form to view the http-post-form parameter settings
   Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
   First is the page on the server to GET or POST to (URL).
   Second is the POST/GET variables (taken from either the browser, proxy, etc.
    with usernames and passwords being replaced in the "^USER^" and "^PASS^"
    placeholders (FORM PARAMETERS)
   Third is the string that it checks for an *invalid* login (by default)
    Invalid condition login check can be preceded by "F=", successful condition
    login check must be preceded by "S=".
    This is where most people get it wrong. You have to check the webapp what a
    failed string looks like and put it in this parameter!
    The following parameters are optional:
    C=/page/uri     to define a different page to gather initial cookies from
    H=My-Hdr: foo   to send a user defined HTTP header with each request
                 ^USER^ and ^PASS^ can also be put into these headers!
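   Two points to note here:
      1) The url must start with "/", otherwise hydra reports an error
      2) The form parameters can contain all the variables of the submitted form, except username and password, which are replaced by the "^USER^" and "^PASS^" placeholders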
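
The module string described by the help text above can be checked before use. The following is an added example, not part of the original post or of hydra: a small Python checker for the `<url>:<form parameters>:<condition string>` format that enforces the two notes above. The function name, the sample strings and the treatment of `\:` as an escaped literal colon are assumptions.

```python
import re

# Optional parameters named in the help text quoted above.
OPTIONAL_PREFIXES = ("C=", "H=")


def check_form_spec(spec):
    """Parse <url>:<form parameters>:<condition string>[:<optional>...]."""
    # Split on ":" but keep "\:" together (assumed escape for a literal colon).
    fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", spec)]
    if len(fields) < 3:
        return {"problems": ["expected at least url, form parameters, condition"]}
    url, params, condition, optional = fields[0], fields[1], fields[2], fields[3:]
    problems = []

    # Note 1: the url must begin with "/".
    if not url.startswith("/"):
        problems.append('url must start with "/"')

    # The placeholders may sit in the form parameters or in an H= header.
    headers = [o for o in optional if o.startswith("H=")]
    for placeholder in ("^USER^", "^PASS^"):
        if placeholder not in params and not any(placeholder in h for h in headers):
            problems.append("missing placeholder " + placeholder)

    # S= marks a success string; F= or no prefix marks a failure string.
    if condition.startswith("S="):
        kind, text = "success", condition[2:]
    elif condition.startswith("F="):
        kind, text = "failure", condition[2:]
    else:
        kind, text = "failure", condition
    if not text:
        problems.append("condition string is empty")

    for opt in optional:
        if not opt.startswith(OPTIONAL_PREFIXES):
            problems.append("unrecognised optional field: " + repr(opt))

    return {"url": url, "params": params, "condition": (kind, text),
            "optional": optional, "problems": problems}


# Constructed sample strings, not taken from any real application.
GOOD = r"/login.php:user=^USER^&pass=^PASS^&submit=Login:F=Login failed:H=X-Test\: 1"
BAD = "login.php:user=admin&pass=^PASS^:S="

if __name__ == "__main__":
    for spec in (GOOD, BAD):
        print(check_form_spec(spec))
```

An unescaped colon inside an `H=` header value splits the header into two fields, which the checker reports as an unrecognised optional field.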

Reposted from j4s0nh4ck.iteye.com/blog/2079000