Search

SearchSearch

Ffuf ๐Ÿณ

Nov 15, 20244 min read

Basic Fuzzing

Directory Fuzzing

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
  • Make it faster by adding -t 200 (==not recommended because can cause a Denial of Service==)

Page Fuzzing

Extension Fuzzing

In the previous section, we found that we had access toย /blog, but the directory returned an empty page, and we cannot manually locate any links or pages. So, we will once again utilize web fuzzing to see if the directory contains any hidden pages. However, before we start, we must find out what types of pages the website uses, likeย .html,ย .aspx,ย .php, or something else.

One common way to identify that is by finding the server type through the HTTP response headers and guessing the extension. For example, if the server isย apache, then it may beย .php, or if it wasย IIS, then it could beย .aspย orย .aspx, and so on. This method is not very practical, though.

Before we start fuzzing, we must specify which file that extension would be at the end of! We can always use two wordlists and have a unique keyword for each, and then doย FUZZ_1.FUZZ_2ย to fuzz for both. However, there is one file we can always find in most websites, which isย index.*, so we will use it as our file and fuzz extensions on it.

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ
  • Once found the extension type, perform the following:
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

Recursive Fuzzing

When we scan recursively, it automatically starts another scan under any newly identified directories that may have on their pages until it has fuzzed the main website and all of its subdirectories.

Some websites may have a big tree of sub-directories, like /login/user/content/uploads/โ€ฆetc, and this will expand the scanning tree and may take a very long time to scan them all. This is why it is always advised to specify a depth to our recursive scan, such that it will not scan directories that are deeper than that depth. Once we fuzz the first directories, we can then pick the most interesting directories and run another scan to direct our scan better.

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Domain Fuzzing

Sub-domain Fuzzing

A sub-domain is any website underlying another domain. For example,ย https://photos.google.comย is theย photosย sub-domain ofย google.com.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/

vHost Fuzzing

To scan for VHosts, without manually adding the entire wordlist to ourย /etc/hosts, we will be fuzzing HTTP headers, specifically theย Host:ย header. To do that, we can use theย -Hย flag to specify a header and will use theย FUZZย keyword within it, as follows:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'

Filtering results

  • Filter by size:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900

Parameter Fuzzing - GET

Tip

Fuzzing parameters may expose unpublished parameters that are publicly accessible. Such parameters tend to be less tested and less secured, so it is important to test such parameters for the web vulnerabilities we discuss in other modules.

GET Request Fuzzing

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx

Parameter Fuzzing - POST

Tip

In PHP, โ€œPOSTโ€ data โ€œcontent-typeโ€ can only accept โ€œapplication/x-www-form-urlencodedโ€. So, we can set that in โ€œffufโ€ with โ€œ-H โ€˜Content-Type: application/x-www-form-urlencodedโ€™โ€œ.

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'

Value Fuzzing

After fuzzing a working parameter, we now have to fuzz the correct value that would return theย flagย content we need.

Custom Wordlist

When it comes to fuzzing parameter values, we may not always find a pre-made wordlist that would work for us, as each parameter would expect a certain type of value.

There are many ways to create this wordlist, from manually typing the IDs in a file, or scripting it using Bash or Python. The simplest way is to use the following command in Bash that writes all numbers from 1-1000 to a file:

for i in $(seq 1 1000); do echo $i >> ids.txt; done

Value Fuzzing

ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Graph View

Backlinks