Fuff – Cheat Sheet

by Bharath Narayanasamy

Sharing is caring

Views: 42

Table of Contents

Ffuf commands

Command	Description
`ffuf -h`	ffuf help
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ`	Directory Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ`	Extension Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php`	Page Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v`	Recursive Fuzzing
`ffuf -w wordlist.txt:FUZZ -u https://FUZZ.nlabs.local/`	Sub-domain Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://nlabs.local:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx`	VHost Fuzzing
`ffuf -w wordlist.txt:FUZZ -u http://admin.nlabs.local:PORT/admin/admin.php?FUZZ=key -fs xxx`	Parameter Fuzzing – GET
`ffuf -w wordlist.txt:FUZZ -u http://admin.nlabs.local:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx`	Parameter Fuzzing – POST
`ffuf -w ids.txt:FUZZ -u http://admin.nlabs.local:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx`	Value Fuzzing

The key difference between VHosts and sub-domains is that a VHost is basically a ‘sub-domain’ served on the same server and has the same IP, such that a single IP could be serving two or more different websites.

VHosts may or may not have public DNS records.

Options

Basics

-u: the target URL
-c: add color to output
-r: follow redirects
-t: timeout in seconds (default 10)
-x: send through a proxy

Types of Requests

-d: data you’re going to send over POST
-H: the header value(s) you’re sending (multiple allowed)
-b: send cookie values

Useful Filters

-mc: match for certain HTTP codes
-ml: match based on the number of lines in the response
-ms: match based on the size of the response
-mw: match based on the number of words in the response

Miscellaneous

-e: add additional FUZZ keywords
-request: a file containing a raw request
-o: write the output to a file
-mw: match based on the number of words in the response

Wordlists

Get SecLists

git clone https://github.com/danielmiessler/SecLists.git

Command	Description
`/path/to/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt`	Directory/Page Wordlist
`/path/to/SecLists/Discovery/Web-Content/web-extensions.txt`	Extensions Wordlist
`/path/to/SecLists/Discovery/DNS/subdomains-top1million-5000.txt`	Domain Wordlist
`/path/to/SecLists/Discovery/Web-Content/burp-parameter-names.txt`	Parameters Wordlist

Misc

Command	Description
`sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'`	Add DNS entry
`for i in $(seq 1 1000); do echo $i >> ids.txt; done`	Create Sequence Wordlist
`curl http://admin.nlabs.local:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'`	curl w/ POST

Fuzzing Values

We can use -w - which tells ffuf to read a wordlist from stdout. This will allow us to generate a list of integers with a command of our choice then pipe the output to ffuf. Below is a list of 5 different ways to generate numbers 0 – 255.

$ ruby -e '(0..255).each{|i| puts i}' | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ ruby -e 'puts (0..255).to_a' | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ seq 0 255 | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ cook '[0-255]' | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33

Related