Ffuf commands
| Command | Description |
|---|---|
| ffuf -h | ffuf help |
| ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ | Directory Fuzzing |
| ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ | Extension Fuzzing |
| ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php | Page Fuzzing |
| ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v | Recursive Fuzzing |
| ffuf -w wordlist.txt:FUZZ -u https://FUZZ.nlabs.local/ | Sub-domain Fuzzing |
| ffuf -w wordlist.txt:FUZZ -u http:// | VHost Fuzzing |
| ffuf -w wordlist.txt:FUZZ -u http://admin. | Parameter Fuzzing – GET |
| ffuf -w wordlist.txt:FUZZ -u http://admin. | Parameter Fuzzing – POST |
| ffuf -w ids.txt:FUZZ -u http://admin. | Value Fuzzing |
The key difference between VHosts and sub-domains is that a VHost is basically a ‘sub-domain’ served on the same server and has the same IP, such that a single IP could be serving two or more different websites.
VHosts may or may not have public DNS records.
Options
Basics
-u: the target URL
-c: add color to output
-r: follow redirects
-t: timeout in seconds (default 10)
-x: send through a proxy
Types of Requests
-d: data you’re going to send over POST
-H: the header value(s) you’re sending (multiple allowed)
-b: send cookie values
Useful Filters
-mc: match for certain HTTP codes
-ml: match based on the number of lines in the response
-ms: match based on the size of the response
-mw: match based on the number of words in the response
Miscellaneous
-e: add additional FUZZ keywords
-request: a file containing a raw request
-o: write the output to a file
Wordlists
Get SecLists
git clone https://github.com/danielmiessler/SecLists.git
| Command | Description |
|---|---|
| /path/to/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt | Directory/Page Wordlist |
| | Extensions Wordlist |
| | Domain Wordlist |
| | Parameters Wordlist |
Misc
| Command | Description |
|---|---|
| sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts' | Add DNS entry |
| for i in $(seq 1 1000); do echo $i >> ids.txt; done | Create Sequence Wordlist |
| curl http://admin. | curl w/ POST |
Fuzzing Values
We can use -w -, which tells ffuf to read the wordlist from standard input. This lets us generate a list of integers with a command of our choice and pipe its output straight into ffuf. Below are 5 different ways to generate the numbers 0 – 255.
$ ruby -e '(0..255).each{|i| puts i}' | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ ruby -e 'puts (0..255).to_a' | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ seq 0 255 | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
$ cook '[0-255]' | ffuf -u 'http://10.10.196.129/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
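How the FUZZ substitution and the match/filter options listed above (-mc, -fw, -fs) decide what ffuf shows, as an added Python model that is not part of this page or of ffuf itself. The target is a constructed in-memory stand-in with a placeholder host; its repeated "no result" page is 33 words long, which is exactly why -fw 33 hides it in the commands above.

```python
# Added example, not ffuf's code and not from the original page: a minimal model
# of how ffuf substitutes the FUZZ keyword and applies -mc / -fw / -fs. The
# target is a constructed in-memory stand-in (placeholder host), so it runs offline.
import sys
from dataclasses import dataclass

TEMPLATE = "http://TARGET/sqli-labs/Less-1/?id=FUZZ"

@dataclass
class Response:
    status: int
    body: str
    @property
    def words(self) -> int:        # what -mw / -fw compare against
        return len(self.body.split())
    @property
    def size(self) -> int:         # what -ms / -fs compare against
        return len(self.body.encode())

# Constructed fake target: ids 1, 2 and 7 return a short record page; every other
# id returns the same 33-word "no result" page, the baseline -fw 33 filters out.
BASELINE = " ".join(["filler"] * 33)

def fake_server(url: str) -> Response:
    qid = url.rsplit("id=", 1)[-1]
    if qid in {"1", "2", "7"}:
        return Response(200, f"Welcome user {qid}, your profile is loaded")
    return Response(200, BASELINE)

def keep(resp: Response, mc=None, fw=None, fs=None) -> bool:
    """Matchers (-m*) must pass; filters (-f*) drop the response when they hit."""
    if mc is not None and resp.status not in mc:
        return False
    if fw is not None and resp.words in fw:
        return False
    if fs is not None and resp.size in fs:
        return False
    return True

def fuzz(template: str, wordlist, fetch, keyword="FUZZ", **opts) -> list:
    """Substitute each payload for every keyword occurrence; return payloads kept."""
    hits = []
    for payload in (w.strip() for w in wordlist):      # one payload per line
        if payload and keep(fetch(template.replace(keyword, payload)), **opts):
            hits.append(payload)
    return hits

if __name__ == "__main__":   # -w - equivalent:  seq 0 255 | python3 this_file.py
    print(fuzz(TEMPLATE, sys.stdin, fake_server, fw={33}))
```

Run it with `seq 0 255 | python3 this_file.py` to see only the three ids whose page differs from the 33-word baseline survive the filter.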