ffuf 是集成式的模糊测试工具,提供目录发现、虚拟主机发现、GET/POST参数模糊测试、集成Radamsa自动生成测试用例、请求响应自动筛选、响应时间、响应码、正则表达式等匹配,还有诸多功能。
0x01 工具用法 1、典型的目录发现: 通过在URL末尾使用FUZZ关键字 : -uffuf -w /path/to/wordlist -u https://target/FUZZ
2、虚拟主机发现(无 DNS 记录) 假设默认的虚拟主机响应大小为 4242 字节,我们可以过滤掉该大小() 的所有响应,同时模糊化 Host - 标头:-fs 4242ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
3、GET 参数模糊测试 GET 参数名称模糊测试与目录发现非常相似,其工作原理是将关键字定义为 URL 的一部分。这也假定无效的 GET 参数名称的响应大小为 4242 字节 如果参数名称已知,则可以以相同的方式对值进行模糊处理。此示例假定返回 HTTP 响应代码 401 的错误参数值。
4、开机自检数据模糊测试 这是一个非常简单的操作,同样通过使用关键字。此示例仅模糊处理 POST 请求的一部分。我们再次过滤掉 401 响应。 5、使用外部突变器生成测试用例 对于此示例,我们将模糊通过 POST 发送的 JSON 数据。Radamsa 用作突变器。
使用时,ffuf 将显示匹配项作为其位置。相同的位置值将作为环境变量提供给被调用方。我们将使用此位置值作为突变子的种子。 文件 example1.txt 和 example2.txt 包含有效的 JSON 有效负载。我们正在匹配所有响应,但过滤掉响应代码:--input-cmd$FFUF_NUM400 - Bad request 当然,为每个有效载荷调用突变器并不是很有效,所以我们也可以预生成有效载荷,仍然使用 Radamsa 作为示例: 0x02 工具用法参数 要定义ffuf的测试用例,请在 URL、请求头或 POST 数据中任意位置使用关键字。 ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401
ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/FUZZ -mc all -fc 400
# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt
# This results into files 1.txt ... 1000.txt
# Now we can just read the payload data in a loop from file for ffuf
ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400
Fuzz Faster U Fool - v2.0.0
HTTP OPTIONS:
-H Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
-d POST data
-http2 Use HTTP2 protocol (default: false)
-ignore-body Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
-sni Target TLS SNI, does not support FUZZ keyword
-timeout HTTP request timeout in seconds. (default: 10)
-u Target URL
-x Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
GENERAL OPTIONS:
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
-ach Per host autocalibration (default: false)
-ack Autocalibration keyword (default: FUZZ)
-acs Autocalibration strategy: "basic" or "advanced" (default: basic)
-c Colorize output. (default: false)
-config Load configuration from a file
-json JSON output, printing newline-delimited JSON records (default: false)
-maxtime Maximum running time in seconds for entire process. (default: 0)
-maxtime-job Maximum running time in seconds per job. (default: 0)
-noninteractive Disable the interactive console functionality (default: false)
-p Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
-scraperfile Custom scraper file path
-scrapers Active scraper groups (default: all)
-se Stop on spurious errors (default: false)
-search Search for a FFUFHASH payload from ffuf history
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
MATCHER OPTIONS:
-mc Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405,500)
-ml Match amount of lines in response
-mmode Matcher set operator. Either of: and, or (default: or)
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-mw Match amount of words in response
FILTER OPTIONS:
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fmode Filter set operator. Either of: and, or (default: or)
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
INPUT OPTIONS:
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-ic Ignore wordlist comments (default: false)
-input-cmd Command producing the input. --input-num is required when using this input method. Overrides -w.
-input-num Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
-input-shell Shell to be used for running command
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
-request File containing the raw http request
-request-proto Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
OUTPUT OPTIONS:
-debug-log Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
-or Don't create the output file if we don't have results (default: false)
EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
Fuzz Host-header, match HTTP 200 responses.
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
Fuzz POST JSON data. Match all responses not containing text "error".
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
-d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
More information and examples: https://github.com/ffuf/ffuf
0x03 交互模式 通过在ffuf执行期间按下,进程将暂停,用户将进入类似shell的交互模式:ENTER 在此模式下,可以重新配置筛选器、管理队列并将当前状态保存到磁盘。
在此模式下,可以重新配置筛选器、管理队列并将当前状态保存到磁盘。
可以使用命令打印出匹配项的新状态,该命令将打印出所有匹配项,就像它们一样 会被找到(show ffuf)。
由于“负”匹配项不会存储到内存中,因此放宽筛选器无法恢复丢失的匹配项。 对于这种情况,用户可以使用命令 ,该命令重置状态并启动当前 从一开始就工作。(restart)entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help
available commands:
afc [value] - append to status code filter
fc [value] - (re)configure status code filter
afl [value] - append to line count filter
fl [value] - (re)configure line count filter
afw [value] - append to word count filter
fw [value] - (re)configure word count filter
afs [value] - append to size filter
fs [value] - (re)configure size filter
aft [value] - append to time filter
ft [value] - (re)configure time filter
rate [value] - adjust rate of requests per second (active: 0)
queueshow - show job queue
queuedel [number] - delete a job in the queue
queueskip - advance to the next queued job
restart - restart and resume the current ffuf job
resume - resume current ffuf job (or: ENTER)
show - show results for the current job
savejson [filename] - save current matches to a file
help - you are looking at it
>
下载地址: https://github.com/ffuf/ffuf
声明:该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白名单。 请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与本公众号无关。 ✦ ✦
原文始发于微信公众号(白帽学子):基于Go的web模糊测试工具
- 我的微信
- 微信扫一扫
-
- 我的微信公众号
- 微信扫一扫
-
评论