基于Go的web模糊测试工具

admin

141928
文章

117
评论

2023年3月15日11:01:46评论18 views字数 7146阅读23分49秒阅读模式

ffuf 是集成式的模糊测试工具，提供目录发现、虚拟主机发现、GET/POST参数模糊测试、集成Radamsa自动生成测试用例、请求响应自动筛选、响应时间、响应码、正则表达式等匹配，还有诸多功能。

0x01 工具用法

1、典型的目录发现：

通过在URL末尾使用FUZZ关键字 : -u

ffuf -w /path/to/wordlist -u https://target/FUZZ

2、虚拟主机发现（无 DNS 记录）

假设默认的虚拟主机响应大小为 4242 字节，我们可以过滤掉该大小() 的所有响应，同时模糊化 Host - 标头：-fs 4242

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

3、GET 参数模糊测试

GET 参数名称模糊测试与目录发现非常相似，其工作原理是将关键字定义为 URL 的一部分。这也假定无效的 GET 参数名称的响应大小为 4242 字节

ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242

如果参数名称已知，则可以以相同的方式对值进行模糊处理。此示例假定返回 HTTP 响应代码 401 的错误参数值。

ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401

4、开机自检数据模糊测试

这是一个非常简单的操作，同样通过使用关键字。此示例仅模糊处理 POST 请求的一部分。我们再次过滤掉 401 响应。

ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401

5、使用外部突变器生成测试用例

对于此示例，我们将模糊通过 POST 发送的 JSON 数据。Radamsa 用作突变器。

使用时，ffuf 将显示匹配项作为其位置。相同的位置值将作为环境变量提供给被调用方。我们将使用此位置值作为突变子的种子。

ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/FUZZ -mc all -fc 400

文件 example1.txt 和 example2.txt 包含有效的 JSON 有效负载。我们正在匹配所有响应，但过滤掉响应代码：--input-cmd$FFUF_NUM400 - Bad request

当然，为每个有效载荷调用突变器并不是很有效，所以我们也可以预生成有效载荷，仍然使用 Radamsa 作为示例：

# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt

# This results into files 1.txt ... 1000.txt
# Now we can just read the payload data in a loop from file for ffuf

ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400

0x02 工具用法参数

要定义ffuf的测试用例，请在 URL、请求头或 POST 数据中任意位置使用关键字。

Fuzz Faster U Fool - v2.0.0

HTTP OPTIONS:
  -H                  Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
  -X                  HTTP method to use
  -b                  Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
  -d                  POST data
  -http2              Use HTTP2 protocol (default: false)
  -ignore-body        Do not fetch the response content. (default: false)
  -r                  Follow redirects (default: false)
  -recursion          Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
  -recursion-depth    Maximum recursion depth. (default: 0)
  -recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
  -replay-proxy       Replay matched requests using this proxy.
  -sni                Target TLS SNI, does not support FUZZ keyword
  -timeout            HTTP request timeout in seconds. (default: 10)
  -u                  Target URL
  -x                  Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080

GENERAL OPTIONS:
  -V                  Show version information. (default: false)
  -ac                 Automatically calibrate filtering options (default: false)
  -acc                Custom auto-calibration string. Can be used multiple times. Implies -ac
  -ach                Per host autocalibration (default: false)
  -ack                Autocalibration keyword (default: FUZZ)
  -acs                Autocalibration strategy: "basic" or "advanced" (default: basic)
  -c                  Colorize output. (default: false)
  -config             Load configuration from a file
  -json               JSON output, printing newline-delimited JSON records (default: false)
  -maxtime            Maximum running time in seconds for entire process. (default: 0)
  -maxtime-job        Maximum running time in seconds per job. (default: 0)
  -noninteractive     Disable the interactive console functionality (default: false)
  -p                  Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -rate               Rate of requests per second (default: 0)
  -s                  Do not print additional information (silent mode) (default: false)
  -sa                 Stop on all error cases. Implies -sf and -se. (default: false)
  -scraperfile        Custom scraper file path
  -scrapers           Active scraper groups (default: all)
  -se                 Stop on spurious errors (default: false)
  -search             Search for a FFUFHASH payload from ffuf history
  -sf                 Stop when > 95% of responses return 403 Forbidden (default: false)
  -t                  Number of concurrent threads. (default: 40)
  -v                  Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS:
  -mc                 Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405,500)
  -ml                 Match amount of lines in response
  -mmode              Matcher set operator. Either of: and, or (default: or)
  -mr                 Match regexp
  -ms                 Match HTTP response size
  -mt                 Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -mw                 Match amount of words in response

FILTER OPTIONS:
  -fc                 Filter HTTP status codes from response. Comma separated list of codes and ranges
  -fl                 Filter by amount of lines in response. Comma separated list of line counts and ranges
  -fmode              Filter set operator. Either of: and, or (default: or)
  -fr                 Filter regexp
  -fs                 Filter HTTP response size. Comma separated list of sizes and ranges
  -ft                 Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -fw                 Filter by amount of words in response. Comma separated list of word counts and ranges

INPUT OPTIONS:
  -D                  DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
  -e                  Comma separated list of extensions. Extends FUZZ keyword.
  -ic                 Ignore wordlist comments (default: false)
  -input-cmd          Command producing the input. --input-num is required when using this input method. Overrides -w.
  -input-num          Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
  -input-shell        Shell to be used for running command
  -mode               Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
  -request            File containing the raw http request
  -request-proto      Protocol to use along with raw request (default: https)
  -w                  Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:
  -debug-log          Write all of the internal logging to the specified file.
  -o                  Write output to file
  -od                 Directory path to store matched results to.
  -of                 Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
  -or                 Don't create the output file if we don't have results (default: false)

EXAMPLE USAGE:
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
  Colored, verbose output.
    ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v

  Fuzz Host-header, match HTTP 200 responses.
    ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

  Fuzz POST JSON data. Match all responses not containing text "error".
    ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
      -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

  Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
    ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c

  More information and examples: https://github.com/ffuf/ffuf

0x03 交互模式

通过在ffuf执行期间按下，进程将暂停，用户将进入类似shell的交互模式:ENTER

entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help

available commands:
 afc  [value]             - append to status code filter 
 fc   [value]             - (re)configure status code filter 
 afl  [value]             - append to line count filter 
 fl   [value]             - (re)configure line count filter 
 afw  [value]             - append to word count filter 
 fw   [value]             - (re)configure word count filter 
 afs  [value]             - append to size filter 
 fs   [value]             - (re)configure size filter 
 aft  [value]             - append to time filter 
 ft   [value]             - (re)configure time filter 
 rate [value]             - adjust rate of requests per second (active: 0)
 queueshow                - show job queue
 queuedel [number]        - delete a job in the queue
 queueskip                - advance to the next queued job
 restart                  - restart and resume the current ffuf job
 resume                   - resume current ffuf job (or: ENTER) 
 show                     - show results for the current job
 savejson [filename]      - save current matches to a file
 help                     - you are looking at it
>

在此模式下，可以重新配置筛选器、管理队列并将当前状态保存到磁盘。

可以使用命令打印出匹配项的新状态，该命令将打印出所有匹配项，就像它们一样会被找到(show ffuf)。

由于“负”匹配项不会存储到内存中，因此放宽筛选器无法恢复丢失的匹配项。对于这种情况，用户可以使用命令，该命令重置状态并启动当前从一开始就工作。(restart)

下载地址：

https://github.com/ffuf/ffuf

声明：该公众号大部分文章来自作者日常学习笔记，也有部分文章是经过作者授权和其他公众号白名单转载，未经授权，严禁转载，如需转载，联系开白名单。

请勿利用文章内的相关技术从事非法测试，如因此产生的一切不良后果与本公众号无关。

✦

原文始发于微信公众号（白帽学子）：基于Go的web模糊测试工具

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

基于Go的web模糊测试工具

【DDDD二开】修复bug 新增指纹poc 新增功能

一款开源免费的漏洞扫描工具-Sirius

渗透测试必备:SQLMap常用命令清单

【蓝队】主机入侵防御系统（HIPS）apptable

10款被严重低估的渗透测试工具

应急响应工具 - QDoctor

神秘的黑客工具：IDA Pro（逆向工程的宇宙战舰！）

Sqlmap之tamper脚本

Ransom.Cryakl勒索病毒

工具推荐 | 最新开源多人协作红队渗透C2工具

发表评论

在线咨询

微信