FFUF
GET parameters are usually passed right after the URL, with a ? symbol.
GET REQUEST PARAMETER FUZZING
root@oco:~$ find / -iname '*parameter*' -type f 2>/dev/null
* seclists/Discovery/Web-Content/burp-parameter-names.txt
#subdomain fuzzing
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.{targetSite.tld}:{port}/
* ALT: root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://{targetSite.tld}:{port}/ -H 'Host: FUZZ.{targetSite.tld}'
- if subdomain fuzzing shows no results, fuzz for vhost as the target might not be using public DNS
* admin.academy.htb, test.academy.htb
#fuzz for extensions
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://{targetSite}:{port}/{directory}/{page}FUZZ
* php, phps
#enumerate directories
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://{targetSite.tld}:{port}/FUZZ -t 100 -ic
* /blog, /forum, /admin
#enumerate pages
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://{targetSite}:{port}/{directory}/FUZZ.php -t 100 -ic
* /blog/home.php, /blog/index.php
* /admin/index.php, /admin/admin.php
#get request parameter fuzzing
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://{subdomain}.{targetSite.tld}:{port}/{directory}/{page}.php?FUZZ=key
* identify the response size that most results share (the baseline) and use it as a filter
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://{subdomain}.{targetSite.tld}:{port}/{directory}/{page}.php?FUZZ=key -fs {responseSize}
* the -fs option filters out the response based on response size
* found ?user
* the -fs value (798 here) is a size in bytes; this cmd excludes any response that is exactly 798 bytes in size
- this is useful for excluding responses that are not helpful, such as error pages or default responses
root@oco:~$ BROWSER > http://admin.academy.htb/admin/admin.php?user=key
METHOD 2:
#perform parameter fuzzing
root@htb:~$ find / -iname 'burp-parameter*' 2>/dev/null
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt .
root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://{targetSite}:3002/wsdl?FUZZ' -fs 0 -mc 200
...
WSDL [Status: 200, Size: 4461, Words: 967, Lines: 186, Duration: 10ms]
wsdl [Status: 200, Size: 4461, Words: 967, Lines: 186, Duration: 8ms]
:: Progress: [6453/6453] :: Job [1/1] :: 4761 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
* the -fs 0 filters out empty responses (size = 0)
* the -mc 200 matches HTTP 200 responses.
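The GET sweep above leaves a recognizable trace in the web server's access log: one client, one page, dozens of distinct query keys, and near-identical response sizes except for the hit. The following is an added example, not part of these notes, written from the defender's side: it scans combined-format log lines for that pattern. The log lines are constructed, and the threshold of 20 distinct keys is an assumed value.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined-log-format prefix: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Return (ip, method, path, set of query keys, response size), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    keys = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    return m["ip"], m["method"], url.path, keys, (0 if m["size"] == "-" else int(m["size"]))

def find_param_fuzzing(lines, min_distinct_keys=20):
    """Flag (client, path) pairs probed with many distinct GET parameter names; also report
    the most common response size (the baseline an attacker would pass to ffuf -fs) and how
    many responses differed from it, since those outliers are the ones that hit a real parameter."""
    keys_seen, sizes_seen = defaultdict(set), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "GET":   # POST bodies are not recorded in the access log
            continue
        ip, _, path, keys, size = rec
        keys_seen[(ip, path)] |= keys
        sizes_seen[(ip, path)].append(size)
    alerts = []
    for (ip, path), keys in keys_seen.items():
        if len(keys) < min_distinct_keys:
            continue
        sizes = sizes_seen[(ip, path)]
        baseline = max(set(sizes), key=sizes.count)   # most frequent size = the -fs baseline
        alerts.append({"ip": ip, "path": path, "distinct_keys": len(keys),
                       "baseline_size": baseline,
                       "outliers": sum(1 for s in sizes if s != baseline)})
    return alerts

# Constructed sample log: one client sweeps 25 parameter names against /admin/admin.php,
# every reply is 798 bytes except the hit on ?user (812 bytes); plus one ordinary visitor.
FUZZ_NAMES = ["id", "user", "page", "name", "file", "action", "cat", "q", "search", "lang", "token",
              "view", "type", "sort", "order", "key", "dir", "path", "mode", "debug", "admin",
              "login", "email", "ref", "url"]
SAMPLE_LOG = [f'10.10.14.5 - - [01/Jan/2024:12:00:{i:02d} +0000] "GET /admin/admin.php?{n}=key HTTP/1.1"'
              f' 200 {812 if n == "user" else 798} "-" "-"' for i, n in enumerate(FUZZ_NAMES)]
SAMPLE_LOG.append('10.10.14.9 - - [01/Jan/2024:12:01:00 +0000] "GET /blog/index.php?page=2 HTTP/1.1" 200 5120 "-" "-"')
```

Run `find_param_fuzzing(SAMPLE_LOG)` to get one alert for 10.10.14.5 against /admin/admin.php with a 798-byte baseline and a single outlier; the same logic applied to real logs only covers GET sweeps, so POST parameter fuzzing has to be caught at the application or WAF layer.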
POST REQUEST PARAMETER FUZZING
POST parameters are not passed in the URL and can't be appended after a ? symbol; they are sent in the data field (the body) of the HTTP request. In PHP, "POST" data "content-type" can only accept "application/x-www-form-urlencoded". This can be set in ffuf with "-H 'Content-Type: application/x-www-form-urlencoded'".
#post request fuzzing
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://{subdomain}.{targetSite.tld}:{port}/{directory}/{page}.{extension} -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://{subdomain}.{targetSite.tld}:{port}/{directory}/{page}.{extension} -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs {responseSize}
* id, user
root@oco:~$ curl http://{subdomain}.{targetSite.tld}:{port}/{directory}/{page}.{extension} -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
* <div class='center'><p>Invalid id!</p></div>