前提
今天在给客户做资产收集的时候,由于没有工具,倒腾了半天
然后发现了ffuf这款工具,但是在百度搜出来的教程都让我十分茫然,于是我决定自己写一篇!
还有:
我写的技术文档一般不太喜欢照顾小白从而写清楚每一步命令是什么意思。
0x01 安装与环境配置
这款工具要用到go,因此先做go的安装与环境配置
go
1、wget -c https://golang.google.cn/dl/go1.16.2.linux-amd64.tar.gz
2、tar -xzvf go1.16.2.linux-amd64.tar.gz
3、cp -r go /usr/local
4、vim ~/.zshrc(也可能是bashrc)
添加如下内容:
export PATH=$PATH:/usr/local/go/bin
export GO111MODULE=on
export GOPROXY=https://goproxy.cn
5、source ~/.zshrc(也可能是bashrc)
6、验证:go version
我这里版本不一样是因为我已经装过一个大的版本了。
ffuf
1、git clone https://github.com/ffuf/ffuf.git
2、cd ffuf && go build
3、cd .. && cp -r ffuf /usr/local
4、vim ~/.zshrc(也可能是bashrc)
添加以下内容:
export PATH=$PATH:/usr/local/ffuf
5、source ~/.zshrc(也可能是bashrc)
6、验证:ffuf
0x02 使用说明
1、目录爆破
ffuf -w ../wordlist-admin.txt -u https://test.iculture.cc/FUZZ
-w 是字典的位置及名称
-u url地址
FUZZ 要测试的地方
也可以通过递归的方式进行搜索
ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -recursion
模糊查询
ffuf -u https://W1/W2 -w site.txt:W1,wordlist-admin.txt:W2
W1 使用我们设置的网站列表site.txt
W2 使用我们设置的后台目录字典库wordlist-admin.txt
静默模式
ffuf -w ../wordlist-admin.txt -u https://test.iculture.cc/FUZZ -s
2、POST/GET请求
ffuf -w password.txt -X POST -d "username=admin\&password=FUZZ" -u https://test.iculture.cc/login.php -fc 401
ffuf -w wordlist-mod.txt -u https://test.iculture.cc/script.php?FUZZ=test_value -fs 575
ffuf -w /path/to/values.txt -u https://test.iculture.cc/script.php?valid_name=FUZZ -fc 401
如果找到对应的575响应大小的,就说明这个变量名称是正确的。然后可以在对变量后面的值进行模糊测试,valid_name
是上面找到的正确的变量名称,并过滤掉401返回值
获得响应大小:
curl -s -H "test.iculture.cc" https://test.iculture.cc | wc -c
结果:
575
0x03 自带help
Fuzz Faster U Fool - v2.0.0
HTTP OPTIONS:
-H Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
-d POST data
-http2 Use HTTP2 protocol (default: false)
-ignore-body Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
-sni Target TLS SNI, does not support FUZZ keyword
-timeout HTTP request timeout in seconds. (default: 10)
-u Target URL
-x Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
GENERAL OPTIONS:
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
-ach Per host autocalibration (default: false)
-ack Autocalibration keyword (default: FUZZ)
-acs Autocalibration strategy: "basic" or "advanced" (default: basic)
-c Colorize output. (default: false)
-config Load configuration from a file
-json JSON output, printing newline-delimited JSON records (default: false)
-maxtime Maximum running time in seconds for entire process. (default: 0)
-maxtime-job Maximum running time in seconds per job. (default: 0)
-noninteractive Disable the interactive console functionality (default: false)
-p Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
-scraperfile Custom scraper file path
-scrapers Active scraper groups (default: all)
-se Stop on spurious errors (default: false)
-search Search for a FFUFHASH payload from ffuf history
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
MATCHER OPTIONS:
-mc 匹配HTTP状态码,或者匹配所有内容的“all”(default: 200,204,301,302,307,401,403,405,500)
比如:`ffuf -w php.txt -u https://test.com/h5/FUZZ -mc 200,301,302`
-ml Match amount of lines in response
-mmode Matcher set operator. Either of: and, or (default: or)
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-mw Match amount of words in response
FILTER OPTIONS:
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fmode Filter set operator. Either of: and, or (default: or)
-fr Filter regexp
-fs 过滤HTTP响应大小。大小和范围列表,以逗号分隔
比如:`ffuf -w admin.txt -u https://test.com/h5/ -fs 42 `
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
INPUT OPTIONS:
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-ic Ignore wordlist comments (default: false)
-input-cmd Command producing the input. --input-num is required when using this input method. Overrides -w.
-input-num Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
-input-shell Shell to be used for running command
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
-request File containing the raw http request
-request-proto Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
OUTPUT OPTIONS:
-debug-log Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
-or Don't create the output file if we don't have results (default: false)
EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
Fuzz Host-header, match HTTP 200 responses.
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
Fuzz POST JSON data. Match all responses not containing text "error".
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
-d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
More information and examples: https://github.com/ffuf/ffuf
显示中文为已使用并翻译。
这个后边用到了再慢慢更新