
🕸️Ffuf

ffuf is an open-source fuzzing tool used to discover vulnerabilities in web applications by sending crafted HTTP requests.

ffuf takes a wordlist (a dictionary of keywords), uses it to generate crafted HTTP requests, and shows how the application responds to each one.

Wherever we place the FUZZ keyword, ffuf substitutes every word from the dictionary.

Fuzzing with ffuf

Directory fuzzing

ffuf -w /usr/share/wordlists/rockyou.txt -u http://example.com/FUZZ
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u https://inlanefreight.com/FUZZ -mc 200,301,302

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://inlanefreight.com/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,301,302
________________________________________________

wp-content              [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 36ms]
wp-includes             [Status: 301, Size: 330, Words: 20, Lines: 10, Duration: 36ms]
wp-admin                [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 50ms]
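A scan like the one above is noisy on the server side: one client requests many distinct paths in quick succession, most of them answered with 404, and unless a -H 'User-Agent: ...' header overrides it, ffuf identifies itself with its default "Fuzz Faster U Fool" User-Agent. The Python below is an added example, not part of the original page or of ffuf, that applies both checks to combined-format access log lines; the log lines are constructed for the example (the version suffix in the User-Agent is an assumption about its exact format), and the thresholds are assumed starting points to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not a real capture): one client
# behaving like the directory scan above, and one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content HTTP/1.1" 301 329 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin HTTP/1.1" 301 327 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.1.20 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2024:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def scan_indicators(log_text, min_requests=5, min_404_ratio=0.6):
    """Return {client_ip: [reasons]} for clients that look like a wordlist scan."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "fuzz_ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = per_ip[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        if m["status"] == "404":
            s["not_found"] += 1
        if "Fuzz Faster U Fool" in m["ua"]:  # ffuf's default User-Agent (assumed unchanged)
            s["fuzz_ua"] = True
    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["fuzz_ua"]:
            reasons.append("default ffuf User-Agent")
        ratio = s["not_found"] / s["total"]
        # Many distinct paths from one client, mostly 404: the shape of a directory wordlist scan
        if s["total"] >= min_requests and len(s["paths"]) >= min_requests and ratio >= min_404_ratio:
            reasons.append(f"{s['not_found']}/{s['total']} requests to distinct paths returned 404")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Feed the function a real log file's contents and lower or raise the thresholds to match the site's normal 404 rate; the User-Agent check alone is enough for an out-of-the-box ffuf run, the ratio check also catches a run with a spoofed agent.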

Fuzzing for specific files

ffuf -w /usr/share/wordlists/rockyou.txt -u http://example.com/FUZZ -e .jpg,.pdf

The -e parameter appends the given file extensions to each word of the wordlist (here .jpg and .pdf), so the scan looks for files of those types.

Subdomain fuzzing

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.kali.org/   

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://FUZZ.kali.org/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

old                     [Status: 200, Size: 2920, Words: 113, Lines: 18, Duration: 105ms]
www                     [Status: 200, Size: 45355, Words: 2637, Lines: 72, Duration: 511ms]
images                  [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 526ms]
download                [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 520ms]
forums                  [Status: 200, Size: 10277, Words: 1179, Lines: 170, Duration: 503ms]
docs                    [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 519ms]
image                   [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 508ms]
archive                 [Status: 200, Size: 2170, Words: 86, Lines: 13, Duration: 104ms]
tools                   [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 529ms]
git                     [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 496ms]
downloads               [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 503ms]

Recursion depth

ffuf -w rockyou.txt -u http://example.com/FUZZ -recursion -recursion-depth 2

The -recursion parameter scans deeper inside each directory that is found; -recursion-depth sets how many levels down it goes (2 here).

Responses with HTTP status code 200

ffuf -w rockyou.txt -u http://example.com/FUZZ -mc 200

Discovering vhosts

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://94.237.48.48:54645/ -H 'Host: FUZZ.example.com' -ms 0
ffuf -u http://example.com -H "Host:FUZZ.example.com" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -fs 612

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://example.com
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.example.com
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 12
________________________________________________

web                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 64ms]
m                       [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 65ms]
mail1                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 65ms]
gw                      [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 66ms]
dev                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 87ms]
secure                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 86ms]
mail2                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
ww1                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
ww42                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 87ms]
owa                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
server                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
webmail                 [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 98ms]
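This is why the vhost command ends with -fs 612 (and the run above was filtered on words): a catch-all vhost answers every unknown Host header with the same page, so the response fingerprint that repeats is the baseline to filter away, and the one that differs (crm above) is the real hit. The Python below is an added example, not part of the original page or of ffuf, that parses ffuf's printed result lines, finds that baseline and builds the matching filter flag; the result lines are a constructed sample modelled on the output above.

```python
import re
from collections import Counter

# Constructed sample of result lines in the format ffuf prints, modelled on the vhost run above.
SAMPLE_RESULTS = """\
web                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 64ms]
m                       [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 65ms]
mail1                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 65ms]
dev                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 87ms]
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 98ms]
"""

# One ffuf result line: word, then [Status: .., Size: .., Words: .., Lines: .., Duration: ..ms]
RESULT_RE = re.compile(
    r"^(?P<word>\S+)\s+\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: \d+ms\]$"
)

def parse_results(text):
    """Turn ffuf result lines into (word, status, size, words, lines) tuples; other lines are skipped."""
    parsed = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            parsed.append((m["word"], int(m["status"]), int(m["size"]), int(m["words"]), int(m["lines"])))
    return parsed

def baseline(results):
    """Most common (status, size, words, lines) fingerprint: the catch-all page, or None if empty."""
    if not results:
        return None
    counts = Counter(r[1:] for r in results)
    fingerprint, _ = counts.most_common(1)[0]
    return fingerprint

def real_hits(results):
    """Words whose fingerprint differs from the baseline, i.e. what ffuf shows once the filter is set."""
    fp = baseline(results)
    return [r[0] for r in results if r[1:] != fp]

def filter_flag(results):
    """ffuf flag reproducing the filter on size (-fw and -fl do the same for words and lines)."""
    fp = baseline(results)
    if fp is None:
        return ""
    _, size, _, _ = fp
    return f"-fs {size}"
```

The same idea is what ffuf's -ac (auto-calibration) automates by requesting random words first; running it by hand on saved output is useful when the baseline only becomes obvious after the scan.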

Extension fuzzing

ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -u http://faculty.academy.htb:40053/indexFUZZ

URL parameter fuzzing

GET method

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs 774

POST method

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
ffuf -w rockyou.txt -u http://example.com/FUZZ -H "Cookie: sessionid=123456"

Saving results as HTML

ffuf -w rockyou.txt -u http://example.com/FUZZ -o output.txt -of html

Advanced fuzzing with ffuf

Using several wordlists at once

ffuf -u http://IP_VICTIM/W1/W2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:W1 -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:W2

Put :W1 and :W2 after each wordlist path to name the keyword that wordlist fills in.

Fuzzing USER or PASSWORD on a login form

  • Capture the login request with Burp Suite and save it to a file named request-burp

  • Edit the file with a text editor (gedit or nano), replacing the parameters we want to fuzz with FUZZ, or with W1 and W2 (named with :W1 and :W2 on the -w options) if we use several wordlists

ffuf -request request-burp -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt

ffuf Cheatsheet

Command: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
Description: Fuzzing parameters in a URL

Command: ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
Description: Fuzzing with LFI payloads

Command: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
Description: Fuzzing the webroot path

Command: ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
Description: Fuzzing server configuration files
