Intro
今天來分享一個模糊測試工具–ffuf,並詳細介紹它如何使用以及使用場景。
它能用於網站路徑、參數、參數值枚舉及子域名、虛擬主機枚舉等等,但還是推薦子域名/虛擬主機枚舉使用 gobuster就好。ffuf 强大之處在於提供所項匹配/過濾參數選項(HTTP code,regex,size)及其餘功能,那我們話不多説,先上 ffuf 的全部參數使用。
└─$ ffuf --help
Fuzz Faster U Fool - v2.1.0-dev
HTTP OPTIONS:
-H Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
-cc Client cert for authentication. Client key needs to be defined as well for this to work
-ck Client key for authentication. Client certificate needs to be defined as well for this to work
-d POST data
-http2 Use HTTP2 protocol (default: false)
-ignore-body Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-raw Do not encode URI (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
-sni Target TLS SNI, does not support FUZZ keyword
-timeout HTTP request timeout in seconds. (default: 10)
-u Target URL
-x Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
GENERAL OPTIONS:
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
-ach Per host autocalibration (default: false)
-ack Autocalibration keyword (default: FUZZ)
-acs Custom auto-calibration strategies. Can be used multiple times. Implies -ac
-c Colorize output. (default: false)
-config Load configuration from a file
-json JSON output, printing newline-delimited JSON records (default: false)
-maxtime Maximum running time in seconds for entire process. (default: 0)
-maxtime-job Maximum running time in seconds per job. (default: 0)
-noninteractive Disable the interactive console functionality (default: false)
-p Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
-scraperfile Custom scraper file path
-scrapers Active scraper groups (default: all)
-se Stop on spurious errors (default: false)
-search Search for a FFUFHASH payload from ffuf history
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
MATCHER OPTIONS:
-mc Match HTTP status codes, or "all" for everything. (default: 200-299,301,302,307,401,403,405,500)
-ml Match amount of lines in response
-mmode Matcher set operator. Either of: and, or (default: or)
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-mw Match amount of words in response
FILTER OPTIONS:
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fmode Filter set operator. Either of: and, or (default: or)
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
INPUT OPTIONS:
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-enc Encoders for keywords, eg. 'FUZZ:urlencode b64encode'
-ic Ignore wordlist comments (default: false)
-input-cmd Command producing the input. --input-num is required when using this input method. Overrides -w.
-input-num Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
-input-shell Shell to be used for running command
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
-request File containing the raw http request
-request-proto Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
OUTPUT OPTIONS:
-debug-log Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
-or Don't create the output file if we don't have results (default: false)
EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
Fuzz Host-header, match HTTP 200 responses.
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
Fuzz POST JSON data. Match all responses not containing text "error".
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
-d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
More information and examples: https://github.com/ffuf/ffuf
基本使用
其實 ffuf 的使用方法非常簡單,只要把它想象成就是把字典檔對應到URL中FUZZ關鍵詞對應的地方做枚舉,所以它才能做包括:
- 路徑枚舉
- 檔案枚舉
- 檔案擴展枚舉
- 合法參數枚舉
- 合法參數值枚舉
- 子域名枚舉
- 虛擬主機枚舉
但在完整介紹這款工具之前,想先引入一種 ffuf 的FUZZ關鍵詞使用方法。在 ffuf 中 FUZZ 是對應要枚舉的位置,在真正枚舉時會被字典檔中的每一行資料替代,而我們也可以使用自定義的關鍵詞而不使用 FUZZ(ffuf默認的)。例如可以通過 -w wordlist.txt:KEYWORD 來避免使用 FUZZ:
ffuf -u http://10.10.119.28/FUZZ -w wordlist.txt
ffuf -u http://10.10.119.28/CUSTOM -w wordlist.txt:CUSTOM
以下是各個枚舉場景的基本使用指令,可以先參考一下,下面會再詳細介紹各個參數及相關參數使用。
# Enumerate directory
ffuf -u http://10.10.111.39/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt
# Enumerate file
ffuf -u http://10.10.111.39/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
# Enumerate file extension (i.e. index.php)
ffuf -u http://10.10.111.39/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt
# Enumerate valid parameter
ffuf -u "http://10.10.111.39/?FUZZ=1" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
# Enumerate valid parameter value
seq 0 255 | ffuf -u "http://10.10.111.39/?id=FUZZ" -w -
# Enumerate subdomains
ffuf -u http://FUZZ.mydomain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Enumerate vhost
ffuf -u http://mydomain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.mydomain.com'
常用參數
1. 基本參數
-u: URL-w: 字典檔 (-w -表示字典檔通過前面的stdin傳入)-v: verbose-c: 讓結果有色彩標注(多用於directory/subdomain/vhost)-t: threads
2. 匹配/過濾參數
只匹配是 -m 開頭;過濾是 -f 開頭:
-mc/-fc: HTTP Code-mr/-fr: Regex-ms/-fs: HTTP Response size
# 只顯示http response code是200-299的
-mc 200-299
# 不顯示文件名符合/..*的,例如.htaccess.bak
-fr "/\..*"
# 只顯示http response大小符合4000-5000的
-ms 4000-5000
3. 其餘參數
-H: 指定HTTP Header-x: 設置代理,例如想將結果傳送到Burp Suite,可以設置-x http://127.0.0.1:8080-replay-proxy: 設置代理,但只傳送匹配結果給代理-r: follow redirect-o: output file-of: output file format (默認json,支持json/ejson/html/md/csv/ecsv)-mode: 多字典檔的模式(默認clusterbomb,支持clustercomb/pitchfork/sniper)-X: HTTP Method-d: POST data
小結
ffuf 是一款簡單强大的模糊測試/枚舉工具,可以與 gobuster 搭配使用。而有些指令也有一些特殊使用場景和搭配,例如可以在最初對網站分析時先用檔案擴展枚舉來分析網站使用的是什麽架構;或可以在找到合法參數后利用參數值枚舉找出合法的參數值去做進一步的攻擊,算是非常實用,大家如果還沒學會的可以一起學習一下。
謝謝各位看到這邊,如有任何疑問或文章有任何錯漏,歡迎來信與我討論,謝謝!