Introduction
Web Fuzzing
Fuzzing
Wordlists
Tip: some wordlists start with copyright/comment lines; these get sent as payloads and pollute the brute-force results. Pass -ic to ffuf to ignore wordlist comments.
Basic Fuzzing
Directory Fuzzing
Ffuf
Directory Fuzzing
# ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
# -t sets the number of threads. The default of 40 is usually best; 200 can overwhelm (DoS) the target.
Page Fuzzing
Extension Fuzzing
# ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ
Page Fuzzing
# ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php
Recursive Fuzzing
Recursive Flags
Recursive Scanning
# ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v
# -v: verbose output, printing the full URL (and any redirect location) for each hit
Domain Fuzzing
DNS Records
/etc/hosts
Sub-domain Fuzzing
Sub-domains
# ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.hackthebox.eu/
# Note that http and https give different results here.
About public DNS: not finding a sub-domain does not mean it does not exist. The public DNS server may simply have no record mapping it to an IP, and /etc/hosts has no entry for it either, even if /etc/hosts does have an entry for the parent domain.
Vhost Fuzzing
Vhosts vs. Sub-domains
The main difference between a VHost and a sub-domain is that a VHost is essentially a "sub-domain" served from the same server with the same IP, so a single IP can serve two or more different websites.
Once again, sub-domain fuzzing can only identify sub-domains that resolve in public DNS; it will not find sub-domains that are not public.
This is where VHost fuzzing on an IP we already have comes in: we send every candidate name in the Host header to that same IP, and the server's response tells us which names it actually serves, so we can identify both public and non-public sub-domains and VHosts.
Vhosts Fuzzing
# ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
Filtering Results
Filtering
# ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900
# Every unknown Host value gets the default site, so without filtering every word looks like a hit. Run once without -fs, note the size that repeats (900 here), then filter it out. ffuf also offers -fc (status code), -fw (word count), -fl (line count) and -ac (auto-calibrate the filter from random requests).
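As an added example (not part of the original notes and not ffuf's code), the following Python script reimplements what the two ffuf commands above do, so the filtering logic is visible: it sends each candidate name in the Host header to one IP, first calibrates on a few random hostnames (what ffuf -ac does), and then keeps only responses whose status/size/words/lines differ from that noise. The academy.htb hostnames, the 134.122.107.187 address and the canned responses in fake_send are constructed for the demo; http_get is the real transport you would pass instead.

```python
import http.client
import secrets


def http_get(ip, port, host, path="/", timeout=5):
    """Real transport: one GET to ip:port carrying an explicit Host header
    (what ffuf -H 'Host: FUZZ.academy.htb' does)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def fingerprint(status, body):
    """The four numbers ffuf prints per result: status, size, words, lines."""
    return (status, len(body), len(body.split()), body.count(b"\n"))


def calibrate(send, base, rounds=3):
    """Ask for a few random, non-existent vhosts and remember what the server
    answers; any later response with the same shape is noise (cf. ffuf -ac)."""
    noise = set()
    for _ in range(rounds):
        junk = secrets.token_hex(6)
        noise.add(fingerprint(*send(f"{junk}.{base}")))
    return noise


def fuzz_vhosts(send, base, wordlist):
    """Return (host, fingerprint) for every candidate that is not noise."""
    noise = calibrate(send, base)
    hits = []
    for word in wordlist:
        word = word.strip()
        if not word or word.startswith("#"):   # skip wordlist comments (ffuf -ic)
            continue
        host = f"{word}.{base}"
        fp = fingerprint(*send(host))
        if fp not in noise:
            hits.append((host, fp))
    return hits


# Constructed stand-in for the server at 134.122.107.187:30032. Against a real
# target pass:  send = lambda h: http_get("134.122.107.187", 30032, h)
DEFAULT_PAGE = (200, b"<html>\n<h1>Academy</h1>\n" + b"z" * 880)
KNOWN_VHOSTS = {
    "archive.academy.htb": (200, b"<html>\n<h1>Archive</h1>\n" + b"x" * 500),
    "test.academy.htb": (200, b"<html>\n<h1>Test</h1>\n" + b"y" * 200),
}


def fake_send(host):
    """Unknown Host values get the default site, exactly the case -fs filters out."""
    return KNOWN_VHOSTS.get(host, DEFAULT_PAGE)


WORDLIST = ["# Copyright header from the wordlist", "www", "archive", "mail", "test"]

if __name__ == "__main__":
    for host, (status, size, words, lines) in fuzz_vhosts(fake_send, "academy.htb", WORDLIST):
        print(f"{host}: status {status}, size {size}, words {words}, lines {lines}")
```

Filtering on size alone (-fs 900) misses a vhost whose page happens to be the same size as the default one, and breaks when the default page embeds the requested hostname so its size varies per request; comparing the whole fingerprint against several calibration responses is more robust, which is why ffuf offers -fw, -fl, -fc and -ac alongside -fs.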
Parameter Fuzzing
Parameter Fuzzing-GET
GET Request Fuzzing
# ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx
Parameter Fuzzing-POST
We need to fuzz both the parameter name and the parameter value.
# ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
# curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
Value Fuzzing
Custom Wordlist
# seq 1 1000 > ids.txt   # one id per line; > overwrites the file, so re-running does not duplicate entries
Value Fuzzing
# ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
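Added example, not code from the notes or from ffuf: the same two stages as the commands above (find the parameter name over GET and POST, then brute-force its value), written in Python so the baseline logic is explicit. Instead of hard-coding a -fs xxx size, each stage measures its own baseline from a random name or value, and the form body is built with urlencode so the Content-Type and encoding match what curl -d sends. fake_admin is a constructed stand-in for admin.php whose behaviour (user deprecated over GET, id accepted over POST, 73 as the valid id) is invented for the demo; http_send is the real transport.

```python
import http.client
import secrets
from urllib.parse import urlencode

FORM = "application/x-www-form-urlencoded"


def http_send(ip, port, path, method, params, timeout=5):
    """Real transport. GET encodes params into the query string, POST into a
    form body with the Content-Type header the ffuf/curl commands above set."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        encoded = urlencode(params)
        if method == "GET":
            conn.request("GET", f"{path}?{encoded}")
        else:
            conn.request("POST", path, body=encoded, headers={"Content-Type": FORM})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def shape(response):
    """Status code and body size, the two numbers the notes filter on."""
    status, body = response
    return status, len(body)


def fuzz_names(send, method, names, placeholder="key"):
    """Stage 1: which parameter names change the response at all?  The baseline
    is the answer to a name nobody implemented (the size the notes pass to -fs)."""
    noise = shape(send(method, {"p" + secrets.token_hex(4): placeholder}))
    hits = []
    for name in names:
        name = name.strip()
        if not name or name.startswith("#"):      # wordlist comments (ffuf -ic)
            continue
        if shape(send(method, {name: placeholder})) != noise:
            hits.append(name)
    return hits


def fuzz_values(send, method, name, values):
    """Stage 2: name fixed, which values change the response again?  The
    baseline moves: it is now the 'wrong value' page, not the 'unknown
    parameter' page, so it has to be measured afresh."""
    noise = shape(send(method, {name: "v" + secrets.token_hex(4)}))
    return [v for v in values if shape(send(method, {name: v})) != noise]


# Constructed stand-in for http://admin.academy.htb:PORT/admin/admin.php; its
# behaviour is invented for the demo.  Against the real host pass:
#   send = lambda m, p: http_send("admin.academy.htb", PORT, "/admin/admin.php", m, p)
def fake_admin(method, params):
    if method == "GET" and "user" in params:
        return 200, b"<h1>This method is deprecated</h1>"
    if method == "POST" and "id" in params:
        if params["id"] == "73":
            return 200, b"<h1>Welcome</h1><p>flag goes here</p>"
        return 200, b"<h1>Invalid id</h1>"
    return 200, b"<h1>You don't have access!</h1>"


NAMES = ["# burp-parameter-names.txt", "id", "user", "page", "debug"]
IDS = [str(i) for i in range(1, 1001)]       # same list as `seq 1 1000 > ids.txt`

if __name__ == "__main__":
    print("GET names: ", fuzz_names(fake_admin, "GET", NAMES))    # user -> "deprecated"
    post_names = fuzz_names(fake_admin, "POST", NAMES)              # id
    print("POST names:", post_names)
    for name in post_names:
        print(f"{name} values:", fuzz_values(fake_admin, "POST", name, IDS))
```

The point of measuring a fresh baseline per stage is the one the notes discover by hand in the skills assessment: the "no access" page, the "wrong value" page and the success page all have different sizes, and the size you filter on in stage 2 is not the one from stage 1.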
Skills Assessment
Skill Assessment-Web Fuzzing
Question 1
# vim /etc/hosts
Add the line: 134.122.107.187 academy.htb
(No network restart is needed; the resolver reads /etc/hosts on every lookup.)
# ffuf -w subdomains-top1mil-5000.txt:FUZZ -u http://academy.htb:30032 -ic -H 'Host: FUZZ.academy.htb'
# ffuf -w subdomains-top1mil-5000.txt:FUZZ -u http://academy.htb:30032 -ic -H 'Host: FUZZ.academy.htb' -fs 985
Not done yet! The vhosts found above must be added to /etc/hosts as well:
# vim /etc/hosts
Add the line: 134.122.107.187 test.academy.htb archive.academy.htb faculty.academy.htb
/etc/hosts now:
Question 2
# ffuf -w extensions_common.txt:FUZZ1 -u http://academy.htb:30032/indexFUZZ1 -v
# ffuf -w extensions_common.txt:FUZZ1 -u http://test.academy.htb:30032/indexFUZZ1 -v
# ffuf -w extensions_common.txt:FUZZ1 -u http://archive.academy.htb:30032/indexFUZZ1 -v
# ffuf -w extensions_common.txt:FUZZ1 -u http://faculty.academy.htb:30032/indexFUZZ1 -v
The extensions found by the fuzzing above: .php, .phps and .php7
Question 3
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://faculty.academy.htb:30032/FUZZ -ic -t 200
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://archive.academy.htb:30032/FUZZ -ic -t 200
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://test.academy.htb:30032/FUZZ -ic -t 200
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://academy.htb:30032/FUZZ -ic -t 200
Results of the fuzzing above:
Only archive.academy.htb and faculty.academy.htb have a courses sub-directory
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://archive.academy.htb:30032/courses/FUZZ.php -ic -t 200
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://archive.academy.htb:30032/courses/FUZZ.phps -ic -t 200
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://archive.academy.htb:30032/courses/FUZZ.php7 -ic -t 200
# ffuf -w directory-list-2.3-medium.txt:FUZZ -u http://faculty.academy.htb:30032/courses/FUZZ.php7 -ic -t 200
Results of the fuzzing above:
Only faculty.academy.htb:30032/courses/FUZZ.php7 turned up a file, linux-security.php7, and visiting faculty.academy.htb:30032/courses/FUZ… does return "You don't have access!"
Note the response size of linux-security.php7 when access is denied: 774
Question 4
# ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:30032/courses/linux-security.php7?FUZZ=key
Responses of size 774 are the "no access" page of linux-security.php7
# ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:30032/courses/linux-security.php7?FUZZ=key -fs 774
# curl http://faculty.academy.htb:30032/courses/linux-security.php7?user=key
The page changed, which proves that user really is a parameter (but not that its value is key: I tried, and any value in that position gives the same result).
# ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:30032/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
Size 774, so it is still the "You don't have access" page
# ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:30032/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
Note the 780 and 781 results
# curl http://faculty.academy.htb:30032/courses/linux-security.php7 -X POST -d 'username=key' -H 'Content-Type: application/x-www-form-urlencoded'
curl returns the 781-byte page
So username is a valid parameter and only its value is wrong
Question 5
# ffuf -w names.txt:FUZZ -u http://faculty.academy.htb:30032/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -t 200
# ffuf -w names.txt:FUZZ -u http://faculty.academy.htb:30032/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -t 200 -fs 781
# curl http://faculty.academy.htb:30032/courses/linux-security.php7 -X POST -d 'username=Harry' -H 'Content-Type: application/x-www-form-urlencoded'
Summary
- Given an IP and its domain name, if the name does not resolve via public DNS, add it to /etc/hosts
- Run Sub-domain Fuzzing and VHost Fuzzing against the domain, and add every sub-domain found to /etc/hosts
- Run Extension Fuzzing against the domain and each sub-domain; indexFUZZ is a good probe
- Run Directory Fuzzing against the domain and each sub-domain to find sub-directories
- Combine the discovered extensions, sub-domains and directories for Page Fuzzing
- If a page says you have no access, run GET Parameter Fuzzing against it, using a placeholder value such as key first
- curl the page with each parameter found
- If the response says the method is deprecated, run POST Parameter Fuzzing, again with key as the placeholder value
- Run Value Fuzzing on the page with the parameter found
- curl the page with the value found
Common wordlists
- subdomain: /usr/share/wordlists/amass/subdomains-top1mil-5000.txt
- extension: /usr/share/wordlists/dirb/extensions_common.txt (extended by hand with entries such as .php7)
- directory: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- parameter: /usr/share/wordlists/burp-parameter-names.txt (copied from HTB)
- value: /usr/share/wordlists/dirb/others/names.txt (for usernames)