Fuzzing Web Apps Full Guide

Introduction

In this post I will explain how to use ffuf for directory discovery, subdomain enumeration, brute-force attacks, parameter mining, and more.

Cheat Sheet

ffuf

  • FUZZ: the position where the payload is inserted
  • -u: target URL
  • -w: wordlist file
  • -fc: filter out responses by HTTP status code
  • -fs: filter out responses by size
  • -mc: match responses by HTTP status code
  • -p: seconds to pause between requests
  • -t: number of threads

Wordlists

I will use SecLists for all enumeration.

Target

Our target site: ffuf.me

Basic Content Discovery

We will perform basic directory and file enumeration.

ffuf -u http://ffuf.me/cd/basic/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/cd/basic/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

class                   [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 68ms]
development.log         [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 63ms]
:: Progress: [4727/4727] :: Job [1/1] :: 543 req/sec :: Duration: [0:00:08] :: Errors: 0 ::

We found /class and /development.log.

Recursive Fuzzing

ffuf -u http://ffuf.me/cd/recursion/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -recursion
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/cd/recursion/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

admin                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 65ms]
[INFO] Adding a new job to the queue: http://ffuf.me/cd/recursion/admin/FUZZ
[INFO] Starting queued job on target: http://ffuf.me/cd/recursion/admin/FUZZ
users                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 67ms]
[INFO] Adding a new job to the queue: http://ffuf.me/cd/recursion/admin/users/FUZZ
[INFO] Starting queued job on target: http://ffuf.me/cd/recursion/admin/users/FUZZ
96                      [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 76ms]
:: Progress: [4727/4727] :: Job [3/3] :: 330 req/sec :: Duration: [0:00:08] :: Errors: 0 ::

We found /admin/users/96.

Adding Extensions

Visiting /logs gives us a 403, so we will fuzz for log files, appending the .log extension to every word.

ffuf -u http://ffuf.me/cd/ext/logs/FUZZ -e .log -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/cd/ext/logs/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .log 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

users.log               [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 70ms]
:: Progress: [9454/9454] :: Job [1/1] :: 581 req/sec :: Duration: [0:00:17] :: Errors: 0

Non-404 Pages

This time non-existent pages also return 200, so filtering on status code alone does not help; instead we filter out the default page by its response size (669 bytes).

ffuf -u http://ffuf.me/cd/no404/FUZZ -e .log -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -fs 669
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/cd/no404/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .log 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 669
________________________________________________

secret                  [Status: 200, Size: 25, Words: 4, Lines: 1, Duration: 94ms]

Parameter Mining

This time the page returns 400 because a required parameter is missing, so we fuzz the parameter name.

ffuf -u "http://ffuf.me/cd/param/data/?FUZZ=data" -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/cd/param/data/?FUZZ=data
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

debug                   [Status: 200, Size: 24, Words: 3, Lines: 1, Duration: 77ms]

Rate Limiting

This time the endpoint is rate-limited to 50 requests per second; beyond that we receive a 429 status code.

So I will start 50 threads and pause 1 second after each request in every thread, which gives us 50 requests per second in total.

I will only show responses with status 200 or 429.

ffuf -u http://ffuf.me/cd/rate/FUZZ -p 1 -t 50 -mc 200,429  -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/cd/rate/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Delay            : 1.00 seconds
 :: Matcher          : Response status: 200,429
________________________________________________

oracle                  [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 74ms]

Pipes

We will test a few user IDs for IDOR vulnerabilities.

First we iterate from 1 to 1000, feeding the numbers to ffuf over stdin.

seq 1 1000 | ffuf -u http://ffuf.me/cd/pipes/user?id=FUZZ -w -
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/cd/pipes/user?id=FUZZ
 :: Wordlist         : FUZZ: -
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

657                     [Status: 200, Size: 13, Words: 3, Lines: 1, Duration: 64ms]
:: Progress: [1000/1000] :: Job [1/1] :: 571 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

If needed, we can also base64-encode the numbers:

seq 1 1000 | hashit b64 | ffuf -w - -u http://ffuf.me/cd/pipes/user2?id=FUZZ

or hash them with md5:

seq 1 1000 | hashit md5 | ffuf -w - -u http://ffuf.me/cd/pipes/user3?id=FUZZ
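The two hashit pipelines above can be reproduced with coreutils alone. This is an added example, not from the original post; it assumes GNU coreutils (seq, base64, md5sum) and that the encoded value is the bare number with no trailing newline.

```shell
#!/bin/sh
# Added example: build an encoded ID wordlist for ffuf's `-w -` (stdin) mode
# with coreutils instead of hashit. Assumption (not from the post): the value
# is encoded without a trailing newline, which is what printf '%s' produces.
#
# Usage: gen_ids <plain|b64|md5> <first> <last>
gen_ids() {
  enc="$1"; first="$2"; last="$3"
  seq "$first" "$last" | while IFS= read -r id; do
    case "$enc" in
      plain) printf '%s\n' "$id" ;;
      # base64 prints its own newline; short inputs never hit the 76-column wrap
      b64)   printf '%s' "$id" | base64 ;;
      # md5sum prints "<hex>  -"; keep only the digest
      md5)   printf '%s' "$id" | md5sum | cut -d' ' -f1 ;;
      *)     echo "gen_ids: unknown encoding '$enc'" >&2; return 1 ;;
    esac
  done
}

# The post's pipelines, with coreutils in place of hashit:
#   gen_ids b64 1 1000 | ffuf -w - -u http://ffuf.me/cd/pipes/user2?id=FUZZ
#   gen_ids md5 1 1000 | ffuf -w - -u http://ffuf.me/cd/pipes/user3?id=FUZZ
```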

Virtual Host Discovery

Simply put, virtual hosting is a way of serving multiple domains from a single server.

We try to discover which other hosts may be served by our target server, which widens the attack surface.

We can do this by fuzzing the Host header, since it tells the server which site we are asking for, and filtering out the default response by its size.

ffuf -u http://ffuf.me/ -H "Host: FUZZ.ffuf.me" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fs 1495
/'___\  /'___\           /'___\              
/\ \__/ /\ \__/  __  __  /\ \__/              
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\              
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/              
\ \_\   \ \_\  \ \____/  \ \_\                
 \/_/    \/_/   \/___/    \/_/              
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://ffuf.me/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.ffuf.me
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 1495
________________________________________________

redhat                  [Status: 200, Size: 15, Words: 2, Lines: 1, Duration: 89ms]
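From the server side, the content-discovery and Host-header runs above leave a distinctive trail. This added example (not from the post) flags clients by the number of distinct paths and distinct Host values they request, which works even against the "no404" setup where counting 404s would see nothing; the log format and sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): spot ffuf-style content discovery and
# Host-header fuzzing in a web server log. Counting 404s is not enough, because
# a "no404" site answers 200 for everything, so this counts what a fuzzer cannot
# hide: distinct paths and distinct Host values per client IP.
#
# Log format assumed here (constructed for the example), one request per line:
#   <client_ip> <host_header> "<method> <path> <proto>" <status>

# Constructed sample: one ordinary visitor, and one client walking a wordlist
# against a server that returns 200 for unknown paths, then fuzzing Host.
make_sample_log() {
  printf '%s\n' '203.0.113.7 ffuf.me "GET / HTTP/1.1" 200'
  printf '%s\n' '203.0.113.7 ffuf.me "GET /about HTTP/1.1" 200'
  for w in admin backup class logs old secret test users v1 v2; do
    printf '%s\n' "198.51.100.9 ffuf.me \"GET /cd/no404/$w HTTP/1.1\" 200"
  done
  for h in dev mail redhat staging; do
    printf '%s\n' "198.51.100.9 $h.ffuf.me \"GET / HTTP/1.1\" 200"
  done
}

# flag_fuzzers <logfile> <max_paths> <max_hosts>
# Prints "<ip> paths=<n> hosts=<m>" for each client over either threshold.
# In production, run this per time window (e.g. one minute) so that a slow
# legitimate crawler does not accumulate past the threshold.
flag_fuzzers() {
  awk -v maxp="$2" -v maxh="$3" '
    {
      ip = $1; host = $2; path = $4          # $4 is the path inside the quoted request line
      if (!((ip, path) in seenp)) { seenp[ip, path] = 1; paths[ip]++ }
      if (!((ip, host) in seenh)) { seenh[ip, host] = 1; hosts[ip]++ }
    }
    END {
      for (ip in paths)
        if (paths[ip] > maxp || hosts[ip] > maxh)
          printf "%s paths=%d hosts=%d\n", ip, paths[ip], hosts[ip]
    }' "$1"
}
```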

Brute-Force Attacks

Capture the login request:

POST /login HTTP/1.1
Host: 10.10.10.10
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json
Origin: http://10.10.10.10
Referer: http://10.10.10.10/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"username":"USERFUZZ","password":"PASSFUZZ"}

Replace the fields to be attacked with placeholder keywords, as with USERFUZZ and PASSFUZZ above, and save the request to a file.

There are different attack modes, similar to those of Burp Intruder; clusterbomb tries every combination of the two wordlists.

ffuf -request request.txt -request-proto http -mode clusterbomb -w /path/to/users/file.txt:USERFUZZ -w /path/to/password/file.txt:PASSFUZZ -mc 200