Fuzzing

The term fuzzing refers to a testing technique that sends various types of user input to a certain interface to study how it reacts. If we were fuzzing for SQL injection vulnerabilities, we would send random special characters and see how the server reacts. If we were fuzzing for a buffer overflow, we would send long strings and increase their length to see whether and when the binary breaks.
We usually use pre-defined wordlists of commonly used terms for each type of web fuzzing to see whether the web server accepts them. This is done because web servers do not usually provide a directory of all available links and domains (unless configured to do so), so we have to check various links and see which ones return pages.

Some of the most commonly used wordlists can be found in the GitHub SecLists repository, which categorizes wordlists by the type of fuzzing they serve and even includes commonly used passwords, which we will later use for password brute forcing.


Ffuf

usage

ffuf -h

HTTP OPTIONS:
  -H               Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
  -X               HTTP method to use (default: GET)
  -b               Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
  -d               POST data
  -recursion       Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
  -recursion-depth Maximum recursion depth. (default: 0)
  -u               Target URL
...SNIP...

MATCHER OPTIONS:
  -mc              Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
  -ms              Match HTTP response size
...SNIP...

FILTER OPTIONS:
  -fc              Filter HTTP status codes from response. Comma separated list of codes and ranges
  -fs              Filter HTTP response size. Comma separated list of sizes and ranges
...SNIP...

INPUT OPTIONS:
...SNIP...
  -w               Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:
  -o               Write output to file
...SNIP...

EXAMPLE USAGE:
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
  Colored, verbose output.
    ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
...SNIP...

Directory Fuzzing

As we can see from the example above, the two main options are -w for the wordlist and -u for the URL. We can assign a keyword to a wordlist so that we can refer to it wherever we want to fuzz. For example, we can pick our wordlist and assign it the keyword FUZZ by appending :FUZZ after it:

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ

Next, since we want to fuzz web directories, we place the FUZZ keyword where the directory would be within the URL:

 ffuf -w <SNIP> -u http://SERVER_IP:PORT/FUZZ

Now, let's start our target from the question below and run our final command against it:

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

If we are in a hurry, we can even speed things up by increasing the number of threads to 200, for example with -t 200, but this is not recommended, especially on remote sites, as it may disrupt them, cause a denial of service, or in serious cases get your internet connection cut off.

^tips: We get an empty page, which indicates that the directory has no dedicated page, but it also shows that we do have access to it, since we did not get an HTTP code 404 Not Found or 403 Access Denied. In the next section, we will look for pages under this directory to see whether it is really empty or whether there are hidden files and pages.

practice

target:
ip: 143.110.174.175:32434
In addition to the directory we found above, there is another directory to be found. What is it?

kali:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://143.110.174.175:32434/FUZZ


Page Fuzzing

We now understand the basic use of ffuf through wordlists and keywords. Next, we will learn how to locate pages.

Extension Fuzzing

In the previous section, we found that we had access to /blog, but the directory returned an empty page, and we could not manually locate any links or pages. So we will once again use web fuzzing to see whether the directory contains any hidden pages. However, before we start, we must find out what types of pages the website uses, such as .html, .aspx, .php, or others.
One common way to identify this is by looking up the server type in the HTTP response headers and guessing the extension. For example, if the server is Apache, it may be .php; if it is IIS, it could be .asp or .aspx, and so on. This method is not very practical, though. So we will again use ffuf to fuzz the extension, similar to how we fuzzed for directories. Instead of placing the FUZZ keyword where the directory name would be, we place it where the extension would be, .FUZZ, and use a wordlist of common extensions. We can use the following wordlist from SecLists for extensions:

 ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ <SNIP>

Before we start fuzzing, we must specify which file the extension will be appended to! We could always use two wordlists, each with a unique keyword, and then fuzz both as FUZZ_1.FUZZ_2. However, there is one file we can almost always find on a website, index.*, so we will use it as our file and fuzz extensions on it.

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ

Page Fuzzing

We will now use the same keyword concept with ffuf, use .php as the extension, place the FUZZ keyword where the filename would be, and use the same wordlist we used for fuzzing directories:

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

practice

target: 143.110.174.175:32434
Try to use what you learned in this section to fuzz the '/blog' directory and find all pages. One of them should contain a flag. What is the flag?

kali:

┌──(root💀kali)-[/usr/share/seclists]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://143.110.174.175:32434/blog/indexFUZZ -ic

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://143.110.174.175:32434/blog/indexFUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/web-extensions.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

.php                    [Status: 200, Size: 0, Words: 1, Lines: 1]
.phps                   [Status: 403, Size: 283, Words: 20, Lines: 10]
:: Progress: [40/40] :: Job [1/1] :: 21 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

Found that the .php and .phps suffixes are available.

First, look at the .php suffix:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://143.110.174.175:32434/blog/FUZZ.php -ic

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://143.110.174.175:32434/blog/FUZZ.php
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 403, Size: 283, Words: 20, Lines: 10]
home                    [Status: 200, Size: 1046, Words: 438, Lines: 58]

Found a home.php.

Visiting http://143.110.174.175:32434/blog/home.php gives the flag.


Recursive Fuzzing

So far, we have been fuzzing for directories, then going under those directories, and then fuzzing for files. However, if we had dozens of directories, each with its own subdirectories and files, this would take a very long time to complete. To automate this, we will use what is known as recursive fuzzing.

Recursive Flags

When we scan recursively, ffuf automatically starts another scan under any newly identified directory until it has fuzzed the main website and all of its subdirectories.
Some websites may have a big tree of subdirectories, like /login/user/content/uploads/... and so on, which expands the scanning tree and may take a very long time to scan. This is why it is always advised to specify a depth for a recursive scan, so that it does not scan directories deeper than that depth. Once we have fuzzed the first level of directories, we can pick the most interesting ones and run another scan to direct our scanning better.
In ffuf, we can enable recursive scanning with the -recursion flag, and we can specify the depth with the -recursion-depth flag. If we specify -recursion-depth 1, it will only fuzz the main directory and its direct subdirectories. If any deeper subdirectories are identified (like /login/user), they will not be fuzzed for pages. When using recursion in ffuf, we can specify our extension with -e .php.

Finally, we will also add the -v flag to output the full URLs. Otherwise, it may be difficult to tell which .php file lies under which directory.

Recursive Scanning

Let's repeat the first command we used, adding the recursion flags to it while specifying .php as our extension:

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v
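The following Python script is an added example, not code from the original notes or from the ffuf project. It models offline how ffuf assembles the requests described in the directory, extension, page and recursive sections: FUZZ keyword substitution, -e extension appending, the -mc matcher and -fs filter, the -ic handling of wordlist comment lines, and the job queue behind -recursion and -recursion-depth. SITE, WORDLIST and fake_get are constructed stand-ins for the target web server.

```python
# Added example, not from the original notes or the ffuf project: an offline model of
# how ffuf turns a wordlist into requests. SITE, WORDLIST and fake_get are constructed
# stand-ins for the target web server; no network traffic is generated.
from collections import deque

# Constructed site map: path -> (status, size). Directories answer 301 without a
# trailing slash, as in the page's output; anything not listed is a 404.
SITE = {
    "/": (200, 986), "/.php": (403, 282),
    "/blog": (301, 324), "/blog/": (200, 0), "/blog/.php": (403, 282),
    "/blog/index.php": (200, 0), "/blog/index.phps": (403, 283), "/blog/home.php": (200, 1046),
    "/forum": (301, 325), "/forum/": (200, 0), "/forum/.php": (403, 282),
    "/forum/index.php": (200, 0), "/forum/flag.php": (200, 21),
}
# Constructed wordlist. The "#" line and the empty line mimic the header of
# directory-list-2.3-small.txt, which ffuf sends as-is unless -ic is given.
WORDLIST = ["# directory-list-2.3-small.txt", "", "blog", "forum", "home", "index", "flag"]
DEFAULT_MC = {200, 204, 301, 302, 307, 401, 403, 405}   # ffuf's default -mc set

def fake_get(path):
    """Stand-in for an HTTP GET. Text after '#' is a URL fragment, so a comment line
    collapses to a request for the directory itself: this is why the page's recursive
    scan shows many '# ...' hits with exactly the size of '/' or '/forum/'."""
    return SITE.get(path.split("#", 1)[0], (404, 275))

def fuzz(template, wordlist, keyword="FUZZ", extensions=(), mc=DEFAULT_MC, fs=(),
         recursion=False, depth=0, ignore_comments=False):
    """Return [(path, status, size)] in the order ffuf would report them.
    template must contain keyword and, for recursion, must end in it (ffuf's rule).
    depth follows ffuf: 0 is unlimited, 1 is the main directory plus its direct children."""
    hits, jobs = [], deque([(template, 0)])
    while jobs:
        tmpl, level = jobs.popleft()
        for word in wordlist:
            if ignore_comments and word.startswith("#"):        # -ic
                continue
            # -e adds one extra candidate per extension next to the bare word
            for cand in [word] + [word + ext for ext in extensions]:
                path = tmpl.replace(keyword, cand)
                status, size = fake_get(path)
                if (mc != "all" and status not in mc) or size in fs:
                    continue                                     # -mc / -fs
                hits.append((path, status, size))
                # A redirect on a bare word is taken as a directory and queued as a new
                # job, approximating ffuf's check for a Location header ending in "/".
                if (recursion and status == 301 and cand == word and tmpl.endswith(keyword)
                        and (depth == 0 or level < depth)):
                    jobs.append((path + "/" + keyword, level + 1))
    return hits

if __name__ == "__main__":
    for path, status, size in fuzz("/FUZZ", WORDLIST, extensions=(".php",),
                                   recursion=True, depth=1, ignore_comments=True):
        print("%-24s [Status: %d, Size: %d]" % (path, status, size))
```

Running fuzz("/FUZZ", WORDLIST) without ignore_comments reproduces the duplicate "# ..." hits seen in the recursive scan output above, and passing fs={0} drops the empty pages the way -fs 0 would.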

practice

Target: 143.110.174.175:32434

Q: Try to repeat what you have learned so far to find more files/directories. One of them should give you the flag. What is the content of the flag?

kali:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://165.232.46.252:32335/FUZZ -recursion -recursion-depth 1 -e .php -v -t 60

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://165.232.46.252:32335/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 60
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

[Status: 200, Size: 986, Words: 423, Lines: 56]
| URL | http://165.232.46.252:32335/# directory-list-2.3-small.txt
    * FUZZ: # directory-list-2.3-small.txt

[Status: 200, Size: 986, Words: 423, Lines: 56]
| URL | http://165.232.46.252:32335/# on at least 3 different hosts.php
    * FUZZ: # on at least 3 different hosts.php

[Status: 200, Size: 986, Words: 423, Lines: 56]
| URL | http://165.232.46.252:32335/# Attribution-Share Alike 3.0 License. To view a copy of this.php
    * FUZZ: # Attribution-Share Alike 3.0 License. To view a copy of this.php

[Status: 301, Size: 324, Words: 20, Lines: 10]
| URL | http://165.232.46.252:32335/blog
| --> | http://165.232.46.252:32335/blog/
    * FUZZ: blog

[INFO] Adding a new job to the queue: http://165.232.46.252:32335/blog/FUZZ

[Status: 403, Size: 282, Words: 20, Lines: 10]
| URL | http://165.232.46.252:32335/.php
    * FUZZ: .php

[Status: 301, Size: 325, Words: 20, Lines: 10]
| URL | http://165.232.46.252:32335/forum
| --> | http://165.232.46.252:32335/forum/
    * FUZZ: forum

Many directories were found; I won't go through them all here and will go straight to the result: scanning this forum directory:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://165.232.46.252:32335/forum/FUZZ -recursion -recursion-depth 1 -e .php -v -t 60

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://165.232.46.252:32335/forum/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 60
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# This work is licensed under the Creative Commons
    * FUZZ: # This work is licensed under the Creative Commons

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#.php
    * FUZZ: #.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# directory-list-2.3-small.txt
    * FUZZ: # directory-list-2.3-small.txt

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#.php
    * FUZZ: #.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#
    * FUZZ: #

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Attribution-Share Alike 3.0 License. To view a copy of this
    * FUZZ: # Attribution-Share Alike 3.0 License. To view a copy of this

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Priority-ordered case-sensitive list, where entries were found
    * FUZZ: # Priority-ordered case-sensitive list, where entries were found

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/
    * FUZZ: 

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# on at least 3 different hosts
    * FUZZ: # on at least 3 different hosts

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# This work is licensed under the Creative Commons.php
    * FUZZ: # This work is licensed under the Creative Commons.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# on at least 3 different hosts.php
    * FUZZ: # on at least 3 different hosts.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Suite 300, San Francisco, California, 94105, USA..php
    * FUZZ: # Suite 300, San Francisco, California, 94105, USA..php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Suite 300, San Francisco, California, 94105, USA.
    * FUZZ: # Suite 300, San Francisco, California, 94105, USA.

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#
    * FUZZ: #

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Copyright 2007 James Fisher
    * FUZZ: # Copyright 2007 James Fisher

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# license, visit http://creativecommons.org/licenses/by-sa/3.0/.php
    * FUZZ: # license, visit http://creativecommons.org/licenses/by-sa/3.0/.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/index.php
    * FUZZ: index.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# directory-list-2.3-small.txt.php
    * FUZZ: # directory-list-2.3-small.txt.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Priority-ordered case-sensitive list, where entries were found.php
    * FUZZ: # Priority-ordered case-sensitive list, where entries were found.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Copyright 2007 James Fisher.php
    * FUZZ: # Copyright 2007 James Fisher.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# or send a letter to Creative Commons, 171 Second Street,.php
    * FUZZ: # or send a letter to Creative Commons, 171 Second Street,.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#.php
    * FUZZ: #.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# license, visit http://creativecommons.org/licenses/by-sa/3.0/
    * FUZZ: # license, visit http://creativecommons.org/licenses/by-sa/3.0/

[Status: 403, Size: 282, Words: 20, Lines: 10]
| URL | http://165.232.46.252:32335/forum/.php
    * FUZZ: .php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# or send a letter to Creative Commons, 171 Second Street,
    * FUZZ: # or send a letter to Creative Commons, 171 Second Street,

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#
    * FUZZ: #

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#
    * FUZZ: #

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/# Attribution-Share Alike 3.0 License. To view a copy of this.php
    * FUZZ: # Attribution-Share Alike 3.0 License. To view a copy of this.php

[Status: 200, Size: 0, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/#.php
    * FUZZ: #.php

[Status: 200, Size: 21, Words: 1, Lines: 1]
| URL | http://165.232.46.252:32335/forum/flag.php
    * FUZZ: flag.php

Clearly, the flag is right in here.

This concludes basic fuzzing for now.

Cheat Sheet

Ffuf

ffuf help:
    ffuf -h

Directory Fuzzing:
    ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ

Extension Fuzzing:
    ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ

Page Fuzzing:
    ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php

Recursive Fuzzing:
    ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

Sub-domain Fuzzing:
    ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/

VHost Fuzzing:
    ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx

Parameter Fuzzing - GET:
    ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx

Parameter Fuzzing - POST:
    ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Value Fuzzing:
    ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Wordlists

Directory/Page Wordlist:
    /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

Extensions Wordlist:
    /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt

Domain Wordlist:
    /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Parameters Wordlist:
    /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt

Misc

Add DNS entry:
    sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'

Create Sequence Wordlist:
    for i in $(seq 1 1000); do echo $i >> ids.txt; done

curl w/ POST:
    curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
