ffuf
v2.1.0
用 Go 编写的快速网络模糊器。
从发布页面下载预构建的二进制文件,解压并运行!
或者
如果您使用的是自制软件 macOS,则可以使用以下命令安装 ffuf: brew install ffuf
或者
如果您最近安装了 go 编译器: go install github.com/ffuf/ffuf/v2@latest (相同的命令适用于更新)
或者
git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build
FFuf 依赖于 Go 1.16 或更高版本。
下面的用法示例仅显示了使用ffuf可以完成的最简单的任务。
ffuf wiki 中提供了更详细的文档,其中包含许多功能和示例,网址为:https://github.com/ffuf/ffuf/wiki
如需更详细的文档以及现实生活中的使用示例和提示,请务必查看精彩指南:Michael Skelton (@codingo) 撰写的“关于 FFUF 您需要了解的一切”。
您还可以通过不同的课程和用例在本地使用 docker 容器 https://github.com/adamtlangley/ffufme 或针对 http://ffuf.me 创建的实时托管版本练习 ffuf 扫描。作者:亚当·兰利@adamtlangley。
通过在 URL 末尾使用 FUZZ 关键字 ( -u ):
ffuf -w /path/to/wordlist -u https://target/FUZZ
假设默认的虚拟主机响应大小为 4242 字节,我们可以在模糊 Host - 标头时过滤掉该大小的所有响应( -fs 4242 ):
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
GET 参数名称模糊测试与目录发现非常相似,通过将FUZZ关键字定义为 URL 的一部分来工作。这还假设无效 GET 参数名称的响应大小为 4242 字节。
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
如果参数名称已知,则可以以相同的方式对值进行模糊测试。此示例假设错误的参数值返回 HTTP 响应代码 401。
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
这是一个非常简单的操作,再次使用FUZZ关键字。此示例仅模糊 POST 请求的一部分。我们再次过滤掉 401 响应。
ffuf -w /path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fc 401
如果您不希望 ffuf 无限期地运行,可以使用-maxtime 。这将在给定时间(以秒为单位)后停止整个过程。
ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime 60
使用递归时,您可以使用-maxtime-job控制每个作业的最大时间。这将在给定时间(以秒为单位)后停止当前作业并继续下一个作业。当递归功能检测到子目录时,就会创建新作业。
ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 2
还可以组合两个标志来限制每个作业的最大执行时间以及总体执行时间。如果不使用递归,则两个标志的行为相同。
在此示例中,我们将对通过 POST 发送的 JSON 数据进行模糊测试。 Radamsa 被用作突变子。
当使用--input-cmd时,ffuf 将显示匹配项作为其位置。相同的位置值将作为环境变量$FFUF_NUM可供被调用者使用。我们将使用这个位置值作为变异器的种子。文件 example1.txt 和 example2.txt 包含有效的 JSON 负载。我们匹配所有响应,但过滤掉响应代码400 - Bad request :
ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/FUZZ -mc all -fc 400
当然,为每个有效负载调用 mutator 的效率不是很高,因此我们也可以预先生成有效负载,仍然以 Radamsa 为例:
# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt
# This results into files 1.txt ... 1000.txt
# Now we can just read the payload data in a loop from file for ffuf
ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400
运行 ffuf 时,它首先检查默认配置文件是否存在。 ffufrc文件的默认路径是$XDG_CONFIG_HOME/ffuf/ffufrc 。您可以在此文件中配置一个或多个选项,它们将应用于后续的每个 ffuf 作业。 ffufrc 文件的示例可以在此处找到。
有关配置文件位置的更详细描述可以在 wiki 中找到:https://github.com/ffuf/ffuf/wiki/Configuration
命令行上提供的配置选项会覆盖从默认ffufrc文件加载的配置选项。注意:这不适用于可以多次提供的 CLI 标志。这样的示例之一是-H (标头)标志。在这种情况下,命令行上提供的-H值将被附加到配置文件中的值。
此外,如果您希望针对不同的用例使用一堆配置文件,您可以通过使用-config命令行标志定义配置文件路径来实现此目的,该标志将配置文件的文件路径作为其参数。
要定义 ffuf 的测试用例,请在 URL ( -u )、标头 ( -H ) 或 POST 数据 ( -d ) 中的任意位置使用关键字FUZZ 。
Fuzz Faster U Fool - v2.1.0
HTTP OPTIONS:
-H Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
-cc Client cert for authentication. Client key needs to be defined as well for this to work
-ck Client key for authentication. Client certificate needs to be defined as well for this to work
-d POST data
-http2 Use HTTP2 protocol (default: false)
-ignore-body Do not fetch the response content. (default: false)
-r Follow redirects (default: false)
-raw Do not encode URI (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
-sni Target TLS SNI, does not support FUZZ keyword
-timeout HTTP request timeout in seconds. (default: 10)
-u Target URL
-x Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
GENERAL OPTIONS:
-V Show version information. (default: false)
-ac Automatically calibrate filtering options (default: false)
-acc Custom auto-calibration string. Can be used multiple times. Implies -ac
-ach Per host autocalibration (default: false)
-ack Autocalibration keyword (default: FUZZ)
-acs Custom auto-calibration strategies. Can be used multiple times. Implies -ac
-c Colorize output. (default: false)
-config Load configuration from a file
-json JSON output, printing newline-delimited JSON records (default: false)
-maxtime Maximum running time in seconds for entire process. (default: 0)
-maxtime-job Maximum running time in seconds per job. (default: 0)
-noninteractive Disable the interactive console functionality (default: false)
-p Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
-rate Rate of requests per second (default: 0)
-s Do not print additional information (silent mode) (default: false)
-sa Stop on all error cases. Implies -sf and -se. (default: false)
-scraperfile Custom scraper file path
-scrapers Active scraper groups (default: all)
-se Stop on spurious errors (default: false)
-search Search for a FFUFHASH payload from ffuf history
-sf Stop when > 95% of responses return 403 Forbidden (default: false)
-t Number of concurrent threads. (default: 40)
-v Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
MATCHER OPTIONS:
-mc Match HTTP status codes, or "all" for everything. (default: 200-299,301,302,307,401,403,405,500)
-ml Match amount of lines in response
-mmode Matcher set operator. Either of: and, or (default: or)
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-mw Match amount of words in response
FILTER OPTIONS:
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fmode Filter set operator. Either of: and, or (default: or)
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
INPUT OPTIONS:
-D DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
-e Comma separated list of extensions. Extends FUZZ keyword.
-enc Encoders for keywords, eg. 'FUZZ:urlencode b64encode'
-ic Ignore wordlist comments (default: false)
-input-cmd Command producing the input. --input-num is required when using this input method. Overrides -w.
-input-num Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
-input-shell Shell to be used for running command
-mode Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
-request File containing the raw http request
-request-proto Protocol to use along with raw request (default: https)
-w Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
OUTPUT OPTIONS:
-debug-log Write all of the internal logging to the specified file.
-o Write output to file
-od Directory path to store matched results to.
-of Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
-or Don't create the output file if we don't have results (default: false)
EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
Fuzz Host-header, match HTTP 200 responses.
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
Fuzz POST JSON data. Match all responses not containing text "error".
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json"
-d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
More information and examples: https://github.com/ffuf/ffuf
在 ffuf 执行期间按ENTER ,进程将暂停,用户将进入类似 shell 的交互模式:
entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help
available commands:
afc [value] - append to status code filter
fc [value] - (re)configure status code filter
afl [value] - append to line count filter
fl [value] - (re)configure line count filter
afw [value] - append to word count filter
fw [value] - (re)configure word count filter
afs [value] - append to size filter
fs [value] - (re)configure size filter
aft [value] - append to time filter
ft [value] - (re)configure time filter
rate [value] - adjust rate of requests per second (active: 0)
queueshow - show job queue
queuedel [number] - delete a job in the queue
queueskip - advance to the next queued job
restart - restart and resume the current ffuf job
resume - resume current ffuf job (or: ENTER)
show - show results for the current job
savejson [filename] - save current matches to a file
help - you are looking at it
>
在此模式下,可以重新配置过滤器、管理队列并将当前状态保存到磁盘。
当(重新)配置过滤器时,它们会在死后应用,并且内存中本应被新添加的过滤器过滤掉的所有误报匹配都将被删除。
可以使用命令show打印出匹配的新状态,该命令将打印出所有匹配,就像ffuf找到它们一样。
由于“负”匹配不会存储到内存中,因此放松过滤器无法不幸地找回丢失的匹配。对于这种情况,用户可以使用命令restart ,该命令重置状态并从头开始当前作业。
ffuf 是根据 MIT 许可发布的。请参阅许可证。
