# ffuf

**Repository Path**: jonathon11/ffuf

## Basic Information

- **Project Name**: ffuf
- **Description**: A fast web fuzzer written in Go. The tool is versatile and can be used for many purposes, among them: directory discovery, optionally fuzzing at any position in the URL; subdomain discovery; fuzzing with various HTTP methods.
- **Primary Language**: Unknown
- **License**: MIT
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2024-12-10
- **Last Updated**: 2024-12-10

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

### ffuf - Fuzz Faster U Fool

A fast web fuzzer written in Go.

### Installation

Download a prebuilt binary from the releases page, unpack and run!

or

If you are on macOS with homebrew installed, ffuf can be installed with:

```
brew install ffuf
```

or

If you have a recent Go compiler installed (the same command also works for updating):

```
go install github.com/ffuf/ffuf/v2@latest
```

or

```
git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build
```

Ffuf depends on Go 1.16 or greater.

### Example usage

The usage examples below show only the simplest tasks you can accomplish with ffuf.

More elaborate documentation that goes through many features with a lot of examples is available in the ffuf wiki at https://github.com/ffuf/ffuf/wiki

For more extensive documentation, with real-life usage examples and tips, be sure to check out the awesome guide "Everything you need to know about FFUF" by Michael Skelton (@codingo).

You can also practise your ffuf scans against a live host with different lessons and use cases, either locally by using the docker container https://github.com/adamtlangley/ffufme or against the live hosted version at http://ffuf.me created by Adam Langley (@adamtlangley).

#### Typical directory discovery

By using the FUZZ keyword at the end of the URL (-u):

```
ffuf -w /path/to/wordlist -u https://target/FUZZ
```

#### Virtual host discovery (without DNS records)

Assuming that the default virtualhost response size is 4242 bytes, we can filter out all responses of that size (-fs 4242) while fuzzing the Host header:

```
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
```

#### GET parameter fuzzing

GET parameter name fuzzing is very similar to directory discovery and works by defining the FUZZ keyword as part of the URL. This also assumes a response size of 4242 bytes for an invalid GET parameter name.

```
ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
```

If the parameter name is known, the values can be fuzzed the same way. This example assumes that a wrong parameter value returns HTTP response code 401.

```
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401
```

#### POST data fuzzing

This is a very straightforward operation, again using the FUZZ keyword. This example fuzzes only part of the POST request. We are again filtering out the 401 responses.

```
ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401
```

#### Maximum execution time

If you do not want ffuf to run indefinitely, you can use -maxtime. This stops the whole process after the given time (in seconds).

```
ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime 60
```

When working with recursion, you can control the maximum time per job with -maxtime-job. This stops the current job after the given time (in seconds) and continues with the next one. New jobs are created when the recursion functionality detects a subdirectory.

```
ffuf -w /path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 2
```

It is also possible to combine both flags, limiting the per-job maximum execution time as well as the overall execution time. If you do not use recursion, both flags behave the same way.

#### Using an external mutator to produce test cases

In this example we fuzz JSON data that is sent over POST. Radamsa is used as the mutator.

When --input-cmd is used, ffuf displays matches by their position. This same position value is made available to the callee as the environment variable $FFUF_NUM. We use this position value as the seed for the mutator. The files example1.txt and example2.txt contain valid JSON payloads. We match all responses, but filter out response code 400 - Bad request:

```
ffuf --input-cmd 'radamsa --seed $FFUF_NUM example1.txt example2.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/FUZZ -mc all -fc 400
```

Calling the mutator for every payload is of course not very efficient, so we can also pre-generate the payloads, still using Radamsa as the example:

```
# Generate 1000 example payloads
radamsa -n 1000 -o %n.txt example1.txt example2.txt

# This results in files 1.txt ... 1000.txt

# Now we can just read the payload data in a loop from file for ffuf
ffuf --input-cmd 'cat $FFUF_NUM.txt' -H "Content-Type: application/json" -X POST -u https://ffuf.io.fi/ -mc all -fc 400
```

### Configuration files

When ffuf runs, it first checks whether a default configuration file exists. The default path for the file is $XDG_CONFIG_HOME/ffuf/ffufrc. You can configure one or more options in this file, and they will be applied to every subsequent ffuf job. An example ffufrc file ships with the project.

A more detailed description of configuration file locations can be found in the wiki: https://github.com/ffuf/ffuf/wiki/Configuration

Configuration options provided on the command line override the ones loaded from the default ffufrc file. Note: this does not apply to CLI flags that can be provided more than once. One such example is the -H (header) flag. In that case, the -H values provided on the command line are appended to the ones from the configuration file.

Additionally, in case you wish to use a bunch of configuration files for different use cases, you can do so by defining the configuration file path with the -config command line flag, which takes the path to the configuration file as its parameter.

### Usage

To define the test case for ffuf, use the keyword FUZZ anywhere in the URL (-u), headers (-H), or POST data (-d).

```
Fuzz Faster U Fool - v2.1.0

HTTP OPTIONS:
  -H                  Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
  -X                  HTTP method to use
  -b                  Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
  -cc                 Client cert for authentication. Client key needs to be defined as well for this to work
  -ck                 Client key for authentication. Client certificate needs to be defined as well for this to work
  -d                  POST data
  -http2              Use HTTP2 protocol (default: false)
  -ignore-body        Do not fetch the response content. (default: false)
  -r                  Follow redirects (default: false)
  -raw                Do not encode URI (default: false)
  -recursion          Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
  -recursion-depth    Maximum recursion depth. (default: 0)
  -recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
  -replay-proxy       Replay matched requests using this proxy.
  -sni                Target TLS SNI, does not support FUZZ keyword
  -timeout            HTTP request timeout in seconds. (default: 10)
  -u                  Target URL
  -x                  Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080

GENERAL OPTIONS:
  -V                  Show version information. (default: false)
  -ac                 Automatically calibrate filtering options (default: false)
  -acc                Custom auto-calibration string. Can be used multiple times. Implies -ac
  -ach                Per host autocalibration (default: false)
  -ack                Autocalibration keyword (default: FUZZ)
  -acs                Custom auto-calibration strategies. Can be used multiple times. Implies -ac
  -c                  Colorize output. (default: false)
  -config             Load configuration from a file
  -json               JSON output, printing newline-delimited JSON records (default: false)
  -maxtime            Maximum running time in seconds for entire process. (default: 0)
  -maxtime-job        Maximum running time in seconds per job. (default: 0)
  -noninteractive     Disable the interactive console functionality (default: false)
  -p                  Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -rate               Rate of requests per second (default: 0)
  -s                  Do not print additional information (silent mode) (default: false)
  -sa                 Stop on all error cases. Implies -sf and -se. (default: false)
  -scraperfile        Custom scraper file path
  -scrapers           Active scraper groups (default: all)
  -se                 Stop on spurious errors (default: false)
  -search             Search for a FFUFHASH payload from ffuf history
  -sf                 Stop when > 95% of responses return 403 Forbidden (default: false)
  -t                  Number of concurrent threads. (default: 40)
  -v                  Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

MATCHER OPTIONS:
  -mc                 Match HTTP status codes, or "all" for everything. (default: 200-299,301,302,307,401,403,405,500)
  -ml                 Match amount of lines in response
  -mmode              Matcher set operator. Either of: and, or (default: or)
  -mr                 Match regexp
  -ms                 Match HTTP response size
  -mt                 Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -mw                 Match amount of words in response

FILTER OPTIONS:
  -fc                 Filter HTTP status codes from response. Comma separated list of codes and ranges
  -fl                 Filter by amount of lines in response. Comma separated list of line counts and ranges
  -fmode              Filter set operator. Either of: and, or (default: or)
  -fr                 Filter regexp
  -fs                 Filter HTTP response size. Comma separated list of sizes and ranges
  -ft                 Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
  -fw                 Filter by amount of words in response. Comma separated list of word counts and ranges

INPUT OPTIONS:
  -D                  DirSearch wordlist compatibility mode. Used in conjunction with -e flag. (default: false)
  -e                  Comma separated list of extensions. Extends FUZZ keyword.
  -enc                Encoders for keywords, eg. 'FUZZ:urlencode b64encode'
  -ic                 Ignore wordlist comments (default: false)
  -input-cmd          Command producing the input. --input-num is required when using this input method. Overrides -w.
  -input-num          Number of inputs to test. Used in conjunction with --input-cmd. (default: 100)
  -input-shell        Shell to be used for running command
  -mode               Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
  -request            File containing the raw http request
  -request-proto      Protocol to use along with raw request (default: https)
  -w                  Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'

OUTPUT OPTIONS:
  -debug-log          Write all of the internal logging to the specified file.
  -o                  Write output to file
  -od                 Directory path to store matched results to.
  -of                 Output file format. Available formats: json, ejson, html, md, csv, ecsv (or, 'all' for all formats) (default: json)
  -or                 Don't create the output file if we don't have results (default: false)

EXAMPLE USAGE:
  Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
  Colored, verbose output.
    ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v

  Fuzz Host-header, match HTTP 200 responses.
    ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

  Fuzz POST JSON data. Match all responses not containing text "error".
    ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
      -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

  Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
    ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c

  More information and examples: https://github.com/ffuf/ffuf
```

### Interactive mode

By pressing ENTER during ffuf execution, the process is paused and the user is dropped into a shell-like interactive mode:

```
entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help

available commands:
 afc  [value]             - append to status code filter
 fc   [value]             - (re)configure status code filter
 afl  [value]             - append to line count filter
 fl   [value]             - (re)configure line count filter
 afw  [value]             - append to word count filter
 fw   [value]             - (re)configure word count filter
 afs  [value]             - append to size filter
 fs   [value]             - (re)configure size filter
 aft  [value]             - append to time filter
 ft   [value]             - (re)configure time filter
 rate [value]             - adjust rate of requests per second (active: 0)
 queueshow                - show job queue
 queuedel [number]        - delete a job in the queue
 queueskip                - advance to the next queued job
 restart                  - restart and resume the current ffuf job
 resume                   - resume current ffuf job (or: ENTER)
 show                     - show results for the current job
 savejson [filename]      - save current matches to a file
 help                     - you are looking at it
>
```

In this mode, filters can be reconfigured, the job queue managed, and the current state saved to disk.

When filters are (re)configured, they are applied retroactively, and all false-positive matches held in memory that the newly added filters would have rejected get DELETED. The new state of the matches can be printed with the show command, which prints all matches as they would have been found by ffuf.

Because "negative" matches are not stored in memory, relaxing the filters unfortunately cannot bring back lost matches. For that scenario the user can use the restart command, which resets the state and starts the current job from the beginning.
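The virtual host, GET parameter and POST data examples above all rely on the same decision: a response is printed only when the matchers (-mc and friends, joined by -mmode) accept it and none of the filters (-fs, -fc and friends, joined by -fmode) reject it. The Go program below is an added illustration of that decision logic written for this page; it is not ffuf's own code, and the `Response` type, the `RangeRule`/`RuleSet`/`Shown` names and the 1-based range parsing are assumptions made here. It goes a little beyond the single `-fs 4242` case by handling the full "comma separated list of values and ranges" syntax (including `all`) and both set operators.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Response is a constructed stand-in for the properties a matcher or filter inspects.
type Response struct {
	Status int // HTTP status code (-mc / -fc)
	Size   int // body size in bytes (-ms / -fs)
}

// parseRanges parses the "comma separated list of values and ranges" syntax shared by
// -mc, -fc, -fs, -fw and -fl into inclusive [lo, hi] pairs. "all" (valid for -mc) covers everything.
func parseRanges(spec string) ([][2]int, error) {
	if strings.TrimSpace(spec) == "all" {
		return [][2]int{{0, 1<<31 - 1}}, nil
	}
	var out [][2]int
	for _, part := range strings.Split(spec, ",") {
		lo, hi, isRange := strings.Cut(strings.TrimSpace(part), "-")
		a, errA := strconv.Atoi(lo)
		b, errB := a, error(nil)
		if isRange {
			b, errB = strconv.Atoi(hi)
		}
		if errA != nil || errB != nil || b < a {
			return nil, fmt.Errorf("bad range %q", part)
		}
		out = append(out, [2]int{a, b})
	}
	return out, nil
}

// Rule is one matcher or filter; true means the response satisfies it.
type Rule func(Response) bool

// RangeRule builds a Rule from a range list and the response field it applies to.
func RangeRule(spec string, field func(Response) int) (Rule, error) {
	spans, err := parseRanges(spec)
	if err != nil {
		return nil, err
	}
	return func(r Response) bool {
		v := field(r)
		for _, s := range spans {
			if v >= s[0] && v <= s[1] {
				return true
			}
		}
		return false
	}, nil
}

// RuleSet is the matcher side (-m*, joined by -mmode) or the filter side (-f*, joined
// by -fmode). Mode "or" needs any rule to hit, "and" needs every rule to hit.
type RuleSet struct {
	Mode  string
	Rules []Rule
}

// Hit reports whether the set as a whole is satisfied; an empty set never hits.
func (rs RuleSet) Hit(r Response) bool {
	for _, rule := range rs.Rules {
		// "or": the first hit decides; "and": the first miss decides.
		if hit := rule(r); hit != (rs.Mode == "and") {
			return hit
		}
	}
	return rs.Mode == "and" && len(rs.Rules) > 0
}

// Shown is the per-response decision: print only if matched and not filtered.
func Shown(r Response, matchers, filters RuleSet) bool {
	return matchers.Hit(r) && !filters.Hit(r)
}

// DefaultMC is the -mc default shown in the help text.
const DefaultMC = "200-299,301,302,307,401,403,405,500"

// VhostDecision reproduces the virtual host example: default -mc plus "-fs 4242".
func VhostDecision(r Response) (bool, error) {
	mc, errMC := RangeRule(DefaultMC, func(r Response) int { return r.Status })
	fs, errFS := RangeRule("4242", func(r Response) int { return r.Size })
	if errMC != nil || errFS != nil {
		return false, fmt.Errorf("bad flag value: %v %v", errMC, errFS)
	}
	return Shown(r, RuleSet{"or", []Rule{mc}}, RuleSet{"or", []Rule{fs}}), nil
}

func main() {
	// Constructed responses: the 4242-byte catch-all page, a distinct 200 and a 404.
	for _, r := range []Response{{200, 4242}, {200, 5100}, {404, 5100}} {
		shown, err := VhostDecision(r)
		fmt.Printf("status=%d size=%d shown=%v err=%v\n", r.Status, r.Size, shown, err)
	}
}
```

Two things this makes visible that the one-line examples do not: a response that passes `-mc` but trips a filter is still dropped, so a filter on the catch-all size also hides any legitimate page that happens to be exactly 4242 bytes; and with the default `or` operator a single filter is enough to reject, whereas `-fmode and` only rejects when every filter agrees. When the catch-all size is not known in advance, the `-ac` auto-calibration flag listed in the help text exists to measure it.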
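The external mutator section describes a small contract: for every position, `--input-cmd` is run through a shell, the position is exported as `$FFUF_NUM`, and whatever the command writes to stdout becomes the payload. The Go program below is an added illustration of that contract, not ffuf's own input provider. It assumes `sh` as the `-input-shell`, numbers positions from 1 (an assumption made here), and stands in constructed JSON bodies for the `radamsa -o %n.txt` output so that it runs offline; the `InputCmd`, `Payload`, `Payloads` and `WritePregenerated` names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
)

// InputCmd models the --input-cmd contract: for each position ffuf runs the command
// through a shell (-input-shell), exports the position as FFUF_NUM and takes the
// command's stdout as the payload. Added illustration, not ffuf's code; numbering
// positions from 1 is an assumption made here.
type InputCmd struct {
	Shell string // interpreter, e.g. "sh"
	Cmd   string // command line, e.g. "cat $FFUF_NUM.txt"
	Dir   string // working directory ("" inherits the current one)
}

// Payload runs the command for one position and returns its stdout.
func (ic InputCmd) Payload(num int) ([]byte, error) {
	cmd := exec.Command(ic.Shell, "-c", ic.Cmd)
	cmd.Dir = ic.Dir
	// The child shell, not the caller, expands $FFUF_NUM. That is why the README wraps
	// the command in single quotes: the interactive shell must hand over the literal text.
	cmd.Env = append(os.Environ(), "FFUF_NUM="+strconv.Itoa(num))
	out, err := cmd.Output()
	if err != nil {
		return nil, fmt.Errorf("input command failed at position %d: %w", num, err)
	}
	return out, nil
}

// Payloads collects the first n payloads in order, the loop that -input-num n drives.
func (ic InputCmd) Payloads(n int) ([]string, error) {
	out := make([]string, 0, n)
	for i := 1; i <= n; i++ {
		p, err := ic.Payload(i)
		if err != nil {
			return nil, err
		}
		out = append(out, strings.TrimSpace(string(p)))
	}
	return out, nil
}

// WritePregenerated lays out 1.txt ... n.txt in dir, the file layout the README's
// "radamsa -n 1000 -o %n.txt" step produces. The bodies are constructed JSON
// documents rather than radamsa output so the example runs offline.
func WritePregenerated(dir string, n int) error {
	for i := 1; i <= n; i++ {
		body := fmt.Sprintf(`{"name": "case-%d", "anotherkey": "anothervalue"}`, i)
		path := filepath.Join(dir, strconv.Itoa(i)+".txt")
		if err := os.WriteFile(path, []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "ffuf-inputcmd-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := WritePregenerated(dir, 3); err != nil {
		panic(err)
	}
	ic := InputCmd{Shell: "sh", Cmd: "cat $FFUF_NUM.txt", Dir: dir}
	payloads, err := ic.Payloads(3)
	if err != nil {
		panic(err)
	}
	for i, p := range payloads {
		fmt.Printf("FFUF_NUM=%d -> %s\n", i+1, p)
	}
}
```

The practical points this demonstrates are the quoting rule (a double-quoted `"cat $FFUF_NUM.txt"` would be expanded once by your own shell before ffuf ever runs it, producing `cat .txt` for every position) and the need to size `-input-num` to the number of files you actually generated, since a position with no file behind it is a failed command rather than a silently empty payload.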