ffuf Installation and Usage Tutorial
Reposted from https://www.iculture.cc/cybersecurity/pig=210
Installing ffuf
Installing the Go environment
ffuf is written in Go, so a Go toolchain has to be installed on Kali Linux first.
Download the package
wget -c https://golang.google.cn/dl/go1.16.2.linux-amd64.tar.gz
Before extracting, compare the archive's SHA256 checksum with the value published on the Go download page; a mirror is only as trustworthy as that check.
Extract it
tar -xzvf go1.16.2.linux-amd64.tar.gz
Copy it to the target directory
Here I copied it to /usr/local.
cp -r go /usr/local
Set environment variables
Edit your shell's startup file; this differs slightly between environments. Some shells use .bashrc, others .zshrc. Mine is the latter, so adjust to match yours.
vim ~/.zshrc
Add at the bottom:
export PATH=$PATH:/usr/local/go/bin
export GO111MODULE=on
export GOPROXY=https://goproxy.cn
GOPROXY=https://goproxy.cn points Go at a mirror of the module proxy, which helps where proxy.golang.org is unreachable; leave it out if you can reach the default proxy directly.
Apply it immediately
source ~/.zshrc
Check that Go was installed successfully
go version
If it reports version 1.16.2, the environment is configured.
┌──(FancyPig)-[/home/FancyPig/桌面]
└─# go version
go version go1.16.2 linux/amd64
Installing ffuf
Download and install ffuf
Download ffuf
go get -u github.com/ffuf/ffuf
Build it
go build
Then go back up one level and copy the ffuf directory, which now contains the built binary, to /usr/local
cd ..
cp -r ffuf /usr/local
Two caveats on these steps. With GO111MODULE=on, go get already compiles ffuf and places the binary in $GOPATH/bin (~/go/bin by default) while the source goes to the module cache, so the go build and cd .. steps assume you are inside a checkout of the source (for example from git clone https://github.com/ffuf/ffuf). On current Go toolchains go get no longer installs binaries at all; use go install github.com/ffuf/ffuf/v2@latest instead, or on Kali simply apt install ffuf, which packages the tool. Whichever route you take, ffuf -V should print the version afterwards.
Set the ffuf environment variable
vim ~/.zshrc
Add at the bottom:
export PATH=$PATH:/usr/local/ffuf
Apply it immediately
source ~/.zshrc
Using ffuf
Directory scanning (Directory Brute Force)
Create the wordlist file
Create wordlist-admin.txt in the working directory. The contents below are taken from an admin/back-end directory list shipped with Kali Linux:
account.html
account.php
adm
adm/admloginuser.php
adm_auth.php
adm.html
admin
admin2/index.php
admin2/login.php
admin2.php
admin/account.html
admin/account.php
admin/admin.html
admin/admin_login.html
admin/admin-login.html
admin/adminLogin.html
admin/admin_login.php
admin/admin-login.php
admin/adminLogin.php
admin/admin.php
admin_area
adminarea
admin_area/admin.html
adminarea/admin.html
admin_area/admin.php
adminarea/admin.php
admin_area/index.html
adminarea/index.html
admin_area/index.php
adminarea/index.php
admin_area/login.html
adminarea/login.html
admin_area/login.php
adminarea/login.php
admincontrol.html
admincontrol/login.html
admincontrol/login.php
admin/controlpanel.html
admin/controlpanel.php
admincontrol.php
admin/cp.html
admincp/index.asp
admincp/index.html
admincp/login.asp
admin/cp.php
adm/index.html
adm/index.php
admin/home.html
admin/home.php
admin.html
admin/index.html
admin/index.php
administrator
administrator/account.html
administrator/account.php
administrator.html
administrator/index.html
administrator/index.php
administratorlogin
administrator/login.html
administrator/login.php
administrator.php
adminLogin
admin_login.html
admin-login.html
admin/login.html
adminLogin.html
admin_login.php
admin-login.php
admin/login.php
adminLogin.php
adminpanel.html
adminpanel.php
admin.php
admloginuser.php
adm.php
affiliate.php
bb-admin
bb-admin/admin.html
bb-admin/admin.php
bb-admin/index.html
bb-admin/index.php
bb-admin/login.html
bb-admin/login.php
controlpanel.html
controlpanel.php
cp.html
cp.php
home.html
home.php
instadmin
joomla/administrator
login.html
login.php
memberadmin
modelsearch/admin.html
modelsearch/admin.php
modelsearch/index.html
modelsearch/index.php
modelsearch/login.html
modelsearch/login.php
moderator
moderator/admin.html
moderator/admin.php
moderator.html
moderator/login.html
moderator/login.php
moderator.php
nsw/admin/login.php
pages/admin/admin-login.html
pages/admin/admin-login.php
panel-administracion/
panel-administracion/admin.html
panel-administracion/admin.php
panel-administracion/index.html
panel-administracion/index.php
panel-administracion/login.html
panel-administracion/login.php
rcjakar/admin/login.php
siteadmin/index.php
siteadmin/login.html
siteadmin/login.php
user.html
user.php
webadmin
webadmin/admin.html
webadmin/admin.php
webadmin.html
webadmin/index.html
webadmin/index.php
webadmin/login.html
webadmin/login.php
webadmin.php
wp-login.php
You can also use the wordlists that ship with the system; on Kali Linux they live under /usr/share/wordlists/, and after apt install seclists the SecLists collection is available under /usr/share/seclists/.
Alternatively, use https://github.com/danielmiessler/SecLists/ directly. It groups wordlists by scenario (Discovery/Web-Content for paths, Passwords for credentials), which makes the right list easy to find.
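Whichever list you pick, it is worth normalising it before the scan. The shell function below is an added example, not part of the original post: it strips the '#' comment header and Windows line endings found in Dirbuster and SecLists files (a stray carriage return turns every request into a 404), trims whitespace and leading slashes (which would otherwise produce requests like https://host//admin), drops blank lines and removes duplicates while keeping the original order. The sample input at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): normalise a wordlist before
# handing it to ffuf.

# clean_wordlist: read a wordlist on stdin, write the cleaned list on stdout.
#  - remove Windows line endings
#  - trim surrounding whitespace
#  - strip leading slashes so https://host/FUZZ never becomes https://host//admin
#  - drop '#' comment lines (Dirbuster/SecLists headers) and blank lines
#  - remove duplicates, keeping first-seen order
clean_wordlist() {
  tr -d '\r' |
    sed -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's|^/*||' \
        -e '/^#/d' \
        -e '/^$/d' |
    awk '!seen[$0]++'
}

# Constructed sample input: a comment header, a leading slash, stray
# whitespace, a blank line and a duplicate; awk adds CRLF endings to mimic
# a list saved on Windows.
SAMPLE='# directory-list sample (constructed)
admin
/admin
  login.php  

webadmin/
admin'

printf '%s\n' "$SAMPLE" | awk '{ printf "%s\r\n", $0 }' | clean_wordlist
# prints:
#   admin
#   login.php
#   webadmin/
```

Use it as clean_wordlist < wordlist-admin.txt > wordlist-clean.txt and pass the cleaned file to -w; the entry count it reports tells you how many requests the scan will make per target.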
Run the scan
Scan the target site's paths with the wordlist; this is the usual way to locate the back-end admin URL. FUZZ marks the position where each wordlist entry is substituted.
ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ
View the results
┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://test.iculture.cc/FUZZ
 :: Wordlist         : FUZZ: wordlist-admin.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

admin.php               [Status: 200, Size: 6, Words: 1, Lines: 1]
webadmin                [Status: 301, Size: 162, Words: 5, Lines: 8]
:: Progress: [134/134] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
The scan finds the webadmin directory and the admin.php file under the web root. Note the default matcher: only the listed status codes are reported, so a site that answers every path with a 200 catch-all page will flood the output. In that case add -ac to auto-calibrate the filters, or filter on the catch-all page's size with -fs.
Recursive scanning (Recursion)
What if we want to use the same wordlist to find /webadmin/admin, or admin.php under /webadmin/admin?
We can do that with recursion: every hit that looks like a directory is queued as a new job with FUZZ appended to it.
ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -recursion
View the results
┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -recursion

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://test.iculture.cc/FUZZ
 :: Wordlist         : FUZZ: wordlist-admin.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

admin.php               [Status: 200, Size: 6, Words: 1, Lines: 1]
webadmin                [Status: 301, Size: 162, Words: 5, Lines: 8]
[INFO] Adding a new job to the queue: https://test.iculture.cc/webadmin/FUZZ
admin                   [Status: 301, Size: 162, Words: 5, Lines: 8]
[INFO] Adding a new job to the queue: https://test.iculture.cc/webadmin/admin/FUZZ
admin/admin.php         [Status: 200, Size: 7, Words: 1, Lines: 1]
admin.php               [Status: 200, Size: 7, Words: 1, Lines: 1]
:: Progress: [134/134] :: Job [3/3] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
Besides the earlier hits, we now see the /webadmin/admin directory and the /webadmin/admin/admin.php file. The file shows up twice because two jobs reach it: the /webadmin/ job reports it as admin/admin.php and the /webadmin/admin/ job as admin.php. Each directory found multiplies the request count by the wordlist size, so cap the depth with -recursion-depth when the tree is deep.
Fuzzing multiple locations (Fuzzing Multiple Locations)
Parameters
To scan the admin paths of several sites at once, define more than one keyword, for example W1 and W2:
W1 takes our site list, site.txt
W2 takes our admin path wordlist, wordlist-admin.txt
Command
ffuf -u https://W1/W2 -w site.txt:W1,wordlist-admin.txt:W2
Result
┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -u https://W1/W2 -w site.txt:W1,wordlist-admin.txt:W2

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://W1/W2
 :: Wordlist         : W1: site.txt
 :: Wordlist         : W2: wordlist-admin.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 6, Words: 1, Lines: 1]
* W2: admin.php
* W1: test.iculture.cc
[Status: 200, Size: 12789, Words: 1535, Lines: 302]
* W1: www.ddgbr.com
* W2: admin-login.html
[Status: 200, Size: 9341, Words: 495, Lines: 168]
* W1: www.longkouquan.com
* W2: admin-login.html
[Status: 200, Size: 2431, Words: 106, Lines: 60]
* W1: www.longkouquan.com
* W2: admin.php
[Status: 301, Size: 162, Words: 5, Lines: 8]
* W1: test.iculture.cc
* W2: webadmin
[Status: 200, Size: 2502, Words: 106, Lines: 60]
* W1: www.ddgbr.com
* W2: admin.php
[Status: 200, Size: 12314, Words: 634, Lines: 255]
* W1: www.longkouquan.com
* W2: home.php
[Status: 200, Size: 27351, Words: 1295, Lines: 679]
* W1: www.ddgbr.com
* W2: home.php
:: Progress: [402/402] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
Here we scanned the admin paths of three sites; each hit lists the W1 and W2 values that produced it.
Thinking: how to avoid being detected or blocked
If this is run against thousands of sites with thousands of paths each, throwing a whole wordlist at one site in a single burst will very likely get detected or blocked.
How can we avoid that?
Scan order
In ffuf's default clusterbomb mode, the wordlist named first after -w is the one that advances on every request. With the command below, ffuf therefore takes the first wordlist entry and tries it against every site, then the second entry against every site, and so on, so consecutive requests go to different hosts:
ffuf -u https://W1/W2 -w site.txt:W1,wordlist-admin.txt:W2
Command not recommended
If the command is written like this instead, ffuf runs the entire wordlist against the first site, then the second site, then the third, concentrating the requests on one host at a time:
ffuf -u https://W1/W2 -w wordlist-admin.txt:W2,site.txt:W1
Compare its output with the first command's and the difference in execution order is clear: the hits below arrive grouped by host.
┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -u https://W1/W2 -w wordlist-admin.txt:W2,site.txt:W1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://W1/W2
 :: Wordlist         : W2: wordlist-admin.txt
 :: Wordlist         : W1: site.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 6, Words: 1, Lines: 1]
* W2: admin.php
* W1: test.iculture.cc
[Status: 301, Size: 162, Words: 5, Lines: 8]
* W2: webadmin
* W1: test.iculture.cc
[Status: 200, Size: 12789, Words: 1535, Lines: 302]
* W1: www.ddgbr.com
* W2: admin-login.html
[Status: 200, Size: 2502, Words: 106, Lines: 60]
* W2: admin.php
* W1: www.ddgbr.com
[Status: 200, Size: 27351, Words: 1295, Lines: 679]
* W2: home.php
* W1: www.ddgbr.com
[Status: 200, Size: 2431, Words: 106, Lines: 60]
* W2: admin.php
* W1: www.longkouquan.com
[Status: 200, Size: 9341, Words: 495, Lines: 168]
* W2: admin-login.html
* W1: www.longkouquan.com
[Status: 200, Size: 12314, Words: 634, Lines: 255]
* W2: home.php
* W1: www.longkouquan.com
:: Progress: [402/402] :: Job [1/1] :: 1845 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
So when the target volume is large, use the first ordering: a host sees its next request only after every other host has been tried, which keeps the per-host rate low and makes the scan less likely to be detected or blocked. Ordering alone is not rate limiting, though; with -t 40 the requests are still in flight concurrently. To control throughput directly, lower the thread count with -t, set a requests-per-second ceiling with -rate, or add a delay between requests with -p (a fixed value such as -p 0.5, or a random range such as -p 0.1-2.0).
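To see why the two orderings behave differently without touching a live target, here is an added example (not from the original post) that emulates ffuf's default clusterbomb iteration for two keyword lists. It assumes what the output above shows: the wordlist named first after -w is the inner loop that advances on every request, and the second list advances only when the first wraps around. The hosts and paths are constructed sample data; longest_host_burst measures the longest run of consecutive requests to one host, which is what a per-host rate limiter or WAF sees.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the request order ffuf
# produces for two -w lists in clusterbomb mode.  Assumption (matches the
# output above): the list named FIRST after -w advances on every request.

# Constructed sample data standing in for site.txt (W1) and wordlist-admin.txt (W2)
SITES='a.example
b.example
c.example'
PATHS='admin.php
webadmin
login.php'

# request_order MODE : print https://W1/W2 URLs, one per line, in issue order
#   sites-inner : -w site.txt:W1,wordlist-admin.txt:W2  (each path across all hosts)
#   paths-inner : -w wordlist-admin.txt:W2,site.txt:W1  (each host gets the whole list)
request_order() {
  case "$1" in
    sites-inner)
      printf '%s\n' "$PATHS" | while IFS= read -r p; do
        printf '%s\n' "$SITES" | while IFS= read -r s; do
          printf 'https://%s/%s\n' "$s" "$p"
        done
      done ;;
    paths-inner)
      printf '%s\n' "$SITES" | while IFS= read -r s; do
        printf '%s\n' "$PATHS" | while IFS= read -r p; do
          printf 'https://%s/%s\n' "$s" "$p"
        done
      done ;;
    *) echo "usage: request_order sites-inner|paths-inner" >&2; return 1 ;;
  esac
}

# longest_host_burst : longest run of consecutive requests to the same host,
# reading URLs on stdin.  This is the burst a per-host rate limiter sees.
longest_host_burst() {
  awk -F/ '{ host = $3
             run = (host == prev) ? run + 1 : 1
             if (run > max) max = run
             prev = host }
           END { print max + 0 }'
}

for mode in sites-inner paths-inner; do
  printf '%-12s burst=%s first=%s\n' "$mode" \
    "$(request_order "$mode" | longest_host_burst)" \
    "$(request_order "$mode" | head -n 1)"
done
# prints:
#   sites-inner  burst=1 first=https://a.example/admin.php
#   paths-inner  burst=3 first=https://a.example/admin.php
```

With three paths the difference is small; with a 134-entry wordlist the "paths-inner" ordering sends 134 consecutive requests to each host, while "sites-inner" never sends two in a row to the same one.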
Silent mode output (Using Silent Mode for Passing Results)
Adding -s suppresses the banner and progress output and prints only the matched entries, which is easier to read when there are many directories and lets the results be piped into another tool.
Command
ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -s
Result
┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -s
admin.php
webadmin
Fuzzing (fuzzing)
Get the response size
curl command
curl -s https://test.iculture.cc | wc -c
Result
575
This is the byte count of the normal page body, which we will use as the baseline to filter out. Measure the baseline against the endpoint you are about to fuzz (for example script.php with a junk parameter name), not against the site root; a different page has a different size and the filter would be wrong.
GET requests
Here wordlist-mod.txt needs to contain a wordlist of common parameter names.
ffuf -w wordlist-mod.txt -u "https://test.iculture.cc/script.php?FUZZ=test_value" -fs 575
-fs 575 filters out every response whose body is 575 bytes, that is, the unchanged page. Any name that still appears produced a different response, which suggests the application recognises that parameter. Next, fuzz the parameter's value: valid_name below is the name found above, and 401 responses are filtered out.
ffuf -w /path/to/values.txt -u "https://test.iculture.cc/script.php?valid_name=FUZZ" -fc 401
The URL is quoted because ? is a shell glob character; unquoted, it can be expanded against files in the current directory.
POST requests
Fuzzing a POST request is effectively a brute-force attack on the login form. password.txt needs to contain a list of common passwords, and 401 responses are filtered out:
ffuf -w password.txt -X POST -d "username=admin&password=FUZZ" -u https://test.iculture.cc/login.php -fc 401
Do not escape the ampersand as \& inside the double quotes: the shell keeps the backslash, and it ends up in the request body. Also, many login pages answer a failed attempt with 200 and an error message rather than 401, so send one known-bad password first and filter on whatever actually distinguishes failure: -fs for the body size, -fw for the word count, or -fr "invalid" for a regular expression on the body.
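Both the GET value list and the POST password list above are substituted verbatim into a query string or form body, so a candidate containing &, =, %, + or a space would change the shape of the request rather than the value. The following POSIX shell functions are an added example, not from the original post or the ffuf project: they percent-encode a wordlist line by line so it can be passed to -w safely. The sample passwords in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the ffuf project): percent-encode
# a wordlist so each entry survives substitution into a query string or an
# application/x-www-form-urlencoded body.  A raw candidate such as 'p@ss&w=1'
# would otherwise split 'username=admin&password=FUZZ' into extra fields.
LC_ALL=C
export LC_ALL

# urlencode STRING : print STRING with every byte outside the RFC 3986
# unreserved set (A-Z a-z 0-9 - . _ ~) replaced by %XX.  Space becomes %20,
# which form parsers accept just like '+'.
urlencode() {
  s=$1
  out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first byte of $s
    s=${s#?}                 # remainder
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# urlencode_wordlist : encode stdin line by line (a last line without a
# trailing newline is still processed)
urlencode_wordlist() {
  while IFS= read -r line || [ -n "$line" ]; do
    urlencode "$line"
    printf '\n'
  done
}

# Constructed sample passwords for the demonstration
printf '%s\n' 'Admin_123' 'p@ss w&rd=1+2' '#%/?' | urlencode_wordlist
# prints:
#   Admin_123
#   p%40ss%20w%26rd%3D1%2B2
#   %23%25%2F%3F
```

Run urlencode_wordlist < password.txt > password-enc.txt and point -w at the encoded file; ffuf substitutes FUZZ literally and the web server decodes the value back, so the candidate the application compares is the original password.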