
Fuzzing Web Apps Full Guide

Preface

In this post I will show how to use ffuf for directory and file discovery, virtual host enumeration, brute-force attacks, parameter mining and a few related tricks, all against the ffuf.me practice target.

Cheat sheet

ffuf

  • FUZZ: the keyword that marks where the payload goes (in the URL, a header or the request body)
  • -u: target URL
  • -w: wordlist file (use -w - to read the wordlist from stdin)
  • -e: comma-separated extensions appended to every word
  • -H: add a request header (fuzzable, e.g. -H "Host: FUZZ.ffuf.me")
  • -recursion: queue a new job for every directory found
  • -fc: filter out responses with these HTTP status codes
  • -fs: filter out responses of this size in bytes
  • -mc: match only these HTTP status codes (default: 200-299,301,302,307,401,403,405,500)
  • -p: seconds of delay between requests, per thread
  • -t: number of concurrent threads (default 40)

Wordlists
I will use SecLists for all enumeration.

Target
Our target site: http://ffuf.me

Basic content discovery

We start with plain directory and file enumeration: FUZZ sits at the end of the path and every word in common.txt is tried there.

ffuf -u http://ffuf.me/cd/basic/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/cd/basic/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

class                   [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 68ms]
development.log         [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 63ms]
:: Progress: [4727/4727] :: Job [1/1] :: 543 req/sec :: Duration: [0:00:08] :: Errors: 0 ::

We found two hits: /class and /development.log. Note that the default matcher only reports the status codes listed above, so the 404s for the other 4725 words are dropped silently.

Recursive fuzzing

ffuf -u http://ffuf.me/cd/recursion/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -recursion

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/cd/recursion/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

admin                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 65ms]
[INFO] Adding a new job to the queue: http://ffuf.me/cd/recursion/admin/FUZZ
[INFO] Starting queued job on target: http://ffuf.me/cd/recursion/admin/FUZZ
users                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 67ms]
[INFO] Adding a new job to the queue: http://ffuf.me/cd/recursion/admin/users/FUZZ
[INFO] Starting queued job on target: http://ffuf.me/cd/recursion/admin/users/FUZZ
96                      [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 76ms]
:: Progress: [4727/4727] :: Job [3/3] :: 330 req/sec :: Duration: [0:00:08] :: Errors: 0 ::

With -recursion, every directory ffuf finds (the 301 redirects for /admin and then /admin/users) is queued as a new job and fuzzed with the same wordlist, so the hit at /admin/users/96 is three jobs deep. On a large site use -recursion-depth to cap how far this goes.

Adding extensions

Visiting /logs returns 403, so the directory exists but is not listable. We fuzz for log files inside it instead, using -e .log so that every word is requested both bare and with the .log extension (which is why the job makes 9454 requests for a 4727-word list).

ffuf -u http://ffuf.me/cd/ext/logs/FUZZ -e .log -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/cd/ext/logs/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .log
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

users.log               [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 70ms]
:: Progress: [9454/9454] :: Job [1/1] :: 581 req/sec :: Duration: [0:00:17] :: Errors: 0

Non-404 pages

This time the server answers 200 for pages that do not exist, so matching on status code alone is useless: every word would be reported as a hit. The fake pages all share the same body, though, so we filter on response size instead. Find the baseline first by requesting a path that cannot exist and noting the size of the reply (669 bytes here), then exclude it with -fs 669. ffuf can also work this out for you with -ac (auto-calibration).

ffuf -u http://ffuf.me/cd/no404/FUZZ -e .log -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -fs 669

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/cd/no404/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .log
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 669
________________________________________________

secret                  [Status: 200, Size: 25, Words: 4, Lines: 1, Duration: 94ms]
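How a baseline like 669 is picked, as an added example that is not part of the original post: ffuf's -ac does this calibration for you, and the shell below does the same thing by hand on result lines, treating the most common response size as the soft-404 noise and keeping only the entries that differ, which is exactly what -fs then filters. The result lines are constructed to imitate ffuf's default output format; they are not from a real run.

```shell
#!/bin/sh
# Added example, not from the original post. Picks the -fs value for a
# "soft 404" server from ffuf-style result lines and shows what survives.

# Constructed sample in ffuf's default output format (not a real scan):
# four soft-404 answers of identical size and one genuinely different file.
SAMPLE='admin                   [Status: 200, Size: 669, Words: 50, Lines: 20, Duration: 80ms]
backup                  [Status: 200, Size: 669, Words: 50, Lines: 20, Duration: 82ms]
secret                  [Status: 200, Size: 25, Words: 4, Lines: 1, Duration: 94ms]
test                    [Status: 200, Size: 669, Words: 50, Lines: 20, Duration: 79ms]
uploads                 [Status: 200, Size: 669, Words: 50, Lines: 20, Duration: 81ms]'

# baseline_size LINES -> the most frequent "Size:" value in the lines.
# On a soft-404 host that is the size of the catch-all page.
baseline_size() {
  printf '%s\n' "$1" |
    sed -n 's/.*Size: \([0-9]*\),.*/\1/p' |
    sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# filter_baseline LINES -> the words whose Size differs from the baseline,
# i.e. what ffuf would still print after -fs <baseline>.
filter_baseline() {
  base=$(baseline_size "$1")
  printf '%s\n' "$1" |
    awk -v base="$base" '{
      for (i = 1; i <= NF; i++)
        if ($i == "Size:") { s = $(i + 1); sub(/,/, "", s); if (s != base) print $1 }
    }'
}

echo "baseline size (pass to -fs): $(baseline_size "$SAMPLE")"
echo "real findings: $(filter_baseline "$SAMPLE")"
```

Feed it real data with something like ffuf ... -mc all | tee results.txt and run the two functions over the file; if two sizes tie for most common, the server is varying the soft-404 body and you should filter on word or line count (-fw, -fl) instead.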

Parameter mining

This time the page returns 400 because a required query parameter is missing. We fuzz the parameter name with a fixed value, using Burp's list of common parameter names; the name that makes the response change is the one the page expects. Since 400 is not in the default matcher, the wrong names are dropped and only the valid one is printed.

ffuf -u "http://ffuf.me/cd/param/data/?FUZZ=data" -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/cd/param/data/?FUZZ=data
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

debug                   [Status: 200, Size: 24, Words: 3, Lines: 1, Duration: 77ms]

Rate limiting

This endpoint is rate limited to 50 requests per second; anything above that gets a 429 status code.

So I run 50 threads and make each thread pause one second after every request (-p 1 is a per-thread delay). That caps the total at 50 requests per second, and in practice slightly less because each request also takes about 70 ms, which keeps us just under the limit.

I match only 200 and 429, so real hits show up and any 429 tells me immediately that the limit was tripped and those words need to be re-run.

ffuf -u http://ffuf.me/cd/rate/FUZZ -p 1 -t 50 -mc 200,429  -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/cd/rate/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Delay            : 1.00 seconds
 :: Matcher          : Response status: 200,429
________________________________________________

oracle                  [Status: 200, Size: 19, Words: 4, Lines: 1, Duration: 74ms]

Newer ffuf builds also have -rate, which caps requests per second directly instead of deriving the rate from threads and delay.

Pipes

We will test a range of user IDs for IDOR (insecure direct object reference).

First we iterate over 1 to 1000, feeding the numbers to ffuf on stdin (-w - reads the wordlist from standard input):

seq 1 1000 | ffuf -u 'http://ffuf.me/cd/pipes/user?id=FUZZ' -w -

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/cd/pipes/user?id=FUZZ
 :: Wordlist         : FUZZ: -
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

657                     [Status: 200, Size: 13, Words: 3, Lines: 1, Duration: 64ms]
:: Progress: [1000/1000] :: Job [1/1] :: 571 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

Only id=657 answers 200, so that is the object we can reach without having been told its ID.

If the application expects encoded IDs, we can base64-encode the numbers before piping them in (hashit is a small helper that encodes each input line; any tool that prints one value per line will do):

seq 1 1000 | hashit b64 | ffuf -w - -u 'http://ffuf.me/cd/pipes/user2?id=FUZZ'

or MD5-hash them:

seq 1 1000 | hashit md5 | ffuf -w - -u 'http://ffuf.me/cd/pipes/user3?id=FUZZ'
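The same encoded ID lists built with coreutils only, as an added example that is not part of the original post, for when hashit is not installed. The function name gen_ids and its plain/b64/md5 encoding names are my own; the one detail that matters is that each value is encoded without a trailing newline, since a server hashing "1" does not hash "1\n".

```shell
#!/bin/sh
# Added example, not from the original post: generate plain, base64 or MD5
# encoded ID wordlists for ffuf's "-w -" using only seq, base64 and md5sum.

# md5_hex: hex MD5 of stdin, with a fallback for systems that ship md5 instead.
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -d' ' -f1
  else
    md5 -q
  fi
}

# gen_ids START END ENCODING -> one encoded ID per line
#   ENCODING: plain | b64 | md5   (names chosen for this example)
gen_ids() {
  start=$1 end=$2 enc=$3
  case $enc in
    plain|b64|md5) ;;
    *) echo "gen_ids: unknown encoding '$enc'" >&2; return 1 ;;
  esac
  seq "$start" "$end" | while IFS= read -r id; do
    case $enc in
      plain) printf '%s\n' "$id" ;;
      # printf '%s' deliberately omits the newline so only the digits are encoded
      b64)   printf '%s' "$id" | base64 ;;
      md5)   printf '%s' "$id" | md5_hex ;;
    esac
  done
}

# Usage against the targets above (kept as comments so this runs offline):
#   gen_ids 1 1000 b64 | ffuf -w - -u 'http://ffuf.me/cd/pipes/user2?id=FUZZ'
#   gen_ids 1 1000 md5 | ffuf -w - -u 'http://ffuf.me/cd/pipes/user3?id=FUZZ'
gen_ids 1 3 md5
```

A quick sanity check before spending 1000 requests: gen_ids 1 1 md5 must print c4ca4238a0b923820dcc509a6f75849b, the well-known MD5 of the single character 1; if you get a different hash, a newline is sneaking into the input.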

Virtual host discovery

Virtual hosting is simply serving several domains from a single server; the server picks which site to serve from the Host header of each request.

We want to find other sites hosted on the same server as our target, because each one widens the attack surface, and name-based virtual hosts need not appear in DNS at all, so a DNS brute force alone would miss them.

So we fuzz the Host header and filter out the default site's response size. Establish the baseline first by sending a Host value that cannot exist and noting the size of the reply (1495 bytes here); anything of a different size is a distinct virtual host.

ffuf -u http://ffuf.me/ -H "Host: FUZZ.ffuf.me" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fs 1495

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://ffuf.me/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.ffuf.me
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 1495
________________________________________________

redhat                  [Status: 200, Size: 15, Words: 2, Lines: 1, Duration: 89ms]

Brute-force attack

Capture the login request

POST /login HTTP/1.1
Host: 10.10.10.10
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json
Origin: http://10.10.10.10
Referer: http://10.10.10.10/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"username":"USERFUZZ","password":"PASSFUZZ"}

Replace the username and password values with placeholder keywords (USERFUZZ and PASSFUZZ above) and save the request to request.txt. Keep the blank line between the headers and the JSON body: a raw HTTP request without it has no body.

ffuf has several attack modes, like Burp Intruder: clusterbomb (the default) tries every username with every password, pitchfork walks both lists in step, one pair per line. Each -w takes a wordlist and the keyword it feeds, separated by a colon. -request-proto http is needed because ffuf assumes https for raw requests.

ffuf -request request.txt -request-proto http -mode clusterbomb -w /path/to/users/file.txt:USERFUZZ -w /path/to/password/file.txt:PASSFUZZ -mc 200

-mc 200 keeps only responses that look like a successful login. If the application answers 200 to failed logins too, filter on response size (-fs) or on a string in the body (-fr) instead.


Source: http://www.jsqmd.com/news/40530/
