FFUF value/parameter scanning

Hello everybody, I have a problem with ffuf when scanning all parameters on a web site (Module: “Attacking Web Applications with Ffuf”). I ran this command first (to search for all .php pages):

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://138.68.182.108:32425/FUZZ -recursion -v -e .php

Later this: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://ip/dir/page.php?FUZZ=key -fs xxx

The problem is this: I get all the parameter names with status 403; I filter them and there isn’t a good parameter. Where did I make a mistake?

I would say if you’re getting 403 on everything, it’s a typo in the URL. See if you can access the page without any params.

Thanks, I tried it and when I request the page it gives me 403 “Forbidden”; now I think that I missed some web pages or directories.

Hi, I’m stuck on the last question of the assessment.

Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?

I already got the param “user” but my value fuzzing isn’t working (I think it’s the wrong wordlist). Can someone help me please!

Thanks.

GitHub - ffuf/ffuf: Fast web fuzzer written in Go. You might need to tweak things.
I remember playing with that module a bit but can’t recall the fix. There are a few ways to use FFUF, read over the section on params.

Hi, did you finally make it? I’m getting frustrated with this. In the first place, every time I fuzz recursively I get 3 results like /index.php, /blog and /forum. From none of them can I fuzz parameters or values.

Well when I run…

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://178.62.44.230:32059/index.php?FUZZ=key

…I get plenty of parameters. But this is not supposed to be like this, right?

I am stuck…

Any help would be appreciated, please.

Make sure you’ve added admin.academy.htb to your hosts file and not just academy.htb.

I was stuck here for a bit, but once I fixed that, everything went smoothly.


Hey, did you ever find the right wordlist? I tried almost everything and nothing will hit.

Hey man, I’m having trouble with what wordlist to use for the last assessment question. Any nudge would be appreciated.

Check the lists at: /SecLists/Usernames/

It will probably be a small one, since they likely aren’t wanting us to spend a considerable amount of time brute forcing.

Hey thanks man, I was able to find it. My terminal font is jumbled together so I was completely overlooking one of the wordlists in that section lol.

If anyone is struggling with this module, here’s what I found that might help:

- make sure you filter by size, not words
- make sure you curl POST when you find the parameters

What did I do wrong? The output seems unusable for me. Gobuster gives the correct details so the VM is ok.

Could someone please provide some insight into this matter?

I have made several attempts, but I am unable to locate the specific parameter on the following IP address: 159.65.48.156:32035.

Fuzzing Parameters

I have used the following command to perform parameter fuzzing:


ffuf -w /usr/share/wordlists/secLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://159.65.48.156:32035/index.php?FUZZ=value' -fs 2287

Fuzzing for PHP files

In order to fuzz for PHP files, I have used the following commands:


ffuf -w /usr/share/wordlists/secLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://159.65.48.156:32035/FUZZ.php

ffuf -w /usr/share/wordlists/secLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://159.65.48.156:32035/index.php?language=FUZZ' -fs 2287

ffuf -w /usr/share/wordlists/secLists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt:FUZZ -u 'http://159.65.48.156:32035/index.php?view=FUZZ' -fs 1935

Additionally, I tried using the following cURL command to read the php.ini file:


curl "http://159.65.48.156:32035/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"

It is evident that there are some language-related issues present in these modules, as the lack of proper English is quite noticeable.


For those that are wasting so much time finding the right username value for the

“Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?”

question, there is a smaller list in /SecLists/Usernames/names that will do the trick.

You’ll get it eventually by using the larger lists in /SecLists/Usernames/ as well.

Also, make sure that your -X POST -d is properly capitalised in the command. Otherwise, ffuf will still run but won’t return a hit.


Hey guys, I see some people in here writing about the skill assessment. My question is about the question in the module “Parameter fuzzing - GET”. I cannot find the parameter. I am sorting by response size. I found the following PHP scripts on the target. Maybe I haven’t found all of them?
/index.php
/blog/home.php
/blog/index.php
/forum/index.php
/forum/flag.php
Or, if these are indeed all the PHP files, where could I be going wrong? Thanks a lot in advance!

First you have to run sudo sh -c 'echo "ip admin.academy.htb" >> /etc/hosts', then use the same method as in the example. One more tip: do the fuzzing without -fs 900 and look at the result first, then use -fs on the size you get to filter (ip is the target you have, without the port).
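The two tips above (filter by size rather than words, and run once without -fs to learn the baseline size before filtering) can be automated over ffuf's JSON report. This is an added example, not code from the thread or from ffuf; the report shape (a "results" list with "input", "status", "length" and "words") matches ffuf's -of json output, the parameter names and sizes are constructed, and the "user" parameter and POST follow-up are assumptions taken from the earlier posts.

```python
import json
from collections import Counter

# Constructed sample shaped like ffuf's JSON report (ffuf -o out.json -of json);
# the parameter names, statuses and sizes below are invented for this illustration.
SAMPLE_FFUF_JSON = json.dumps({"results": [
    {"input": {"FUZZ": "id"},    "status": 200, "length": 2287, "words": 500, "lines": 53},
    {"input": {"FUZZ": "page"},  "status": 200, "length": 2287, "words": 500, "lines": 53},
    {"input": {"FUZZ": "user"},  "status": 200, "length": 2311, "words": 500, "lines": 53},
    {"input": {"FUZZ": "lang"},  "status": 200, "length": 2287, "words": 500, "lines": 53},
    {"input": {"FUZZ": "debug"}, "status": 403, "length": 277,  "words": 20,  "lines": 10},
]})

def load_results(ffuf_json_text):
    return json.loads(ffuf_json_text)["results"]

def baseline(results, field):
    """Most common value of a field ("length" or "words"): the 'nothing happened' response."""
    return Counter(r[field] for r in results).most_common(1)[0][0]

def interesting_params(ffuf_json_text):
    """Run without -fs first, then treat the dominant size as the value to pass to -fs.
    Returns (baseline_size, [(param, status, length), ...]) for everything that differs."""
    results = load_results(ffuf_json_text)
    base = baseline(results, "length")
    hits = [(r["input"]["FUZZ"], r["status"], r["length"])
            for r in results if r["length"] != base]
    return base, hits

def hidden_by_word_filter(ffuf_json_text):
    """Params whose response differs by size but not by word count: a -fw filter
    would silently drop them, which is why the thread says to filter by size."""
    results = load_results(ffuf_json_text)
    base_len = baseline(results, "length")
    base_words = baseline(results, "words")
    return [r["input"]["FUZZ"] for r in results
            if r["length"] != base_len and r["words"] == base_words]

def followup_post_command(host, path, wordlist, filter_size):
    """Value fuzz on the assumed 'user' parameter as a POST; -X and -d must be cased
    exactly like this or ffuf runs but never reports a hit."""
    return (f"ffuf -w {wordlist}:FUZZ -u 'http://{host}{path}' -X POST -d 'user=FUZZ' "
            f"-H 'Content-Type: application/x-www-form-urlencoded' -fs {filter_size}")

if __name__ == "__main__":
    base, hits = interesting_params(SAMPLE_FFUF_JSON)
    print(f"baseline size {base}; outliers: {hits}")
    print(f"missed if filtering by words: {hidden_by_word_filter(SAMPLE_FFUF_JSON)}")
    print(followup_post_command("admin.academy.htb:PORT", "/page.php", "names.txt", base))
```

Point a real run at `ffuf ... -o out.json -of json` and feed the file contents to `interesting_params` to get the -fs value and the candidate parameters in one step.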