timwhitez starred fuzzuli
2022-12-28 11:55:9 Author: github.com(查看原文) 阅读量:24 收藏

fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.

In my application security testing journey that i have been doing for years, i found a lot critical backup files kept in externally accessible directories. While naming these files, common preferred words were used. (such as backup.zip, db.rar, conf.tar.gz etc). However, most of these files were named using the domain name where the application was located. Let's suppose we have a domain address fuzzuli.musana.net If the developer keeps critical backup files in the accessible directory, the possible file names will be like this.

fuzzuli.net.rar
fuzzuli.net.zip
fuzzuli.net.tar.gz
...
other file compression extensions
...
fuzzulinet.rar
fuzzulinet.zip
...
fuzzulimusana.rar
fuzzulimusana.7z
...
musana.fuzzuli.zip
musanafuzzuli.rar
...
so on
...

It is not possible to find these files in the traditional wordlist approach.

When naming these files, the domain name is often taken as a reference. I've encountered scenarios when naming these files where the dots in the domain are deleted, vowel letters are deleted, or the domain name is used as is. I took this into account when developing this tool. Therefore, when creating a domain-based wordlist, I took the variants without dots, without vowels, both without dots and without vowels. Then the domain passes from the following function after removing dots, vowel letters both dot and vowel letter.

It goes through the below function after domain is reversed in reverse method.

mixed method changes position of each subdomain. Then results goes through the below function.

Mathematical equation is like this.

shuffle method just shuffle subdomains and removes dots, vowel letters both dots and vowel letters. It does not itarate over each char in domain string.

fuzzuli consists of two main parts. One of them creates a wordlist dynamically. The other sends the HTTP request and checks the response for backup/sensitive file.

Flow chart of fuzzuli is the following.

fuzzuli is using 7 different methods for creating wordlists. Let's see results for fuzzuli.musana.net

all uses all methods then removes duplicates. It will generate 7777 word for fuzzuli.musana.net

fuzzuli requires go1.17 to install successfully. Run the following command to install.

┌──(root㉿kali)-[/root/fuzzuli]
└─# fuzzuli -h

  __                               _   _
 / _|                             | | (_)
| |_   _   _   ____  ____  _   _  | |  _
|  _| | | | | |_  / |_  / | | | | | | | |
| |   | |_| |  / /   / /  | |_| | | | | |
|_|    \__,_| /___| /___|  \__,_| |_| |_|

musana.net | @musana
--------------------------------------------
fuzzuli is a fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.

Usage:
  fuzzuli [flags]

Flags:
GENERAL OPTIONS:
   -w int      worker count (default 16)
   -f string   input file containing list of host/domain
   -pt string  paths. separate with commas to use multiple paths. e.g. /,/db/,/old/ (default "/")
   -p          print urls that is sent request
   -v          print version
   -help       print this
   -banner     print banner

WORDLIST OPTIONS:
   -mt string  methods. avaible methods: regular, withoutdots, withoutvowels, reverse, mixed, withoutdv, shuffle
   -sf string  suffix
   -pf string  prefix
   -ex string  file extension. default (rar, zip, tar.gz, tar, gz, jar, 7z, bz2, sql, backup, war)
   -rp string  replace specified char
   -rm string  remove specified char

DOMAIN OPTIONS:
   -es string  exclude domain that contains specified string or char. e.g. for OR operand google|bing|yahoo (default "#")
   -dl int     match domain length that specified. (default 40)

MATCHER OPTIONS:
   -ct string  match response with specified content type
   -sc int     match response with specified status code (default 200)
   -cl int     match response with specified minimum content length. e.g. >100 (default 100)

HTTP OPTIONS:
   -to int     timeout in seconds. (default 10)
   -ua string  user agent (default "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0")
   -hm string  HTTP Method. (default "HEAD")
   -px string  http proxy to use
┌──(root㉿kali)-[/root/fuzzuli]
└─# cat domains.txt
https://play.google.com
https://code.facebook.com
https://blog.twitter.com
https://help.instagram.com
https://tesla.com
https://yandex.com

┌──(root㉿kali)-[/root/fuzzuli]
└─# fuzzuli -f domains.txt -w 32 -ex .rar,.zip -es "tesla|twitter" -dl 11 -p

  __                               _   _
 / _|                             | | (_)
| |_   _   _   ____  ____  _   _  | |  _
|  _| | | | | |_  / |_  / | | | | | | | |
| |   | |_| |  / /   / /  | |_| | | | | |
|_|    \__,_| /___| /___|  \__,_| |_| |_|

musana.net | @musana
--------------------------------------------
[*] Scan starting time: 2022-06-22 21:07:58
[-] https://yandex.com/yandex.rar
[-] https://yandex.com/yandex.zip
[-] https://yandex.com/yndx.rar
[-] https://yandex.com/yndx.zip
[-] https://yandex.com/yandex.com.rar
[-] https://yandex.com/yandex.com.zip
[-] https://yandex.com/yndx.cm.rar
[-] https://yandex.com/yndx.cm.zip
[-] https://yandex.com/yandexcom.rar
[-] https://yandex.com/yandexcom.zip
[-] https://yandex.com/yndxcm.rar
[-] https://yandex.com/yndxcm.zip

┌──(root㉿kali)-[/root/fuzzuli]
└─# fuzzuli -f domains.txt -w 32 -ex .rar,.zip -p

  __                               _   _
 / _|                             | | (_)
| |_   _   _   ____  ____  _   _  | |  _
|  _| | | | | |_  / |_  / | | | | | | | |
| |   | |_| |  / /   / /  | |_| | | | | |
|_|    \__,_| /___| /___|  \__,_| |_| |_|

musana.net | @musana
--------------------------------------------
[*] Scan starting time: 2022-06-22 21:00:34
[-] https://code.facebook.com/code.rar
[-] https://tesla.com/tesla.rar
[-] https://blog.twitter.com/blog.rar
[-] https://yandex.com/yandex.rar
[-] https://play.google.com/play.rar
[-] https://help.instagram.com/help.rar
[-] https://play.google.com/play.zip
[-] https://help.instagram.com/help.zip
[-] https://blog.twitter.com/blog.zip
[-] https://play.google.com/ply.rar
[-] https://code.facebook.com/code.zip
[-] https://yandex.com/yandex.zip
[-] https://help.instagram.com/hlp.rar
[-] https://tesla.com/tesla.zip
[-] https://play.google.com/ply.zip
[-] https://help.instagram.com/hlp.zip
[-] https://blog.twitter.com/blg.rar
[-] https://code.facebook.com/cd.rar
[-] https://play.google.com/play.google.rar
[-] https://yandex.com/yndx.rar

文章来源: https://github.com/musana/fuzzuli
如有侵权请联系:admin#unsafe.sh