ffuf / ffuf

Fast web fuzzer written in Go
MIT License

-input-cmd Expects FUZZ Keyword #46

Closed ngkogkos closed 4 years ago

ngkogkos commented 5 years ago

Hi there,

Thank you for working on ffuf, it's an exciting tool! I am not sure if I am missing something, but it appears that ffuf needs the FUZZ keyword in the POST data to be defined when giving it data with -input-cmd, which I guess makes sense:

[screenshot omitted]

If I also supply -d "FUZZ" in the arguments and intercept the requests, all of them are blank. It seems that -data doesn't play along with -input-cmd I believe.

Additionally, what advantage does -input-cmd offer over just creating multiple fuzz payloads with radamsa and appending them to a file and using this with -w?

PS: I tried from both Linux/Windows boxes, but only intercepted on Windows using PowerShell. Manually testing my -input-cmd command reads the file's content fine.

joohoi commented 5 years ago

> Thank you for working on ffuf, it's an exciting tool! I am not sure if I am missing something, but it appears that ffuf needs the FUZZ keyword in the POST data to be defined when giving it data with -input-cmd which I guess makes sense.

Thanks for your kind words! The FUZZ keyword is always needed in order for ffuf to figure out where to put the input data from either a wordlist or --input-cmd.

> If I also supply -d "FUZZ" in the arguments and intercept the requests, all of them are blank. It seems that -data doesn't play along with -input-cmd I believe.

I'll have to test it out, but it should work. Did you define -X POST on the command line too?

> Additionally, what advantage does -input-cmd offer over just creating multiple fuzz payloads with radamsa and appending them to a file and using this with -w?

The biggest thing I can think of is probably multiline payloads.

ngkogkos commented 5 years ago

Hmm I just noticed in my output above there is no -X POST. I'll test it again now, I thought I did, but let me see. Thanks for the response!

ngkogkos commented 5 years ago

Right, so I just tried this again now with -X POST and it has the same behavior.

It seems that ffuf does not add the radamsa input in the POST DATA. So if I run something like this:

ffuf -d "FUZZ" --input-cmd 'radamsa --seed 1 fuzz_json1.txt' -X POST -H <HEADERS_HERE> -u 'https://site.com/api/something' -x http://192.168.1.10:8081

and intercept the requests, all of them have an empty POST section, while I would expect them to be populated with whatever radamsa generates.

I hope this makes sense.

joohoi commented 5 years ago

I'm not able to reproduce this issue; the POST data gets populated just fine for me. Are you sure that the test case generated by radamsa with --seed 1 is not empty itself?

While the example command is probably not the real-life test case, and you are most likely aware of this: if you provide radamsa with a static seed, you will get exactly the same test cases out of it on every run. You should probably be using the environment variable $FFUF_NUM instead.

joohoi commented 5 years ago

Also make sure that radamsa is on your $PATH or provide a full directory path to the radamsa executable.

ngkogkos commented 5 years ago

Hi @joohoi I tried again and it seems to be working fine!

It must have been a combination of something missing from $PATH or the wrong CWD and my blindness.

Interestingly enough, I also tried --input-cmd 'cat json.txt' and it was failing as I changed folder and it couldn't find the file. I guess it would be useful if you could find a way of displaying these errors, although it may be tricky.

Please feel free to close this issue and thanks for your help!
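A pre-flight check for the two failure modes discussed above (an -input-cmd that is not on $PATH or cannot find its file from the current directory, and a static radamsa seed that ignores $FFUF_NUM), as an added shell example that is not part of this thread or of ffuf itself. It assumes only what the thread states: ffuf runs the -input-cmd once per request with FFUF_NUM in the environment and takes the command's stdout as the FUZZ payload. The corpus file, gen_payload and the three command strings are constructed stand-ins for fuzz_json1.txt and radamsa.

```shell
#!/bin/sh
# Pre-flight check for an ffuf -input-cmd generator (added example, not ffuf
# code). ffuf runs the command once per request with the environment variable
# FFUF_NUM set to the iteration counter and uses the command's stdout as the
# FUZZ payload; run_input_cmd below invokes a command the same way so the two
# silent failure modes from this thread can be caught before fuzzing starts:
# a command that cannot run or cannot find its file (empty payloads), and a
# generator whose output never changes between iterations (a static seed).

# Constructed sample corpus standing in for fuzz_json1.txt (not from the issue).
CORPUS="${TMPDIR:-/tmp}/ffuf_demo_corpus.$$"
printf '%s\n' '{"user":"alice","role":"viewer"}' \
              '{"user":"bob","role":"admin"}' > "$CORPUS"
trap 'rm -f "$CORPUS"' EXIT

# gen_payload SEED FILE : hypothetical mutator standing in for
# `radamsa --seed SEED FILE`. It picks corpus line (SEED mod 2) and splices the
# seed into the user field, so different seeds give different test cases.
gen_payload() {
    seed=$1; file=$2
    line=$(( seed % 2 + 1 ))
    sed -n "${line}p" "$file" | sed "s/\"user\":\"/\"user\":\"${seed}_/"
}

# run_input_cmd CMD N : run CMD as ffuf would for iteration N (FFUF_NUM=N in
# the environment, stdout is the payload). eval runs in a subshell so the
# shell functions above are visible to the command string.
run_input_cmd() {
    ( export FFUF_NUM="$2"; eval "$1" )
}

# check_input_cmd CMD : succeed only if CMD exits 0 with a non-empty payload
# for iteration 0 and produces a different payload for iteration 1.
check_input_cmd() {
    cmd=$1
    p0=$(run_input_cmd "$cmd" 0) || { echo "input-cmd exited non-zero (not on PATH, or wrong CWD?): $cmd" >&2; return 1; }
    [ -n "$p0" ] || { echo "input-cmd produced an empty payload: $cmd" >&2; return 1; }
    p1=$(run_input_cmd "$cmd" 1) || return 1
    [ "$p0" != "$p1" ] || { echo "input-cmd ignores \$FFUF_NUM; every request would carry the same payload: $cmd" >&2; return 1; }
}

# dry_run CMD COUNT : print the first COUNT payloads ffuf would send.
dry_run() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'FFUF_NUM=%s -> %s\n' "$i" "$(run_input_cmd "$1" "$i")"
        i=$(( i + 1 ))
    done
}

GOOD_CMD='gen_payload "$FFUF_NUM" "$CORPUS"'   # seed follows the iteration counter
STATIC_CMD='gen_payload 1 "$CORPUS"'           # static seed: identical payload every time
MISSING_CMD='cat "$CORPUS.moved"'              # file not found from this CWD

dry_run "$GOOD_CMD" 3
```

The check deliberately leaves the command's stderr untouched, so a `cat: ...: No such file or directory` from the generator is visible alongside the check's own message; that is the error display the thread wishes ffuf surfaced. To try a real generator, replace GOOD_CMD with the actual -input-cmd string, e.g. one that passes `$FFUF_NUM` as the radamsa seed, and run check_input_cmd on it before starting ffuf.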

rajkamal7404 commented 4 years ago
`ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v`

enter command error

bash: ffuf: command not found