Closed ngkogkos closed 4 years ago
Thank you for working on ffuf, it's an exciting tool! I am not sure if I am missing something, but it appears that ffuf needs the FUZZ keyword in the POST data to be defined when giving it data with -input-cmd which I guess makes sense.
Thanks for your kind words! The FUZZ keyword is always needed in order for ffuf to figure out where to put the input data from either a wordlist or --input-cmd.
If I also supply -d "FUZZ" in the arguments and intercept the requests, all of them are blank. It seems that -data doesn't play along with -input-cmd I believe.
I'll have to test it out, but it should work. Did you define -X POST on the command line too?
Additionally, what advantage does -input-cmd offer over just creating multiple fuzz payloads with radamsa and appending them to a file and using this with -w?
The biggest thing I can think of are probably multiline payloads.
Hmm, I just noticed in my output above there is no -X POST. I'll test it again now, I thought I did, but let me see. Thanks for the response!
Right, so I just tried this again now with -X POST and it has the same behavior.
It seems that ffuf does not add the radamsa input in the POST DATA. So if I run something like this:
ffuf -d "FUZZ" --input-cmd 'radamsa --seed 1 fuzz_json1.txt' -X POST -H <HEADERS_HERE> -u 'https://site.com/api/something' -x http://192.168.1.10:8081
and intercept the requests, all of them have an empty POST section, while I would expect them to be populated with whatever radamsa generates.
I hope this makes sense.
I'm not able to reproduce this issue, the POST data gets populated just fine for me. Are you sure that the test case generated by radamsa with --seed 1 is not empty itself?
While the example command is probably not the real-life test case, and you are most likely aware of this:
If you provide radamsa with a static seed, you will get exactly the same test cases out of it on every run. You should probably be using the environment variable $FFUF_NUM instead.
Also make sure that radamsa is on your $PATH or provide a full directory path to the radamsa executable.
Hi @joohoi I tried again and it seems to be working fine!
It must have been a combination of something missing from $PATH or wrong CWD and my blindness.
Interestingly enough, I also tried --input-cmd 'cat json.txt' and it was failing as I changed folder and it couldn't find the file. I guess it would be useful if you could find a way of displaying these errors, although it may be tricky.
Please feel free to close this issue and thanks for your help!
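The failure modes that came up in this thread (input command not on $PATH, a relative file path that breaks after changing directory, an empty test case, and a static seed that repeats the same payload) can be checked before a run starts. The following is an added example, not part of the thread or of ffuf: `check_input_cmd` is a hypothetical helper that assumes the command is run through `sh -c` with `FFUF_NUM` set per iteration, and the demo commands are constructed.

```shell
#!/bin/sh
# check_input_cmd CMD [WORKDIR]   (hypothetical helper, not shipped with ffuf)
# Runs CMD twice from WORKDIR via `sh -c`, with FFUF_NUM=1 and FFUF_NUM=2
# (assumption: this mirrors how the fuzzer invokes the input command), then
# prints one verdict word on stdout:
#   fail   - non-zero exit (binary not on $PATH, file not found from WORKDIR)
#   empty  - command succeeded but produced no payload
#   static - both iterations produced identical bytes (e.g. a fixed --seed)
#   ok     - non-empty payloads that differ between iterations
# The command's stderr is echoed on failure so the cause is visible.
check_input_cmd() {
    cmd=$1
    dir=${2:-.}
    tmp=$(mktemp -d) || return 2
    verdict=ok
    for n in 1 2; do
        # Subshell keeps the cd local to this iteration.
        if ! (cd "$dir" && FFUF_NUM=$n sh -c "$cmd") >"$tmp/out$n" 2>"$tmp/err"; then
            verdict=fail
            sed 's/^/  stderr: /' "$tmp/err" >&2
            break
        fi
        [ -s "$tmp/out$n" ] || { verdict=empty; break; }
    done
    # Compare raw bytes on disk so binary payloads are handled correctly.
    if [ "$verdict" = ok ] && cmp -s "$tmp/out1" "$tmp/out2"; then
        verdict=static
    fi
    rm -rf "$tmp"
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed demo commands (radamsa is not required to run this).
for c in 'printf "{\"id\": %s}" "$FFUF_NUM"' \
         'printf "{\"id\": 1}"' \
         'cat no-such-file.json'; do
    printf '%-42s -> ' "$c"
    check_input_cmd "$c" || true
done
```

A `static` verdict is expected for a deliberate fixed-payload command such as `cat json.txt`; for a mutator it means every request will carry the same body.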
`ffuf` -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
enter command error
bash: ffuf: command not found
Hi there,
Thank you for working on ffuf, it's an exciting tool! I am not sure if I am missing something, but it appears that ffuf needs the FUZZ keyword in the POST data to be defined when giving it data with -input-cmd which I guess makes sense:
If I also supply -d "FUZZ" in the arguments and intercept the requests, all of them are blank. It seems that -data doesn't play along with -input-cmd I believe.
Additionally, what advantage does -input-cmd offer over just creating multiple fuzz payloads with radamsa and appending them to a file and using this with -w?
PS: I tried from both Linux/Windows boxes, but only intercepted on Windows using PowerShell. Manually testing my -input-cmd command reads the file's content fine.