ffuf / ffuf

Fast web fuzzer written in Go
MIT License

it doesn't work well with two parameters [post] #754

Open kerszl opened 9 months ago

kerszl commented 9 months ago

"ffuf -fs=683 -w userzy:PAR1 -w /usr/share/seclists/Discovery/Web-Content/common.txt:PAR2 -d 'user=PAR1&pass=PAR2' -u http://172.16.1.117/index.php" - works badly, even if I change it to "ffuf -fs=683 -w userzy:PAR1 -w /usr/share/seclists/Discovery/Web-Content/common.txt:PAR2 -d 'user=PAR1\&pass=PAR2' -u http://172.16.1.117/index.php"

but wfuzz works perfectly with 2 parameters...

wfuzz -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -d 'user=kevin&pass=FUZZ' -u http://172.16.1.117/index.php --hs 'invalid'

I used ffuf for a long time, but after it failed to check login with two parameters, I went back to wfuzz.

Can you correct ffuf?

joohoi commented 9 months ago

This looks like a case where ffuf should work just as expected, but you didn't add the correct Content-Type header of application/x-www-form-urlencoded that is required by many form processors.

While many other tools do add this header by default, one of the design decisions of ffuf is not to do any "magic" on behalf of the user.

Try to rerun with the CLI flag: -H "Content-Type: application/x-www-form-urlencoded"
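
The behaviour joohoi describes, shown as an added example (not ffuf's own code): a Go net/http form handler, whose standard ParseForm only reads a POST body when the Content-Type is application/x-www-form-urlencoded (or multipart/form-data), receives the same user=...&pass=... body once without and once with the header. The names formHandler, NewFormServer and postForm are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// formHandler mimics a login form processor that relies on net/http's
// ParseForm, which only reads a POST body for the urlencoded/multipart types.
func formHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "user=%q pass=%q", r.FormValue("user"), r.FormValue("pass"))
}

// NewFormServer starts an in-memory test server; the caller closes it.
func NewFormServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(formHandler))
}

// postForm sends user=...&pass=... to srvURL, optionally with the Content-Type
// header that ffuf does not add on its own, and returns what the server parsed.
func postForm(srvURL, user, pass string, withContentType bool) (string, error) {
	body := "user=" + url.QueryEscape(user) + "&pass=" + url.QueryEscape(pass)
	req, err := http.NewRequest(http.MethodPost, srvURL, strings.NewReader(body))
	if err != nil {
		return "", err
	}
	if withContentType {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(resp.Body)
	return string(out), err
}

func main() {
	srv := NewFormServer()
	defer srv.Close()
	for _, withCT := range []bool{false, true} {
		got, err := postForm(srv.URL, "kevin", "foundedpass", withCT)
		fmt.Printf("Content-Type set=%v -> %s (err=%v)\n", withCT, got, err)
	}
}
```

Without the header the server sees empty fields, so every credential pair looks like a failed login and the filter never finds a differing response; with it the same body is parsed normally.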

kerszl commented 8 months ago

Thanks for the answer. Ffuf with the -H flag works fine.

Here is the result from ffuf:

root@kali2023:/tmp# time ffuf -H "Content-Type: application/x-www-form-urlencoded" -fs=745 -w userzy.txt:PAR1 -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt:PAR2  -d 'user=PAR1&pass=PAR2' -u http://172.16.1.117/index.php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://172.16.1.117/index.php
 :: Wordlist         : PAR1: /tmp/userzy.txt
 :: Wordlist         : PAR2: /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : user=PAR1&pass=PAR2
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 745
________________________________________________

[Status: 302, Size: 683, Words: 162, Lines: 30, Duration: 2ms]
    * PAR1: kevin
    * PAR2: foundedpass

:: Progress: [9000/9000] :: Job [1/1] :: 73 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

real    0m4,887s
user    0m4,782s
sys     0m1,381s

Here is the result from wfuzz:

root@kali2023:/tmp# time wfuzz -w userzy.txt -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -d 'user=FUZZ&pass=FUZ2Z' -u http://172.16.1.117/index.php --hh 745                                                             
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://172.16.1.117/index.php
Total requests: 9000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                      
=====================================================================

000008050:   302        29 L     45 W       683 Ch      "kevin - hasło"                                                           

Total time: 6.690186
Processed Requests: 9000
Filtered Requests: 8999
Requests/sec.: 1345.253

real    0m7,226s
user    0m6,741s
sys     0m1,423s

Ffuf is faster, but wfuzz does not need an additional flag to correctly find the login and password. Can you add a parameter that automatically adds the -H header "Content-Type: application/x-www-form-urlencoded", or try to detect it?

Thanks for creating such a great program

bsysop commented 5 months ago

Hi @kerszl, do you have any target that we could try? Thanks