Wordlist                                                                          Description
/usr/share/wordlists/Seclists/Discovery/Web-Content/directory-list-2.3-small.txt  Directory/Page Wordlist
/usr/share/wordlists/Seclists/Discovery/Web-Content/web-extensions.txt            Extensions Wordlist
/usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-5000.txt       Domain Wordlist
/usr/share/wordlists/Seclists/Discovery/Web-Content/burp-parameter-names.txt      Parameters Wordlist
To fuzz directories:
ffuf -w "wordlist" -u http://SERVER_IP:PORT/FUZZ
File extension fuzzing is also possible, but first we need to determine which extensions the server actually handles. The entries in web-extensions.txt already carry the leading dot, so FUZZ goes directly after a file name that is known to exist:
ffuf -w /usr/share/wordlists/Seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://134.209.19.24:32508/blog/indexFUZZ
Once we know the server serves .php, we can fuzz for PHP files:
ffuf -w /usr/share/wordlists/Seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://134.209.19.24:32508/blog/FUZZ.php
For recursive fuzzing, simply pass the -recursion parameter: every directory ffuf finds is queued and fuzzed in turn. -recursion-depth X limits how many levels deep it descends (X is the maximum nesting depth, not a number of directories). Add -e .php to also try that extension at every level, and -v to print full URLs in the results.
ffuf -w "wordlist":FUZZ -u http://"ip:port"/FUZZ -recursion -recursion-depth 3 -e .php -v
To fuzz sub-domains:
ffuf -w "wordlist":FUZZ -u https://FUZZ."domain"/
To fuzz vhosts:
ffuf -w "wordlist":FUZZ -u http://"domain":PORT/ -H 'Host: FUZZ."domain"'
To filter out noise while fuzzing (each -f option has a -m counterpart, e.g. -mc, that keeps only matching responses instead; -ac lets ffuf calibrate the filters itself from a few random requests):
-fs   filter by response size in bytes (the usual way to drop a catch-all page)
-fc   filter by HTTP status code (comma-separated, e.g. -fc 404,403)
-fl   filter by number of lines in the response
-fr   filter by regular expression matched against the response
-fw   filter by number of words in the response
Example: ffuf -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900
To fuzz the parameters the page accepts:
ffuf -w /usr/share/wordlists/Seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://"domain/IP":"port"/"directory"?FUZZ=key -fs 798
ffuf -w /usr/share/wordlists/Seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:31419/admin/admin.php?FUZZ=key -fs 798
# GET: parameters travel in the URL query string, so FUZZ goes into the URL.
# POST: parameters travel in the request body, so FUZZ goes into -d and the Content-Type header must be set.
ffuf -w /usr/share/wordlists/Seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
# To fuzz obtained parameters:
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
emy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
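The -fs values above (900 for the vhost example, 798 for the parameter example) are read off the first few responses by eye. As an added example, this script (my own, not from these notes or from the ffuf project) does the same from a saved run: ffuf can write results with -o out.csv -of csv, the script finds the most common content_length in that file (the catch-all "nothing here" response) and prints what survives once that size is filtered, which is exactly what -fs <size> would show. The CSV inside it is constructed for the example, and the column names are assumed to follow ffuf's CSV header; columns are looked up by name, so their order does not matter.

```shell
#!/bin/sh
# Added example, not part of the original notes: post-process a ffuf run that
# was saved with "-o out.csv -of csv" to find the size of the catch-all
# response (the number you pass to -fs) and list the hits that survive that
# filter. Column names are assumed to be ffuf's CSV header; the parser reads
# them by name, so column order does not matter.
set -eu

# Constructed sample output (not a real capture): three parameters get the same
# 798-byte page as the "-fs 798" example above, one differs, one redirects.
SAMPLE_CSV='FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
aaa,http://admin.academy.htb:31419/admin/admin.php?aaa=key,,1,200,798,80,25,text/html,12ms,
user,http://admin.academy.htb:31419/admin/admin.php?user=key,,2,200,798,80,25,text/html,11ms,
id,http://admin.academy.htb:31419/admin/admin.php?id=key,,3,200,816,82,26,text/html,13ms,
login,http://admin.academy.htb:31419/admin/admin.php?login=key,,4,200,798,80,25,text/html,10ms,
debug,http://admin.academy.htb:31419/admin/admin.php?debug=key,,5,302,0,0,0,text/html,9ms,'

# Read CSV on stdin, print the most common content_length. When a page answers
# every unknown input with the same body, that length is the noise to filter.
baseline_size() {
  awk -F, '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    NF > 1  { seen[$col["content_length"]]++ }
    END {
      best = ""
      for (s in seen) if (best == "" || seen[s] > seen[best]) best = s
      print best
    }'
}

# Read CSV on stdin, print "FUZZ status_code content_length" for every row whose
# content_length differs from $1: the same rows ffuf would show with -fs $1.
filter_size() {
  awk -F, -v skip="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    NF > 1 && $col["content_length"] != skip {
      print $col["FUZZ"], $col["status_code"], $col["content_length"]
    }'
}

# Whole workflow on CSV text passed as $1: learn the baseline, then filter.
survivors() {
  size=$(printf '%s\n' "$1" | baseline_size)
  printf '%s\n' "$1" | filter_size "$size"
}

# Stand-alone demonstration on the constructed sample.
echo "baseline content_length: $(printf '%s\n' "$SAMPLE_CSV" | baseline_size)"
echo "hits that survive the filter:"
survivors "$SAMPLE_CSV"
```

For a live run, add -o out.csv -of csv to any of the ffuf commands on this page and call survivors "$(cat out.csv)"; the baseline is only meaningful when the catch-all page has a fixed size, so if it embeds the fuzzed value the -fw or -fl variants of the same idea work better. ffuf's own -ac flag performs a comparable calibration on the fly.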
ffuf -w wordlist.txt -u http://target.domain/FUZZ
gobuster dir -u $URL -w /usr/share/wordlists/Seclists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
gobuster dir -u $URL -w /usr/share/wordlists/Seclists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
gobuster dns -d in.org -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
gobuster dir -u http://in.org -x php,txt -w /usr/share/wordlists/dirb/common.txt
gobuster vhost --append-domain -u https://napper.htb -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-5000.txt -k