
it doesn't work well with two parameters [post] #754

Open
kerszl opened this issue Nov 9, 2023 · 3 comments
Labels
question Further information is requested

Comments

@kerszl

kerszl commented Nov 9, 2023

"ffuf -fs=683 -w userzy:PAR1 -w /usr/share/seclists/Discovery/Web-Content/common.txt:PAR2 -d 'user=PAR1&pass=PAR2' -u http://172.16.1.117/index.php" - works badly, even if I change to "ffuf -fs=683 -w userzy:PAR1 -w /usr/share/seclists/Discovery/Web-Content/common.txt:PAR2 -d 'user=PAR1&pass=PAR2' -u http://172.16.1.117/index.php"

but wfuzz works perfectly with 2 parameters...

wfuzz -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -d 'user=kevin&pass=FUZZ' -u http://172.16.1.117/index.php --hs 'invalid'

I used ffuf for a long time, but after it failed to check login with two parameters, I went back to wfuzz.

Can you correct ffuf?

@joohoi
Member

joohoi commented Nov 9, 2023

This looks like a case where ffuf should work just as expected, but you didn't add the correct Content-Type header of application/x-www-form-urlencoded that is required by many form processors.

While many other tools do add this header by default, one of the design decisions of ffuf is not to do any "magic" on behalf of the user.

Try to rerun with the CLI flag: -H "Content-Type: application/x-www-form-urlencoded"
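To show why the missing header matters, here is an added example (not code from the ffuf project or from anyone in this thread) that models a strict form processor: it decodes the POST body only when Content-Type is application/x-www-form-urlencoded, so without the header the handler never sees a user or pass field, every response is the same fixed-size error page, and a size filter like -fs drops all of them. The credential store, request bodies and handler are constructed for the illustration.

```python
from collections import Counter
from urllib.parse import parse_qs

FORM_CT = "application/x-www-form-urlencoded"

# Constructed sample data for the illustration; not taken from the issue thread.
CREDS = {"kevin": "foundedpass"}
ATTEMPTS = [
    "user=kevin&pass=123456",
    "user=kevin&pass=foundedpass",
    "user=admin&pass=admin",
]


def parse_form_body(headers, body):
    """Decode the body only when Content-Type says it is form-urlencoded.

    This mirrors strict form processors (PHP's $_POST behaves this way):
    a body sent without that Content-Type is left undecoded, so the
    application sees no 'user' or 'pass' field at all.
    """
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    media_type = ctype.split(";", 1)[0].strip().lower()   # drop "; charset=..."
    if media_type != FORM_CT:
        return {}
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def login_handler(headers, body):
    """Hypothetical login endpoint: 302 with an empty body on success,
    otherwise a 200 error page whose size never changes."""
    fields = parse_form_body(headers, body)
    user, password = fields.get("user"), fields.get("pass")
    if user is not None and CREDS.get(user) == password:
        return 302, ""
    return 200, "<html><body>invalid login</body></html>"


def hits(headers, bodies):
    """Replay each body and keep those whose response size differs from
    the most common size, which is what a size filter such as -fs does."""
    results = [(b,) + login_handler(headers, b) for b in bodies]
    baseline = Counter(len(page) for _, _, page in results).most_common(1)[0][0]
    return [b for b, _, page in results if len(page) != baseline]


if __name__ == "__main__":
    print("no header  :", hits({}, ATTEMPTS))
    print("with header:", hits({"Content-Type": FORM_CT}, ATTEMPTS))
```

Without the header the handler returns the identical error page for every body, so nothing survives the filter; with the header only the matching pair stands out.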

@kerszl
Author

kerszl commented Nov 10, 2023

Thanks for the answer. Ffuf with the -H flag works fine.

Here is the result from ffuf:

root@kali2023:/tmp# time ffuf -H "Content-Type: application/x-www-form-urlencoded" -fs=745 -w userzy.txt:PAR1 -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt:PAR2  -d 'user=PAR1&pass=PAR2' -u http://172.16.1.117/index.php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://172.16.1.117/index.php
 :: Wordlist         : PAR1: /tmp/userzy.txt
 :: Wordlist         : PAR2: /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : user=PAR1&pass=PAR2
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 745
________________________________________________

[Status: 302, Size: 683, Words: 162, Lines: 30, Duration: 2ms]
    * PAR1: kevin
    * PAR2: foundedpass

:: Progress: [9000/9000] :: Job [1/1] :: 73 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

real    0m4,887s
user    0m4,782s
sys     0m1,381s

Here is the result from wfuzz:

root@kali2023:/tmp# time wfuzz -w userzy.txt -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -d 'user=FUZZ&pass=FUZ2Z' -u http://172.16.1.117/index.php --hh 745                                                             
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://172.16.1.117/index.php
Total requests: 9000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                      
=====================================================================

000008050:   302        29 L     45 W       683 Ch      "kevin - hasło"                                                           

Total time: 6.690186
Processed Requests: 9000
Filtered Requests: 8999
Requests/sec.: 1345.253


real    0m7,226s
user    0m6,741s
sys     0m1,423s

Ffuf is faster, but wfuzz does not need an additional flag to correctly find the login and password. Can you add a parameter that automatically adds the -H header "Content-Type: application/x-www-form-urlencoded", or tries to find it?

Thanks for creating such a great program.

@bsysop
Collaborator

bsysop commented Mar 1, 2024

Hi @kerszl, do you have any target that we could try?
Thanks

@bsysop bsysop added the question Further information is requested label Mar 1, 2024