Basic usage
Fuzz files/paths
ffuf -w wordlist.txt -u https://host.name:PORT/FUZZ
Fuzz extensions
ffuf -w wordlist.txt -u https://host.name/indexFUZZ
Fuzz filenames
ffuf -w wordlist.txt -u https://host.name/blog/FUZZ.php
Use the output of a command as the wordlist, e.g. use seq to fuzz user IDs
ffuf -c -w <(seq 1 1000) -u https://host.name/api/users/FUZZ
Recursive fuzzing across multiple levels
ffuf -recursion -recursion-depth 3 -w wordlist.txt -u https://host.name/FUZZ
Set cookies
ffuf -b "NAME1=VALUE1; NAME2=VALUE2" -w wordlist.txt -u https://host.name/FUZZ

Multiple wordlists
clusterbomb
Clusterbomb mode (ffuf's default) fuzzes every combination of values across the wordlists.
Try different usernames and passwords (the URL is quoted so the shell does not treat & as a job separator)
ffuf -w users.txt:USER -w passwords.txt:PASS -u 'https://example.com/login?username=USER&password=PASS' --mode clusterbomb
Fuzz multiple parts of a JSON request
ffuf -w usernames.txt:U -w passwords.txt:P -X POST -d '{"username":"U","password":"P"}' -H 'Content-Type: application/json' -u https://example.com/api/login
Fuzz directory and file names
ffuf -w dirs.txt:DIR -w files.txt:FILE -u https://example.com/DIR/FILE
Pitchfork mode
ffuf takes the first username from users.txt together with the first password from passwords.txt and sends them in one request, then the second entry of each list, and so on: the lists are walked in lockstep rather than combined.
ffuf -w users.txt:USER -w passwords.txt:PASS -u 'https://example.com/login?username=USER&password=PASS' --mode pitchfork

Subdomains and virtual hosts
Subdomains
ffuf -w wordlist.txt -u https://FUZZ.host.name/
VHosts
ffuf -w wordlist.txt -u http://host.name/ -H 'Host: FUZZ.host.name'

HTTP parameters
Parameter names - GET
ffuf -w wordlist.txt -u http://host.name/index.php?FUZZ=key
Parameter names - POST
ffuf -w wordlist.txt -u https://host.name/index.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
Parameter values - POST
ffuf -w ids.txt -u https://host.name/index.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
Test JSON POST data
ffuf -X POST -H "Content-Type: application/json" -d '{"username": "admin", "password": "FUZZ"}' -w /path/to/wordlist.txt -u http://example.com/api/login

Headers
Use a custom header
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"
Set the Content-Type header
ffuf -w wordlist.txt -u https://host.name/FUZZ -H "Content-Type: application/json" -X POST
Set an authentication header
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Authorization: Bearer mytoken"
Fuzz tokens
ffuf -w tokens.txt -H "Authorization: Bearer FUZZ" -u https://example.com/api/resource
Fuzz header values
ffuf -w /path/to/wordlist.txt -u http://example.com -H "X-Forwarded-For: FUZZ"

Rate limiting
Limit the rate to 50 requests per second
ffuf -rate 50 -w wordlist.txt -u https://host.name/FUZZ
Set the number of threads
ffuf -t 5 -w wordlist.txt -u https://host.name/FUZZ
Delay (here 2 threads with a 1-second pause between requests)
ffuf -w wordlist.txt -u https://example.com/FUZZ -t 2 -p 1

Filtering responses
Filter out 301 and 302 responses
ffuf -fc 301,302 -w wordlist.txt -u https://host.name/FUZZ
Filter out responses of a given size (here 2003 bytes)
ffuf -fs 2003 -w wordlist.txt -u https://host.name/FUZZ
Filter out responses with a size between 2000 and 3000 bytes
ffuf -fs 2000-3000 -w wordlist.txt -u https://host.name/FUZZ
Filter by line count
ffuf -fl 5 -w wordlist.txt -u https://host.name/FUZZ
Filter by word count
ffuf -fw 10 -w wordlist.txt -u https://host.name/FUZZ
Auto-calibrate the filter options (ffuf first sends a few requests with random values and filters out responses that look like those "not found" answers)
ffuf -ac -w wordlist.txt -u https://host.name/FUZZ

Matching responses
Match status code
ffuf -u https://example.com/FUZZ -w wordlist.txt -mc 200
Match response size
ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 1000
Match a range of response sizes:
ffuf -u https://example.com/FUZZ -w wordlist.txt -ms 900-1100
Match word count
ffuf -u https://example.com/FUZZ -w wordlist.txt -mw 50
Match by line count
ffuf -u https://example.com/FUZZ -w wordlist.txt -ml 10
Regex match
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "success|welcome"

Output options
Save results as JSON
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -o results.json -of json
Save results as CSV
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.csv -of csv
Save output in all supported formats:
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results -of all

Proxies
HTTP proxy
ffuf -x http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZ
SOCKS proxy
ffuf -x socks5://127.0.0.1:1080 -w wordlist.txt -u https://host.name/FUZZ
Replay proxy (only the matched requests are re-sent through this proxy, e.g. to inspect them in an intercepting proxy)
ffuf -replay-proxy http://127.0.0.1:8080 -w wordlist.txt -u https://host.name/FUZZ

Time limits
Set a maximum run time of 60 seconds
ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime 60
Maximum running time per job (each recursion job counts separately)
ffuf -w wordlist.txt -u https://host.name/FUZZ -maxtime-job 60

Other
Ignore comment lines in the wordlist
ffuf -ic -w wordlist.txt -u https://host.name/FUZZ
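The rate, thread and delay options above decide how visible a run is on the server side. As an added example that is not part of this cheat sheet or of the ffuf project, the following Python script shows the footprint a defender looks for in web server access logs: a burst of requests to many distinct paths from one client where almost every response is a 403 or 404. The log lines are constructed samples, and the function name, thresholds and IP addresses are assumptions for illustration. It keys on request rate and miss ratio rather than the User-Agent, which the custom-header example above shows is trivially changed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status), or None for lines that are not request records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path"), int(m.group("status"))

def detect_fuzzing(lines, window=10, min_requests=20, min_miss_ratio=0.8):
    """Flag IPs that send >= min_requests requests within `window` seconds of which
    >= min_miss_ratio are 403/404: the footprint of wordlist-driven content discovery.
    Returns the largest qualifying window per IP. Lines are assumed to be in time order."""
    recent = defaultdict(deque)  # ip -> (ts, path, status) records still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        q = recent[ip]
        q.append((ts, path, status))
        while (ts - q[0][0]).total_seconds() > window:  # drop records older than the window
            q.popleft()
        misses = sum(1 for _, _, s in q if s in (403, 404))
        if len(q) >= min_requests and misses / len(q) >= min_miss_ratio:
            best = flagged.get(ip)
            if best is None or len(q) > best["requests"]:
                flagged[ip] = {"requests": len(q), "misses": misses,
                               "distinct_paths": len({p for _, p, _ in q})}
    return flagged

def sample_log():
    """Constructed sample (not real traffic): one client probes 25 wordlist entries in 5 s
    (about what -rate 5 produces) while an ordinary visitor browses three pages."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i // 5)).strftime(TS_FMT)
        status = 200 if i == 7 else 404  # one guess hits, the rest miss
        lines.append(f'198.51.100.7 - - [{ts}] "GET /path{i:02d} HTTP/1.1" {status} 153 "-" "-"')
    for i, page in enumerate(["/", "/about", "/contact"]):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET {page} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines
```

Raising min_miss_ratio or lowering window makes the rule stricter; a scan throttled with -rate or -p spreads the same misses over more windows, so pick the window from the traffic you actually see.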