Comments (3)
This looks like a case where ffuf should work just as expected, but you didn't add the correct Content-Type header of application/x-www-form-urlencoded that is required by many form processors.
While many other tools do add this header by default, one of the design decisions of ffuf is to not to do any "magic" on behalf of the user.
Try to rerun with a CLI flag: -H "Content-Type: application/x-www-form-urlencoded"
from ffuf.
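To make the point above concrete, here is an added example (not ffuf's or wfuzz's own code) that models how a typical urlencoded-only form processor decides whether to read a POST body at all. The two constructed requests carry the same `user=...&pass=...` body; only the second sets the Content-Type header. The toy handler, status codes and credential values mirror the thread and are assumptions for illustration.

```python
"""Added example: why a POST body without Content-Type yields empty form fields."""
from urllib.parse import parse_qs
from email.message import Message

FORM_TYPE = "application/x-www-form-urlencoded"


def parse_form(headers: dict, body: bytes) -> dict:
    """Return the fields a urlencoded-only form processor would see.

    Header names match case-insensitively and parameters such as
    ';charset=UTF-8' are tolerated, as real servers do. Any other media
    type, or no header at all, leaves the fields empty: the body is
    simply never parsed.
    """
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if ctype is None:
        return {}
    msg = Message()                      # reuse the stdlib MIME header parser
    msg["Content-Type"] = ctype
    if msg.get_content_type() != FORM_TYPE:
        return {}
    charset = msg.get_param("charset", "utf-8")
    # keep_blank_values so 'pass=' still shows up as a present-but-empty field
    parsed = parse_qs(body.decode(charset), keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def login_response(headers: dict, body: bytes, valid=("kevin", "foundedpass")) -> int:
    """Toy login handler (assumed): 302 redirect on a match, otherwise the
    login page again with status 200, i.e. the same-sized response every time."""
    fields = parse_form(headers, body)
    return 302 if (fields.get("user"), fields.get("pass")) == valid else 200


# Constructed requests: same body, header present only in the second one.
BODY = b"user=kevin&pass=foundedpass"
WITHOUT_HEADER = {"Host": "172.16.1.117"}
WITH_HEADER = {"Host": "172.16.1.117", "Content-Type": FORM_TYPE}

if __name__ == "__main__":
    print(parse_form(WITHOUT_HEADER, BODY))   # {}  -> every credential pair looks identical
    print(parse_form(WITH_HEADER, BODY))      # {'user': 'kevin', 'pass': 'foundedpass'}
```

Without the header every request reaches the handler with empty fields, so every response is the same size and a size filter such as -fs=745 never has anything left to show.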
Thanks for the answer. Ffuf with the -H flag works fine.
Here is the result from ffuf:
root@kali2023:/tmp# time ffuf -H "Content-Type: application/x-www-form-urlencoded" -fs=745 -w userzy.txt:PAR1 -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt:PAR2 -d 'user=PAR1&pass=PAR2' -u http://172.16.1.117/index.php
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://172.16.1.117/index.php
:: Wordlist : PAR1: /tmp/userzy.txt
:: Wordlist : PAR2: /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : user=PAR1&pass=PAR2
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 745
________________________________________________
[Status: 302, Size: 683, Words: 162, Lines: 30, Duration: 2ms]
* PAR1: kevin
* PAR2: foundedpass
:: Progress: [9000/9000] :: Job [1/1] :: 73 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
real 0m4,887s
user 0m4,782s
sys 0m1,381s
Here is the result from wfuzz:
root@kali2023:/tmp# time wfuzz -w userzy.txt -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt -d 'user=FUZZ&pass=FUZ2Z' -u http://172.16.1.117/index.php --hh 745
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://172.16.1.117/index.php
Total requests: 9000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000008050: 302 29 L 45 W 683 Ch "kevin - hasło"
Total time: 6.690186
Processed Requests: 9000
Filtered Requests: 8999
Requests/sec.: 1345.253
real 0m7,226s
user 0m6,741s
sys 0m1,423s
Ffuf is faster, but wfuzz does not need an additional flag to correctly find the login and password. Can you add a parameter that automatically adds the -H header "Content-Type: application/x-www-form-urlencoded", or tries to find it?
Thanks for creating such a great program.
Hi @kerszl, do you have any target that we could try?
Thanks