Using ffuf for web directory scanning, parameter fuzzing and virtual host discovery: a high-performance fuzzer written in Go
Project overview
ffuf is a high-performance web fuzzer written in Go. It supports directory scanning, parameter fuzzing, virtual host discovery and several other modes, and is a modern replacement for dirb and gobuster.
GitHub Stars: 15K+
Key features
- High performance: written in Go, supports high concurrency
- Multiple modes: directory, parameter and header fuzzing
- Powerful filtering: filter by status code, response size and word count
- Rich output: JSON, CSV and HTML reports
- Pipeline friendly: easy to integrate into automation
Installation
Go Install
```bash
go install github.com/ffuf/ffuf/v2@latest
```
Homebrew
Kali Linux
Basic usage
Directory scanning
```bash
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
```
Specifying extensions
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.html,.js,.txt
```
Recursive scanning
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
```
Filtering and matching
Status code filtering
```bash
# Show only 200, 301 and 302
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302
# Filter out 404
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
```
Size filtering
```bash
# Filter out responses of a specific size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 1234
# Filter out a size range
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 0-100
```
Word count filtering
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 10
```
Regex filtering
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -fr "not found|error"
```
Advanced usage
Parameter fuzzing
```bash
# GET parameter names
ffuf -u "https://target.com/page?FUZZ=value" -w params.txt
# Parameter values
ffuf -u "https://target.com/page?id=FUZZ" -w values.txt
```
POST data
```bash
ffuf -u https://target.com/login \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -w passwords.txt \
  -fc 401
```
Header fuzzing
```bash
ffuf -u https://target.com/ \
  -H "X-Custom-Header: FUZZ" \
  -w headers.txt
```
Virtual host discovery
```bash
ffuf -u https://target.com/ \
  -H "Host: FUZZ.target.com" \
  -w subdomains.txt \
  -fs 0
```
Multiple keywords
```bash
ffuf -u https://target.com/FUZZ1/FUZZ2 \
  -w users.txt:FUZZ1 \
  -w ids.txt:FUZZ2 \
  -mode clusterbomb
```
Performance tuning
Concurrency and rate
```bash
# Set the number of threads
ffuf -u https://target.com/FUZZ -w wordlist.txt -t 100
# Delay between requests, in seconds (0.1 = 100 ms)
ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.1
# Requests per second
ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 100
```
Timeout
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -timeout 10
```
Output formats
JSON output
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
```
CSV output
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.csv -of csv
```
HTML report
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.html -of html
```
Configuration file
~/.ffufrc
```toml
# ffufrc is TOML: string values must be quoted, and the wordlist key is an array
[http]
timeout = 10
method = "GET"

[general]
threads = 50
rate = 0

[input]
wordlists = ["/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"]

[output]
outputformat = "json"

[matcher]
status = "200,204,301,302,307,401,403,405"
```
Using a configuration file
```bash
ffuf -config ~/.ffufrc -u https://target.com/FUZZ
```
Practical examples
API endpoint discovery
```bash
ffuf -u https://api.target.com/v1/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204 \
  -H "Authorization: Bearer token"
```
Finding sensitive files
```bash
ffuf -u https://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt \
  -mc 200,403
```
Backup file discovery
```bash
ffuf -u https://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/Common-Backups/common-backup-files.txt \
  -e .bak,.old,.backup,.zip,.tar.gz
```
Subdomain takeover detection
```bash
ffuf -u http://FUZZ.target.com \
  -w subdomains.txt \
  -H "Host: FUZZ.target.com" \
  -mr "not found|NXDOMAIN|unclaimed"
```
Integration with other tools
With Subfinder
```bash
# subfinder -silent already prints full hostnames, so they go straight to ffuf on stdin
subfinder -d target.com -silent | \
  ffuf -u http://FUZZ -w - -mc 200
```
With httpx
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json
jq -r '.results[].url' results.json | httpx -title -tech-detect
```
With Nuclei
```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200 -o results.json -of json
# nuclei -l expects one URL per line, so extract the url field from the JSON report
jq -r '.results[].url' results.json > urls.txt
nuclei -l urls.txt -t exposures/
```
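As an added example (not ffuf's own code) that ties the filtering section to the httpx and Nuclei pipelines above: a small Python script that reads an ffuf `-of json` report, finds the dominant (length, words) signature that marks a catch-all "soft 404" page (the value you would then pass back to `-fs` or `-fw`; ffuf's `-ac` flag does the same calibration at scan time), and prints the remaining URLs deduplicated and one per line for `httpx` or `nuclei -l`. The report is a constructed sample containing only the `results` fields the script reads.

```python
# Added example, not part of ffuf: post-process an ffuf JSON report offline.
import json
from collections import Counter

# Constructed sample in the layout of ffuf's -of json output (only the fields used here).
SAMPLE_REPORT = json.dumps({
    "commandline": "ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200 -o results.json -of json",
    "results": [
        {"input": {"FUZZ": "admin"},      "status": 200, "length": 5120,  "words": 410, "url": "https://target.com/admin"},
        {"input": {"FUZZ": "aaa"},        "status": 200, "length": 1337,  "words": 95,  "url": "https://target.com/aaa"},
        {"input": {"FUZZ": "bbb"},        "status": 200, "length": 1337,  "words": 95,  "url": "https://target.com/bbb"},
        {"input": {"FUZZ": "ccc"},        "status": 200, "length": 1337,  "words": 95,  "url": "https://target.com/ccc"},
        {"input": {"FUZZ": "backup.zip"}, "status": 200, "length": 90210, "words": 12,  "url": "https://target.com/backup.zip"},
        {"input": {"FUZZ": "admin"},      "status": 200, "length": 5120,  "words": 410, "url": "https://target.com/admin"},
    ],
})


def load_results(report_json):
    """Return the results array of an ffuf JSON report."""
    return json.loads(report_json)["results"]


def soft404_signature(results, min_share=0.5):
    """Return the (length, words) pair shared by at least min_share of the hits, else None.
    One signature covering half of the 200s almost always means a catch-all page,
    so it is the value to filter with -fs <length> or -fw <words> on the next run."""
    if not results:
        return None
    sig, count = Counter((r["length"], r["words"]) for r in results).most_common(1)[0]
    return sig if count / len(results) >= min_share else None


def interesting_urls(report_json, min_share=0.5):
    """Drop soft-404 lookalikes and duplicate URLs; keep first-seen order for downstream tools."""
    results = load_results(report_json)
    noise = soft404_signature(results, min_share)
    seen, urls = set(), []
    for r in results:
        if (r["length"], r["words"]) == noise or r["url"] in seen:
            continue
        seen.add(r["url"])
        urls.append(r["url"])
    return urls


if __name__ == "__main__":
    sig = soft404_signature(load_results(SAMPLE_REPORT))
    if sig:
        print(f"# soft-404 baseline found: rerun ffuf with -fs {sig[0]} or -fw {sig[1]}")
    print("\n".join(interesting_urls(SAMPLE_REPORT)))  # pipe into httpx, or save for nuclei -l
```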
Related links
Further reading