fuzzuli is a URL fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.
In my years of application security testing, I have found a lot of critical backup files kept in externally accessible directories. When naming these files, commonly preferred words were used (such as backup.zip, db.rar, conf.tar.gz etc.). However, most of these files were named using the domain name where the application was located. Let's suppose we have the domain fuzzuli.musana.net.
If the developer keeps critical backup files in an accessible directory, the possible file names will look like this:
fuzzuli.net.rar
fuzzuli.net.zip
fuzzuli.net.tar.gz
...
other file compression extensions
...
fuzzulinet.rar
fuzzulinet.zip
...
fuzzulimusana.rar
fuzzulimusana.7z
...
musana.fuzzuli.zip
musanafuzzuli.rar
...
so on
...
These files cannot be found with the traditional wordlist approach.
When naming these files, the domain name is often taken as a reference. I've encountered scenarios where the dots in the domain are deleted, the vowels are deleted, or the domain name is used as is. I took this into account when developing this tool. Therefore, when creating a domain-based wordlist, I generate the variants without dots, without vowels, and without both dots and vowels. Then the domain, after removing the dots, the vowels, or both, passes through the following function.
In the reverse method, the domain is reversed and then goes through the function below.
The mixed method changes the position of each subdomain. The results then go through the function below.
The mathematical equation is as follows.
The shuffle method only shuffles the subdomains and removes dots, vowels, or both dots and vowels. It does not iterate over each character in the domain string.
fuzzuli consists of two main parts. One of them creates a wordlist dynamically. The other sends the HTTP request and checks the response for a backup/sensitive file.
The flow chart of fuzzuli is as follows.
fuzzuli uses 7 different methods for creating wordlists. Let's see the results for fuzzuli.musana.net.
all uses all methods and then removes duplicates. It generates 7777 words for fuzzuli.musana.net.
fuzzuli requires go1.17 to install successfully. Run the following command to install.
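To see which names a domain-derived wordlist contains for one of your own hosts (so you can audit the web root for them), here is an added example that reimplements the regular, withoutdots, withoutvowels and withoutdv variants over every label prefix, as the yandex.com output below shows. It is not fuzzuli's own code; the reverse, mixed and shuffle methods are left out, and yandex.com is only a constructed sample host.

```go
package main

import (
	"sort"
	"strings"
)

// vowels implements the "withoutvowels" idea: yandex -> yndx.
var vowels = strings.NewReplacer("a", "", "e", "", "i", "", "o", "", "u", "")

// Candidates builds the base names for one host: every label prefix
// (yandex, yandex.com, ...) in its regular, withoutdots, withoutvowels
// and withoutdv forms, deduplicated and sorted for stable output.
func Candidates(host string) []string {
	labels := strings.Split(strings.ToLower(host), ".")
	seen := map[string]bool{}
	var out []string
	for n := 1; n <= len(labels); n++ {
		base := strings.Join(labels[:n], ".")
		nodots := strings.ReplaceAll(base, ".", "")
		for _, v := range []string{base, nodots, vowels.Replace(base), vowels.Replace(nodots)} {
			if v != "" && !seen[v] {
				seen[v] = true
				out = append(out, v)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Wordlist joins each candidate with each extension; a leading dot on the
// extension (as in "-ex .rar,.zip") is tolerated.
func Wordlist(host string, exts []string) []string {
	var words []string
	for _, c := range Candidates(host) {
		for _, e := range exts {
			words = append(words, c+"."+strings.TrimPrefix(e, "."))
		}
	}
	return words
}

func main() {
	// Constructed sample host; prints the same 12 names as the yandex.com scan below.
	for _, w := range Wordlist("yandex.com", []string{".rar", ".zip"}) {
		println(w)
	}
}
```

Pipe the output into a loop over your deployed document root to check that none of these names exist there before an external scanner finds them.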
┌──(root㉿kali)-[/root/fuzzuli]
└─# fuzzuli -h
musana.net | @musana
--------------------------------------------
fuzzuli is a fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.

Usage:
  fuzzuli [flags]

Flags:
GENERAL OPTIONS:
  -w int        worker count (default 16)
  -f string     input file containing list of host/domain
  -pt string    paths. separate with commas to use multiple paths. e.g. /,/db/,/old/ (default "/")
  -p            print urls that is sent request
  -v            print version
  -help         print this
  -banner       print banner
WORDLIST OPTIONS:
  -mt string    methods. avaible methods: regular, withoutdots, withoutvowels, reverse, mixed, withoutdv, shuffle
  -sf string    suffix
  -pf string    prefix
  -ex string    file extension. default (rar, zip, tar.gz, tar, gz, jar, 7z, bz2, sql, backup, war)
  -rp string    replace specified char
  -rm string    remove specified char
DOMAIN OPTIONS:
  -es string    exclude domain that contains specified string or char. e.g. for OR operand google|bing|yahoo (default "#")
  -dl int       match domain length that specified. (default 40)
MATCHER OPTIONS:
  -ct string    match response with specified content type
  -sc int       match response with specified status code (default 200)
  -cl int       match response with specified minimum content length. e.g. >100 (default 100)
HTTP OPTIONS:
  -to int       timeout in seconds. (default 10)
  -ua string    user agent (default "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0")
  -hm string    HTTP Method. (default "HEAD")
  -px string    http proxy to use
┌──(root㉿kali)-[/root/fuzzuli]
└─# cat domains.txt
https://play.google.com
https://code.facebook.com
https://blog.twitter.com
https://help.instagram.com
https://tesla.com
https://yandex.com
┌──(root㉿kali)-[/root/fuzzuli]
└─# fuzzuli -f domains.txt -w 32 -ex .rar,.zip -es "tesla|twitter" -dl 11 -p
musana.net | @musana
--------------------------------------------
[*] Scan starting time: 2022-06-22 21:07:58
[-] https://yandex.com/yandex.rar
[-] https://yandex.com/yandex.zip
[-] https://yandex.com/yndx.rar
[-] https://yandex.com/yndx.zip
[-] https://yandex.com/yandex.com.rar
[-] https://yandex.com/yandex.com.zip
[-] https://yandex.com/yndx.cm.rar
[-] https://yandex.com/yndx.cm.zip
[-] https://yandex.com/yandexcom.rar
[-] https://yandex.com/yandexcom.zip
[-] https://yandex.com/yndxcm.rar
[-] https://yandex.com/yndxcm.zip
┌──(root㉿kali)-[/root/fuzzuli]
└─# fuzzuli -f domains.txt -w 32 -ex .rar,.zip -p
musana.net | @musana
--------------------------------------------
[*] Scan starting time: 2022-06-22 21:00:34
[-] https://code.facebook.com/code.rar
[-] https://tesla.com/tesla.rar
[-] https://blog.twitter.com/blog.rar
[-] https://yandex.com/yandex.rar
[-] https://play.google.com/play.rar
[-] https://help.instagram.com/help.rar
[-] https://play.google.com/play.zip
[-] https://help.instagram.com/help.zip
[-] https://blog.twitter.com/blog.zip
[-] https://play.google.com/ply.rar
[-] https://code.facebook.com/code.zip
[-] https://yandex.com/yandex.zip
[-] https://help.instagram.com/hlp.rar
[-] https://tesla.com/tesla.zip
[-] https://play.google.com/ply.zip
[-] https://help.instagram.com/hlp.zip
[-] https://blog.twitter.com/blg.rar
[-] https://code.facebook.com/cd.rar
[-] https://play.google.com/play.google.rar
[-] https://yandex.com/yndx.rar