diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml deleted file mode 100644 index cf4f8bf..0000000 --- a/.github/FUNDING.yml +++ /dev/null @@ -1 +0,0 @@ -github: [joohoi] diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 817cba2..0000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,14 +0,0 @@ -# Description - -Please add a short description of pull request contents. -If this PR addresses an existing issue, please add the issue number below. - -Fixes: #(issue number) - -## Additonally - -- [ ] If this is the first time you are contributing to ffuf, add your name to `CONTRIBUTORS.md`. -The file should be alphabetically ordered. -- [ ] Add a short description of the fix to `CHANGELOG.md` - -Thanks for contributing to ffuf :) diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml deleted file mode 100644 index ab35228..0000000 --- a/.github/workflows/golangci-lint.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: golangci-lint -on: - push: - tags: - - v* - branches: - - master - pull_request: -jobs: - golangci: - name: lint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: golangci-lint - uses: golangci/golangci-lint-action@v2 - with: - # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. - version: v1.29 - - # Optional: working directory, useful for monorepos - # working-directory: somedir - - # Optional: golangci-lint command line arguments. - # args: --issues-exit-code=0 - - # Optional: show only new issues if it's a pull request. The default value is `false`. - # only-new-issues: true \ No newline at end of file diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 2bbc392..0000000 --- a/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -/ffuf -.idea diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..419a6be 
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,14 @@
+Note regarding the Kali package ffuf
+------------------------------------
+
+Upstream
+
+As ffuf employs a sponsorware model and the Kali package of ffuf is using this exclusive
+codebase, the upstream repository for ffuf package is https://github.com/ffuf/ffuf-exclusive
+instead of the publicly available https://github.com/ffuf/ffuf
+
+The changes published in the ffuf-exclusive repository as well as directly in Kali Linux
+packages repository, will be made publicly available in https://github.com/ffuf/ffuf
+after 30 days of the initial release.
+
+More details of the model are available at https://github.com/ffuf/ffuf#sponsorware
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..74f339a
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,86 @@
+ffuf (1.5.0-0kali1) kali-dev; urgency=medium
+
+ [ Ben Wilson ]
+ * README.Debian consistency
+ * Consistency with tabs to spaces
+ * Add Uploaders
+ * Add XSBC-Vcs-*
+
+ [ Arnaud Rebillout ]
+ * Fix upstream vcs field name
+
+ [ Sophie Brun ]
+ * New upstream version 1.5.0
+ * Remove useless debian/salsa-ci.yml
+ * Refresh patches
+ * Bump Standards-Version to 4.6.0
+
+ -- Sophie Brun Wed, 06 Apr 2022 09:35:14 +0200
+
+ffuf (1.3.1-0kali1) kali-dev; urgency=low
+
+ * New upstream release.
+
+ -- Kali Janitor Thu, 29 Apr 2021 19:58:57 -0000
+
+ffuf (1.3.0-0kali1) kali-dev; urgency=medium
+
+ [ Kali Janitor ]
+ * Set upstream metadata fields: Repository, Repository-Browse.
+
+ [ Arnaud Rebillout ]
+ * Configure gbp import-dsc for a Debian-derived package
+
+ [ Raphaël Hertzog ]
+ * Pass build flags for the Kali specific version prepared by upstream
+
+ [ Joona Hoikkala ]
+ * Describe the upstream discrepancy in README.debian
+
+ [ Sophie Brun ]
+ * New upstream version 1.3.0
+ * Update debian/copyright
+
+ -- Sophie Brun Wed, 17 Mar 2021 08:36:42 +0100
+
+ffuf (1.2.1-0kali1) kali-dev; urgency=medium
+
+ [ Raphaël Hertzog ]
+ * Monitor upstream releases in the Kali repository
+ * Update Maintainer field
+ * Update Vcs-* fields
+ * Configure git-buildpackage for Kali
+ * Add GitLab's CI configuration file
+ * New upstream version 1.2.1
+ * Drop patches that don't apply
+
+ [ Sophie Brun ]
+ * Add missing Build-dep golang-github-pelletier-go-toml-dev
+ * Bump Standards-Version to 4.5.1 (no changes)
+
+ -- Sophie Brun Mon, 22 Feb 2021 16:24:08 +0100
+
+ffuf (1.1.0-1) unstable; urgency=medium
+
+ * New upstream version 1.1.0
+
+ [ Marcio de Souza Oliveira ]
+ * debian/tests/control:
+ - Created the directory files.
+ - Creted the file files/test-fuzz-list.txt.
+ - Updated the test to simple fuzzing test.
+
+ -- Pedro Loami Barbosa dos Santos Thu, 10 Sep 2020 08:04:29 -0300
+
+ffuf (1.0.2-2) unstable; urgency=medium
+
+ * debian/control:
+ - (Vcs-*): changed value to correct repository address.
+
+ -- Pedro Loami Barbosa dos Santos Mon, 22 Jun 2020 20:47:18 -0300
+
+ffuf (1.0.2-1) unstable; urgency=medium
+
+ * Initial release (Closes: 960067)
+
+ -- Pedro Loami Barbosa dos Santos Tue, 12 May 2020 18:06:42 -0300
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..da7c29e
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,29 @@
+Source: ffuf
+XSBC-Original-Maintainer: Pedro Loami Barbosa dos Santos
+Maintainer: Kali Developers
+Uploaders: Sophie Brun ,
+Section: devel
+Testsuite: autopkgtest-pkg-go
+Priority: optional
+Build-Depends: debhelper-compat (= 13),
+ dh-golang,
+ golang-any,
+ golang-github-pelletier-go-toml-dev
+Standards-Version: 4.6.0
+XS-Debian-Vcs-Browser: https://salsa.debian.org/debian/ffuf/
+XS-Debian-Vcs-Git: https://salsa.debian.org/debian/ffuf.git
+Vcs-Browser: https://gitlab.com/kalilinux/packages/ffuf
+Vcs-Git: https://gitlab.com/kalilinux/packages/ffuf.git
+Homepage: https://github.com/ffuf/ffuf
+Rules-Requires-Root: no
+XS-Go-Import-Path: github.com/ffuf/ffuf
+
+Package: ffuf
+Architecture: any
+Depends: ${misc:Depends},
+ ${shlibs:Depends}
+Built-Using: ${misc:Built-Using}
+Description: Fast web fuzzer written in Go (program)
+ ffuf is a fest web fuzzer written in Go that allows typical directory
+ discovery, virtual host discovery (without DNS records) and GET and POST
+ parameter fuzzing.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..f6f6af4
--- /dev/null
+++ b/debian/copyright
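Review bot: The extended description in debian/control reads `ffuf is a fest web fuzzer written in Go`, where `fest` is a typo for `fast`; the synopsis line directly above it and the man page added in this commit both say "fast". This text is what package managers display to users, so it should read `ffuf is a fast web fuzzer written in Go that allows typical directory`.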
@@ -0,0 +1,32 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: ffuf
+Upstream-Contact: https://github.com/ffuf/ffuf/issues
+Source: https://github.com/ffuf/ffuf
+
+Files: *
+Copyright: 2018-2021 Joona Hoikkala
+License: MIT
+
+Files: debian/*
+Copyright: 2020 Pedro Loami Barbosa dos Santos
+License: MIT
+Comment: Debian packaging is licensed under the same terms as upstream
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
diff --git a/debian/ffuf.1 b/debian/ffuf.1
new file mode 100644
index 0000000..41117ca
--- /dev/null
+++ b/debian/ffuf.1
@@ -0,0 +1,247 @@ +.\" Text automatically generated by txt2man +.TH ffuf "1" "May 2020" "ffuf 1.0.2" "User Commands" +.SH NAME +\fBffuf \fP- Fast web fuzzer written in Go +\fB +.SH SYNOPSIS +.nf +.fam C + \fBffuf\fP [\fBoptions\fP] + +.fam T +.fi +.fam T +.fi +.SH DESCRIPTION +\fBffuf\fP is a fast web fuzzer written in Go that allows typical directory +discovery, virtual host discovery (without DNS records) and GET and POST +parameter fuzzing. +.RE +.SH OPTIONS +.PP +HTTP OPTIONS: +.RS +.TP +.B +\fB-H\fP +Header "Name: Value", separated by colon. Multiple \fB-H\fP flags are accepted. +.TP +.B +\fB-X\fP +HTTP method to use (default: GET) +.TP +.B +\fB-b\fP +Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality. +.TP +.B +\fB-d\fP +POST data +.TP +.B +\fB-r\fP +Follow redirects (default: false) +.TP +.B +\fB-recursion\fP +Scan recursively. Only FUZZ keyword is supported, and URL (\fB-u\fP) has to end in it. (default: false) +\fB-recursion-depth\fP Maximum recursion depth. (default: 0) +.TP +.B +\fB-replay-proxy\fP +Replay matched requests using this proxy. +.TP +.B +\fB-timeout\fP +HTTP request timeout in seconds. (default: 10) +.TP +.B +\fB-u\fP +Target URL +.TP +.B +\fB-x\fP +HTTP Proxy URL +.RE +.PP +GENERAL OPTIONS: +.RS +.TP +.B +\fB-V\fP +Show version information. (default: false) +.TP +.B +\fB-ac\fP +Automatically calibrate filtering options (default: false) +.TP +.B +\fB-acc\fP +Custom auto-calibration string. Can be used multiple times. Implies \fB-ac\fP +.TP +.B +\fB-c\fP +Colorize output. (default: false) +.TP +.B +\fB-maxtime\fP +Maximum running time in seconds. (default: 0) +.TP +.B +\fB-p\fP +Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0" +.TP +.B +\fB-s\fP +Do not print additional information (silent mode) (default: false) +.TP +.B +\fB-sa\fP +Stop on all error cases. Implies \fB-sf\fP and \fB-se\fP. 
(default: false) +.TP +.B +\fB-se\fP +Stop on spurious errors (default: false) +.TP +.B +\fB-sf\fP +Stop when > 95% of responses return 403 Forbidden (default: false) +.TP +.B +\fB-t\fP +Number of concurrent threads. (default: 40) +.TP +.B +\fB-v\fP +Verbose output, printing full URL and redirect location (if any) with the results. (default: false) +.RE +.PP +MATCHER OPTIONS: +.RS +.TP +.B +\fB-mc\fP +Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403) +.TP +.B +\fB-ml\fP +Match amount of lines in response +.TP +.B +\fB-mr\fP +Match regexp +.TP +.B +\fB-ms\fP +Match HTTP response size +.TP +.B +\fB-mw\fP +Match amount of words in response +.RE +.PP +FILTER OPTIONS: +.RS +.TP +.B +\fB-fc\fP +Filter HTTP status codes from response. Comma separated list of codes and ranges +.TP +.B +\fB-fl\fP +Filter by amount of lines in response. Comma separated list of line counts and ranges +.TP +.B +\fB-fr\fP +Filter regexp +.TP +.B +\fB-fs\fP +Filter HTTP response size. Comma separated list of sizes and ranges +.TP +.B +\fB-fw\fP +Filter by amount of words in response. Comma separated list of word counts and ranges +.RE +.PP +INPUT OPTIONS: +.RS +.TP +.B +\fB-D\fP +DirSearch wordlist compatibility mode. Used in conjunction with \fB-e\fP flag. (default: false) +.TP +.B +\fB-e\fP +Comma separated list of extensions. Extends FUZZ keyword. +.TP +.B +\fB-ic\fP +Ignore wordlist comments (default: false) +.TP +.B +\fB-input-cmd\fP +Command producing the input. \fB--input-num\fP is required when using this input method. Overrides \fB-w\fP. +.TP +.B +\fB-input-num\fP +Number of inputs to test. Used in conjunction with \fB--input-cmd\fP. (default: 100) +.TP +.B +\fB-mode\fP +Multi-wordlist operation mode. 
Available modes: clusterbomb, pitchfork (default: clusterbomb) +.TP +.B +\fB-request\fP +File containing the raw http request +.TP +.B +\fB-request-proto\fP +Protocol to use along with raw request (default: https) +.TP +.B +\fB-w\fP +Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD' +.RE +.PP +OUTPUT OPTIONS: +.RS +.TP +.B +\fB-debug-log\fP +Write all of the internal logging to the specified file. +.TP +.B +\fB-o\fP +Write output to file +.TP +.B +\fB-od\fP +Directory path to store matched results to. +.TP +.B +\fB-of\fP +Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json) +.RE +.PP +.SH EXAMPLE USAGE: +Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. +Colored, verbose output. +\fBffuf\fP \fB-w\fP wordlist.txt \fB-u\fP https://example.org/FUZZ \fB-mc\fP all \fB-fs\fP 42 \fB-c\fP \fB-v\fP +.RS +.PP +Fuzz Host-header, match HTTP 200 responses. +\fBffuf\fP \fB-w\fP hosts.txt \fB-u\fP https://example.org/ \fB-H\fP "Host: FUZZ" \fB-mc\fP 200 +.PP +Fuzz POST JSON data. Match all responses not containing text "error". +\fBffuf\fP \fB-w\fP entries.txt \fB-u\fP https://example.org/ \fB-X\fP POST \fB-H\fP "Content-Type: application/json" \ +\fB-d\fP '{"name": "FUZZ", "anotherkey": "anothervalue"}' \fB-fr\fP "error" +.PP +Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored. +\fBffuf\fP \fB-w\fP params.txt:PARAM \fB-w\fP values.txt:VAL \fB-u\fP https://example.org/?PARAM=VAL \fB-mr\fP "VAL" \fB-c\fP +.PP +More information and examples: https://github.com/\fBffuf\fP/\fBffuf\fP +.PP +.SH AUTHOR +This manual page was written based on the author's README by Pedro Loami Barbosa dos Santos for the Debian project (but may be used by others). + diff --git a/debian/ffuf.manpages b/debian/ffuf.manpages new file mode 100644 index 0000000..09b222b --- /dev/null +++ b/debian/ffuf.manpages @@ -0,0 +1 @@ +debian/ffuf.1 
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..d33e3df
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,14 @@
+[DEFAULT]
+debian-branch = kali/master
+debian-tag = kali/%(version)s
+pristine-tar = True
+
+[pq]
+patch-numbers = False
+
+[dch]
+multimaint-merge = True
+
+[import-dsc]
+debian-branch = debian/master
+debian-tag = debian/%(version)s
diff --git a/debian/kali-ci.yml b/debian/kali-ci.yml
new file mode 100644
index 0000000..058e396
--- /dev/null
+++ b/debian/kali-ci.yml
@@ -0,0 +1,2 @@
+include:
+ - https://gitlab.com/kalilinux/tools/kali-ci-pipeline/raw/master/recipes/kali.yml
diff --git a/debian/patches/10-fix-spelling.patch b/debian/patches/10-fix-spelling.patch
new file mode 100644
index 0000000..60f3386
--- /dev/null
+++ b/debian/patches/10-fix-spelling.patch
@@ -0,0 +1,28 @@
+From: Kali Developers
+Date: Wed, 6 Apr 2022 09:29:08 +0200
+Subject: fix-spelling
+
+# Author: Pedro Loami Barbosa dos Santos
+# Date: May 11 2020
+# Description: Fix spelling on /pkg/ffuf/multierror.go
+
+# Author: Pedro Loami Barbosa dos Santos
+# Date: May 11 2020
+# Description: Fix spelling on /pkg/ffuf/multierror.go
+---
+ pkg/ffuf/multierror.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pkg/ffuf/multierror.go b/pkg/ffuf/multierror.go
+index d83bdc6..b5d9a09 100644
+--- a/pkg/ffuf/multierror.go
++++ b/pkg/ffuf/multierror.go
+@@ -20,7 +20,7 @@ func (m *Multierror) Add(err error) {
+ func (m *Multierror) ErrorOrNil() error {
+ var errString string
+ if len(m.errors) > 0 {
+- errString += fmt.Sprintf("%d errors occured.\n", len(m.errors))
++ errString += fmt.Sprintf("%d errors occurred.\n", len(m.errors))
+ for _, e := range m.errors {
+ errString += fmt.Sprintf("\t* %s\n", e)
+ }
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b0cb74e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+10-fix-spelling.patch
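Review bot: The `include:` entry in debian/kali-ci.yml fetches the pipeline recipe by raw URL from the `master` branch of kali-ci-pipeline, so whatever is on that branch when a pipeline starts is what runs in this package's CI, with access to its runner and CI variables. If a rolling reference is not required, pin the URL to a tag or commit and bump it deliberately, e.g. `- https://gitlab.com/kalilinux/tools/kali-ci-pipeline/raw/<PINNED_COMMIT_SHA>/recipes/kali.yml` (placeholder, not a real revision). If tracking `master` is intentional, a one-line comment above the include saying so would spare the next reviewer the same question.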
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..18d0e85
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,11 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@ --builddirectory=_build --buildsystem=golang --with=golang
+
+override_dh_auto_build:
+ # Pass build flags for the Kali exclusive version
+ dh_auto_build -- -ldflags="-X 'github.com/ffuf/ffuf/pkg/ffuf.VERSION_APPENDIX= Kali Exclusive <3'"
+
+override_dh_auto_install:
+ dh_auto_install -- --no-source
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..a5bbfa7
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Test-Command: ffuf -w debian/tests/files/test-fuzz-list.txt -u https://www.debian.org/FUZZ
+Depends: @
+Restrictions: allow-stderr
diff --git a/debian/tests/files/test-fuzz-list.txt b/debian/tests/files/test-fuzz-list.txt
new file mode 100644
index 0000000..327a560
--- /dev/null
+++ b/debian/tests/files/test-fuzz-list.txt
@@ -0,0 +1,3 @@
+intro
+about
+devel
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..00ddae4
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,3 @@
+---
+Repository: https://gitlab.com/kalilinux/packages/ffuf.git
+Repository-Browse: https://gitlab.com/kalilinux/packages/ffuf
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..40b5f77
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,4 @@
+version=4
+
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/ffuf-$1\.tar\.gz/ \
+ https://github.com/ffuf/ffuf/tags .*/v?(\d\S*)\.tar\.gz
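Review bot: The autopkgtest in debian/tests/control needs outbound network access and sends its requests to a live external host (`-u https://www.debian.org/FUZZ`), yet `Restrictions:` declares only `allow-stderr`. On an isolated test runner this fails for reasons unrelated to the package, and on a connected one every CI run generates fuzzing traffic against debian.org. At minimum declare the dependency with `Restrictions: allow-stderr, needs-internet`. A test that starts a local HTTP server and points `-u` at it would be deterministic and keep the traffic on the test host.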
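Review bot: debian/watch tracks tags of `https://github.com/ffuf/ffuf`, while debian/README.Debian in this same commit names `https://github.com/ffuf/ffuf-exclusive` as the upstream for the Kali package. As written, uscan would report and download releases from a different repository than the one the README says is packaged, which makes the provenance of an imported tarball harder to audit. If tracking the public repository is deliberate, a comment at the top of the file would make that explicit, for example `# Tracks the public repo; the packaged source comes from ffuf-exclusive, see README.Debian`. The same mismatch appears to apply to `Source:` in debian/copyright.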