.\" Text automatically generated by txt2man
.TH ffuf "1" "May 2020" "ffuf 1.0.2" "User Commands"
.SH NAME
\fBffuf \fP- Fast web fuzzer written in Go
\fB
.SH SYNOPSIS
.nf
.fam C
\fBffuf\fP [\fBoptions\fP]

.fam T
.fi
.fam T
.fi
.SH DESCRIPTION
\fBffuf\fP is a fast web fuzzer written in Go that allows typical directory
discovery, virtual host discovery (without DNS records) and GET and POST
parameter fuzzing.
.RE
.SH OPTIONS
.PP
HTTP OPTIONS:
.RS
.TP
.B
\fB-H\fP
Header "Name: Value", separated by colon. Multiple \fB-H\fP flags are accepted.
.TP
.B
\fB-X\fP
HTTP method to use (default: GET)
.TP
.B
\fB-b\fP
Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
.TP
.B
\fB-d\fP
POST data
.TP
.B
\fB-r\fP
Follow redirects (default: false)
.TP
.B
\fB-recursion\fP
Scan recursively. Only FUZZ keyword is supported, and URL (\fB-u\fP) has to end in it. (default: false)
.TP
.B
\fB-recursion-depth\fP
Maximum recursion depth. (default: 0)
.TP
.B
\fB-replay-proxy\fP
Replay matched requests using this proxy.
.TP
.B
\fB-timeout\fP
HTTP request timeout in seconds. (default: 10)
.TP
.B
\fB-u\fP
Target URL
.TP
.B
\fB-x\fP
HTTP Proxy URL
.RE
.PP
GENERAL OPTIONS:
.RS
.TP
.B
\fB-V\fP
Show version information. (default: false)
.TP
.B
\fB-ac\fP
Automatically calibrate filtering options (default: false)
.TP
.B
\fB-acc\fP
Custom auto-calibration string. Can be used multiple times. Implies \fB-ac\fP
.TP
.B
\fB-c\fP
Colorize output. (default: false)
.TP
.B
\fB-maxtime\fP
Maximum running time in seconds. (default: 0)
.TP
.B
\fB-p\fP
Seconds of 'delay' between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
.TP
.B
\fB-s\fP
Do not print additional information (silent mode) (default: false)
.TP
.B
\fB-sa\fP
Stop on all error cases. Implies \fB-sf\fP and \fB-se\fP. (default: false)
.TP
.B
\fB-se\fP
Stop on spurious errors (default: false)
.TP
.B
\fB-sf\fP
Stop when > 95% of responses return 403 Forbidden (default: false)
.TP
.B
\fB-t\fP
Number of concurrent threads. (default: 40)
.TP
.B
\fB-v\fP
Verbose output, printing full URL and redirect location (if any) with the results. (default: false)
.RE
.PP
MATCHER OPTIONS:
.RS
.TP
.B
\fB-mc\fP
Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403)
.TP
.B
\fB-ml\fP
Match amount of lines in response
.TP
.B
\fB-mr\fP
Match regexp
.TP
.B
\fB-ms\fP
Match HTTP response size
.TP
.B
\fB-mw\fP
Match amount of words in response
.RE
.PP
FILTER OPTIONS:
.RS
.TP
.B
\fB-fc\fP
Filter HTTP status codes from response. Comma separated list of codes and ranges
.TP
.B
\fB-fl\fP
Filter by amount of lines in response. Comma separated list of line counts and ranges
.TP
.B
\fB-fr\fP
Filter regexp
.TP
.B
\fB-fs\fP
Filter HTTP response size. Comma separated list of sizes and ranges
.TP
.B
\fB-fw\fP
Filter by amount of words in response. Comma separated list of word counts and ranges
.RE
.PP
INPUT OPTIONS:
.RS
.TP
.B
\fB-D\fP
DirSearch wordlist compatibility mode. Used in conjunction with \fB-e\fP flag. (default: false)
.TP
.B
\fB-e\fP
Comma separated list of extensions. Extends FUZZ keyword.
.TP
.B
\fB-ic\fP
Ignore wordlist comments (default: false)
.TP
.B
\fB-input-cmd\fP
Command producing the input. \fB--input-num\fP is required when using this input method. Overrides \fB-w\fP.
.TP
.B
\fB-input-num\fP
Number of inputs to test. Used in conjunction with \fB--input-cmd\fP. (default: 100)
.TP
.B
\fB-mode\fP
Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb)
.TP
.B
\fB-request\fP
File containing the raw http request
.TP
.B
\fB-request-proto\fP
Protocol to use along with raw request (default: https)
.TP
.B
\fB-w\fP
Wordlist file path and (optional) keyword separated by colon. eg. '/path/to/wordlist:KEYWORD'
.RE
.PP
OUTPUT OPTIONS:
.RS
.TP
.B
\fB-debug-log\fP
Write all of the internal logging to the specified file.
.TP
.B
\fB-o\fP
Write output to file
.TP
.B
\fB-od\fP
Directory path to store matched results to.
.TP
.B
\fB-of\fP
Output file format. Available formats: json, ejson, html, md, csv, ecsv (default: json)
.RE
.PP
.SH EXAMPLE USAGE:
Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42.
Colored, verbose output.
\fBffuf\fP \fB-w\fP wordlist.txt \fB-u\fP https://example.org/FUZZ \fB-mc\fP all \fB-fs\fP 42 \fB-c\fP \fB-v\fP
.RS
.PP
Fuzz Host-header, match HTTP 200 responses.
\fBffuf\fP \fB-w\fP hosts.txt \fB-u\fP https://example.org/ \fB-H\fP "Host: FUZZ" \fB-mc\fP 200
.PP
Fuzz POST JSON data. Match all responses not containing text "error".
\fBffuf\fP \fB-w\fP entries.txt \fB-u\fP https://example.org/ \fB-X\fP POST \fB-H\fP "Content-Type: application/json" \
\fB-d\fP '{"name": "FUZZ", "anotherkey": "anothervalue"}' \fB-fr\fP "error"
.PP
Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
\fBffuf\fP \fB-w\fP params.txt:PARAM \fB-w\fP values.txt:VAL \fB-u\fP https://example.org/?PARAM=VAL \fB-mr\fP "VAL" \fB-c\fP
.PP
More information and examples: https://github.com/\fBffuf\fP/\fBffuf\fP
.PP
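How the matcher and filter in the first example above (-mc all -fs 42) combine, compared with the default -mc list, as an added Go sketch that is not ffuf's own code. The names Resp, inList and keep are hypothetical, the sample responses are constructed, and both the lo-hi range syntax and the rule that a result is kept when the matcher accepts it and the filter does not hit are assumptions about ffuf's behaviour.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type Resp struct{ Status, Size int }

// inList (hypothetical helper) checks v against "200,204,301-302"; lo-hi is assumed.
func inList(v int, list string) (bool, error) {
	for _, part := range strings.Split(list, ",") {
		lo, hi, isRange := strings.Cut(strings.TrimSpace(part), "-")
		if !isRange {
			hi = lo
		}
		a, errA := strconv.Atoi(lo)
		b, errB := strconv.Atoi(hi)
		if errA != nil || errB != nil || a > b {
			return false, fmt.Errorf("bad entry %q", part)
		}
		if v >= a && v <= b {
			return true, nil
		}
	}
	return false, nil
}

// keep: -mc must accept the status ("all" accepts any); -fs must not hit the size.
func keep(r Resp, mc, fs string) (bool, error) {
	matched, err := true, error(nil)
	if mc != "all" {
		matched, err = inList(r.Status, mc)
	}
	if err != nil || !matched || fs == "" {
		return matched && err == nil, err
	}
	filtered, err := inList(r.Size, fs)
	return err == nil && !filtered, err
}

func main() {
	// Constructed responses; {404, 42} stands for a 42-byte "not found" page.
	for _, r := range []Resp{{404, 42}, {200, 42}, {200, 1337}, {500, 9}} {
		def, _ := keep(r, "200,204,301,302,307,401,403", "")
		all, _ := keep(r, "all", "42")
		fmt.Println(r.Status, r.Size, "default -mc:", def, "| -mc all -fs 42:", all)
	}
}
```

The 500 response is hidden by the default -mc list but kept with -mc all -fs 42, while both 42-byte responses are dropped by the size filter whatever their status.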
.SH AUTHOR
This manual page was written based on the author's README by Pedro Loami Barbosa dos Santos <[email protected]> for the Debian project (but may be used by others).