Brute-forcing is a powerful technique for discovering hidden or misconfigured assets on web servers. One of the most common issues I come across when pen testing web services is temporary, old or other development files left lying around.
Most pen testers I speak to rely on ‘dirb’ as the standard tool for web application directory brute-forcing. dirb is a great tool, although I’ve always favored wfuzz. I’ve found it to be faster and far more configurable.
Using wfuzz, we can specify exactly which part of a URL to fuzz. Here are a few examples:
http://www.plzpwn.me/FUZZ
http://www.plzpwn.me/somescript.php?user=FUZZ
http://www.plzpwn.me/FUZZ.txt
http://www.plzpwn.me/somescript.php?FUZZ=admin
wfuzz also allows us to filter matches based on the web server response code, as well as on the number of lines, the number of words, the size of the response, and text matched within the response.
Let's start with:
./wfuzz.py -c -z file,./wordlist/vulns/cgis.txt --hc 404 http://www.plzpwn.me/FUZZ
Here, we'll be fuzzing with data from 'cgis.txt', and we'll be ignoring 404 (not found) responses. Straight away, we get pages of matches with 403 (forbidden) codes instead. Using 'curl' shows that we can't even access 'index.php'. Some trial and error shows that our user agent is being rejected as potentially malicious by the remote security filter. Setting it to 'Mozilla' works.
Great. Now let's try again with wfuzz, this time specifying our custom user agent and hiding 403 responses as well as 404s:
./wfuzz.py -c -z file,./wordlist/vulns/cgis.txt --hc 403,404 -H "User-Agent: Mozilla" http://www.plzpwn.me/FUZZ
Looking better. The remaining issue is false positives: index.php?ANYTHING returns a 200 even though there's no functionality behind it. We notice that these responses all contain 4 words, the same as index.php itself. Let's filter out anything with exactly 4 words:
./wfuzz.py -c -z file,./wordlist/vulns/cgis.txt --hc 400,403,404 --hw 4 -H "User-Agent: Mozilla" http://www.plzpwn.me/FUZZ
Oh look, someone left phpinfo.php sitting around!
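As an added illustration (not code from the original post, and not wfuzz's own implementation), here is a small Python model of the --hc/--hw hide filters run against a constructed stand-in for the target; the fake server, its response bodies and the wordlist are all assumptions made for the example. It also goes one step beyond the manual check above: a probe request for a query string that cannot exist is used to learn the catch-all page's word count, so that signature is hidden automatically rather than by eyeballing the output.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response: status code plus body text."""
    status: int
    body: str

def signature(resp):
    """wfuzz-style counters (lines, words, chars); an approximation, not wfuzz's code."""
    return (resp.body.count("\n"), len(re.findall(r"\S+", resp.body)), len(resp.body))

def is_hidden(resp, hc=(), hl=(), hw=(), hh=()):
    """Model of --hc/--hl/--hw/--hh: hide when any counter is in its hide set."""
    lines, words, chars = signature(resp)
    return resp.status in hc or lines in hl or words in hw or chars in hh

# Constructed stand-in for the target (not a real host): a filter that rejects
# non-Mozilla user agents, a catch-all index.php that answers 200 for any query
# string, and a leftover phpinfo.php.
def fake_server(path, user_agent):
    if "Mozilla" not in user_agent:
        return Response(403, "<h1>Forbidden</h1>\n")
    if path == "index.php" or path.startswith("index.php?"):
        return Response(200, "<body>Welcome to the site</body>\n")  # 4 words
    if path == "phpinfo.php":
        return Response(200, "<h1>PHP Version 7.4.3</h1>\n<p>System: Linux</p>\n")
    return Response(404, "<h1>Not Found</h1>\n")

def fuzz(server, wordlist, user_agent="Mozilla", hc=(404,), hw=(), probe=None):
    """Send each word to the FUZZ position and return the surviving (path, status).
    A probe that answers 200 adds its word count to the hide set (the "4 words" step)."""
    hw = set(hw)
    if probe is not None:
        base = server(probe, user_agent)
        if base.status == 200:
            hw.add(signature(base)[1])
    hits = []
    for word in wordlist:
        resp = server(word, user_agent)
        if not is_hidden(resp, hc=hc, hw=hw):
            hits.append((word, resp.status))
    return hits

WORDLIST = ["index.php", "index.php?admin", "phpinfo.php", "cgi-bin/", "test.php"]  # constructed

if __name__ == "__main__":
    print(fuzz(fake_server, WORDLIST, hc=(403, 404), probe="index.php?zz_not_real"))
```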