Hey guys, can someone help me with this question?
I fuzzed this http://46.101.78.118:32280 and found exposed parameters, but nothing else.
Please help me, thank you very much!
After you have found the parameter, you need to test it for vulnerability. If you know how the parameter is vulnerable, you can read the flag.
Thank you for the answer. I used ffuf to test the parameters but I did not find this parameter.
Example: ffuf -w ./burp-parameter-names.txt:FUZZ -u "http://46.101.78.118:32280?FUZZ=value" -fs 0
Finally, I cannot find these parameters, and then I do not know how to deal with the problem.
-fs 0 will not work. You have to find out the size of the answer first.
Thank you very much, I succeeded.
Hi, I'm getting 200 on all requests using the LFI wordlist and tried testing some payloads but they are not working. Not sure if this is correct or not. Need tips. Thanks.
You should pay attention to the -fs size, then you can get the correct result.
How should I find the fs size? All I can see is they have the same file size. Thanks.
I got it now. Thanks.
I'm also stuck on it. How did you find what size you have to put?
In -fs I put arg 0 or 2000; it has no reason. It is giving back a huge amount of status 200 material. Help, please.
Good afternoon.
I want to share my experience of passing this room.
One of the most incomprehensible tasks in my opinion.
I had to spend a lot of time looking for a solution, which turned out to be not so much complicated as confusing.
Due to the fact that I am not a native English speaker and I have to use a translator, the meaning and essence of the question is very often lost. And in order to understand what you need, you have to try a large number of ways and methods.
When you make a request ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u "http://<SERVER_IP>:/index.php?FUZZ=value" -fs 2287
You get a lot of directory names. They are all Size: 2309, but 1 is different from them. Find it!
Once you've found it, don't waste your time. I tried many tricks and methods of attack, up to the use of Metasploit and an exploit for Apache.
When you have got the directory name and -fs "its size", you can find an example from this link and use "Find its name in this list": File Inclusion/Path traversal - HackTricks.
You can run a search with sudo ffuf -w ./LFI-Jhaddix.txt:FUZZ -u 'http://ip-server/index.php?xxxx=/.../.../.../FUZZ' -fs "found size"
In this way, you will find examples of requests that you need to enter into your browser. Don't look for the flag right away! It's practically meaningless until you understand what it takes.
Try getting passwd output first and make sure the query and directory traversal work!
Only then will you be able to easily find the flag.
Don't use
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u "http://<SERVER_IP>:/index.php?language=FUZZ" -fs 2287
It's pointless. You will receive a large amount of incomprehensible information; as a result, I did not understand the meaning of this request. It gives only a general picture, but I did not find my -fs in this big list.
This meaningless conclusion does nothing, but only takes time.
And also I did not find even an approximately close request that can be used. It's one thing when you already know what it looks like, another thing when you look at a long list of queries and try to apply them at random!
That's bullshit.
curl http://<SERVER_IP>:/index.php?language=…/…/…/…/etc/apache2/apache2.conf
as well as
curl http://<SERVER_IP>:/index.php?language=…/…/…/…/etc/apache2/envvars
It also took a lot of time and I did not fully understand why they are needed in the task.
Perhaps the problem is with the translator, but in any case, in my practice, I find that my time is precious, and if I can minimize costs and make everything faster and easier, then it's better to do so. The main thing is the result at the lowest possible cost. I value my time and it seems to me that it is better to use it to improve your skills.
Good luck.