Getting status code 200 every time from ffuf when searching for parameters

Hey, can someone help me?
With the command ffuf -u http://46.101.32.158:32765/index.php?FUZZ=readme -c -w /dir/to/fuzzParameter.txt every parameter has the status code 200. But that is not possible.

I also tried these commands:
./gobuster fuzz -u 'http://46.101.32.158:32765/index.php?FUZZ=text' -w /dir/to/fuzzParameter.txt

wfuzz -w /dir/to/fuzzParameter.txt http://46.101.32.158:32765/index.php?FUZZ
but these also have the code 200.

Does someone know why?

Why isn’t it possible that the server returns 200? A server doesn’t have to recognize a parameter. It will just ignore it if the program doesn’t use it. The index.php file loads fine, hence the 200.

If you want to differentiate between different requests, then you would need to filter on something other than the status code. For the tools you describe, you could filter based on the number of words or total size of the response. You would need to read the manual for each tool to find what command parameter is required to set these filters.


But how do I know what size, words and lines they have? In the output, I get the same value for each of them:

For example:
A [Status: 200, Size: 2309, Words: 571, Lines: 56]
...
...
...
zoom [Status: 200, Size: 2309, Words: 571, Lines: 56]

In this case the filter does not make sense.

Have you tried the -ac switch? If I understand this correctly, it will first try to come up with a baseline that requests are evaluated against, and it really did make a huge difference with a machine I was working on recently.

With the -ac parameter, the filter found the values by default. How can I use these to get out the parameters? Should I use other filter parameters together with the -ac parameter?

I fixed it: instead of a filter, I used the grep -v function in Linux.
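
The size/word filtering suggested earlier in the thread and the grep -v approach in the last post both come down to hiding the baseline response. As an added example (not code from any poster in this thread), this shell function finds the most common Size/Words/Lines signature in saved ffuf output and prints only the lines that differ; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: print ffuf result lines whose (Size, Words, Lines) signature
# differs from the most common one, i.e. from the baseline response.

# ffuf_outliers (hypothetical helper name): reads ffuf-style result lines on
# stdin, for example:
#   zoom [Status: 200, Size: 2309, Words: 571, Lines: 56]
# It buffers the input, counts each signature, then prints every line whose
# signature is not the most frequent one.
ffuf_outliers() {
    awk '
    {
        # Only consider lines that carry all three metrics.
        if (match($0, /Size: [0-9]+, Words: [0-9]+, Lines: [0-9]+/)) {
            sig = substr($0, RSTART, RLENGTH)
            count[sig]++
            line[++n] = $0
            sigof[n] = sig
        }
    }
    END {
        # The most frequent signature is treated as the baseline page.
        best = ""; max = 0
        for (s in count) if (count[s] > max) { max = count[s]; best = s }
        for (i = 1; i <= n; i++) if (sigof[i] != best) print line[i]
    }'
}

# Constructed sample input: the "A" and "zoom" values mirror the thread,
# the "id" and "view" lines are invented, "view" being the outlier.
sample_results() {
    cat <<'EOF'
A [Status: 200, Size: 2309, Words: 571, Lines: 56]
id [Status: 200, Size: 2309, Words: 571, Lines: 56]
view [Status: 200, Size: 2480, Words: 602, Lines: 61]
zoom [Status: 200, Size: 2309, Words: 571, Lines: 56]
EOF
}

sample_results | ffuf_outliers
```

If every line shares one signature, as in the output quoted in the thread, the function prints nothing: no tested parameter name changed the response for that value.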