Parameter and Value Fuzzing
Serving Files From a Web Server

NGINX

/etc/nginx/sites-available/example.com.conf

```nginx
server {
    listen 80;
    server_name www.example.com;
    root /var/www/example.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

- Server block
- Listens on TCP/80
- Answers any HTTP request with Host: www.example.com
- Serves the contents out of /var/www/example.com
- Home page (index) is /var/www/example.com/index.html
- When a request hits the server name, try files in /var/www/example.com/ + user/requested/resource (first as a file, then as a directory, otherwise answer 404)
Apache

/etc/apache2/sites-available/example.com.conf

```apache
<VirtualHost *:80>
    ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

- Virtual host block
- Listens on TCP/80 (on any interface)
- Answers any HTTP request with Host: www.example.com
- Serves the contents out of the DocumentRoot, /var/www/html (note this example uses the Debian default document root, not /var/www/example.com as in the NGINX example)
- Home page (index) is the DirectoryIndex file in that directory, i.e. /var/www/html/index.html with the default settings
- A request for /user/requested/resource is mapped to /var/www/html/user/requested/resource
- Errors go to ${APACHE_LOG_DIR}/error.log; every request is written to ${APACHE_LOG_DIR}/access.log in the combined format (client IP, timestamp, request line, status, response size, referer and user agent)
Example PHP Code

/var/www/example.com/test.php

```php
<?php
// Deliberately vulnerable test script: the value of the "cmd" query parameter
// is handed straight to exec(), so the server runs whatever the client sends.
$id = $_GET["cmd"] ?? NULL;
if ($id == NULL) {
    // No cmd parameter (or an empty one): run a fixed command
    echo "Hello " . exec("whoami") . "!";
} else {
    // cmd parameter present: run the client-supplied string
    echo "Hello " . exec($id);
}
?>
```
As a user, we do not have the luxury of seeing the source code like this. We may know there is a test.php file, because we enumerated it following the steps here: Directory and File Enumeration, but we don't know which parameters this script accepts.
Request with Parameters

A request to a script file that accepts parameters would look like this:

http://www.example.com/test.php?parameterName=userInput

where:

- parameterName is the parameter (the key the script reads, $_GET["parameterName"] in PHP)
- userInput is some argument we pass to the parameter

So, something like: http://www.example.com/test.php?file=cute-picture-of-cat.jpg. The only problem is, we don't know what to enter for the parameterName key, because we didn't develop the application.
Fuzzing with Gobuster

```bash
payload='whoami'
wordlist='/usr/share/seclists/Discovery/Web-Content/big.txt'
gobuster fuzz -u "http://www.example.com/test.php?FUZZ=$payload" -w "$wordlist"
```

- Effectively, this is causing gobuster to substitute each wordlist entry for the FUZZ keyword, i.e. to do the following:

```
GET /test.php?[wordlist-item1]=whoami
GET /test.php?[wordlist-item2]=whoami
GET /test.php?[wordlist-item3]=whoami
```

- Note that test.php answers 200 OK to every one of these requests whatever the parameter name, so the status code separates nothing. The only difference between a miss and a hit is the response body ("Hello www-data!" from the fixed branch versus "Hello www-data" once the name is cmd), i.e. a response length that differs by one byte, so the results have to be filtered on length (gobuster fuzz's --exclude-length) rather than on status. Every wordlist entry also lands as a full request line in the server's access log, which is what makes this activity easy to spot on the defending side.
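The defender-side view of the same traffic, as an added example that is not part of the original page: a small Python parser for the combined-format access log (the format named in the Apache config above) that groups requests by client IP and path and flags a client that tried many distinct query parameter names against one script, reporting how many distinct values it used and which response sizes came back. The log lines, the parameter wordlist, the gobuster user-agent string and the response sizes below are constructed for the example and assume the test.php behaviour shown on this page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Regex for the Apache/NGINX "combined" log format (the CustomLog format in the
# Apache config above): client, identd, user, [time], "request", status, size,
# "referer", "user agent".
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "path": parts.path,
        # keep_blank_values so that "?cmd=" still counts as a parameter named cmd
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
        "agent": m.group("agent"),
    }


def find_param_fuzzing(lines, min_distinct_names=5):
    """Group requests by (client IP, path) and flag pairs that tried at least
    min_distinct_names different query parameter names. A fuzzer usually reuses
    one value (the payload) for every name, so the distinct-value count is
    reported too, as are the distinct response sizes: a size that differs from
    the rest marks the parameter name the application actually reacted to."""
    names, values, sizes, agents = (defaultdict(set) for _ in range(4))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["params"]:
            continue
        key = (rec["client"], rec["path"])
        for name, value in rec["params"]:
            names[key].add(name)
            values[key].add(value)
        sizes[key].add(rec["size"])
        agents[key].add(rec["agent"])
    findings = []
    for key, nset in names.items():
        if len(nset) >= min_distinct_names:
            findings.append({
                "client": key[0],
                "path": key[1],
                "distinct_param_names": len(nset),
                "distinct_values": len(values[key]),
                "response_sizes": sorted(sizes[key]),
                "user_agents": sorted(agents[key]),
            })
    return findings


# Constructed sample log (not real traffic). 203.0.113.10 fuzzes parameter names
# on /test.php with the value "whoami"; the script on this page answers
# "Hello www-data!" (15 bytes) to every unknown name and "Hello www-data"
# (14 bytes) once the name is cmd. 198.51.100.7 is ordinary browsing.
# The wordlist and the "gobuster/3.6" user agent are constructed values.
FUZZ_NAMES = ["file", "id", "page", "q", "search", "user", "cmd"]
SAMPLE_LINES = [
    f'203.0.113.10 - - [10/Oct/2023:13:55:{i:02d} +0000] '
    f'"GET /test.php?{name}=whoami HTTP/1.1" 200 {14 if name == "cmd" else 15} '
    f'"-" "gobuster/3.6"'
    for i, name in enumerate(FUZZ_NAMES)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /test.php?cmd= HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for finding in find_param_fuzzing(SAMPLE_LINES):
        print(finding)
```

Run against a real file with `find_param_fuzzing(open("/var/log/apache2/access.log"))`; the threshold is deliberately low for the sample, and on a busy site it should be combined with a time window so that a long-lived legitimate client is not counted across days.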