
Parameter and Value Fuzzing

Serving Files From a Web Server

NGINX

/etc/nginx/sites-available/example.com.conf

server {
       listen 80;
       server_name www.example.com;
       root /var/www/example.com;
       index index.html;

       location / {
               try_files $uri $uri/ =404;
       }
}
  • Server Block
    • Listens on TCP/80
    • Answers any HTTP request whose Host header is www.example.com
    • Serves content out of /var/www/example.com (root)
    • Home page (index) is /var/www/example.com/index.html
    • For a requested path, try_files checks in order:
      • /var/www/example.com/ + user/requested/resource as a file ($uri)
      • the same path as a directory ($uri/)
      • otherwise returns 404 (=404)

Apache

/etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
        ServerName www.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
  • VirtualHost Block
    • Listens on TCP/80 on any interface (*:80)
    • Answers any HTTP request whose Host header is www.example.com
    • Serves content out of /var/www/html (DocumentRoot), which in this config is not /var/www/example.com
    • Home page (index) is whatever DirectoryIndex resolves to; no DirectoryIndex is set here, so Apache's default (index.html) applies
    • Errors go to ${APACHE_LOG_DIR}/error.log; every request is recorded in ${APACHE_LOG_DIR}/access.log in the combined format



Example PHP Code

/var/www/example.com/test.php

<?php
  // Deliberately unsafe demo: whatever arrives in the cmd parameter is passed straight to exec().
  // The ?? null read avoids an undefined-index notice when cmd is absent; the loose == NULL
  // comparison keeps the original behaviour (missing or empty cmd takes the first branch).
  $id = $_GET["cmd"] ?? null;
  if ($id == NULL) {
      echo "Hello " . exec("whoami") . "!";
  } else {
      echo "Hello " . exec($id);
  }
?>

If a user navigates to http://www.example.com/test.php and does not pass a parameter, the script does nothing. The user would most likely see a blank page or empty output in some kind of placeholder on the screen.

As a user, we do not have the luxury of seeing the source code like this. We may know there is a test.php file, because we enumerated it following the steps here: Directory and File Enumeration, but we don't know the parameters this script accepts.



Request with Parameters

A request to a script file that accepts parameters would look like this: http://www.example.com/test.php?parameterName=userInput where:

  • parameterName is the parameter
  • userInput is some argument we pass to the parameter

So, something like: http://www.example.com/test.php?file=cute-picture-of-cat.jpg. The only problem is, we don't know what to enter for the parameterName key, because we didn't develop the application.



Fuzzing with Gobuster

payload='whoami'
wordlist='/usr/share/seclists/Discovery/Web-Content/big.txt'

# FUZZ marks where gobuster substitutes each wordlist entry
gobuster fuzz -u "http://www.example.com/test.php?FUZZ=$payload" -w "$wordlist"
  • Effectively, this is causing gobuster to do the following:
    • GET /test.php?[wordlist-item1]=whoami
    • GET /test.php?[wordlist-item2]=whoami
    • GET /test.php?[wordlist-item3]=whoami
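The two sides of the gobuster run above, as an added example that is not part of the original page or of gobuster itself: first, the request expansion gobuster performs (one GET per wordlist entry substituted for FUZZ) together with the baseline comparison that separates the one parameter the script reads from the entries it ignores; second, what that activity looks like in the Apache combined access log and how to flag it. The wordlist, the log lines, the simulated test.php (which returns a fixed string rather than running anything) and the threshold of four distinct parameter names are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for big.txt; a real wordlist has thousands of entries.
WORDLIST = ["id", "file", "page", "cmd", "q", "user"]
PAYLOAD = "whoami"
TEMPLATE = "http://www.example.com/test.php?FUZZ=" + PAYLOAD


def build_fuzz_urls(template, wordlist):
    """Expand the FUZZ keyword once per wordlist entry, which is what
    `gobuster fuzz -u ...?FUZZ=whoami -w wordlist` does before each GET."""
    return [template.replace("FUZZ", word) for word in wordlist]


def simulated_test_php(url):
    """Offline stand-in for the page's test.php (constructed, nothing is
    executed). It mirrors the two output branches of the PHP: no cmd ->
    'Hello <user>!', cmd present -> 'Hello <output>' without the '!'."""
    params = parse_qs(urlsplit(url).query)
    cmd = params.get("cmd", [""])[0]
    fake_output = "www-data"  # constructed value standing in for command output
    return f"Hello {fake_output}!" if cmd == "" else f"Hello {fake_output}"


def find_accepted_parameters(template, wordlist, send):
    """Return wordlist entries whose response differs from the no-parameter
    baseline. The baseline diff is what lets a fuzzer spot the single
    parameter name the script actually reads among hundreds it ignores."""
    baseline_url = urlsplit(template)._replace(query="").geturl()
    baseline = send(baseline_url)
    accepted = []
    for word, url in zip(wordlist, build_fuzz_urls(template, wordlist)):
        if send(url) != baseline:
            accepted.append(word)
    return accepted


# Apache 'combined' format, as written by the CustomLog line in the vhost above.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed access.log sample: one client cycling parameter names against
# test.php, plus one ordinary visitor using the documented parameter.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /test.php?id=whoami HTTP/1.1" 200 15 "-" "gobuster/3.6"',
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /test.php?file=whoami HTTP/1.1" 200 15 "-" "gobuster/3.6"',
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /test.php?page=whoami HTTP/1.1" 200 15 "-" "gobuster/3.6"',
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /test.php?cmd=whoami HTTP/1.1" 200 14 "-" "gobuster/3.6"',
    '203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "GET /test.php?q=whoami HTTP/1.1" 200 15 "-" "gobuster/3.6"',
    '198.51.100.2 - - [10/Oct/2024:13:56:01 +0000] "GET /test.php?file=cute-picture-of-cat.jpg HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
]


def detect_parameter_fuzzing(lines, threshold=4):
    """Flag (client, path) pairs that sent at least `threshold` distinct query
    parameter names to the same script. Legitimate clients use the handful of
    names the application documents; a fuzzer walks a wordlist through them."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        for key in parse_qs(parts.query, keep_blank_values=True):
            seen[(client, parts.path)].add(key)
    return sorted(k for k, keys in seen.items() if len(keys) >= threshold)


if __name__ == "__main__":
    print(find_accepted_parameters(TEMPLATE, WORDLIST, simulated_test_php))  # ['cmd']
    print(detect_parameter_fuzzing(LOG_LINES))  # [('203.0.113.7', '/test.php')]
```

The fuzzer side only works because the two branches of test.php produce different output (the trailing "!"); a script whose response never changes would be invisible to this comparison, which is also why response size and status code are the columns gobuster reports. On the log side, note that the log entry for the accepted parameter is the one with a different byte count, so the same baseline diff a fuzzer uses is available to the defender reading access.log.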