The output shows that ffuf found exactly one path,
http://172.16.10.10:8081/files/acme-hyper-branding-5.csv, that returned
HTTP 200 OK. If you look closely at the output, you should also see that
the fuzzer sent all 405 requests (one per wordlist entry) in less than a
second, which is pretty impressive.
Fuzzing with Wfuzz
Wfuzz is another web fuzzing tool that can do similar things to
ffuf; in fact, ffuf's own documentation credits Wfuzz as one of its
inspirations. Let's use Wfuzz to perform the same type of wordlist-based
scan (-w), then use its filtering capabilities to show only files that
receive a response status code of 200 OK (--sc 200). Keep in mind that
filtering on a single status code also hides redirects (301/302) and
forbidden responses (403), which often point at interesting paths too;
hiding only 404s with --hc 404 is a broader alternative:
$ wfuzz --sc 200 -w files_wordlist.txt http://172.16.10.10:8081/files/FUZZ
--snip--
Target: http://172.16.10.10:8081/files/FUZZ
Total requests: 405
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000022:   200        8 L      37 W       432 Ch      "acme-hyper-branding-5.csv"
Total time: 0
Processed Requests: 405
Filtered Requests: 404
Requests/sec.: 0
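Since this is a Bash book, it is worth seeing what ffuf and Wfuzz do under the hood. The following is an added example, not code from the book or from either tool: a shell function built around curl that takes a Wfuzz-style target URL containing the FUZZ token and a wordlist, and prints only the payloads whose status code matches, the same effect as --sc 200. It assumes curl is installed; the helper name http_status is made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the book): a minimal Bash version of the
# wordlist scan run above with wfuzz, including its --sc 200 style filter.
# Assumes curl is installed. BASE_URL and WORDLIST are supplied by the caller.

# http_status URL
# Print the HTTP status code curl got for URL, or 000 if the request failed
# (connection refused, timeout, DNS error).
http_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || true
    printf '%s' "${code:-000}"
}

# fuzz_paths BASE_URL WORDLIST [WANTED_CODE]
# BASE_URL must contain the literal token FUZZ, like wfuzz's target syntax.
# For every wordlist entry, substitute it for FUZZ, request the URL, and print
# "CODE PAYLOAD" only when the status code equals WANTED_CODE (default 200),
# which is what --sc 200 does in wfuzz.
fuzz_paths() {
    base="$1"; wordlist="$2"; wanted="${3:-200}"
    [ -r "$wordlist" ] || { echo "wordlist not readable: $wordlist" >&2; return 1; }
    case "$base" in
        *FUZZ*) ;;
        *) echo "BASE_URL must contain the FUZZ token" >&2; return 1 ;;
    esac
    # The || [ -n "$word" ] clause also handles a last line with no newline.
    while IFS= read -r word || [ -n "$word" ]; do
        [ -z "$word" ] && continue                 # skip blank lines
        case "$word" in '#'*) continue ;; esac     # skip commented-out entries
        url="${base%%FUZZ*}${word}${base#*FUZZ}"   # replace the first FUZZ (POSIX)
        code=$(http_status "$url")
        if [ "$code" = "$wanted" ]; then
            printf '%s %s\n' "$code" "$word"
        fi
    done < "$wordlist"
}

# Usage against the lab target from the chapter:
#   fuzz_paths http://172.16.10.10:8081/files/FUZZ files_wordlist.txt 200
```

Requests are made one at a time, so this is far slower than ffuf or Wfuzz, which run many workers in parallel; the point is the filtering logic, not the speed.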
Next, let’s use the wget command to download this file.
$ wget http://172.16.10.10:8081/files/acme-hyper-branding-5.csv
$ cat acme-hyper-branding-5.csv
no, first_name, last_name, designation, email
1, Jacob, Taylor, Founder, [email protected]
2, Sarah, Lewis, Executive Assistance, [email protected]
3, Nicholas, Young, Influencer, [email protected]
4, Lauren, Scott, Influencer, [email protected]
5, Aaron,Peres, Marketing Lead, [email protected]
6, Melissa, Rogers, Marketing Lead, [email protected]
We've identified a table of personally identifiable information
(PII), including first and last names, titles, and email addresses. A list
like this is a ready-made target set for later phases such as phishing or
password guessing, so take note of every detail we've managed to extract
in this chapter; you never know when it will come in handy.
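Before moving on, it pays to turn a file like this into something the rest of your scripts can consume. The following is an added example, not code from the book: two awk-based functions that pull a clean, deduplicated email list and a name/title list out of the CSV. The sample data is constructed here; the page does not show the real addresses, so the domain acme-hyper-branding.example is an assumption. Note the deliberate inconsistencies in the sample (a missing space after a comma, mixed case, a duplicate row), which mirror the kind of untidy data you get from a real download.

```shell
#!/usr/bin/env bash
# Added example (not from the book): normalize the PII table downloaded
# above into reusable lists. SAMPLE_CSV is constructed for this example;
# the email domain is an assumption, not taken from the page.

SAMPLE_CSV=$(mktemp)
cat > "$SAMPLE_CSV" <<'EOF'
no, first_name, last_name, designation, email
1, Jacob, Taylor, Founder, jacob.taylor@acme-hyper-branding.example
2, Sarah, Lewis, Executive Assistance, Sarah.Lewis@acme-hyper-branding.example
5, Aaron,Peres, Marketing Lead, aaron.peres@acme-hyper-branding.example
6, Melissa, Rogers, Marketing Lead, melissa.rogers@acme-hyper-branding.example
6, Melissa, Rogers, Marketing Lead, melissa.rogers@acme-hyper-branding.example
EOF

# csv_emails FILE
# Print the email column, one address per line, lowercased and deduplicated.
# Fields are trimmed of surrounding whitespace rather than split on ", ",
# so rows like "Aaron,Peres" (no space) parse the same as the others.
csv_emails() {
    awk -F',' '
        NR == 1 { next }                      # skip the header row
        {
            e = $5
            gsub(/^[ \t]+|[ \t]+$/, "", e)    # trim whitespace around the field
            if (e ~ /@/) print tolower(e)     # only keep real-looking addresses
        }' "$1" | sort -u
}

# csv_people FILE
# Print "first last (designation)" for every record, with the same trimming.
csv_people() {
    awk -F',' '
        NR == 1 { next }
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            print $2 " " $3 " (" $4 ")"
        }' "$1"
}

# Usage against the downloaded file:
#   csv_emails acme-hyper-branding-5.csv > targets.txt
#   csv_people acme-hyper-branding-5.csv
```

Lowercasing before sort -u matters: mail servers treat the domain part case-insensitively and most treat the local part that way too, so "Sarah.Lewis@..." and "sarah.lewis@..." would otherwise count as two targets.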
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks