Hi hackers and bug bounty hunters. Today I'm going to share with you how I use fzf for bug bounty work. Sometimes when you do bug bounty, you end up with a huge number of files. In particular, the amount of output from recon tools such as meg and gospider is beyond imagination.
ll
합계 6412
drwxrwxrwx 1377 root root 69632 3월 28 02:50 ./
drwxrwxr-x 3 hahwul hahwul 4096 3월 28 02:36 ../
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 3gio-int.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-bochum.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-coesfeld.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-duelmen.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-gelsenkirchen.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahg-gmbh.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-arnold.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-augsburg.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-auto-eggert.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-auto-fischer.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-auto-motorrad-auer.bmw.de/
...snip...
I use one site as an example in this article, but the number of URLs I actually test is more than 1.5 million. Today I want to talk about how to use fzf to find bug bounty endpoints easily.
Fzf
fzf is a command-line fuzzy finder, a CLI tool that makes it easy to search through large numbers of files. fzf was made by a Korean developer, and since he is someone I know through a mutual acquaintance, that makes me glad and a little proud.
- https://github.com/junegunn/fzf
For bugbounty
When you run fzf, a search window like the one below appears, and you can easily find data with the keyword you want. Move the cursor to the entry you are looking for and press Enter; fzf returns the path of that file.
fzf
mein-test.bmw-motorrad.de/43aa4ed4dc23df89e1b2b251e47901455d7152ee
So when you manage data on a file basis, you can use fzf to find things easily, and you can look up a path and use it right away in the following way.
cat `fzf`
http://www.essen.mini.de:80/
> GET / HTTP/1.1
> Host: www.essen.mini.de
> User-Agent: Mozilla/5.0 (compatible; meg/0.2; +https://github.com/tomnomnom/meg)
< HTTP/1.1 302 Moved Temporarily
< Server: Apache
< Cache-Control: max-age=1800
< Expires: Fri, 27 Mar 2020 17:55:25 GMT
< Set-Cookie: visitorid=04e43517c37d000005377e5e66030000a5060000; expires=Tue, 26-Mar-2024 17:25:25 GMT
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=63072000; includeSubdomains;
< Location: http://www.essen.mini.de/de_DE/home.html
< Content-Length: 224
< Content-Type: text/html; charset=iso-8859-1
< Date: Fri, 27 Mar 2020 17:25:25 GMT
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.essen.mini.de/de_DE/home.html">here</a>.</p>
</body></html>
Pipeline
fzf + waybackurls (or gau)
cat `fzf` | head -1 | ~/go/bin/waybackurls
e.g
cat `fzf` | head -1 | ~/go/bin/waybackurls
http://essen.mini.de
http://essen.mini.de:80/360/index.html
http://essen.mini.de:80/7gruende/index.html
http://essen.mini.de:80/abschluss/index.html
http://essen.mini.de:80/accessories/car_care_special/index.html
http://essen.mini.de:80/accessories/championship/index.html
http://essen.mini.de:80/accessories/detergents/index.html
http://essen.mini.de:80/accessories/index.html
http://essen.mini.de:80/accessories/information/index.html
fzf + Burp
Using the REST API that Burp Suite (Pro) provides, you can pass a specific host to the scan queue through fzf. Of course, you need to set up the REST API before using it.
curl -vgw "\n" -X POST 'http://127.0.0.1:1337/v0.1/scan' -d "{\"urls\":[\"$(cat `fzf` | head -1)\"]}"
e.g
curl -vgw "\n" -X POST 'http://192.168.0.10:1337/v0.1/scan' -d "{\"urls\":[\"$(cat `fzf` | head -1)\"]}"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 192.168.0.10...
* TCP_NODELAY set
* Connected to 192.168.0.10 (192.168.0.10) port 1337 (#0)
> POST /v0.1/scan HTTP/1.1
> Host: 192.168.0.10:1337
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Length: 41
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 41 out of 41 bytes
< HTTP/1.1 201 Created
< Location: 4
< X-Frame-Options: DENY
< Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; frame-src 'self'; connect-src 'self' ws://localhost:3333; font-src 'self'; media-src 'self'; object-src 'none'; child-src 'self' blob:
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Burp-Version: 2020.2.1-1699
< Keep-Alive: timeout=15
< Content-Length: 0
<
* Connection #0 to host 192.168.0.10 left intact
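As an added example that is not part of the original post, here is a small bash wrapper around the `cat \`fzf\` | head -1` idiom used in the pipelines above and the Burp request shown above. It handles a cancelled or empty fzf selection (a bare `cat` with no argument would otherwise block on stdin), supports fzf multi-select, and builds a proper JSON body for the Burp REST API. The function names and the FZF_CMD and BURP_API variables are my own assumptions; the Burp address default matches the one used in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes meg-style output files:
# the request URL is on the first line of every file.

# Print the URL (first line) of each meg output file given as an argument.
# Missing or empty files are skipped instead of producing garbage.
meg_urls() {
  for f in "$@"; do
    if [ -s "$f" ]; then head -n 1 -- "$f"; fi
  done
}

# Run fzf in multi-select mode and resolve the chosen files to URLs.
# FZF_CMD (assumed variable) can be overridden, e.g. with a function,
# so the logic works without a TTY. fzf exits non-zero when cancelled,
# and an empty selection is treated as a failure too.
pick_urls() {
  selection=$(${FZF_CMD:-fzf -m}) || return 1
  [ -n "$selection" ] || return 1
  printf '%s\n' "$selection" | while IFS= read -r line; do
    meg_urls "$line"
  done
}

# JSON body for POST /v0.1/scan: {"urls":["..."]} with one entry per
# argument. Backslashes and double quotes are escaped for JSON.
burp_scan_body() {
  out='{"urls":['
  sep=''
  for u in "$@"; do
    u=$(printf '%s' "$u" | sed 's/[\\"]/\\&/g')
    out="$out$sep\"$u\""
    sep=','
  done
  printf '%s]}' "$out"
}

# Queue every selected URL in a single Burp scan task.
# BURP_API is an assumed variable; the default is the address from the post.
# Unlike plain -d, an explicit Content-Type tells Burp the body is JSON.
burp_scan() {
  urls=$(pick_urls) || return 1
  [ -n "$urls" ] || return 1
  # meg paths and URLs contain no whitespace, so word splitting is safe here.
  # shellcheck disable=SC2086
  body=$(burp_scan_body $urls)
  curl -s -H 'Content-Type: application/json' -d "$body" \
       "${BURP_API:-http://127.0.0.1:1337}/v0.1/scan"
}
```

Use `burp_scan` interactively in the meg output directory; press Tab in fzf to select several hosts and Enter to queue them all at once.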
fzf + ZAP
ZAP can also easily be handed a scan via zap-cli or its REST API.
zap-cli quick-scan -s xss,sqli \
--spider -r \
-e "some_regex_pattern" $(cat `fzf` | head -1)
fzf + sending proxy
proxychains4 curl $(cat `fzf` | head -1)
e.g
proxychains4 curl $(cat `fzf` | head -1)
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/i386-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain ... 192.168.0.10:8080 ... www.essen.mini.de:80 ... OK
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.essen.mini.de/de_DE/home.html">here</a>.</p>
</body></html>
Conclusion
It's a simple tool, but sometimes it turns out to be really useful. Make good use of it and happy hacking +_+