Recon using fzf and other tools. for bugbounty

Hi hackers and bugbounty hunters. today, I'm going to share with you how to use fzf for bugbounty.
Sometimes when you do bugbounty, you get a lot of files. In particular, the amount of results using recon tools such as megg and gospider is beyond imagination.
때때로 버그바운티를 하다보면, 굉장히 많은 파일을 만나게 됩니다. 특히 meg, gospider 등 recon 도구를 사용한 결과의 양은 상상을 초월합니다.

hahwul@fire:~/test/bmw/out$ ll
합계 6412
drwxrwxrwx 1377 root root 69632 3월 28 02:50 ./
drwxrwxr-x 3 hahwul hahwul 4096 3월 28 02:36 ../
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 3gio-int.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-bochum.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-coesfeld.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-duelmen.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahag-gelsenkirchen.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-ahg-gmbh.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-arnold.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-augsburg.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-auto-eggert.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-auto-fischer.bmw.de/
drwxr-x--- 2 hahwul hahwul 4096 3월 28 01:16 ah-auto-motorrad-auer.bmw.de/
...snip...

I used one site as an example in this article, but I actually test more than 1.5 million URLs.... wtf..
이 글에선 한 사이트를 예시로 들었지만, 실제로 제가 테스트하는 URL은 150만개가 넘습니다..

오늘은 fzf를 이용하여 버그바운티 엔드포인트를 쉽게 찾는 방법에 대해 이야기할까 합니다.

What is fzf

fzf is a command-line fuzzy finer that makes it easy to retrieve large directory. This tool was made by a Korean and is close to me.
fzf는 command-line fuzzy finder 로 대량의 파일을 검색하기 용이한 cli 도구입니다. 자랑스럽게도 한국분이 만든 도구이고, 한다리 건너 아는분이다 보니 뭔가 반갑고 뿌듯하네요.

https://github.com/junegunn/fzf




How to use it for bugbounty

When you run fzf, a search window appears, such as the screen below, and you can easily find data with the keyword you want.
fzf 를 실행하면 아래 화면과 같은 검색 창이 나오며, 원하는 키워드로 쉽게 데이터를 찾을 수 있습니다.

The result of the search is the absolute path of the file.
찾는 데이터에 커서를 맞춘 후 엔터를 누르면 해당 파일의 경로를 반환합니다.

I find "test" string


$ fzf
mein-test.bmw-motorrad.de/43aa4ed4dc23df89e1b2b251e47901455d7152ee


So when you're managing data based on files, it's easy to find, and you can find the path in the following ways and use it right away.
즉 파일 기반으로 데이터를 관리할 때 이를 이용해서 쉽게 찾을수가 있는데, 아래와 같은 방식으로 경로를 찾아 바로 사용할 수 있습니다.

$ cat `fzf`
http://www.essen.mini.de:80/

> GET / HTTP/1.1
> Host: www.essen.mini.de
> User-Agent: Mozilla/5.0 (compatible; meg/0.2; +https://github.com/tomnomnom/meg)

< HTTP/1.1 302 Moved Temporarily
< Server: Apache
< Cache-Control: max-age=1800
< Expires: Fri, 27 Mar 2020 17:55:25 GMT
< Set-Cookie: visitorid=04e43517c37d000005377e5e66030000a5060000; expires=Tue, 26-Mar-2024 17:25:25 GMT
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=63072000; includeSubdomains;
< Location: http://www.essen.mini.de/de_DE/home.html
< Content-Length: 224
< Content-Type: text/html; charset=iso-8859-1
< Date: Fri, 27 Mar 2020 17:25:25 GMT

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.essen.mini.de/de_DE/home.html">here</a>.</p>
</body></html>

Pipeline-1 :: fzf + waybackurls

$ cat `fzf` | head -1 | ~/go/bin/waybackurls

< e.g >
hahwul@fire:~/test/bmw/out$ cat `fzf` | head -1 | ~/go/bin/waybackurls
http://essen.mini.de
http://essen.mini.de:80/360/index.html
http://essen.mini.de:80/7gruende/index.html
http://essen.mini.de:80/abschluss/index.html
http://essen.mini.de:80/accessories/car_care_special/index.html
http://essen.mini.de:80/accessories/championship/index.html
http://essen.mini.de:80/accessories/detergents/index.html
http://essen.mini.de:80/accessories/index.html
http://essen.mini.de:80/accessories/information/index.html

Pipeline-2 :: fzf + Burp & ZAP Scanning

fzf + burp scanning
The API provided by Burpsuite(pro) allows certain hosts to be passed to the scanning queue through fzf. Of course you have to set up the REST API before using it.
Burp에서 제공하는 API를 이용하면 fzf를 통해 특정 호스트를 스캐닝 큐로 전달할 수 있습니다. 당연히 사용에 앞서 REST API 세팅은 먼저 해주셔야하구요.



$ curl -vgw "\n" -X POST 'http://127.0.0.1:1337/v0.1/scan' -d "{\"urls\":[\"$(cat `fzf` | head -1)\"]}"

실제로 해보면...

curl -vgw "\n" -X POST 'http://127.0.0.1:1337/v0.1/scan' -d "{\"urls\":[\"$(cat `fzf` | head -1)\"]}"


hahwul@fire:~/test/bmw/out$ curl -vgw "\n" -X POST 'http://192.168.0.10:1337/v0.1/scan' -d "{\"urls\":[\"$(cat `fzf` | head -1)\"]}"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 192.168.0.10...
* TCP_NODELAY set
* Connected to 192.168.0.10 (192.168.0.10) port 1337 (#0)
> POST /v0.1/scan HTTP/1.1
> Host: 192.168.0.10:1337
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Length: 41
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 41 out of 41 bytes
< HTTP/1.1 201 Created
< Location: 4
< X-Frame-Options: DENY
< Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; frame-src 'self'; connect-src 'self' ws://localhost:3333; font-src 'self'; media-src 'self'; object-src 'none'; child-src 'self' blob:
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Burp-Version: 2020.2.1-1699
< Keep-Alive: timeout=15
< Content-Length: 0
<
* Connection #0 to host 192.168.0.10 left intact


Added scanning

ZAP can also be easily add to scanning via za-cli or REST API.
ZAP 또한 za-cli나 REST API를 통해 쉽게 스캐닝으로 넘길 수 있습니다.
fzf + zap-cli

$ zap-cli quick-scan -s xss,sqli --spider -r -e "some_regex_pattern" $(cat `fzf` | head -1)


Pipeline-3 :: fzf + sending proxy(burp)

$ proxychains4 curl $(cat `fzf` | head -1)
hahwul@fire:~/test/bmw/out$ proxychains4 curl $(cat `fzf` | head -1)
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/i386-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain ... 192.168.0.10:8080 ... www.essen.mini.de:80 ... OK
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.essen.mini.de/de_DE/home.html">here</a>.</p>
</body></html>

Conclusion

It's a simple tool, but sometimes it's really useful.
간단한 도구이지만, 때론 정말 쓸만하게 다가옵니다. 잘 활용해서 해피해킹합시다!

Happy hacking +_+