
@emadshanab
Forked from Cuncis/FFUF-Payloads.txt
Created July 24, 2022 04:10
```FFUF
-fc (filter code): hide responses with these HTTP status codes
-mc (match code): show only responses with these HTTP status codes
-w: wordlist file (use -w - to read entries from stdin, one per line)
-ic: ignore comments in wordlists (headers, copyright notes, comments, etc.)
```
```Payloads
ffuf -u http://10.10.226.27/FUZZ -w /opt/seclists/raft-medium-words-lowercase.txt -c -e .php,.txt
```
```Payloads code 200,302
ffuf -c -w /opt/seclists/raft-medium-files-lowercase.txt -u http://10.10.226.27/FUZZ -fc 403
RESULTS:
favicon.ico [Status: 200, Size: 1406, Words: 5, Lines: 2, Duration: 226ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 238ms]
login.php [Status: 200, Size: 1523, Words: 89, Lines: 77, Duration: 3868ms]
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3871ms]
robots.txt [Status: 200, Size: 26, Words: 3, Lines: 2, Duration: 220ms]
phpinfo.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 230ms]
. [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 223ms]
php.ini [Status: 200, Size: 148, Words: 17, Lines: 5, Duration: 225ms]
about.php [Status: 200, Size: 4840, Words: 331, Lines: 109, Duration: 225ms]
setup.php [Status: 200, Size: 4066, Words: 308, Lines: 123, Duration: 284ms]
security.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 223ms]
```
```Payloads code 200
ffuf -c -w /opt/seclists/raft-medium-files-lowercase.txt -u http://10.10.226.27/FUZZ -mc 200
RESULTS:
favicon.ico [Status: 200, Size: 1406, Words: 5, Lines: 2, Duration: 223ms]
robots.txt [Status: 200, Size: 26, Words: 3, Lines: 2, Duration: 257ms]
login.php [Status: 200, Size: 1523, Words: 89, Lines: 77, Duration: 2164ms]
php.ini [Status: 200, Size: 148, Words: 17, Lines: 5, Duration: 316ms]
about.php [Status: 200, Size: 4840, Words: 331, Lines: 109, Duration: 235ms]
setup.php [Status: 200, Size: 4066, Words: 308, Lines: 123, Duration: 242ms]
```
```Payloads regex no hidden files
ffuf -u http://10.10.226.27/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'
RESULTS:
login.php [Status: 200, Size: 1523, Words: 89, Lines: 77, Duration: 281ms]
favicon.ico [Status: 200, Size: 1406, Words: 5, Lines: 2, Duration: 303ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 432ms]
robots.txt [Status: 200, Size: 26, Words: 3, Lines: 2, Duration: 260ms]
phpinfo.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 236ms]
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3822ms]
. [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 224ms]
php.ini [Status: 200, Size: 148, Words: 17, Lines: 5, Duration: 263ms]
about.php [Status: 200, Size: 4840, Words: 331, Lines: 109, Duration: 236ms]
setup.php [Status: 200, Size: 4066, Words: 308, Lines: 123, Duration: 222ms]
security.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 221ms]
wp-forum.phps [Status: 403, Size: 292, Words: 21, Lines: 11, Duration: 246ms] <---
```
```Payloads burp parameters
ffuf -u "http://10.10.226.27/sqli-labs/Less-1/?FUZZ=1" -c -w /opt/seclists/burp-parameter-names.txt -fw 39
```
```Payloads subdomains
ffuf -u http://FUZZ.mydomain.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
```
```Show only items without size 0
ffuf -u http://10.10.125.4/api/site-log.php\?date\=FUZZ -w wordlist -c -fs 0
```
```Payloads POST form fields
ffuf -u http://10.10.226.27/sqli-labs/Less-11/ -c -w /opt/seclists/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
```
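As an added example (not part of the original gist or of ffuf itself), a small Python post-processor that parses ffuf's printed result lines and reproduces the -mc/-fc/-fs/-fw/-fl matcher and filter semantics used in the runs above, so a saved run can be re-filtered without sending any further requests. The sample lines are constructed from the output shown on this page.

```python
import re
from typing import Dict, List, Optional, Set
# Constructed sample in ffuf's default output format, copied from the runs shown above.
SAMPLE_RESULTS = """\
favicon.ico [Status: 200, Size: 1406, Words: 5, Lines: 2, Duration: 226ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 238ms]
login.php [Status: 200, Size: 1523, Words: 89, Lines: 77, Duration: 3868ms]
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3871ms]
robots.txt [Status: 200, Size: 26, Words: 3, Lines: 2, Duration: 220ms]
wp-forum.phps [Status: 403, Size: 292, Words: 21, Lines: 11, Duration: 246ms]
"""
LINE_RE = re.compile(  # "<input> [Status: N, Size: N, Words: N, Lines: N, Duration: Nms]"
    r"^(?P<input>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+),\s*Duration:\s*(?P<ms>\d+)ms\]$")

def parse_results(text: str) -> List[Dict[str, object]]:
    """Parse ffuf result lines into dicts; lines not in the expected format are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d: Dict[str, object] = {k: int(v) for k, v in m.groupdict().items() if k != "input"}
            d["input"] = m["input"]
            hits.append(d)
    return hits

def parse_spec(spec: Optional[str]) -> Optional[Set[int]]:
    """Expand an ffuf-style value list ('200,302', '0-10', '403') into a set of ints."""
    if spec is None:
        return None
    values: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")  # a bare value is the one-element range lo-lo
        values.update(range(int(lo), int(hi or lo) + 1))
    return values

def apply_filters(hits, mc=None, fc=None, fs=None, fw=None, fl=None):
    """Emulate -mc/-fc/-fs/-fw/-fl: show a hit only if -mc (when given) matches its
    status and no -f* spec excludes it; filters run after matchers, as in ffuf."""
    mc_s, fc_s, fs_s, fw_s, fl_s = (parse_spec(x) for x in (mc, fc, fs, fw, fl))
    kept = []
    for h in hits:
        if mc_s is not None and h["status"] not in mc_s:
            continue  # not matched -> never shown
        filters = ((fc_s, "status"), (fs_s, "size"), (fw_s, "words"), (fl_s, "lines"))
        if any(s is not None and h[key] in s for s, key in filters):
            continue  # caught by a filter -> hidden
        kept.append(h)
    return kept
```

Passing the same specs as the command line (for example `fc="403"` or `fs="0"`) yields the same subset of hits the corresponding run above prints.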