File http-form-fuzzer

Script type: portrule
Categories: fuzzer, intrusive
Script download: http://nmap.org/svn/scripts/http-form-fuzzer.nse

User Summary

Performs simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine whether the fuzzing was successful.

Script Arguments

http-form-fuzzer.minlength

the minimum length of a string that will be used for fuzzing, defaults to 300000

http-form-fuzzer.maxlength

the maximum length of a string that will be used for fuzzing, defaults to 310000

a table with the targets of fuzzing, for example {{path = /index.html, minlength = 40002}, {path = /foo.html, maxlength = 10000}}. The path parameter is required; if minlength or maxlength is not specified, the values of http-form-fuzzer.minlength or http-form-fuzzer.maxlength are used. Defaults to {{path="/"}}

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

Example Usage


nmap --script http-form-fuzzer -p 80 <host>

This script attempts to fuzz fields in forms it detects (it fuzzes one field at a time).
In each iteration it first tries to fuzz a field with a string, then with a number.
In the output, actions and paths for which errors were observed are listed, along with
the names of the fields that were being fuzzed when the error occurred. The length and type
(string/integer) of the input that caused the error are also provided.
We consider an error to be any of the following: a response with status 500, a response with
an empty body, or a response that contains the strings "server error" or "sql error". At the
moment anything other than that is considered not to be an 'error'.
TODO: develop more sophisticated techniques that will let us determine if the fuzzing was
successful (i.e. we got an 'error'). Ideally, an algorithm that will tell us a percentage
difference between responses should be implemented.
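The two rules described above, the error heuristic and the per-target defaulting of minlength/maxlength, written out as an added Python example (not the script's own Lua code); the function names, the case-insensitive string match and the sample responses are assumptions made here.

```python
# Added example: models the documented behaviour of http-form-fuzzer, not its source.
# Function names, case-insensitive matching and sample data are assumptions.

DEFAULT_MINLENGTH = 300000   # http-form-fuzzer.minlength default
DEFAULT_MAXLENGTH = 310000   # http-form-fuzzer.maxlength default
ERROR_MARKERS = ("server error", "sql error")


def is_error_response(status, body):
    """Return True when a response counts as an 'error' under the documented
    heuristic: HTTP 500, an empty body, or a body containing 'server error'
    or 'sql error'. Matching is case-insensitive here (an assumption)."""
    if status == 500:
        return True
    if not body:
        return True
    lowered = body.lower()
    return any(marker in lowered for marker in ERROR_MARKERS)


def resolve_targets(targets=None, minlength=DEFAULT_MINLENGTH,
                    maxlength=DEFAULT_MAXLENGTH):
    """Apply the documented defaults to a targets table: path is required,
    a missing minlength/maxlength falls back to the script-wide value, and an
    absent table means a single target with path '/'."""
    if not targets:
        targets = [{"path": "/"}]
    resolved = []
    for entry in targets:
        if "path" not in entry:
            raise ValueError("each target entry requires a path")
        resolved.append({
            "path": entry["path"],
            "minlength": entry.get("minlength", minlength),
            "maxlength": entry.get("maxlength", maxlength),
        })
    return resolved


if __name__ == "__main__":
    # Constructed sample responses, as (status, body) pairs.
    samples = [(500, "<html>oops</html>"), (200, ""),
               (200, "SQL error near line 1"), (200, "Thanks for registering")]
    for status, body in samples:
        print(status, repr(body[:24]), "->", is_error_response(status, body))
    print(resolve_targets([{"path": "/index.html", "minlength": 40002},
                           {"path": "/foo.html", "maxlength": 10000}]))
```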

Script Output

80/tcp open  http    syn-ack
| http-form-fuzzer: 
|   Path: /register.html Action: /validate.php
|     age
|       integer lengths that caused errors:
|         10000, 10001
|     name
|       string lengths that caused errors:
|         40000
|   Path: /form.html Action: /check_form.php
|     fieldfoo
|       integer lengths that caused errors:
|_        1, 2


Author: Piotr Olma

