├── README.md
└── ffuf_basicauth.sh

/README.md:
--------------------------------------------------------------------------------
# Scripts and snippets for ffuf payloads

A collection of scripts that enable different kinds of payloads to be used with [ffuf](https://github.com/ffuf/ffuf).

### ffuf_basicauth.sh - HTTP Basic authentication

A script that generates base64-encoded `username:password` values from the provided wordlists. It iterates through every possible combination.

#### Example usage
Test each HTTP basic authentication username:password combination in https://example.org/endpoint, and filter out 403 - Forbidden responses.

```
./ffuf_basicauth.sh usernames.txt passwords.txt | ffuf -w -:AUTH -u https://example.org/endpoint -H "Authorization: Basic AUTH" -fc 403 -c
```

## Contributing

We welcome any and all contributions. Please see `ffuf_basicauth.sh` for the preferred script header format for usage examples and author information.

--------------------------------------------------------------------------------
/ffuf_basicauth.sh:
--------------------------------------------------------------------------------
#!/bin/sh

##############################################################################
# Script name: ffuf_basicauth.sh
# Description: Generate HTTP basic authentication username:password
#              credential combinations from provided wordlists.
# Author:      Joona Hoikkala
# Email:       joohoi@io.fi
##############################################################################
#
# Usage example:
# Test each HTTP basic authentication username:password combination
# in https://example.org/endpoint, and filter out 403 - Forbidden responses.
#
# ./ffuf_basicauth.sh usernames.txt passwords.txt |ffuf -w -:AUTH \
#       -u https://example.org/endpoint -H "Authorization: Basic AUTH" -fc 403
#
##############################################################################

# Exactly two arguments are required: the username and password wordlists.
if [ "$#" -ne 2 ]; then
    printf "Usage: %s usernames.txt passwords.txt\n" "$0" >&2
    exit 1
fi

if ! [ -f "$1" ]; then
    printf "%s file not found.\n\n" "$1" >&2
    printf "Usage: %s usernames.txt passwords.txt\n" "$0" >&2
    exit 1
fi

if ! [ -f "$2" ]; then
    printf "%s file not found.\n\n" "$2" >&2
    printf "Usage: %s usernames.txt passwords.txt\n" "$0" >&2
    exit 1
fi

USERNAME_WORDLIST="$1"
PASSWORD_WORDLIST="$2"
# Line counts are informational only; they are printed to stderr below.
USERNAME_WORDLIST_SIZE=$(wc -l "$USERNAME_WORDLIST" |awk '{print $1;}')
PASSWORD_WORDLIST_SIZE=$(wc -l "$PASSWORD_WORDLIST" |awk '{print $1;}')
OUTPUT_WORDLIST_SIZE=$((USERNAME_WORDLIST_SIZE * PASSWORD_WORDLIST_SIZE))

# Status messages go to stderr so that stdout carries only the payload list.
printf "\nGenerating HTTP basic authentication strings. This can take a while depending on the length of user and password lists.\n\n" >&2
printf "Usernames: %s\n" "$USERNAME_WORDLIST_SIZE" >&2
printf "Passwords: %s\n" "$PASSWORD_WORDLIST_SIZE" >&2
printf "Total combinations: %s\n\n" "$OUTPUT_WORDLIST_SIZE" >&2

while IFS= read -r user
do
    while IFS= read -r password
    do
        # Some base64 implementations wrap long output (GNU coreutils at 76
        # columns); strip the wrapping so each pair stays on exactly one line.
        printf "%s:%s" "$user" "$password" |base64 |tr -d '\n'
        printf "\n"
    done < "$PASSWORD_WORDLIST"
done < "$USERNAME_WORDLIST"

--------------------------------------------------------------------------------
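
A defensive counterpart, added here as an example and not part of this repository: because the script emits every username and password combination, a sweep appears server-side as one client presenting many distinct rejected `Authorization: Basic` values. The record format (`client status base64-credential`), the function names, the threshold and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ffuf-scripts repository).
# Assumed record format, one request per line, as a WAF or reverse-proxy rule
# might see it:  <client_ip> <http_status> <base64 of user:password>

# Constructed sample: one client sweeping 3 users x 3 passwords, and one
# ordinary client that mistypes a password once and then logs in.
sample_log() {
    for u in admin root test; do
        for p in 123456 password letmein; do
            printf '198.51.100.7 403 %s\n' "$(printf '%s:%s' "$u" "$p" | base64)"
        done
    done
    printf '192.0.2.10 403 %s\n' "$(printf 'alice:typo' | base64)"
    printf '192.0.2.10 200 %s\n' "$(printf 'alice:correct-horse' | base64)"
}

# Read records on stdin and print "<ip> <distinct_pairs> <distinct_users>" for
# each client with at least $1 distinct credential pairs rejected (401/403).
# Passwords are never printed; only counts leave the function.
flag_basic_auth_sweeps() {
    threshold="$1"
    while read -r ip status cred; do
        case "$status" in
            401|403) ;;
            *) continue ;;
        esac
        # Skip values that do not decode as base64.
        decoded=$(printf '%s' "$cred" | base64 -d 2>/dev/null) || continue
        # RFC 7617: the user-id is everything before the first colon.
        user=${decoded%%:*}
        printf '%s\t%s\t%s\n' "$ip" "$user" "$cred"
    done | sort -u | awk -F '\t' -v t="$threshold" '
        {
            pairs[$1]++                      # distinct pairs (input is deduplicated)
            if (!(($1, $2) in seen)) { seen[$1, $2] = 1; users[$1]++ }
        }
        END {
            for (ip in pairs)
                if (pairs[ip] >= t) print ip, pairs[ip], users[ip]
        }'
}

# Run against the constructed sample with a threshold of 5 distinct pairs.
sample_log | flag_basic_auth_sweeps 5
```

Counting distinct pairs rather than raw failures keeps a client that retries one wrong password from being flagged, while the distinct-user count separates a multi-account sweep from guessing against a single account.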