HTTP Form Field Fuzzer - Metasploit
This page contains detailed information about how to use the auxiliary/fuzzers/http/http_form_field Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: HTTP Form Field Fuzzer
Module: auxiliary/fuzzers/http/http_form_field
Source code: modules/auxiliary/fuzzers/http/http_form_field.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: -
This module grabs all fields from a form and launches a series of POST actions, fuzzing the contents of the form fields. You can optionally fuzz headers too (this option is enabled by default).
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/fuzzers/http/http_form_field
msf auxiliary(http_form_field) > show targets
... a list of targets ...
msf auxiliary(http_form_field) > set TARGET target-id
msf auxiliary(http_form_field) > show options
... show and set options ...
msf auxiliary(http_form_field) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Msfconsole Usage
Here is how the fuzzers/http/http_form_field auxiliary module looks in the msfconsole:
msf6 > use auxiliary/fuzzers/http/http_form_field
msf6 auxiliary(fuzzers/http/http_form_field) > show info
Name: HTTP Form Field Fuzzer
Module: auxiliary/fuzzers/http/http_form_field
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
corelanc0d3r
Paulino Calderon <calderon[at]websec.mx>
Check supported:
No
Basic options:
Name           Current Setting             Required  Description
----           ---------------             --------  -----------
ACTION                                     no        Form action full URI. Leave empty to autodetect
CODE           200,301,302,303             yes       Response code(s) indicating OK
CYCLIC         true                        yes       Use Cyclic pattern instead of A's (fuzzing payload).
DELAY          0                           yes       Number of seconds to wait between 2 actions
ENDSIZE        40000                       yes       Max Fuzzing string size.
FIELDS                                     no        Name of the fields to fuzz. Leave empty to fuzz all fields
FORM                                       no        The name of the form to use. Leave empty to fuzz all forms
FUZZHEADERS    true                        yes       Fuzz headers
HANDLECOOKIES  false                       yes       Appends cookies with every request.
HEADERFIELDS                               no        Name of the headerfields to fuzz. Leave empty to fuzz all fields
Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT          80                          yes       The target port (TCP)
SSL            false                       no        Negotiate SSL/TLS for outgoing connections
STARTSIZE      1000                        yes       Fuzzing string startsize.
STEPSIZE       1000                        yes       Increment fuzzing string each attempt.
STOPAFTER      2                           no        Stop after x number of consecutive errors
TIMEOUT        15                          yes       Number of seconds to wait for response on GET or POST
TYPES          text,password,inputtextbox  yes       Field types to fuzz
URL            /                           no        The URL that contains the form
VHOST                                      no        HTTP server virtual host
Description:
This module will grab all fields from a form, and launch a series of
POST actions, fuzzing the contents of the form fields. You can
optionally fuzz headers too (option is enabled by default)
References:
http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer
Module Options
This is a complete list of options available in the fuzzers/http/http_form_field auxiliary module:
msf6 auxiliary(fuzzers/http/http_form_field) > show options
Module options (auxiliary/fuzzers/http/http_form_field):
Name           Current Setting             Required  Description
----           ---------------             --------  -----------
ACTION                                     no        Form action full URI. Leave empty to autodetect
CODE           200,301,302,303             yes       Response code(s) indicating OK
CYCLIC         true                        yes       Use Cyclic pattern instead of A's (fuzzing payload).
DELAY          0                           yes       Number of seconds to wait between 2 actions
ENDSIZE        40000                       yes       Max Fuzzing string size.
FIELDS                                     no        Name of the fields to fuzz. Leave empty to fuzz all fields
FORM                                       no        The name of the form to use. Leave empty to fuzz all forms
FUZZHEADERS    true                        yes       Fuzz headers
HANDLECOOKIES  false                       yes       Appends cookies with every request.
HEADERFIELDS                               no        Name of the headerfields to fuzz. Leave empty to fuzz all fields
Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT          80                          yes       The target port (TCP)
SSL            false                       no        Negotiate SSL/TLS for outgoing connections
STARTSIZE      1000                        yes       Fuzzing string startsize.
STEPSIZE       1000                        yes       Increment fuzzing string each attempt.
STOPAFTER      2                           no        Stop after x number of consecutive errors
TIMEOUT        15                          yes       Number of seconds to wait for response on GET or POST
TYPES          text,password,inputtextbox  yes       Field types to fuzz
URL            /                           no        The URL that contains the form
VHOST                                      no        HTTP server virtual host
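A defender-side view of the traffic these size options produce, as an added example that is not part of the original page or of Metasploit: the fuzz string grows from STARTSIZE by STEPSIZE, so one client's POST bodies to one path climb by a constant step. The log format, sample lines, thresholds and function names are assumptions constructed for illustration, as is the premise that the other form fields stay constant in size.

```ruby
# Added example (not Metasploit code). Constructed log format (an assumption):
#   <client_ip> <method> <path> <status> <request_body_bytes>
SAMPLE_LOG = <<~LOG
  198.51.100.7 GET /login 200 0
  198.51.100.7 POST /login 302 58
  192.0.2.10 GET /login 200 0
  192.0.2.10 POST /login 200 1045
  192.0.2.10 POST /login 200 2045
  198.51.100.7 POST /login 200 61
  192.0.2.10 POST /login 500 3045
  192.0.2.10 POST /login 200 3045
  192.0.2.10 POST /login 200 4045
  this line is malformed and must be skipped
  192.0.2.10 POST /login 200 5045
  198.51.100.7 POST /login 302 58
  192.0.2.10 POST /login 200 6045
LOG

# Longest run of sizes that climb by one constant step of at least min_step bytes.
def longest_ramp(sizes, min_step)
  best = { count: 0 }
  run_start = 0
  (1...sizes.length).each do |i|
    step = sizes[i] - sizes[i - 1]
    run_step = sizes[run_start + 1] - sizes[run_start]
    run_start = i - 1 unless step == run_step # step changed: start a new run
    next if step < min_step
    count = i - run_start + 1
    best = { count: count, step: step, first: sizes[run_start], last: sizes[i] } if count > best[:count]
  end
  best
end

# Group POST body sizes per (client, path) and report every pair whose sizes
# form a ramp of at least min_run requests.
def find_size_ramps(log_text, min_run: 5, min_step: 100)
  sizes_by_key = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    client, verb, path, status, bytes = line.split
    next unless verb == 'POST' && status =~ /\A\d{3}\z/ && bytes =~ /\A\d+\z/
    sizes_by_key[[client, path]] << bytes.to_i
  end
  sizes_by_key.filter_map do |(client, path), sizes|
    # A resend after an error repeats the same size, so collapse repeats first.
    distinct = sizes.chunk_while { |a, b| a == b }.map(&:first)
    ramp = longest_ramp(distinct, min_step)
    ramp.merge(client: client, path: path) if ramp[:count] >= min_run
  end
end

find_size_ramps(SAMPLE_LOG).each do |f|
  puts "#{f[:client]} #{f[:path]}: #{f[:count]} POSTs, +#{f[:step]} bytes each, #{f[:first]}..#{f[:last]}"
end
```

Most default access-log formats do not record request size, so it has to be logged explicitly (for example nginx's `$request_length` or Apache mod_logio's `%I`, both of which count headers as well as the body).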
Advanced Options
Here is a complete list of advanced options supported by the fuzzers/http/http_form_field auxiliary module:
msf6 auxiliary(fuzzers/http/http_form_field) > show advanced
Module advanced options (auxiliary/fuzzers/http/http_form_field):
Name                  Current Setting                                     Required  Description
----                  ---------------                                     --------  -----------
DOMAIN                WORKSTATION                                         yes       The domain to use for Windows authentication
DigestAuthIIS         true                                                no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck      true                                                no        Conduct a pre-exploit fingerprint verification
HttpClientTimeout                                                         no        HTTP connection and receive timeout
HttpPassword                                                              no        The HTTP password to specify for authentication
HttpRawHeaders                                                            no        Path to ERB-templatized raw headers to append to existing headers
HttpTrace             false                                               no        Show the raw HTTP requests and responses
HttpTraceColors       red/blu                                             no        HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly  false                                               no        Show HTTP headers only in HttpTrace
HttpUsername                                                              no        The HTTP username to specify for authentication
SSLVersion            Auto                                                yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent             Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  no        The User-Agent header to use for all requests
VERBOSE               false                                               no        Enable detailed status messages
WORKSPACE                                                                 no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the fuzzers/http/http_form_field module can do:
msf6 auxiliary(fuzzers/http/http_form_field) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the fuzzers/http/http_form_field auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(fuzzers/http/http_form_field) > show evasion
Module evasion options:
Name                          Current Setting  Required  Description
----                          ---------------  --------  -----------
HTTP::header_folding          false            no        Enable folding of HTTP headers
HTTP::method_random_case      false            no        Use random casing for the HTTP method
HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
- STOPAFTER
- No response - <VALUE> / <STOPAFTER> - fuzzdata length : <FUZZSIZE>
- STOPAFTER
- *!* No response : <TYPE> <FIELD> | fuzzdata length : <FUZZSIZE>
- STOPAFTER
- *!* Error response code <RESPONSE.CODE> | <TYPE> <FIELD> | fuzzdata length <FUZZSIZE>
- No response
- No response
- Server replied with error code. Check URL or set CODE to another value, and try again.
- No form found in response body
- No response data
Check for possible causes in the code snippets below, taken from the module source code. They can often help identify the root cause of the problem.
STOPAFTER
Here is a relevant code snippet related to the "STOPAFTER" error message:
35: OptInt.new('STARTSIZE', [ true, "Fuzzing string startsize.",1000]),
36: OptInt.new('ENDSIZE', [ true, "Max Fuzzing string size.",40000]),
37: OptInt.new('STEPSIZE', [ true, "Increment fuzzing string each attempt.",1000]),
38: OptInt.new('TIMEOUT', [ true, "Number of seconds to wait for response on GET or POST",15]),
39: OptInt.new('DELAY', [ true, "Number of seconds to wait between 2 actions",0]),
40: OptInt.new('STOPAFTER', [ false, "Stop after x number of consecutive errors",2]),
41: OptBool.new('CYCLIC', [ true, "Use Cyclic pattern instead of A's (fuzzing payload).",true]),
42: OptBool.new('FUZZHEADERS', [ true, "Fuzz headers",true]),
43: OptString.new('HEADERFIELDS', [ false, "Name of the headerfields to fuzz. Leave empty to fuzz all fields","" ] ),
44: OptString.new('TYPES', [ true, "Field types to fuzz","text,password,inputtextbox"]),
45: OptString.new('CODE', [ true, "Response code(s) indicating OK", "200,301,302,303" ] ),
No response - <VALUE> / <STOPAFTER> - fuzzdata length : <FUZZSIZE>
Here is a relevant code snippet related to the "No response - <VALUE> / <STOPAFTER> - fuzzdata length : <FUZZSIZE>" error message:
252: end
253: end
254:
255: def process_response(response,field,type)
256: if response == nil
257: print_error(" No response - #{@nrerrors+1} / #{datastore['STOPAFTER']} - fuzzdata length : #{@fuzzsize}")
258: if @nrerrors+1 >= datastore['STOPAFTER']
259: print_status(" *!* No response : #{type} #{field} | fuzzdata length : #{@fuzzsize}")
260: return false
261: else
262: @nrerrors = @nrerrors + 1
STOPAFTER
Here is a relevant code snippet related to the "STOPAFTER" error message:
253: end
254:
255: def process_response(response,field,type)
256: if response == nil
257: print_error(" No response - #{@nrerrors+1} / #{datastore['STOPAFTER']} - fuzzdata length : #{@fuzzsize}")
258: if @nrerrors+1 >= datastore['STOPAFTER']
259: print_status(" *!* No response : #{type} #{field} | fuzzdata length : #{@fuzzsize}")
260: return false
261: else
262: @nrerrors = @nrerrors + 1
263: end
*!* No response : <TYPE> <FIELD> | fuzzdata length : <FUZZSIZE>
Here is a relevant code snippet related to the "*!* No response : <TYPE> <FIELD> | fuzzdata length : <FUZZSIZE>" error message:
254:
255: def process_response(response,field,type)
256: if response == nil
257: print_error(" No response - #{@nrerrors+1} / #{datastore['STOPAFTER']} - fuzzdata length : #{@fuzzsize}")
258: if @nrerrors+1 >= datastore['STOPAFTER']
259: print_status(" *!* No response : #{type} #{field} | fuzzdata length : #{@fuzzsize}")
260: return false
261: else
262: @nrerrors = @nrerrors + 1
263: end
264: else
STOPAFTER
Here is a relevant code snippet related to the "STOPAFTER" error message:
265: okcode = is_error_code(response.code)
266: if okcode
267: @nrerrors = 0
268: incr_fuzzsize()
269: end
270: if not okcode and @nrerrors+1 >= datastore['STOPAFTER']
271: print_status(" *!* Error response code #{response.code} | #{type} #{field} | fuzzdata length #{@fuzzsize}")
272: return false
273: else
274: @nrerrors = @nrerrors + 1
275: end
*!* Error response code <RESPONSE.CODE> | <TYPE> <FIELD> | fuzzdata length <FUZZSIZE>
Here is a relevant code snippet related to the "*!* Error response code <RESPONSE.CODE> | <TYPE> <FIELD> | fuzzdata length <FUZZSIZE>" error message:
266: if okcode
267: @nrerrors = 0
268: incr_fuzzsize()
269: end
270: if not okcode and @nrerrors+1 >= datastore['STOPAFTER']
271: print_status(" *!* Error response code #{response.code} | #{type} #{field} | fuzzdata length #{@fuzzsize}")
272: return false
273: else
274: @nrerrors = @nrerrors + 1
275: end
276: end
No response
Here is a relevant code snippet related to the "No response" error message:
475: 'method' => 'GET',
476: 'headers' => @get_data_headers
477:
478: }, datastore['TIMEOUT'])
479: if response == nil
480: print_error("No response")
481: return
482: end
483:
484: if datastore['HANDLECOOKIES']
485: cookie = response.get_cookies
No response
Here is a relevant code snippet related to the "No response" error message:
494: 'method' => 'GET',
495: 'headers' => @get_data_headers
496: }, datastore['TIMEOUT'])
497: end
498: if response == nil
499: print_error("No response")
500: return
501: end
502: print_status("Code : #{response.code}")
503: okcode = is_error_code(response.code)
504: if not okcode
Server replied with error code. Check URL or set CODE to another value, and try again.
Here is a relevant code snippet related to the "Server replied with error code. Check URL or set CODE to another value, and try again." error message:
500: return
501: end
502: print_status("Code : #{response.code}")
503: okcode = is_error_code(response.code)
504: if not okcode
505: print_error("Server replied with error code. Check URL or set CODE to another value, and try again.")
506: return
507: end
508: if response.body
509: formfound = response.body.downcase.index("<form")
510: if formfound
No form found in response body
Here is a relevant code snippet related to the "No form found in response body" error message:
535: end
536: end
537: end
538:
539: else
540: print_error("No form found in response body")
541: print_status(response.body)
542: return
543: end
544: else
545: print_error("No response data")
No response data
Here is a relevant code snippet related to the "No response data" error message:
539: else
540: print_error("No form found in response body")
541: print_status(response.body)
542: return
543: end
544: else
545: print_error("No response data")
546: end
547:
548: end
549: end
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6644 Merged Pull Request: Preserve default types for datastore options
- #5059 Merged Pull Request: Yard doc corrections
- #3354 Merged Pull Request: Resolved some msftidy warnings (Set-Cookie)
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
- #1047 Merged Pull Request: Set normalize uri on modules
References
- CVE: Not available
- http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer
See Also
Check also the following modules related to this module:
- auxiliary/fuzzers/http/http_get_uri_long
- auxiliary/fuzzers/http/http_get_uri_strings
- auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
- auxiliary/gather/http_pdf_authors
- auxiliary/scanner/http/http_header
- auxiliary/scanner/http/http_hsts
- auxiliary/scanner/http/http_login
- auxiliary/scanner/http/http_put
- auxiliary/scanner/http/http_sickrage_password_leak
- auxiliary/scanner/http/http_traversal
- auxiliary/scanner/http/http_version
- auxiliary/server/capture/http_basic
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/http_ntlmrelay
- exploit/multi/browser/java_verifier_field_access
- exploit/unix/webapp/wp_advanced_custom_fields_exec
- exploit/unix/webapp/joomla_comfields_sqli_rce
- auxiliary/admin/http/wp_custom_contact_forms
- auxiliary/dos/http/sonicwall_ssl_format
- auxiliary/fileformat/badpdf
- auxiliary/fileformat/multidrop
- auxiliary/fileformat/odt_badodt
- auxiliary/gather/alienvault_newpolicyform_sqli
Authors
- corelanc0d3r
- Paulino Calderon <calderon[at]websec.mx>
Version
This page has been produced using Metasploit Framework version 6.1.36-dev. For more modules, visit the Metasploit Module Library.