fuzzuli v1.1.4 releases: find critical backup files
fuzzuli
fuzzuli is a URL fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.
Motivation
In the application security testing I have been doing for years, I have found a lot of critical backup files kept in externally accessible directories. When these files were named, common words were preferred (such as backup.zip, db.rar, conf.tar.gz, etc.). However, most of these files were named using the domain name where the application was located. Let’s suppose we have the domain address fuzzuli.musana.net. If the developer keeps critical backup files in the accessible directory, the possible file names will be like this.
It is not possible to find these files with the traditional wordlist approach.
Background
When naming these files, the domain name is often taken as a reference. I’ve encountered scenarios where the dots in the domain are deleted, the vowels are deleted, or the domain name is used as-is. I took this into account when developing this tool. Therefore, when creating a domain-based wordlist, I took the variants without dots, without vowels, and without both dots and vowels. The domain then passes through the following function after removing dots, vowels, and both dots and vowels.
In the reverse method, the domain is reversed and then goes through the function below.
The mixed method changes the position of each subdomain. The results go through the function below.
A mathematical equation is like this.
The shuffle method just shuffles the subdomains and removes dots, vowels, and both dots and vowels. It does not iterate over each character in the domain string.
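The dot and vowel stripping described in the Background section, turned around for the defender as an added example (not fuzzuli's code): it lists the files in a web root whose names are a domain variant plus an archive extension. The function names, the a/e/i/o/u vowel set, and the sample file listing are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Archive extensions taken from the file names quoted on this page (backup.zip, db.rar, conf.tar.gz).
var archiveExts = []string{".tar.gz", ".zip", ".rar"}

// Replacers for the two transformations; the vowel set a/e/i/o/u is an assumption.
var noDots = strings.NewReplacer(".", "")
var noVowels = strings.NewReplacer("a", "", "e", "", "i", "", "o", "", "u", "")

// domainVariants returns the four base names described above: the domain as-is,
// without dots, without vowels, and without both dots and vowels.
func domainVariants(domain string) []string {
	d := strings.ToLower(domain)
	return []string{d, noDots.Replace(d), noVowels.Replace(d), noDots.Replace(noVowels.Replace(d))}
}

// auditWebroot returns the files whose name is a domain variant plus an archive extension.
func auditWebroot(domain string, files []string) []string {
	known := map[string]bool{}
	for _, v := range domainVariants(domain) {
		known[v] = true
	}
	var hits []string
	for _, f := range files {
		name := strings.ToLower(path.Base(f))
		for _, ext := range archiveExts {
			if strings.HasSuffix(name, ext) && known[strings.TrimSuffix(name, ext)] {
				hits = append(hits, f)
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample listing of your own web root (e.g. from `find /var/www -type f`).
	files := []string{"/var/www/index.php", "/var/www/fuzzulimusananet.zip",
		"/var/www/old/fzzl.msn.nt.tar.gz", "/var/www/img/logo.png", "/var/www/FUZZULI.MUSANA.NET.rar"}
	for _, f := range auditWebroot("fuzzuli.musana.net", files) {
		fmt.Println("domain-named archive in web root:", f)
	}
}
```

Any path it reports should be moved out of the served directory; the check can run in a deployment pipeline against the build output.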
fuzzuli consists of two main parts. One of them creates a wordlist dynamically. The other sends the HTTP request and checks the response for backup/sensitive files.
The flow chart of fuzzuli is the following.
fuzzuli uses 7 different methods for creating wordlists. Let’s see the results for fuzzuli.musana.net.
Changelog v1.1.4
- concurrency issue fixed
Install & Use
Copyright (c) 2022 musana