How did I get 3300$ With Just FFUF!!

Ahmed Najeh
1 min readJul 2, 2023

By searching inside one of the Bitcoin platforms I found there a place to document accounts by sending documents such as ID or passport with Selfie )

I decided to upload a picture and send a request to Burp so that I know where to upload it And as I expected, he got my picture link within the same domain like this:- https://test.com/portal/api/uploads/241241451252/content

I changed the last number which is the `id` of the uploaded image And I didn’t get anything

I decided to use #FFUF

I made a random number containing six ranks And named num6.txt Time TO FUZZ I use : ffuf -w num6.txt -u https://test.com/portal/api/uploads/{number}FUZZ/content -mc 200

And I’ve got files uploaded by users on the site that include IDs and passports about 3GB

It took me only 10 minutes with a very easy idea, but cleverly Happy Hackin

--

--

Ahmed Najeh

ذو العَقلِ يَشقَى في النّعيمِ بعَقْلِهِ وَأخو الجَهالَةِ في الشّقاوَةِ يَنعَمُ https://hackerone.com/im4x https://web.facebook.com/im4xx/