forked from xmendez/wfuzz
********************************************************
* Wfuzz - The Web Bruteforcer *
********************************************************
Bit of history
--------------
This project was started by Carlos del Ojo and Christian Martorella back in 2006, and it was in active development until version 1.4c.
In 2011, after the code had been unchanged for several years, Xavier Mendez took over the project and became the maintainer and main
developer of the tool, releasing versions 1.4d to 2.1. Christian Martorella has remained in the project as a collaborator, actively supporting new
versions with suggestions, beta testing and minor code changes.
What is this?
-------------
Wfuzz is a tool designed to bruteforce web applications. It is very flexible and supports:
- Recursion (When doing directory discovery)
- Post data bruteforcing
- Header bruteforcing
- Output to HTML (easy for just clicking the links and checking the page, even with postdata!)
- Colored output
- Hide results by return code, word numbers, line numbers, etc.
- Url encoding
- Cookies
- Multithreading
- Proxy support
- All parameter fuzzing
- etc.
It was created to facilitate web application assessments; it's a tool by pentesters for pentesters ;)
How does it work?
------------------
The tool is based on dictionaries or ranges; you choose where you want to bruteforce simply by replacing the value with the word FUZZ.
Examples:
- wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 -o html http://www.mysite.com/FUZZ > results.html
This will bruteforce the site http://www.mysite.com/FUZZ in search of resources
(directories, scripts, files, etc.). It will hide the responses with return code 404
from the output (for easier reading of the results), use the dictionary common.txt for the bruteforce,
and also write the results to the results.html file (in a nice format to work with).
- wfuzz.py -c -z range,1-100 --hc 404 http://www.mysite.com/list.asp?id=FUZZ
In this example instead of using a file as dictionary, it will use a range from 1-100,
and will bruteforce the parameter "id".
- wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 -d "id=1&catalogue=FUZZ" http://www.mysite.com/check.asp
Here you can see the use of POST data, with the option "-d".
- wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 -R 2 http://www.mysite.com/FUZZ
Example of path discovery, recursing 2 levels deep.
- wfuzz.py -z file,wordlist/general/http_methods.txt -X http://testphp.vulnweb.com/
HTTP method scanning example (find supported methods)
- wfuzz.py -z file,wordlists/http_methods.txt -z file,wordlist/general/common.txt -X http://testphp.vulnweb.com/FUZ2Z/
HTTP method scanning example in different paths
- wfuzz.py -z list,TRACE -z file,urls.txt -X http://FUZZ
Scanning for the TRACE method using a list payload across different hosts
- wfuzz.py -c -z file,wordlists/methods.txt --hc 404 -v --follow http://www.mysite.com/FUZZ
Bruteforce following HTTP redirects
- wfuzz.py -c -z file,wordlists/wordlist/general/common.txt -I http://www.mysite.com/FUZZ
Bruteforce using the HEAD HTTP method
- wfuzz.py -z list,http://mysite.com -z list,dir-dir2-dir3 FUZZ/FUZ2Z
Bruteforce using URL as payload and a list of directories.
- Combining/chaining multiple encodings per payload
- wfuzz.py -z list,uno,uri_hexadecimal-md5 http://localhost/FUZZ
00001: C=XXX 0 L 0 W Error in - %75%6e%6f
00002: C=XXX 0 L 0 W Error in - 1eaa8bb195869a23f081acbb5bf08527
- wfuzz.py -z list,uno,uri_hexadecimal@md5 http://localhost/FUZZ
00001: C=XXX 0 L 0 W Error in 33%66%30%38%31%61%63%62%62%35%62%66%30%38%35%32%37
- Encoders can be selected by category
$ python wfuzz.py -e encoders | grep url
url | utf8_binary | Replaces ALL characters in string using the \uxx escape
url | first_nibble_hex | Replaces ALL characters in string using the %%dd? escape
...
url | utf8 | Replaces ALL characters in string using the \u00xx escape
url | uri_triple_hex | Encodes ALL charachers using the %25%xx%xx escape.
url | uri_hex | Encodes ALL charachers using the %xx escape.
$ python wfuzz.py -c -z list,..,url --sc 200 http://www.webscantest.com/FUZZ/jmx-console/
00000: C=200 30 L 120 W 1382 Ch "\x2e\x2e"
00006: C=200 30 L 120 W 1382 Ch "%252e%252e"
00007: C=200 30 L 120 W 1382 Ch "%25%32%65%25%32%65"
00010: C=200 30 L 120 W 1382 Ch "\u002e\u002e"
- wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt -z list,jsp-php-asp -z range,1-40 http://localhost/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z
Fuzzing using 4 payloads
- wfuzz.py -w ~/wordslist/plataformas/apache.txt -A --hh=BBB --hc 404 http://www.webscantest.com/FUZZ{notthere}
Several filter flags can be used together.
- wfuzz.py -c -z range,1-10 --hh=BBB http://mysite.com/FUZZ{directory not there}
Baseline support: bruteforcing while hiding the responses that match (--hh=BBB) the baseline request http://mysite.com/directory%20not%20there
- crunch 2 2 | python wfuzz.py -z stdin, http://localhost/FUZZ
Reading wordlist from stdin.
- Combining payloads using iterators:
zip
- wfuzz.py -z list,a-b-c -z list,1-2-3 -m zip http://mysite.com/FUZZ/FUZ2Z
00001: C=404 9 L 32 W 276 Ch "a - 1"
00002: C=404 9 L 32 W 276 Ch "c - 3"
00003: C=404 9 L 32 W 276 Ch "b - 2"
chain
- wfuzz.py -z list,a-b-c -z list,1-2-3 -m chain http://mysite.com/FUZZ/FUZ2Z
00001: C=404 9 L 32 W 280 Ch "b"
00002: C=404 9 L 32 W 280 Ch "a"
00003: C=404 9 L 32 W 280 Ch "c"
00004: C=404 9 L 32 W 280 Ch "1"
00006: C=404 9 L 32 W 280 Ch "3"
00005: C=404 9 L 32 W 280 Ch "2"
product
- wfuzz.py -z list,a-b-c -z list,1-2-3 http://mysite.com/FUZZ/FUZ2Z
00001: C=404 9 L 32 W 276 Ch "a - 2"
00002: C=404 9 L 32 W 276 Ch "a - 1"
00005: C=404 9 L 32 W 276 Ch "b - 2"
00004: C=404 9 L 32 W 276 Ch "a - 3"
00008: C=404 9 L 32 W 276 Ch "c - 2"
00003: C=404 9 L 32 W 276 Ch "b - 1"
00007: C=404 9 L 32 W 276 Ch "c - 1"
00006: C=404 9 L 32 W 276 Ch "b - 3"
00009: C=404 9 L 32 W 276 Ch "c - 3"
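The mechanics behind the encoder-chaining and iterator examples above (list and range payloads, an enc1@enc2 chain, the zip/chain/product iterators and FUZZ/FUZ2Z/.../FUZnZ substitution) reconstructed as an added Python example. This is not wfuzz's own code: the encoder names uri_hex and md5 stand in for the README's uri_hexadecimal/md5, only the list and range payload types are modelled, the right-to-left chain order (md5 first, then percent-encoding) is inferred from the README's uri_hexadecimal@md5 output, and the second payload of the four-marker call below is a constructed list instead of the wordlist file the README uses.

```python
import hashlib
import itertools
import re

# Stand-ins for the encoders the README names (none, uri_hex, md5).
# Written for this example; not wfuzz's encoder classes.
ENCODERS = {
    "none": lambda s: s,
    "uri_hex": lambda s: "".join("%%%02x" % b for b in s.encode()),
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
}


def encode_chain(word, chain):
    """Apply an 'enc1@enc2' chain to one word, rightmost encoder first.

    The README's output for uri_hexadecimal@md5 is a percent-encoded MD5
    digest, i.e. md5 ran before uri_hex; the order is inferred from that."""
    for name in reversed(chain.split("@")):
        word = ENCODERS[name](word)
    return word


def expand_payload(spec):
    """Expand a -z style spec ('list,a-b-c', 'range,1-3', 'list,uno,uri_hex@md5')
    into the encoded words it yields.  Only list and range are modelled."""
    kind, source, *rest = spec.split(",")
    chain = rest[0] if rest else "none"
    if kind == "list":
        words = source.split("-")
    elif kind == "range":
        lo, hi = source.split("-")
        words = [str(i) for i in range(int(lo), int(hi) + 1)]
    else:
        raise ValueError("unsupported payload type: " + kind)
    return [encode_chain(w, chain) for w in words]


# The three -m iterators the README names.  'chain' yields one word at a
# time, so a request built with it has a single value available.
ITERATORS = {
    "product": lambda *ps: itertools.product(*ps),
    "zip": lambda *ps: zip(*ps),
    "chain": lambda *ps: ((w,) for w in itertools.chain(*ps)),
}

# FUZZ is marker 1, FUZ2Z marker 2, ... FUZnZ marker n.
MARKER_RE = re.compile(r"FUZ(\d*)Z")


def build_requests(template, payload_specs, iterator="product"):
    """URLs produced for a template, its -z specs and an -m iterator.
    Under 'chain' only one word exists per request, so every marker
    receives it (an assumption of this example)."""
    payloads = [expand_payload(s) for s in payload_specs]
    requests = []
    for combo in ITERATORS[iterator](*payloads):
        def fill(m, combo=combo):
            n = int(m.group(1) or "1")
            return combo[n - 1] if n <= len(combo) else combo[0]
        requests.append(MARKER_RE.sub(fill, template))
    return requests


if __name__ == "__main__":
    # Reproduces the README's zip example: a/1, b/2, c/3.
    for url in build_requests("http://mysite.com/FUZZ/FUZ2Z",
                              ["list,a-b-c", "list,1-2-3"], "zip"):
        print(url)
    # Four markers, product iterator: 2 * 3 * 3 * 40 = 720 requests.
    print(len(build_requests("http://localhost/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z",
                             ["list,dir1-dir2", "list,a-b-c",
                              "list,jsp-php-asp", "range,1-40"])))
```

The request count is the point to keep in mind when combining payloads: product multiplies the payload sizes, zip stops at the shortest payload, and chain simply concatenates them, so the same four -z options can mean 720 requests or 48 depending on -m.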
- Script scanning
- wfuzz.py -z list,robots.txt --script=robots http://www.webscantest.com/FUZZ
00000: C=200 6 L 10 W 101 Ch "robots.txt"
|_ Plugin robots enqueued 4 more requests (rlevel=1)
00001: C=200 32 L 116 W 1424 Ch "/osrun/"
00002: C=200 47 L 131 W 1745 Ch "/cal_endar/"
00003: C=200 32 L 122 W 1507 Ch "/crawlsnags/"
00004: C=200 77 L 196 W 3382 Ch "/static/"
- Advanced filter
- wfuzz.py -z list,robots.txt --filter "(c=200 and h!=3382)" --script=robots http://www.webscantest.com/FUZZ
00000: C=200 6 L 10 W 101 Ch "robots.txt"
|_ Plugin robots enqueued 4 more requests (rlevel=1)
00001: C=200 32 L 116 W 1424 Ch "/osrun/"
00002: C=200 47 L 131 W 1745 Ch "/cal_endar/"
00003: C=200 32 L 122 W 1507 Ch "/crawlsnags/"
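To make the effect of an expression like (c=200 and h!=3382) concrete, here is an added Python example (not wfuzz's code) that parses wfuzz result lines into their c/l/w/h fields and evaluates a small filter language over them. The grammar is an assumption made for this example, wfuzz's own --filter language is richer; the sample output is the robots example from this README plus one constructed 404 line.

```python
import re

# One result line: '00001: C=200 32 L 116 W 1424 Ch "/osrun/"', optionally with
# the elapsed time that scan mode prints ('00003: 0.000s C=XXX 0 L ...').
RESULT_RE = re.compile(
    r'^(?P<id>\d+):\s+(?:[\d.]+s\s+)?C=(?P<c>\d+|XXX)\s+'
    r'(?P<l>\d+) L\s+(?P<w>\d+) W\s+(?P<h>\d+) Ch\s+"(?P<payload>.*)"$'
)


def parse_result(line):
    """Dict for a result line; None for plugin notes ('|_ Plugin ...') etc."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "id": int(g["id"]),
        "c": None if g["c"] == "XXX" else int(g["c"]),  # XXX: no HTTP response
        "l": int(g["l"]), "w": int(g["w"]), "h": int(g["h"]),
        "payload": g["payload"],
    }


TOKEN_RE = re.compile(r"\(|\)|!=|<=|>=|=|<|>|and|or|not|[clwh]|\d+")


class Filter:
    """expr := term ('or' term)*   term := factor ('and' factor)*
    factor := 'not' factor | '(' expr ')' | field op number
    (grammar assumed for this example; fields c, l, w, h)"""

    OPS = {
        "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    }

    def __init__(self, expr):
        self.tokens = TOKEN_RE.findall(expr)
        # Reject anything the tokenizer silently skipped (typos, odd characters).
        if "".join(self.tokens) != "".join(expr.split()):
            raise ValueError("invalid characters in filter: " + expr)
        self.pos = 0
        self.tree = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token: " + self.tokens[self.pos])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _expr(self):
        node = self._term()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        tok = self._take()
        if tok == "not":
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok not in ("c", "l", "w", "h"):
            raise ValueError("unknown field: " + tok)
        op = self._take()
        if op not in self.OPS:
            raise ValueError("unknown operator: " + op)
        return ("cmp", tok, op, int(self._take()))

    def matches(self, result):
        return self._eval(self.tree, result)

    def _eval(self, node, r):
        if node[0] == "or":
            return self._eval(node[1], r) or self._eval(node[2], r)
        if node[0] == "and":
            return self._eval(node[1], r) and self._eval(node[2], r)
        if node[0] == "not":
            return not self._eval(node[1], r)
        _, field, op, value = node
        if r[field] is None:  # C=XXX: a connection error satisfies no comparison
            return False
        return self.OPS[op](r[field], value)


# Lines 00000-00004 are the README's robots example; 00005 is constructed.
SAMPLE_OUTPUT = '''\
00000: C=200 6 L 10 W 101 Ch "robots.txt"
|_ Plugin robots enqueued 4 more requests (rlevel=1)
00001: C=200 32 L 116 W 1424 Ch "/osrun/"
00002: C=200 47 L 131 W 1745 Ch "/cal_endar/"
00003: C=200 32 L 122 W 1507 Ch "/crawlsnags/"
00004: C=200 77 L 196 W 3382 Ch "/static/"
00005: C=404 9 L 32 W 276 Ch "/nothere/"
'''


def apply_filter(expr, output):
    """Payloads of the result lines in `output` that satisfy `expr`."""
    flt = Filter(expr)
    results = (parse_result(line) for line in output.splitlines())
    return [r["payload"] for r in results if r and flt.matches(r)]


if __name__ == "__main__":
    print(apply_filter("(c=200 and h!=3382)", SAMPLE_OUTPUT))
```

The same parser doubles as a way to post-process saved wfuzz output: combining a code test with a size test (h) is what separates a real hit from a catch-all page that answers 200 to everything, which is exactly the case the README's h!=3382 example handles.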
- Scan mode
Ignore connection exceptions, e.g. when scanning through proxies, range sweeping or port scanning.
$ python wfuzz.py -z range,0-9 -Z http://localhost:800FUZZ/
00003: 0.000s C=XXX 0 L 0 W 0 Ch "Pycurl error 7: Failed connect to localhost:8009; Connection refused..."
...
00006: 0.000s C=XXX 0 L 0 W 0 Ch "Pycurl error 7: Failed connect to localhost:8004; Connection refused..."
00007: 0.003s C=200 4 L 25 W 177 Ch "0"
- Passing parameters to scripts
$ python wfuzz.py -c --script-args grep.regex="<A href=\"(.*?)\">" -z list, --script=grep http://lists.gnupg.org/pipermail/gnupg-users/FUZZ
00000: C=200 2207 L 5205 W 77159 Ch ""
|_ Pattern match 2014-March/thread.html
....
|_ Pattern match 2014-February/thread.html
Platforms:
----------
wfuzz was tested on Linux, OS X and Windows.
On Windows the colored output doesn't work; we are working towards fixing this problem.
Dependencies:
------------
On *nix systems, pycurl is needed.
On Windows just run wfuzz.exe.
Thanks:
-------
Shouts go to Trompeti and all the S21sec team. (www.s21sec.com)
Special thanks to DarkRaver for the tool Dirb; part of wfuzz is based on the functionality of dirb (www.open-labs.org), and most of the wordlists are from his tool.
Andres Andreu: all injection payloads are taken from wsFuzzer (www.neurofuzz.com)
Changelog 2.1:
==============
- Massive code rewriting, reorganisation and bug fixing
- Selection of encoders by categories
- Chaining encoders
- Improved reqresp library performance (pycurl multi)
- Enhanced exception handling and error management
- Interactive keyboard (pause, stats).
This feature has some known issues, such as wfuzz "eating" the first keystroke (i.e. you need to press Ctrl+C twice to cancel)
and the need to press a key to leave the app after finishing.
- Advanced filter expression
- Filter responses by regex
- Combine regex and simple filters
- Show responses filter switches
- Alias -w for "-z file,xx". Thanks to Daniel García <[email protected]>
- Fixed reqresp bug, thanks to [email protected]
- Extended help/description for plugins (printers, scripts, payloads, iterators)
- Improved multiple proxy specification (ip:port:type)
- Scan mode ignoring connection errors.
- Configuration ini file for common settings
- Plugin support:
- Plugin: Directory listing identification
- Plugin: Response link parser
- Plugin: Robots parser
- Plugin: New cookies
- Plugin: Grep
- Plugin: SVN Extractor
- Plugin: wc.db extractor
- New payloads:
- Payload: Overflow string
- Payload: Stdin
- Payload: Bing API search
Changelog 2.0:
==============
- Dynamic output printers
- Dynamic payloads
- Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)
- Combine payloads using dynamic iterators (zip, chain, product)
- Multiple encodings per payload
- Added baseline request
- Fixed to FUZZ completely in the URL without hostname or IP or schema (i.e. FUZZ/FUZ2Z)
- Fixed to FUZZ mixing all payload's positions (auth, http method, URL, data)
- Payload: Word list
- Encoder: encoder_uri_double_hex
- Encoder: encoder_first_nibble_hex
- Encoder: encoder_second_nibble_hex
- Encoder: encoder_none
Changelog 1.4d:
==============
- Using _ in encoder names
- Added HEAD method scanning
- Added magictree support
- Fuzzing in HTTP methods
- Hide responses by regex
- Bash auto completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
- Verbose output including server header and redirect location
- Added follow HTTP redirects option (this functionality was already provided by reqresp)
- Fixed HTML output, thanks to Christophe De La Fuente
- Fixed terminal colour, thanks to [email protected]
Changelog 1.4c:
==============
- Fixed headers parsing, thanks to Osama
- Fixed encoding naming problems, thanks to Osama
- Added support for the Hexa-Random payload (hexa-rand), thanks to Kaerast
Changelog 1.4:
==============
- More encodings
- Performance improvements
- Some bugs fixed
Changelog 1.3:
==============
- Created the select_encoding function
- Multiple encoding: it's possible to encode both dictionaries with different encodings.
- Hidecode XXX (when there are many errors, but it can be useful)
- Word count fixed
- More encoders (binascii, md5, sha1)