{"id":530,"date":"2014-07-10T00:53:43","date_gmt":"2014-07-10T00:53:43","guid":{"rendered":"http:\/\/ixyzero.com\/blog\/?p=530"},"modified":"2014-07-10T00:53:43","modified_gmt":"2014-07-10T00:53:43","slug":"web%e6%bc%8f%e6%b4%9e%e6%89%ab%e6%8f%8f%e7%9a%84%e5%b7%a5%e5%85%b7-wfuzz","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/530.html","title":{"rendered":"A Web Vulnerability Scanning Tool&#8211;WFuzz"},
"content":{"rendered":"<p>Wfuzz (a tool that supports many kinds of Web vulnerability scanning)<\/p>\n<p>Wfuzz is a brute-forcing tool for Web applications. It discovers hidden resources (for example directories, scripts and servlets) by enumerating them. Wfuzz can enumerate GET and POST parameters to check for different types of injection, and it can also brute-force form parameters such as user name\/password (User\/Password), fuzzing, etc.<\/p>\n<p>Wfuzz is a tool designed to bruteforce web applications, it&#8217;s very flexible, it supports:<\/p>\n<p>-Recursion (When doing directory discovery)<br \/>\n-Post data bruteforcing<br \/>\n-Header bruteforcing<br \/>\n-Output to HTML (easy for just clicking the links and checking the page, even with postdata!)<br \/>\n-Colored output<br \/>\n-Hide results by return code, word numbers, line numbers, etc.<br \/>\n-Url encoding<br \/>\n-Cookies<br \/>\n-Multithreading<br \/>\n-Proxy support<br \/>\n-All parameter fuzzing<\/p>\n<p>It was created to facilitate the task in web applications assessments, it&#8217;s a tool by pentesters for pentesters \ud83d\ude09<\/p>\n<p>So, if you think it suits your needs, give it a try. Usage and options are as follows:<br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<p>The tool is based on dictionaries or ranges, then you choose where you want to bruteforce just by replacing the value by the word FUZZ. (WFuzz brute-forces based on a dictionary or on combinations; you only need to replace the FUZZ below with the corresponding value.)<\/p>\n<p>Usage examples:<\/p>\n<pre class=\"lang:default decode:true \">- wfuzz.py -c -z file,wordlists\/commons.txt --hc 404 -o html http:\/\/www.mysite.com\/FUZZ 2&gt; results.html\n\nThis will bruteforce the site http:\/\/www.mysite.com\/FUZZ in search of resources\n(directories, scripts, files, etc.), it will hide from the output the return code 404\n(for easy reading results), it will use the dictionary commons.txt for the bruteforce,\nand also will output the results to the results.html file (with a cool format to work).\n\n- wfuzz.py -c -z range,1-100 --hc 404 http:\/\/www.mysite.com\/list.asp?id=FUZZ\nIn this example instead of using a file as dictionary, it will use a range from 1-100,\nand will bruteforce the parameter \"id\".\n\n- wfuzz.py -c -z file,wordlists\/commons.txt --hc 404 --html -d \"id=1&amp;catalogue=FUZZ\"\nhttp:\/\/www.mysite.com\/check.asp 2&gt; results.html\nHere you can see the use of POST data, with the option \"-d\".\n\n- wfuzz.py -c -z file,wordlists\/commons.txt --hc 404 -R 2 http:\/\/www.mysite.com\/FUZZ\nExample of path discovery, using a recursive level of 2 paths.\n\n- wfuzz.py -z file,wordlists\/http_methods.txt -X http:\/\/testphp.vulnweb.com\/\nHTTP method scanning example\n\n- wfuzz.py -z file,wordlists\/http_methods.txt -z file,wordlists\/commons.txt -X http:\/\/testphp.vulnweb.com\/FUZ2Z\/\nHTTP method scanning example in several paths\n\n- wfuzz.py -z list,TRACE -X http:\/\/testphp.vulnweb.com\/\nScanning for TRACE method using a list payload\n\n- wfuzz.py -c -z file,wordlists\/methods.txt --hc 404 -v --follow http:\/\/www.mysite.com\/FUZZ\nBruteforce following HTTP redirects\n\n- wfuzz.py -c -z file,wordlists\/commons.txt --hc 404 -I http:\/\/www.mysite.com\/FUZZ\nBruteforce using HEAD HTTP method\n\n- wfuzz.py -z list,http:\/\/mysite.com -z list,dir-dir2-dir3 FUZZ\/FUZ2Z\nBruteforce using URL as payload and a list of directories.\n\n- wfuzz.py -z list,..,double_nibble_hexa@second_nibble_hexa@uri_double_hexadecimal@uri_hexadecimal@first_nibble_hexa@none http:\/\/mysite.com\/FUZZ\/jmx-console\nBruteforce using multiple encodings per payload.\n\n- wfuzz.py -z list,dir1-dir2 -z file,wordlist\/general\/common.txt -z list,jsp-php-asp -z range,1-40 http:\/\/localhost\/FUZZ\/FUZ2Z.FUZ3Z?id=FUZ4Z\nFuzzing using 4 payloads\n\n- wfuzz.py -c -z range,1-10 --hc=BBB http:\/\/mysite.com\/FUZZ{directory}\nBaseline support, Bruteforcing and hiding the response codes that are equal to http:\/\/mysite.com\/directory\n\n- Combining payloads using iterators:\n\nzip\n\n- wfuzz.py -z list,a-b-c -z list,1-2-3 -m zip http:\/\/mysite.com\/FUZZ\/FUZ2Z\n\nTarget: http:\/\/mysite.com\/FUZZ\/FUZ2Z\nPayload type: list,a-b-c; list,1-2-3\n\nTotal requests: 3\n==========================================================\nID Response Lines Word Chars Request\n==========================================================\n\n00001: C=404 9 L 32 W 276 Ch \"a - 1\"\n00002: C=404 9 L 32 W 276 Ch \"c - 3\"\n00003: C=404 9 L 32 W 276 Ch \"b - 2\"\n\n\nchain\n\n- wfuzz.py -z list,a-b-c -z list,1-2-3 -m chain http:\/\/mysite.com\/FUZZ\/FUZ2Z\n\nTarget: http:\/\/mysite.com\/FUZZ\/FUZ2Z\nPayload type: list,a-b-c; list,1-2-3\n\nTotal requests: 6\n==========================================================\nID Response Lines Word Chars Request\n==========================================================\n\n00001: C=404 9 L 32 W 280 Ch \"b\"\n00002: C=404 9 L 32 W 280 Ch \"a\"\n00003: C=404 9 L 32 W 280 Ch \"c\"\n00004: C=404 9 L 32 W 280 Ch \"1\"\n00006: C=404 9 L 32 W 280 Ch \"3\"\n00005: C=404 9 L 32 W 280 Ch \"2\"\n\n\nproduct\n\n- wfuzz.py -z list,a-b-c -z list,1-2-3 http:\/\/mysite.com\/FUZZ\/FUZ2Z\n\nTarget: http:\/\/mysite.com\/FUZZ\/FUZ2Z\nPayload type: list,a-b-c; list,1-2-3\n\nTotal requests: 9\n==========================================================\nID Response Lines Word Chars Request\n==========================================================\n\n00001: C=404 9 L 32 W 276 Ch \"a - 2\"\n00002: C=404 9 L 32 W 276 Ch \"a - 1\"\n00005: C=404 9 L 32 W 276 Ch \"b - 2\"\n00004: C=404 9 L 32 W 276 Ch \"a - 3\"\n00008: C=404 9 L 32 W 276 Ch \"c - 2\"\n00003: C=404 9 L 32 W 276 Ch \"b - 1\"\n00007: C=404 9 L 32 W 276 Ch \"c - 1\"\n00006: C=404 9 L 32 W 276 Ch \"b - 3\"\n00009: C=404 9 L 32 W 276 Ch \"c - 3\"<\/pre>\n<p>&nbsp;<\/p>\n<p>Dependencies:<br \/>\n&#8212;&#8212;&#8212;&#8212;<\/p>\n<p>On *nix systems, need pycurl to work.<br \/>\nOn Windows just run the wfuzz.exe<\/p>\n<p>&#8212;&#8212;<\/p>\n<p>The wordlist directory includes FuzzDB project:<\/p>\n<p><a href=\"http:\/\/code.google.com\/p\/fuzzdb\/\" target=\"_blank\">http:\/\/code.google.com\/p\/fuzzdb\/<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Download address:<\/p>\n<p><a href=\"https:\/\/wfuzz.googlecode.com\/files\/wfuzz-2.0.tgz\" target=\"_blank\">https:\/\/wfuzz.googlecode.com\/files\/wfuzz-2.0.tgz<\/a><\/p>\n<p>Plus two PDF documents that introduce and explain the tool:<\/p>\n<p><a href=\"https:\/\/wfuzz.googlecode.com\/files\/wfuzzforpentester2011.pdf\" target=\"_blank\">https:\/\/wfuzz.googlecode.com\/files\/wfuzzforpentester2011.pdf<\/a><br \/>\n<a href=\"https:\/\/wfuzz.googlecode.com\/files\/Blackhat%20Arsenal%202.pdf\" target=\"_blank\">https:\/\/wfuzz.googlecode.com\/files\/Blackhat%20Arsenal%202.pdf<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Wfuzz (a tool that supports many kinds of Web vulnerability scanning) Wfuzz is a brute-forcing tool for Web applications. It can, by enumerating, [&hellip;]<\/p>\n","protected":false},
"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,12],"tags":[223],"class_list":["post-530","post","type-post","status-publish","format-standard","hentry","category-security","category-tools","tag-wfuzz"],"views":5362,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=530"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/530\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}