# Web工具 - WFuzz
☁️ HackTricks云 ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 - 你在一家**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! - 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品 - [**The PEASS Family**](https://opensea.io/collection/the-peass-family) - 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com) - **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。** - **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧。**
一个用于在任何地方FUZZ Web应用程序的工具。 > Wfuzz的创建是为了简化Web应用程序评估的任务,它基于一个简单的概念:它将任何对FUZZ关键字的引用替换为给定有效负载的值。 ## 安装 在Kali中安装 Github: [https://github.com/xmendez/wfuzz](https://github.com/xmendez/wfuzz) ``` pip install wfuzz ``` ## 过滤选项 ### **Code** ### **代码** - **-c, --code**: Filter by HTTP response code. You can specify multiple codes separated by commas. For example, `-c 200,301,404` will only show the requests that returned a 200, 301, or 404 status code. - **-c, --code**: 通过HTTP响应代码进行过滤。您可以用逗号分隔的方式指定多个代码。例如,`-c 200,301,404`将只显示返回200、301或404状态代码的请求。 ### **Size** ### **大小** - **-s, --size**: Filter by response size. You can specify a range using the format `min:max`. For example, `-s 100:500` will only show the requests that returned a response with a size between 100 and 500 bytes. - **-s, --size**: 通过响应大小进行过滤。您可以使用`min:max`的格式指定一个范围。例如,`-s 100:500`将只显示返回大小在100到500字节之间的请求。 ### **Words** ### **关键词** - **-w, --words**: Filter by response body content. You can specify multiple words separated by commas. For example, `-w admin,login` will only show the requests that have the words "admin" or "login" in the response body. - **-w, --words**: 通过响应正文内容进行过滤。您可以用逗号分隔的方式指定多个关键词。例如,`-w admin,login`将只显示响应正文中包含"admin"或"login"的请求。 ### **Headers** ### **头部** - **-H, --headers**: Filter by response headers. You can specify multiple headers separated by commas. For example, `-H Server,Content-Type` will only show the requests that have the headers "Server" or "Content-Type". - **-H, --headers**: 通过响应头部进行过滤。您可以用逗号分隔的方式指定多个头部。例如,`-H Server,Content-Type`将只显示具有"Server"或"Content-Type"头部的请求。 ### **Time** ### **时间** - **-t, --time**: Filter by response time. You can specify a range using the format `min:max`. For example, `-t 0:100` will only show the requests that had a response time between 0 and 100 milliseconds. - **-t, --time**: 通过响应时间进行过滤。您可以使用`min:max`的格式指定一个范围。例如,`-t 0:100`将只显示响应时间在0到100毫秒之间的请求。 ```bash --hs/ss "regex" #Hide/Show #Simple example, match a string: "Invalid username" #Regex example: "Invalid *" --hc/sc CODE #Hide/Show by code in response --hl/sl NUM #Hide/Show by number of lines in response --hw/sw NUM #Hide/Show by number of words in response --hh/sh NUM #Hide/Show by number of chars in response --hc/sc NUM #Hide/Show by response code ``` ## 输出选项 wfuzz provides several options to control the output format and content. These options can be used to customize the output according to your needs. ### Output Format Options #### -o, --output \ Specify the output file where the results will be saved. The results will be saved in plain text format by default. Example: ``` wfuzz -o output.txt http://example.com/FUZZ ``` #### -of, --output-format \ Specify the output format for the results. The available formats are: - `json`: Save the results in JSON format. - `html`: Save the results in HTML format. - `csv`: Save the results in CSV format. Example: ``` wfuzz -of json http://example.com/FUZZ ``` ### Output Content Options #### -v, --verbose Display verbose output, including additional information about the requests and responses. Example: ``` wfuzz -v http://example.com/FUZZ ``` #### -s, --silent Suppress all output except for the final summary. Example: ``` wfuzz -s http://example.com/FUZZ ``` #### -d, --debug Display debug output, including detailed information about the requests and responses. Example: ``` wfuzz -d http://example.com/FUZZ ``` #### -q, --quiet Suppress all output, including the final summary. Example: ``` wfuzz -q http://example.com/FUZZ ``` #### -c, --color Enable colored output for better readability. Example: ``` wfuzz -c http://example.com/FUZZ ``` #### -nc, --no-color Disable colored output. Example: ``` wfuzz -nc http://example.com/FUZZ ``` ```bash wfuzz -e printers #Prints the available output formats -f /tmp/output,csv #Saves the output in that location in csv format ``` ### 编码器选项 When using WFuzz, you have several options for encoding your payloads. These options can help you bypass filters or evade detection by modifying the format of your payloads. Here are some of the available encoders: - **URL Encoding**: This encoder replaces special characters with their corresponding URL-encoded representation. For example, the space character is replaced with "%20". - **HTML Encoding**: This encoder replaces special characters with their corresponding HTML-encoded representation. For example, the less than symbol "<" is replaced with "<". - **Base64 Encoding**: This encoder converts your payloads into a Base64-encoded format. This can be useful when dealing with binary data or when trying to obfuscate your payloads. - **Hex Encoding**: This encoder converts your payloads into a hexadecimal representation. Each character is replaced with its corresponding hexadecimal value. For example, the letter "A" is replaced with "41". - **Unicode Encoding**: This encoder converts your payloads into a Unicode representation. Each character is replaced with its corresponding Unicode value. For example, the letter "A" is replaced with "\u0041". - **Double URL Encoding**: This encoder applies URL encoding twice to your payloads. This can be useful when the target application is decoding the payloads multiple times. - **Mixed Encoding**: This encoder applies a combination of different encodings to your payloads. It can help you bypass complex filters that are looking for specific encoding patterns. To use an encoder in WFuzz, you can specify it with the `--encoding` option followed by the desired encoder. For example, `--encoding url` will apply URL encoding to your payloads. ```bash wfuzz -e encoders #Prints the available encoders #Examples: urlencode, md5, base64, hexlify, uri_hex, doble urlencode ``` 为了使用编码器,您需要在**"-w"**或**"-z"**选项中指定它。 示例: ```bash -z file,/path/to/file,md5 #Will use a list inside the file, and will transform each value into its md5 hash before sending it -w /path/to/file,base64 #Will use a list, and transform to base64 -z list,each-element-here,hexlify #Inline list and to hex before sending values ``` ## CheetSheet ### 登录表单暴力破解 #### **POST,单个列表,过滤字符串(隐藏)** ```bash wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php #Here we have filtered by line ``` #### **POST请求,2个列表,过滤代码(显示)** ```plaintext wfuzz -c -z file,wordlist/general/common.txt --hc 404,403 -d "param1=FUZZ¶m2=FUZZ" -u http://target.com/page.php ``` 这个命令使用wfuzz工具进行POST请求。它使用两个列表进行模糊测试,并通过过滤代码来显示结果。 - `-c`:指定wfuzz在遇到错误时继续执行。 - `-z file,wordlist/general/common.txt`:使用`common.txt`中的常见词列表进行模糊测试。 - `--hc 404,403`:忽略HTTP状态码为404和403的响应。 - `-d "param1=FUZZ¶m2=FUZZ"`:指定POST请求的参数,其中`FUZZ`将被wfuzz替换为模糊测试的值。 - `-u http://target.com/page.php`:指定目标URL。 这个命令将显示通过模糊测试得到的结果。 ```bash wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php #Here we have filtered by code ``` #### **GET,2个列表,过滤字符串(显示),代理,cookies** --- ##### **Description** This technique involves using the web tool `wfuzz` to perform a GET request with two lists and filter the response based on a specific string. It also allows the use of a proxy and cookies. ##### **Syntax** ```plaintext wfuzz -c -z file, -z file, -u -H "Cookie: " -p --filter "" ``` ##### **Options** - `-c`: Enables colorized output. - `-z file,`: Specifies the first list to be used for fuzzing. - `-z file,`: Specifies the second list to be used for fuzzing. - `-u `: Specifies the target URL. - `-H "Cookie: "`: Specifies the cookie to be used. - `-p `: Specifies the proxy to be used. - `--filter ""`: Specifies the string to filter the response. ##### **Example** ```plaintext wfuzz -c -z file,common.txt -z file,parameters.txt -u http://example.com/page?FUZZ=PARAM -H "Cookie: session=123456" -p 127.0.0.1:8080 --filter "Welcome" ``` This example uses `wfuzz` to fuzz the `FUZZ` parameter in the URL `http://example.com/page?FUZZ=PARAM` using the lists `common.txt` and `parameters.txt`. It sets the cookie `session` to `123456`, uses the proxy `127.0.0.1:8080`, and filters the response to only show lines containing the string "Welcome". ```bash wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in" ``` ### 暴力破解目录/RESTful暴力破解 [Arjun参数字典](https://raw.githubusercontent.com/s0md3v/Arjun/master/arjun/db/params.txt) ``` wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ ``` ### 路径参数爆破 Path参数爆破是一种Web应用程序渗透测试技术,用于发现可能存在的敏感信息或漏洞。在URL的路径部分,有时会包含一些参数,这些参数可以用于控制应用程序的行为或访问特定资源。通过尝试不同的值来爆破这些参数,可以揭示隐藏的功能或发现潜在的安全问题。 使用wfuzz工具可以自动化执行路径参数爆破。wfuzz是一个功能强大的工具,可以通过替换URL中的参数值来测试不同的情况。它可以使用字典文件来生成可能的值,并根据服务器的响应来确定是否存在敏感信息或漏洞。 以下是使用wfuzz进行路径参数爆破的基本语法: ```plaintext wfuzz -c -z file, ``` 其中,`-c`选项用于显示完整的HTTP响应,`-z`选项用于指定字典文件,``是包含可能值的文本文件,``是要测试的目标URL。 通过使用wfuzz进行路径参数爆破,可以帮助发现潜在的安全问题,如未经授权的访问、敏感信息泄露等。然而,在进行路径参数爆破时,务必遵守法律和道德规范,并获得合法的授权。 ```bash wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ' ``` ### 头部身份验证 #### **基本,2个列表,过滤字符串(显示),代理** ```bash wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php" ``` #### **NTLM,2个列表,过滤字符串(显示),代理** --- ##### **Description** This technique involves using the `wfuzz` tool to perform NTLM authentication brute-forcing. It requires two lists: one containing usernames and the other containing passwords. The tool will iterate through each combination of username and password to attempt authentication. ##### **Syntax** ```plaintext wfuzz -c -z file, -z file, --ntlm ``` ##### **Options** - `-c`: This option tells `wfuzz` to show the output in a compact format. - `-z file,`: Specifies the file containing the list of usernames. - `-z file,`: Specifies the file containing the list of passwords. - `--ntlm`: This option enables NTLM authentication. - ``: The URL of the target website. ##### **Example** ```plaintext wfuzz -c -z file,usernames.txt -z file,passwords.txt --ntlm http://example.com/login ``` ##### **Filtering the Output** To filter the output and only display the successful authentication attempts, you can use the `--filter` option with a specific string. For example, to only show the successful attempts, you can use the following command: ```plaintext wfuzz -c -z file,usernames.txt -z file,passwords.txt --ntlm http://example.com/login --filter "Successful attempt" ``` ##### **Using a Proxy** If you want to use a proxy while performing the NTLM authentication brute-forcing, you can use the `--proxy` option followed by the proxy URL. For example: ```plaintext wfuzz -c -z file,usernames.txt -z file,passwords.txt --ntlm http://example.com/login --proxy http://proxy.example.com:8080 ``` --- #### **NTLM,2个列表,过滤字符串(显示),代理** ```bash wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php" ``` ### Cookie/Header暴力破解(虚拟主机暴力破解) #### **Cookie,过滤器代码(显示),代理** ```bash wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "http://example.com/index.php" ``` #### **User-Agent, 过滤代码(隐藏),代理** The User-Agent header is used by web servers to identify the client's operating system, browser, and device. By modifying the User-Agent header, you can impersonate different clients and bypass certain restrictions or filters. To change the User-Agent header, you can use the `--uagent` option in wfuzz. For example: ``` wfuzz --uagent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" ... ``` This will set the User-Agent header to the specified value. In some cases, the web application may filter or block certain User-Agent strings. To bypass this, you can try encoding the User-Agent string or using a different User-Agent that is not filtered. To hide the filter code in the response, you can use the `--filter` option in wfuzz. For example: ``` wfuzz --filter "Invalid username or password" ... ``` This will hide any responses that contain the specified filter code. Using a proxy can help you hide your IP address and location, making it harder to trace your activities. You can use the `--proxy` option in wfuzz to route your requests through a proxy server. For example: ``` wfuzz --proxy http://127.0.0.1:8080 ... ``` This will send your requests through the specified proxy server. Remember to always respect the laws and regulations regarding the use of proxies and ensure that you have proper authorization before performing any hacking activities. ```bash wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "http://example.com/index.php" ``` #### **主机** #### **Description** ```bash wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains- top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100 ``` #### **使用文件** This technique involves using a file as input for the HTTP verb (method) brute force attack. The file contains a list of possible HTTP verbs that will be tested against the target web application. To perform this attack, you can use the `wfuzz` tool. First, create a file with a list of HTTP verbs, with each verb on a separate line. For example: ``` GET POST PUT DELETE ``` Save this file as `verbs.txt`. Next, use the following command to launch the brute force attack: ``` wfuzz -c -z file,verbs.txt http://target.com/FUZZ ``` In this command, `-c` specifies that the response status code should be displayed, and `-z file,verbs.txt` indicates that the file `verbs.txt` should be used as input. Replace `http://target.com/FUZZ` with the target URL, where `FUZZ` will be replaced by each verb in the file. The `wfuzz` tool will send requests to the target URL using each verb in the file, and display the response status code for each request. This allows you to identify any HTTP verbs that are accepted by the web application. Note that brute forcing HTTP verbs can be a time-consuming process, as it involves testing a large number of possibilities. Therefore, it is recommended to use a targeted approach and only test the most common HTTP verbs. #### **使用文件** 这种技术涉及使用文件作为HTTP动词(方法)暴力破解攻击的输入。该文件包含了一系列可能的HTTP动词,将对目标Web应用程序进行测试。 要执行此攻击,可以使用`wfuzz`工具。首先,创建一个包含HTTP动词列表的文件,每个动词占一行。例如: ``` GET POST PUT DELETE ``` 将此文件保存为`verbs.txt`。 接下来,使用以下命令启动暴力破解攻击: ``` wfuzz -c -z file,verbs.txt http://target.com/FUZZ ``` 在此命令中,`-c`指定显示响应状态码,`-z file,verbs.txt`表示使用文件`verbs.txt`作为输入。将`http://target.com/FUZZ`替换为目标URL,其中`FUZZ`将被文件中的每个动词替换。 `wfuzz`工具将使用文件中的每个动词向目标URL发送请求,并显示每个请求的响应状态码。这样可以确定Web应用程序接受的任何HTTP动词。 请注意,暴力破解HTTP动词可能是一个耗时的过程,因为它涉及测试大量的可能性。因此,建议采用有针对性的方法,仅测试最常见的HTTP动词。 ```bash wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php" ``` #### **使用内联列表** Inline lists are a useful feature in `wfuzz` that allows you to specify multiple values for a parameter in a single request. This can be helpful when you want to test different inputs or payloads for a specific parameter. To use an inline list in `wfuzz`, you need to enclose the list of values within curly braces `{}` and separate each value with a comma. For example, if you want to test different usernames for a login form, you can use an inline list like this: ``` wfuzz -u http://example.com/login.php?username=FUZZ -w {admin,user,test}.txt ``` In this example, `wfuzz` will replace the `FUZZ` keyword with each value from the inline list, resulting in the following requests: ``` http://example.com/login.php?username=admin http://example.com/login.php?username=user http://example.com/login.php?username=test ``` You can also use inline lists with multiple parameters. For example, if you want to test different combinations of usernames and passwords, you can use two inline lists like this: ``` wfuzz -u http://example.com/login.php?username=FUZZ&password=FUZ2Z -w {admin,user,test}.txt,{password1,password2}.txt ``` In this case, `wfuzz` will replace the `FUZZ` keyword in the `username` parameter with each value from the first inline list, and the `FUZ2Z` keyword in the `password` parameter with each value from the second inline list, resulting in multiple combinations of requests. Using inline lists can save you time and effort when testing different inputs or payloads in your web application. It allows you to automate the process and quickly identify any vulnerabilities or weaknesses. ```bash $ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/ ``` ### 目录和文件暴力破解 #### WFuzz WFuzz是一个非常强大的Web应用程序扫描工具,它可以用于目录和文件暴力破解。它使用了一种称为"模糊测试"的技术,通过在URL中插入不同的值来探测目标网站上的隐藏目录和文件。 #### 安装WFuzz 你可以通过以下命令来安装WFuzz: ```bash pip install wfuzz ``` #### 使用WFuzz进行目录暴力破解 要使用WFuzz进行目录暴力破解,你需要提供一个字典文件,该文件包含了可能的目录和文件名称。你可以使用常见的字典文件,如`dirbuster-medium.txt`或`dirb/common.txt`。 以下是使用WFuzz进行目录暴力破解的基本命令格式: ```bash wfuzz -c -z file,<字典文件路径> <目标URL>/FUZZ ``` 在上面的命令中,`-c`选项用于显示完整的HTTP响应,`-z`选项用于指定字典文件的路径。`<目标URL>`是目标网站的URL,`FUZZ`是WFuzz的占位符,它将被字典文件中的值替换。 #### 使用WFuzz进行文件暴力破解 除了目录暴力破解,你还可以使用WFuzz进行文件暴力破解。你可以提供一个字典文件,其中包含了可能的文件扩展名,然后WFuzz将尝试在目标网站上找到具有这些扩展名的文件。 以下是使用WFuzz进行文件暴力破解的基本命令格式: ```bash wfuzz -c -z file,<字典文件路径> <目标URL>/FUZZ.<扩展名> ``` 在上面的命令中,`<扩展名>`是你想要尝试的文件扩展名。 #### WFuzz的其他功能 除了目录和文件暴力破解,WFuzz还具有其他一些有用的功能,如: - 支持多线程扫描,可以加快扫描速度。 - 支持使用代理服务器进行扫描。 - 支持使用HTTP身份验证进行扫描。 - 支持使用自定义HTTP头进行扫描。 - 支持使用正则表达式过滤扫描结果。 你可以通过查看WFuzz的文档来了解更多关于它的功能和用法的信息。 ```bash #Filter by whitelisting codes wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ ``` ## 用于绕过网站的工具 [https://github.com/carlospolop/fuzzhttpbypass](https://github.com/carlospolop/fuzzhttpbypass)
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥 - 你在一家**网络安全公司**工作吗?想要在HackTricks中**宣传你的公司**吗?或者你想要**获取PEASS的最新版本或下载HackTricks的PDF**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! - 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family) - 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com) - **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。** - **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。