hacktricks/pentesting-web/web-tool-wfuzz.md
2024-02-10 17:52:19 +00:00


Web Tool - WFuzz

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

A tool to FUZZ web applications anywhere.

Wfuzz was created to facilitate the task in web application assessments and is based on a simple concept: it replaces any reference to the FUZZ keyword with the value of a given payload.

Installation

Installed in Kali

Github: https://github.com/xmendez/wfuzz

pip install wfuzz

Filtering options

--hs/ss "regex" #Hide/Show
#Simple example, match a string: "Invalid username"
#Regex example: "Invalid *"

--hc/sc CODE #Hide/Show by code in response
--hl/sl NUM #Hide/Show by number of lines in response
--hw/sw NUM #Hide/Show by number of words in response
--hh/sh NUM #Hide/Show by number of chars in response
--hc/sc NUM #Hide/Show by response code

Output options

wfuzz -e printers #Prints the available output formats
-f /tmp/output,csv #Saves the output in that location in csv format

Encoders

wfuzz -e encoders #Prints the available encoders
#Examples: urlencode, md5, base64, hexlify, uri_hex, doble urlencode

To use an encoder, you have to indicate it in the "-w" or "-z" option.

Examples:

-z file,/path/to/file,md5 #Will use a list inside the file, and will transform each value into its md5 hash before sending it
-w /path/to/file,base64 #Will use a list, and transform to base64
-z list,each-element-here,hexlify #Inline list and to hex before sending values
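The filter options above and the encoder syntax just shown, as an added example that is not wfuzz's own code: a simplified Python model of the FUZZ/FUZ2Z expansion, the payload encoders named on the page (urlencode, md5, base64, hexlify) and the hide/show filters, run over constructed responses for the page's Zabbix-style login template. The way hide and show rules combine is a simplification of wfuzz's, and the responses are made up.

```python
# Added example (not wfuzz's own code): a small model of how wfuzz expands FUZZ /
# FUZ2Z, applies payload encoders (-z file,path,md5) and hides/shows results.
import base64, hashlib, itertools, re
from urllib.parse import quote

# Encoders named on the page, each mapping a payload string to its encoded form.
ENCODERS = {
    "none": lambda s: s,
    "urlencode": lambda s: quote(s, safe=""),
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "hexlify": lambda s: s.encode().hex(),
}

def expand(template, payloads, encoders):
    """Yield the template with FUZZ, FUZ2Z, ... replaced by every payload combination
    (cartesian product, wfuzz's default); one payload list and encoder per -z/-w."""
    for combo in itertools.product(*payloads):
        out = template
        for i, (value, enc) in enumerate(zip(combo, encoders)):
            keyword = "FUZZ" if i == 0 else f"FUZ{i + 1}Z"
            out = out.replace(keyword, ENCODERS[enc](value))
        yield out

def keep(code, body, hide=None, show=None):
    """Simplified --hX/--sX semantics: drop if any hide rule matches; if show rules
    exist keep only when one matches. Keys: code/lines/words/chars -> set, string -> regex."""
    metrics = {"code": code, "lines": body.count("\n"),
               "words": len(body.split()), "chars": len(body)}
    def matches(rules):
        return any(re.search(v, body) if k == "string" else metrics[k] in v
                   for k, v in rules.items())
    if hide and matches(hide):
        return False
    return not show or matches(show)

# Constructed sample: the page's login template with two payload lists, the
# password list hex-encoded before sending, and canned responses per request.
TEMPLATE = "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in"
PAYLOADS, ENC = [["admin", "guest"], ["pw1"]], ["none", "hexlify"]
RESPONSES = {  # request body -> (status code, response body)
    "name=admin&password=707731&autologin=1&enter=Sign+in": (200, "<h1>Welcome admin</h1>\n<p>Dashboard</p>\n"),
    "name=guest&password=707731&autologin=1&enter=Sign+in": (200, "Login name\nInvalid username or password\n"),
}

def run(hide=None, show=None):
    """Return the requests wfuzz would print under the given hide/show rules."""
    return [r for r in expand(TEMPLATE, PAYLOADS, ENC)
            if keep(*RESPONSES[r], hide=hide, show=show)]
```

Note that both constructed responses have the same length, so a `--hh`/`--sh` filter cannot tell them apart here while `--hs "Login name"` or `--hw` can; pick the filter on whatever actually differs between the failed and successful response.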

CheatSheet

Login Form bruteforce

POST, Single list, filter string (hide)


wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by string: responses containing "Login name" are hidden (--hs)

POST, 2 lists, filter code (show)

wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by code

GET, 2 lists, filter string (show), proxy, cookies


wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"

Bruteforce Directory/RESTful bruteforce

Arjun parameters wordlist

wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ

Path Parameters BF


wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'

Header Authentication

Basic, 2 lists, filter string (show), proxy


wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"

NTLM, 2 lists, filter string (show), proxy

wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"

Cookie, filter string (show), proxy

wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ"  "http://example.com/index.php"

User-Agent, filter string (show), proxy


wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ"  "http://example.com/index.php"

Host

wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100

HTTP Verbs (methods) bruteforce

Using file

wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"

Using inline list

$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/

Directory & Files Bruteforce

#Filter by whitelisting codes
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ

Tool to bypass Webs

https://github.com/carlospolop/fuzzhttpbypass
