8.6 KiB
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
Web Tool - WFuzz
A tool to FUZZ web applications anywhere.
Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.
Installation
Installed in Kali
Github: https://github.com/xmendez/wfuzz
pip install wfuzz
Filtering options
--hs/ss "regex" #Hide/Show
#Simple example, match a string: "Invalid username"
#Regex example: "Invalid *"
--hc/sc CODE #Hide/Show by code in response
--hl/sl NUM #ide/Show by number of lines in response
--hw/sw NUM #ide/Show by number of words in response
--hc/sc NUM #ide/Show by number of chars in response
Output options
wfuzz -e printers #Prints the available output formats
-f /tmp/output,csv #Saves the output in that location in csv format
Encoders options
wfuzz -e encoders #Prints the available encoders
#Examples: urlencode, md5, base64, hexlify, uri_hex, doble urlencode
In order to use a encoder, you have to indicate it in the "-w" or "-z" option.
Examples:
-z file,/path/to/file,md5 #Will use a list inside the file, and will trnasform each value into its md5 hash before sending it
-w /path/to/file,base64 #Will use a list, and transforms to base64
-z list,each-element-here,hexlify #Inline list and to hex before sending values
CheetSheet
Login Form bruteforce
POST, Single list, filter string (hide)
wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by line
POST, 2 lists, filder code (show)
wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by code
GET, 2 lists, filter string show
, proxy, cookies
wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"
Bruteforce Dicrectory/RESTful bruteforce
wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ
Path Parameters BF
wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'
Header Authentication
Basic, 2 lists, filter string show
, proxy
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"
NTLM, 2 lists, filter string show
, proxy
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"
Cookie/Header bruteforce vhost brute
Cookie, filter code show
, proxy
wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "http://example.com/index.php"
User-Agent, filter code hide
, proxy
wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "http://example.com/index.php"
Host
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-
top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u
http://example.com -t 100
HTTP Verbs methods
bruteforce
Using file
wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"
Using inline list
$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
Directory & Files Bruteforce
#Filter by whitelisting codes
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ
Tool to bypass Webs
https://github.com/carlospolop/fuzzhttpbypass
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.