WDavid404 / OSCP


wfuzz #1

Open WDavid404 opened 1 year ago

WDavid404 commented 1 year ago

https://wfuzz.readthedocs.io/en/latest/user/basicusage.html#

Options:
        -h                        : This help
        --help                    : Advanced help
        --version                 : Wfuzz version details
        -e <type>                 : List of available encoders/payloads/iterators/printers/scripts

        -c                        : Output with colors
        -v                        : Verbose information.
        --interact                : (beta) If selected,all key presses are captured. This allows you to interact with the program.

        -p addr                   : Use Proxy in format ip:port:type. Repeat option for using various proxies.
                                    Where type could be SOCKS4,SOCKS5 or HTTP if omitted.

        -t N                      : Specify the number of concurrent connections (10 default)
        -s N                      : Specify time delay between requests (0 default)
        -R depth                  : Recursive path discovery being depth the maximum recursion level (0 default)
        -D depth                  : Maximum link depth level (4 default)
        -L, --follow              : Follow HTTP redirections

        -u url                    : Specify a URL for the request.
        -z payload                : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
                                    A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
                                    Encoders category can be used. ie. url
                                    Use help as a payload to show payload plugin's details (you can filter using --slice)
        -w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
        -V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
        -X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ

        -b cookie                 : Specify a cookie for the requests
        -d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
        -H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ")
        --basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"

        --hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
        --sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
        --ss/hs regex             : Show/Hide responses with the specified regex within the content
WDavid404 commented 1 year ago

E.g.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt \
-p 192.168.1.198:8081 \
-H "api-key: xxxx-xxxxx-xxxxx-xxxx" -H "Content-Type: application/json" \
--hc 404 \
https://test.com/api/v1/FUZZ

Use -X to specify a POST request

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt \
-p 192.168.1.198:8081 \
-X POST \
-H "api-key: xxxx-xxxx-xxxxx-xxxx" -H "Content-Type: application/json" --hc 404 \
https://test.com/api/v1/FUZZ
WDavid404 commented 1 year ago

OSCP practical examples:

wfuzz -w wordlist/general/common.txt --hc 404 http://testphp.vulnweb.com/FUZZ

wfuzz -c -z file,users.txt -z file,pass.txt --sc 200 "http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z"

wfuzz -c -z range,1-10 --hc=BBB "http://www.site.com/FUZZ{something not there}"

wfuzz --script=robots -z list,robots.txt http://www.webscantest.com/FUZZ
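The examples above lean on two wfuzz behaviours that are easy to misread from the help text: how multiple `-z` payloads fill `FUZZ`/`FUZ2Z` (the default `product` iterator), and how `--hc`/`--sc` with `BBB` compare each response against the `FUZZ{baseline}` request rather than a fixed value. The Python below is an added model written for this page, not code from the issue or from the wfuzz project; the counting rules (lines = newline characters, words = whitespace-separated tokens, chars = body length), the "any listed value matches" rule, and all responses are assumptions and constructed data, not wfuzz's source.

```python
"""Offline model of wfuzz keyword expansion and hide/show filtering with BBB.

Assumptions (ours, not taken from wfuzz's source): lines/words/chars are counted
as described in the lead-in; a response matches a filter when any listed value
equals its metric; hide and show are alternatives, as in wfuzz.
"""
import itertools
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Response:
    url: str
    code: int
    body: str

    @property
    def lines(self) -> int:
        return self.body.count("\n")

    @property
    def words(self) -> int:
        return len(self.body.split())

    @property
    def chars(self) -> int:
        return len(self.body)


def baseline_url(template: str) -> Optional[str]:
    """FUZZ{value} asks wfuzz to send 'value' first as the baseline request."""
    m = re.search(r"FUZZ\{([^}]*)\}", template)
    return re.sub(r"FUZZ\{[^}]*\}", m.group(1), template) if m else None


def expand_keywords(template: str, payload_sets) -> list:
    """Fill FUZZ, FUZ2Z, FUZ3Z ... with every combination of the payload sets
    (the default 'product' iterator). Any FUZZ{baseline} marker is dropped."""
    keywords = ["FUZZ"] + ["FUZ%dZ" % i for i in range(2, len(payload_sets) + 1)]
    template = re.sub(r"FUZZ\{[^}]*\}", "FUZZ", template)
    out = []
    for combo in itertools.product(*payload_sets):
        url = template
        for kw, val in zip(keywords, combo):
            url = url.replace(kw, val)
        out.append(url)
    return out


def _resolve(values, baseline: Optional[Response], metric: str) -> set:
    """Turn a --hc/--hl style value list into ints; BBB takes the baseline's metric."""
    out = set()
    for v in values:
        if v == "BBB":
            if baseline is None:
                raise ValueError("BBB used without a FUZZ{baseline} request")
            out.add(getattr(baseline, metric))
        else:
            out.add(int(v))
    return out


def filter_responses(responses, mode: str, baseline: Optional[Response] = None,
                     code=(), lines=(), words=(), chars=(), regex: Optional[str] = None):
    """mode='hide' drops matching responses (--hc/--hl/--hw/--hh/--hs);
    mode='show' keeps only matching responses (--sc/--sl/--sw/--sh/--ss)."""
    wanted = {
        "code": _resolve(code, baseline, "code"),
        "lines": _resolve(lines, baseline, "lines"),
        "words": _resolve(words, baseline, "words"),
        "chars": _resolve(chars, baseline, "chars"),
    }
    kept = []
    for r in responses:
        matched = any(getattr(r, m) in vals for m, vals in wanted.items())
        if regex is not None and re.search(regex, r.body):
            matched = True
        if (mode == "hide") != matched:  # hide keeps non-matches, show keeps matches
            kept.append(r)
    return kept


def demo():
    """Constructed run of: wfuzz -z range,1-3 --hc=BBB http://example.test/FUZZ{nothing-here}
    The server answers every missing path with the same 200 'soft 404' page, so
    --hc 200 would hide everything; --hh BBB hides only pages sized like the baseline."""
    template = "http://example.test/FUZZ{nothing-here}"
    soft404 = "<html>\n<body>Page not found</body>\n</html>\n"
    baseline = Response(baseline_url(template), 200, soft404)
    bodies = {  # constructed responses
        "http://example.test/1": soft404,
        "http://example.test/2": "<html>\n<body>Welcome, admin. 3 items.</body>\n</html>\n",
        "http://example.test/3": soft404,
    }
    responses = [Response(u, 200, bodies[u]) for u in expand_keywords(template, [["1", "2", "3"]])]
    by_code = [r.url for r in filter_responses(responses, "hide", baseline, code=["200"])]
    by_baseline = [r.url for r in filter_responses(responses, "hide", baseline, chars=["BBB"])]
    by_regex = [r.url for r in filter_responses(responses, "show", regex="admin")]
    return by_code, by_baseline, by_regex


if __name__ == "__main__":
    print(demo())
```

The `demo()` run shows why `--hc=BBB` exists: a site that returns HTTP 200 for unknown paths defeats `--hc 404` and `--hc 200` alike, while comparing against the baseline request leaves only the response that differs.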