Wfuzz的使用

再fuzzing领域，最流行的是再二进制漏洞挖掘，后面也出来webfuzz，就是今天的wfuzz，其实有些在web领域算是暴力破解，但是说fuzz也没毛病。

安装及简介

直接pip安装即可

pip install wfuzz

kali的话是自带了的

或者直接下载源码，字典什么的比较好找

git clone https://github.com/xmendez/wfuzz.git

官方文档：https://wfuzz.readthedocs.io/en/latest/

Wfuzz的核心理念是用给定的payload去替换HTTP请求中的占位符，从而发现潜在的安全问题，例如可预测的认证、注入漏洞、路径遍历、跨站脚本等

使用

目录爆破

-w wordlist               : Specify a wordlist file (alias for -z file,wordlist).

wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ

不过速度比御剑那些还是慢点，而且信息可读性低，没有汇总返回包200或者301等情况，可以使用–hc过滤掉404

wfuzz -w wordlist/general/common.txt --hc 404 http://testphp.vulnweb.com/FUZZ

--hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)

子域爆破

-c                        : Output with colors
-Z 指定要在扫描模式下输入的 URL，并忽略任何连接错误
--hc XXX   过滤掉不存在的子域名

$ wfuzz -c -Z -w wordlist/general/common.txt --hc XXX http://FUZZ.vulnweb.com
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://FUZZ.vulnweb.com/
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000936:   200        73 L     260 W      4018 Ch     "www"                             

Total time: 0
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 0

或者自己提供一个简单的列表来爆破

$ wfuzz -z list,www-testphp-admin-svn http://FUZZ.vulnweb.com/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://FUZZ.vulnweb.com/
Total requests: 4

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000001:   200        73 L     260 W      4018 Ch     "www"                             
000000002:   200        109 L    388 W      4958 Ch     "testphp"                         

Total time: 0
Processed Requests: 2
Filtered Requests: 0
Requests/sec.: 0

 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 52: Empty reply from server

多重模糊测试（多位置模糊）

wfuzz -w wordlist/general/common.txt -w wordlist/general/common.txt -w wordlist/general/extensions_common.txt --hc 404 http://testphp.vulnweb.com/FUZZ/FUZ2ZFUZ3Z

每个字典对应后面的FUZZ 、FUZ2Z 和 FUZ3Z

登录暴力破解

-d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")

$ wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://testphp.vulnweb.com/userinfo.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/userinfo.php
Total requests: 52

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000044:   200        119 L    448 W      5969 Ch     "test - test"                     

Total time: 0
Processed Requests: 52
Filtered Requests: 51
Requests/sec.: 0

$ wfuzz -w wordlist/general/common.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://testphp.vulnweb.com/userinfo.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/userinfo.php
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000830:   200        119 L    448 W      5985 Ch     "test - test"                     

Total time: 44.66879
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 21.29003

Cookie 模糊测试

-b cookie                 : Specify a cookie for the requests

带上cookie去请求

$ wfuzz -z file,wordlist/general/common.txt -b "login=test%2Ftest" --hc 404 http://testphp.vulnweb.com/FUZZ

fuzz cookie

wfuzz -z file,wordlist/general/common.txt -b login=FUZZ http://testphp.vulnweb.com/

HEADER模糊测试

$ wfuzz -w wordlist/Injections/SQL.txt -H "X-Forwarded-By: 127.0.0.1FUZZ" http://testphp.vulnweb.com/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/
Total requests: 125

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000014:   200        109 L    388 W      4958 Ch     "\x3D%20\x3B'"                    
000000012:   200        109 L    388 W      4958 Ch     "\x23"                            
000000003:   200        109 L    388 W      4958 Ch     "#"                               
000000007:   200        109 L    388 W      4958 Ch     "--';"                            
000000001:   200        109 L    388 W      4958 Ch     "'"                               
000000016:   200        109 L    388 W      4958 Ch     "\x27\x4F\x52 SELECT *"           
000000011:   200        109 L    388 W      4958 Ch     "=%20--"                          
000000010:   200        109 L    388 W      4958 Ch     "=%20;"                           
000000013:   200        109 L    388 W      4958 Ch     "\x27"

请求方法模糊测试

$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/
Total requests: 5

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000002:   200        0 L      0 W        0 Ch        "HEAD - HEAD"                     
000000005:   405        7 L      11 W       157 Ch      "OPTIONS - OPTIONS"               
000000001:   200        109 L    388 W      4958 Ch     "GET - GET"                       
000000003:   200        109 L    388 W      4958 Ch     "POST - POST"                     
000000004:   405        7 L      11 W       157 Ch      "TRACE - TRACE"                   

Total time: 0
Processed Requests: 5
Filtered Requests: 0
Requests/sec.: 0

通过代理进行模糊测试

比如下面可以给到burp

wfuzz -z file,wordlist/general/common.txt -p localhost:8080 http://testphp.vulnweb.com/FUZZ

下面是SOCKS5代理的例子

wfuzz -z file,wordlist/general/common.txt -p localhost:9500:SOCKS5 http://testphp.vulnweb.com/FUZZ

身份验证模糊

–basic：提供基本的用户名和密码验证
–ntlm：Windows 身份验证
–digest：通过摘要访问进行网络服务器协商

$ wfuzz -z list,nonvalid-httpwatch --basic FUZZ:FUZZ https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx
Total requests: 2

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000001:   401        0 L      11 W       58 Ch       "nonvalid - nonvalid"             
000000002:   200        20 L     159 W      5037 Ch     "httpwatch - httpwatch"           

Total time: 0
Processed Requests: 2
Filtered Requests: 0
Requests/sec.: 0

编码器

$ wfuzz -z file,wordlist/general/common.txt,md5 http://testphp.vulnweb.com/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload                           
=====================================================================

000000001:   404        7 L      11 W       153 Ch      "518ed29525738cebdac49c49e60ea9d3"
000000009:   404        7 L      11 W       153 Ch      "a9b7ba70783b617e9998dc4dd82eb3c5"
000000004:   404        7 L      11 W       153 Ch      "a2ef406e2c2351e0b9e80029c909242d"
000000005:   404        7 L      11 W       153 Ch      "e45ee7ce7e88149af8dd32b27f9512ce"
000000008:   404        7 L      11 W       153 Ch      "f899139df5e1059396431415e770c6dd"
000000003:   404        7 L      11 W       153 Ch      "96a3be3cf272e017046d1b2674a52bd3"
000000010:   404        7 L      11 W       153 Ch      "202cb962ac59075b964b07152d234b70"
000000002:   404        7 L      11 W       153 Ch      "b4b147bc522828731f1a016bfa72c073"
000000007:   404        7 L      11 W       153 Ch      "d3d9446802a44259755d38e6d163e820"

参考

https://www.ddosi.org/wfuzz-guide/