1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
Python library
===============
Wfuzz's Python library allows to automate tasks and integrate Wfuzz into new tools or scripts.
Library Options
---------------
All options that are available within the Wfuzz command line interface are available as library options:
======================== =====================================================================================
CLI Option Library Option
======================== =====================================================================================
<URL> url="url"
--recipe <filename> recipe=["filename"]
--oF <filename> save="filename"
-f filename,printer printer=("filename", "printer")
--dry-run transport="dryrun"
-p addr proxies=[("ip","port","type")]
-t N concurrent=N
-s N delay=0.0
-R depth rleve=depth
--follow follow=True
-Z scanmode=True
--req-delay N req_delay=0
--conn-delay N conn_delay=0.0
--no-cache no_cache=True
--script=<plugins> script="plugins"
--script-args n1=v1,... script_args={n1: v1}
-m iterator iterator="iterator"
-z payload payloads=[("name",{default="",encoder=["md5"]},slice=""),]
-V alltype allvars="alltype"
-X method method="method"
--hc/hl/hw/hh N[,N]+ hc/hl/hw/hh=[N,N]
--sc/sl/sw/sh N[,N]+ sc/sl/sw/sh=[N,N]
--ss/hs regex ss/hs="regex"
--filter <filter> filter="filter exp"
--prefilter <filter> prefilter=["prefilter exp"]
-b cookie cookie=["cookie1=value1",]
-d postdata postdata="postdata"
-H header headers=[("header1", "value1"),]
--basic/ntlm/digest auth auth=("basic", "user:pass")
======================== =====================================================================================
These options can be used in the main library interfaces: fuzz, payload or session indistinctly.
Fuzzing a URL
-------------
Fuzzing a URL with wfuzz library is very simple. Firstly, import the wfuzz module::
>>> import wfuzz
Now, let's try to fuzz a web page to look for hidden content, such as directories. For this example, let's use Acunetix's testphp (http://testphp.vulnweb.com/)::
>>> import wfuzz
>>> for r in wfuzz.fuzz(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
... print r
...
00060: C=301 7 L 12 W 184 Ch "admin"
00183: C=403 10 L 29 W 263 Ch "cgi-bin"
00429: C=301 7 L 12 W 184 Ch "images"
...
Now, we have a FuzzResult object called r. We can get all the information we need from this object.
FuzzSession object
------------------
A FuzzSession object has all the methods of the main wfuzz API.
The FuzzSession object allows you to persist certain parameters across fuzzing sessions::
>>> import wfuzz
>>> s = wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ")
>>> for r in s.fuzz(hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
... print r
...
00060: C=301 7 L 12 W 184 Ch "admin"
00183: C=403 10 L 29 W 263 Ch "cgi-bin"
...
FuzzSession can also be used as context manager::
>>> with wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]) as s:
... for r in s.fuzz():
... print r
...
00295: C=301 7 L 12 W 184 Ch "admin"
00418: C=403 10 L 29 W 263 Ch "cgi-bin"
Get payload
-----------
The get_payload function generates a Wfuzz payload from a Python iterable. It is a quick and flexible way of getting a payload programmatically without using Wfuzz payloads plugins.
Generating a new payload and start fuzzing is really simple::
>>> import wfuzz
>>> s = wfuzz.get_payload(range(5))
>>> for r in s.fuzz(url="http://testphp.vulnweb.com/FUZZ"):
... print r
...
00012: C=404 7 L 12 W 168 Ch "0"
00013: C=404 7 L 12 W 168 Ch "1"
00014: C=404 7 L 12 W 168 Ch "2"
00015: C=404 7 L 12 W 168 Ch "3"
00016: C=404 7 L 12 W 168 Ch "4"
The get_payloads method can be used when various payloads are needed::
>>> import wfuzz
>>> s = wfuzz.get_payloads([range(5), ["a","b"]])
>>> for r in s.fuzz(url="http://testphp.vulnweb.com/FUZZ/FUZ2Z"):
... print r
...
00028: C=404 7 L 12 W 168 Ch "4 - b"
00027: C=404 7 L 12 W 168 Ch "4 - a"
00024: C=404 7 L 12 W 168 Ch "2 - b"
00026: C=404 7 L 12 W 168 Ch "3 - b"
00025: C=404 7 L 12 W 168 Ch "3 - a"
00022: C=404 7 L 12 W 168 Ch "1 - b"
00021: C=404 7 L 12 W 168 Ch "1 - a"
00020: C=404 7 L 12 W 168 Ch "0 - b"
00023: C=404 7 L 12 W 168 Ch "2 - a"
00019: C=404 7 L 12 W 168 Ch "0 - a"
Get session
-----------
The get_session function generates a Wfuzz session object from the specified command line. It is a quick way of getting a payload programmatically from a string representing CLI options::
$ python
>>> import wfuzz
>>> s = wfuzz.get_session("-z range,0-10 http://testphp.vulnweb.com/FUZZ")
>>> for r in s.fuzz():
... print r
...
00002: C=404 7 L 12 W 168 Ch "1"
00011: C=404 7 L 12 W 168 Ch "10"
00008: C=404 7 L 12 W 168 Ch "7"
00001: C=404 7 L 12 W 168 Ch "0"
00003: C=404 7 L 12 W 168 Ch "2"
00004: C=404 7 L 12 W 168 Ch "3"
00005: C=404 7 L 12 W 168 Ch "4"
00006: C=404 7 L 12 W 168 Ch "5"
00007: C=404 7 L 12 W 168 Ch "6"
00009: C=404 7 L 12 W 168 Ch "8"
00010: C=404 7 L 12 W 168 Ch "9"
Interacting with the results
----------------------------
Once a Wfuzz result is available the grammar defined in the filter language can be used to work with the results' values. For example::
$ python
>>> import wfuzz
>>> with wfuzz.get_session("-z list --zD test -u http://testphp.vulnweb.com/userinfo.php -d uname=FUZZ&pass=FUZZ") as s:
... for r in s.fuzz():
... print(r.history.cookies.response)
... print(r.history.params.all)
... print(r.history.params.post)
... print(r.history.params.post.uname)
... print(r.history.params.post['pass'])
{'login': 'test%2Ftest'}
{'uname': 'test', 'pass': 'test'}
{'uname': 'test', 'pass': 'test'}
test
test
>>>
The result object has also a method to evaluate a language expression::
>> print(r.eval("r.cookies.response"))
login=test%2Ftest
|
