admin
2019/04/23

Wfuzz Getting Started Guide

0x0 Introduction to Wfuzz

Wfuzz is a fully modular web security fuzzing framework written in Python. It supports both Python 3 and Python 2.

The official documentation notes that it runs faster under Python 3.

Some of Wfuzz's features:

  • Multiple injection points with multiple dictionaries
  • Recursion (when doing directory brute force)
  • POST, header and authentication data brute forcing
  • Output to HTML
  • Colored output
  • Hide results by return code, word count, line count or regex
  • Cookie fuzzing
  • Multi-threading
  • Proxy support
  • SOCKS support
  • Time delays between requests
  • Authentication support (NTLM, Basic)
  • All-parameter brute forcing (POST and GET)
  • Multiple encoders per payload
  • Payload combinations with iterators
  • Baseline request (to filter results against)
  • Brute forcing of HTTP methods
  • Multiple proxy support (each request through a different proxy)
  • HEAD scan (faster resource discovery)
  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and more)

0x1 Installation

Install with pip:

# make sure pip itself is up to date
python -m pip install --upgrade --force pip
m4p1e@ubuntu:~$ pip install wfuzz

If pycurl fails to build during the installation, install the libcurl development headers and retry:

 $ sudo apt install libcurl4-openssl-dev
 $ sudo pip3 install --upgrade wfuzz

Reinstalling wfuzz afterwards succeeds. The warning "Pycurl is not compiled against Openssl" that shows up in some of the runs below means pycurl was built against a different TLS backend; plain HTTP targets are unaffected, but before fuzzing HTTPS targets rebuild pycurl from source against OpenSSL (for example pip install --no-binary pycurl pycurl with libcurl4-openssl-dev present).

0x2 Getting started

A simple example first:

wfuzz -w <wordlist> <target>/FUZZ

-w names the wordlist to fuzz with, https://www.evi1s.com/ is the test target site, and FUZZ is the placeholder, that is, the position in the request where each wordlist entry is inserted. A run against that target:

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: https://www.evi1s.com/FUZZ
Total requests: 49

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000006:  C=404      7 L          12 W        162 Ch      "/bbs"
000007:  C=404      7 L          12 W        162 Ch      "/Editor"
000008:  C=404      7 L          12 W        162 Ch      "/manage"
000002:  C=301      7 L          12 W        178 Ch      "/admin"
000004:  C=404      7 L          12 W        162 Ch      "/Fckeditor"
000011:  C=404      7 L          12 W        162 Ch      "/login,asp"
000003:  C=404      7 L          12 W        162 Ch      "/edit"
000001:  C=404      7 L          12 W        162 Ch      "/dede"
000009:  C=404      7 L          12 W        162 Ch      "/shopadmin"
000012:  C=404      7 L          12 W        162 Ch      "/webadmin"
000013:  C=404      7 L          12 W        162 Ch      "/admin/WebEditor"
000014:  C=404      7 L          12 W        162 Ch      "/admin/daili/webedit"
000021:  C=302      0 L           0 W          0 Ch      "/admin/"
000015:  C=404      7 L          12 W        162 Ch      "/login/"
000022:  C=404      7 L          12 W        162 Ch      "/shopadmin/"
000017:  C=404      7 L          12 W        162 Ch      "/tmp/"
000016:  C=404      7 L          12 W        162 Ch      "/database/"
000018:  C=404      7 L          12 W        162 Ch      "/manager/"
000019:  C=404      7 L          12 W        162 Ch      "/manage/"
000020:  C=404      7 L          12 W        162 Ch      "/web/"
000023:  C=404      7 L          12 W        162 Ch      "/wp-includes/"
000024:  C=404      7 L          12 W        162 Ch      "/edit/"
000025:  C=404      7 L          12 W        162 Ch      "/editor/"
000026:  C=404      7 L          12 W        162 Ch      "/webadmin/"
000028:  C=404      7 L          12 W        162 Ch      "/data/"
000031:  C=404      7 L          12 W        162 Ch      "/southidceditor/"
000032:  C=404      7 L          12 W        162 Ch      "/fckeditor/"
000033:  C=404      7 L          12 W        162 Ch      "/admin/EDITOR/Dialog/"
000027:  C=404      7 L          12 W        162 Ch      "/test/"
000029:  C=404      7 L          12 W        162 Ch      "/include/"
000030:  C=404      7 L          12 W        162 Ch      "/office/"
000010:  C=404      7 L          12 W        162 Ch      "/web_Fckeditor"
000035:  C=404      7 L          12 W        162 Ch      "/Editor/Include/"
000034:  C=404      7 L          12 W        162 Ch      "/FCKeditor/editor/"
000040:  C=404      7 L          12 W        162 Ch      "/setup/"
000039:  C=404      7 L          12 W        162 Ch      "/upload/admin/"
000037:  C=404      7 L          12 W        162 Ch      "/kindeditor/"
000036:  C=404      7 L          12 W        162 Ch      "/guestbook/"
000038:  C=404      7 L          12 W        162 Ch      "/PayOnline/"
000005:  C=404      7 L          12 W        162 Ch      "/ewebeditor"
000045:  C=404      7 L          12 W        162 Ch      "/WEB-INF/"
000046:  C=404      7 L          12 W        162 Ch      "/robots.txt"
000044:  C=404      7 L          12 W        162 Ch      "/edit/db/"
000043:  C=404      7 L          12 W        162 Ch      "/company/"
000047:  C=404      7 L          12 W        162 Ch      "/eWebEditorNet/UploadFile/"
000041:  C=404      7 L          12 W        162 Ch      "/s_admin/"
000048:  C=404      7 L          12 W        162 Ch      "/user/"
000049:  C=200    757 L        2511 W      46823 Ch      ""
000042:  C=404      7 L          12 W        162 Ch      "/fund/"

Total time: 13.02233
Processed Requests: 49
Filtered Requests: 0
Requests/sec.: 3.762766

  • ID: request ID, in execution order
  • Response: HTTP response status code
  • Lines: number of lines in the response body
  • Word: number of words in the response body
  • Chars: number of characters in the response body
  • Payload: the wordlist entry substituted for FUZZ

Help

Like most tools, Wfuzz prints its help with -h:

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
*                                                      *
* Version up to 1.4c coded by:                         *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com)                   *
*                                                      *
* Version 1.4d to 2.3.4 coded by:                      *
* Xavier Mendez (xmendez@edge-security.com)            *
********************************************************

Usage:    wfuzz [options] -z payload,params <url>

    FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload.
    FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.


Options:
    -h                        : This help                                     # show help
    --help                    : Advanced help                                 # advanced help
    --version                 : Wfuzz version details                         # version information
    -e <type>                 : List of available encoders/payloads/iterators/printers/scripts    # list the available modules of the given type (encoders, payloads, ...)
    
    -c                        : Output with colors                            # colored output
    -v                        : Verbose information.                          # verbose output
    --interact                : (beta) If selected,all key presses are captured. This allows you to interact with the program.  # (beta) capture all key presses so you can interact with the running program
    
    -p addr                   : Use Proxy in format ip:port:type. Repeat option for using various proxies.         
                                Where type could be SOCKS4,SOCKS5 or HTTP if omitted.                        # use a proxy; format ip:port:type, where type is SOCKS4 or SOCKS5, HTTP if omitted
    
    -t N                      : Specify the number of concurrent connections (10 default)                           # number of concurrent connections, default 10
    -s N                      : Specify time delay between requests (0 default)  # delay between requests in seconds, default 0
    -R depth                  : Recursive path discovery being depth the maximum recursion level.                # recursive directory discovery; depth is the maximum recursion level
    -L, --follow              : Follow HTTP redirections  # follow HTTP redirects
    
    -u url                    : Specify a URL for the request.  # target URL
    -z payload                : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder. 
                                A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
                                Encoders category can be used. ie. url
                                Use help as a payload to show payload plugin's details (you can filter using --slice)  # one payload per FUZZ keyword, given as type,parameters,encoder; several encoders as md5-sha1, chained as md5@sha1; "-z help --slice <name>" shows a payload plugin's details
    -w wordlist               : Specify a wordlist file (alias for -z file,wordlist).                # wordlist file, same as -z file,wordlist
    -V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.     # brute-force every parameter (GET and POST) without a FUZZ keyword
    -X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ                            # HTTP method for the request, e.g. HEAD, or FUZZ to fuzz the method itself
    
    -b cookie                 : Specify a cookie for the requests  # cookie to send with each request
    -d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")  # POST body to send
    -H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ")  # request header to send
    --basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"  # HTTP authentication credentials
    
    --hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)  # hide results matching the given status code / line count / word count / character count
    --sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)  # show only results matching the given status code / line count / word count / character count
    --ss/hs regex             : Show/Hide responses with the specified regex within the content                        # show / hide results whose content matches the regex

Payloads

Wfuzz is built on a simple idea: it replaces every occurrence of the keyword FUZZ with a value taken from a payload. A payload, in Wfuzz terms, is a source of input data.

List the available payloads with wfuzz -e payloads:

Available payloads:

  Name            | Summary                                                                           
------------------------------------------------------------------------------------------------------
  burplog         | Returns fuzz results from a Burp log.                                             
  bing            | Returns URL results of a given bing API search (needs api key).                   
  burpstate       | Returns fuzz results from a Burp state.                                           
  autorize        | Returns fuzz results' from autororize.                                            
  guitab          | This payload reads requests from a tab in the GUI                                 
  names           | Returns possible usernames by mixing the given words, separated by -, using know  
                  | n typical constructions.                                                          
  list            | Returns each element of the given word list separated by -.                       
  hexrange        | Returns each hex number of the given hex range.                                   
  stdin           | Returns each item read from stdin.                                                
  range           | Returns each number of the given range.                                           
  iprange         | Returns list of IP addresses of a given IP range.                                 
  dirwalk         | Returns filename's recursively from a local directory.                            
  permutation     | Returns permutations of the given charset and length.                             
  file            | Returns each word from a file.                                                    
  buffer_overflow | Returns a string using the following pattern A * given number.                    
  ipnet           | Returns list of IP addresses of a network.                                        
  hexrand         | Returns random hex numbers from the given range.                                  
  wfuzzp          | Returns fuzz results' URL from a previous stored wfuzz session. 

Specifying a payload, in three equivalent forms:

wfuzz -z file --zP fn=~/Desktop/word.txt  http://evi1s.com/FUZZ
wfuzz -w ~/Desktop/word.txt http://evi1s.com/FUZZ
wfuzz -z file,~/Desktop/word.txt http://evi1s.com/FUZZ

All three do the same thing: each uses the file payload. As the help text says, -z selects a payload module and --zP sets that payload's parameters (-w is shorthand for -z file,wordlist). To see the file payload's own parameters, ask for the help payload and slice it down to the plugin of interest:

wfuzz -z help --slice "file"

--slice is a filter; it is covered in more detail later.

Using several payloads

Wfuzz accepts several -w/-z options together with matching FUZZ, FUZ2Z, ..., FUZnZ keywords, where n is the position of the payload on the command line. For example:

wfuzz -w ~/Desktop/word.txt -w ~/Desktop/word1.txt http://evi1s.com/FUZZ/FUZ2Z/

This is convenient for scanning nested directories or a file under a deeper directory. Note that by default the payloads are combined as a cartesian product (the product iterator described later), so two wordlists of 1,000 entries each generate 1,000,000 requests.

Filters

Filters are essential for making sense of Wfuzz output; used well they save a great deal of time:

  1. When a fuzz run produces a lot of data, a filter can hide the noise or show only results of a particular kind.
  2. When testing for SQL injection, for example, you tell normal and error responses apart by their status code or response size, so you need to distinguish the HTTP status and the response length.

As the help text shows, filters can select on status code, line count, word count and character count, and also on a regular expression over the response content.

When scanning directories, for instance, 404 results are of no interest at all:

wfuzz -w ~/Desktop/word.txt --hc 404 http://www.evi1s.com/FUZZ

In that run 24 requests were processed and 21 of them were filtered out.

A filter option takes several values separated by commas; to hide both 404 and 301:

wfuzz -w ~/Desktop/word.txt --hc 404,301 http://www.evi1s.com/FUZZ

The options above use --hc to hide results. The --sc family does the opposite and shows only matching results; to print only status 200 and 301:

wfuzz -w ~/Desktop/word.txt --sc 200,301 http://www.evi1s.com/FUZZ

Filter options can be combined. To hide results with status 301 and a length of 178 characters:

wfuzz -c -w ~/Desktop/word.txt --hc 301 --hh 178 http://evi1s.com/FUZZ

Using a baseline

A baseline builds the filter from a reference HTTP response. For example, using the response for /dede (from the run above) as the reference:

wfuzz -c -w ~/Desktop/word.txt --hh BBB http://evi1s.com/FUZZ{dede}

In http://evi1s.com/FUZZ{dede}, the value in braces is the payload for the very first request, so that request goes to http://evi1s.com/dede.

--hh BBB (BBB is a fixed token and cannot be changed) tells the filter to take its value from that first, baseline response. Here /dede does not exist and returns a 404, so every response with the same character count as that 404 is hidden. This is the easiest way to get rid of "soft 404" pages, where the server answers 200 for unknown paths but always with the same page.

Regular expressions

The --ss and --hs options show or hide results whose response content matches a regular expression. They match the response body, not the status line, so "404 Not Found" below has to appear in the body of the error page:

wfuzz -c -w ~/Desktop/word.txt --hs "404 Not Found" http://evi1s.com/FUZZ/

0x3 Basics

Wfuzz can find hidden files and directories on a web service; how much it finds depends on the wordlist you choose.

Besides the wordlists bundled with Wfuzz, two more comprehensive open-source wordlist collections are recommended:

Directory and file scanning

Use Wfuzz to scan a web service for directories, or for specific files that may leak information, such as robots.txt or web.config. Examples:

# scan directories
wfuzz -c -w ~/Desktop/word.txt  http://evi1s.com/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://evi1s.com/FUZZ
Total requests: 27

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000002:  C=301      7 L          12 W        178 Ch      "/admin"
000006:  C=404      7 L          12 W        162 Ch      "/bbs"
000004:  C=404      7 L          12 W        162 Ch      "/Fckeditor"
000009:  C=404      7 L          12 W        162 Ch      "/shopadmin"
000003:  C=404      7 L          12 W        162 Ch      "/edit"
000010:  C=404      7 L          12 W        162 Ch      "/web_Fckeditor"
000008:  C=404      7 L          12 W        162 Ch      "/manage"
000005:  C=404      7 L          12 W        162 Ch      "/ewebeditor"
000001:  C=404      7 L          12 W        162 Ch      "/dede"
000011:  C=404      7 L          12 W        162 Ch      "/login,asp"
000012:  C=404      7 L          12 W        162 Ch      "/webadmin"
000017:  C=302      0 L           0 W          0 Ch      "/admin/"
000013:  C=404      7 L          12 W        162 Ch      "/admin/WebEditor"
000016:  C=404      7 L          12 W        162 Ch      "/database/"
000020:  C=404      7 L          12 W        162 Ch      "/edit/"
000015:  C=404      7 L          12 W        162 Ch      "/login/"
000014:  C=404      7 L          12 W        162 Ch      "/admin/daili/webedit"
000024:  C=301      7 L          12 W        178 Ch      "admin"
000018:  C=404      7 L          12 W        162 Ch      "/shopadmin/"
000019:  C=404      7 L          12 W        162 Ch      "/wp-includes/"
000021:  C=404      7 L          12 W        162 Ch      "/editor/"
000022:  C=404      7 L          12 W        162 Ch      "/webadmin/"
000023:  C=404      7 L          12 W        162 Ch      "/user/"
000025:  C=404      7 L          12 W        162 Ch      "index"
000026:  C=404      7 L          12 W        162 Ch      "login"
000027:  C=200    757 L        2511 W      46348 Ch      ""
000007:  C=404      7 L          12 W        162 Ch      "/Editor"

Total time: 3.234214
Processed Requests: 27
Filtered Requests: 0
Requests/sec.: 8.348240

# scan files
$ wfuzz -c -w ~/Desktop/word.txt  http://evi1s.com/FUZZ.php
 

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://evi1s.com/FUZZ.php
Total requests: 27

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000003:  C=404      7 L          12 W        162 Ch      "/edit"
000005:  C=404      7 L          12 W        162 Ch      "/ewebeditor"
000004:  C=404      7 L          12 W        162 Ch      "/Fckeditor"
000006:  C=404      7 L          12 W        162 Ch      "/bbs"
000001:  C=404      7 L          12 W        162 Ch      "/dede"
000007:  C=404      7 L          12 W        162 Ch      "/Editor"
000010:  C=404      7 L          12 W        162 Ch      "/web_Fckeditor"
000009:  C=404      7 L          12 W        162 Ch      "/shopadmin"
000008:  C=404      7 L          12 W        162 Ch      "/manage"
000011:  C=404      7 L          12 W        162 Ch      "/login,asp"
000012:  C=404      7 L          12 W        162 Ch      "/webadmin"
000015:  C=404      7 L          12 W        162 Ch      "/login/"
000002:  C=404      7 L          12 W        162 Ch      "/admin"
000016:  C=404      7 L          12 W        162 Ch      "/database/"
000013:  C=404      7 L          12 W        162 Ch      "/admin/WebEditor"
000014:  C=404      7 L          12 W        162 Ch      "/admin/daili/webedit"
000018:  C=404      7 L          12 W        162 Ch      "/shopadmin/"
000019:  C=404      7 L          12 W        162 Ch      "/wp-includes/"
000017:  C=404      7 L          12 W        162 Ch      "/admin/"
000020:  C=404      7 L          12 W        162 Ch      "/edit/"
000021:  C=404      7 L          12 W        162 Ch      "/editor/"
000023:  C=404      7 L          12 W        162 Ch      "/user/"
000022:  C=404      7 L          12 W        162 Ch      "/webadmin/"
000024:  C=404      7 L          12 W        162 Ch      "admin"
000026:  C=404      7 L          12 W        162 Ch      "login"
000027:  C=404      7 L          12 W        162 Ch      ""
000025:  C=200    757 L        2515 W      46335 Ch      "index"

Total time: 1.926521
Processed Requests: 27
Filtered Requests: 0
Requests/sec.: 14.01489

Fuzzing URL parameters

Parameters in a URL query string are often worth fuzzing: one may let you enumerate content, an id value may be SQL-injectable, and so on. Here the range payload supplies the integers 0 to 10:

wfuzz -z range,0-10 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
Total requests: 11

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=200     97 L         266 W       3830 Ch      "0"
000003:  C=200     99 L         302 W       4442 Ch      "2"
000005:  C=200     97 L         266 W       3830 Ch      "4"
000004:  C=200     97 L         266 W       3830 Ch      "3"
000006:  C=200     97 L         266 W       3830 Ch      "5"
000011:  C=200     97 L         266 W       3830 Ch      "10"
000008:  C=200     97 L         266 W       3830 Ch      "7"
000007:  C=200     97 L         266 W       3830 Ch      "6"
000002:  C=200    102 L         434 W       7011 Ch      "1"
000010:  C=200     97 L         266 W       3830 Ch      "9"
000009:  C=200     97 L         266 W       3830 Ch      "8"

Total time: 5.513400
Processed Requests: 11
Filtered Requests: 0
Requests/sec.: 1.995139

Some of the results stand out from the rest: cat=1 and cat=2 return a different number of lines, words and characters than every other value. Responses that differ are the places worth a closer look, because they are where the application actually does something with the input.
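The filter rules from the Filters section (--hc/--hh and friends, the BBB baseline token) and the "which response looks different" judgement just made on the output above can both be applied offline to a saved raw result table. The following Python script is an added example written for this page, not part of Wfuzz: it parses lines in the format of Wfuzz's default printer, applies the documented hide/show semantics (how hide and show rules interact is this example's own model), resolves BBB against a chosen baseline result, and reports payloads whose line/word/character signature differs from the majority. parse_results, apply_filters, baseline_from and outliers are names invented here, and the sample tables are constructed from lines shown on this page.

```python
"""Post-process a Wfuzz raw result table offline.

Added example, not Wfuzz's own code: re-implements the documented meaning
of --hc/--hl/--hw/--hh, --sc/--sl/--sw/--sh and the BBB baseline token over
result lines pasted from Wfuzz's default output, plus an "odd one out" check.
"""
import re
from collections import Counter

# One result line of Wfuzz's raw printer, e.g.
#   000006:  C=404      7 L          12 W        162 Ch      "/bbs"
LINE_RE = re.compile(
    r'^\s*(?P<id>\d+):\s+C=(?P<code>\d+)\s+(?P<lines>\d+) L\s+'
    r'(?P<words>\d+) W\s+(?P<chars>\d+) Ch\s+"(?P<payload>.*)"\s*$'
)

def parse_results(text):
    """Turn pasted Wfuzz table lines into dicts; non-matching lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            for k in ("id", "code", "lines", "words", "chars"):
                r[k] = int(r[k])
            results.append(r)
    return results

def _resolve(values, field, baseline):
    """Expand the BBB token to the baseline result's value for that field."""
    out = set()
    for v in values:
        if v == "BBB":
            if baseline is None:
                raise ValueError("BBB used without a baseline result")
            out.add(baseline[field])
        else:
            out.add(int(v))
    return out

def apply_filters(results, baseline=None, hc=(), hl=(), hw=(), hh=(),
                  sc=(), sl=(), sw=(), sh=()):
    """Model of Wfuzz filtering (assumption): a result is shown only if no hide
    rule matches it and, when any show rule is given, at least one show rule
    matches. Values may be ints or the string "BBB"."""
    fields = {"code": (hc, sc), "lines": (hl, sl), "words": (hw, sw), "chars": (hh, sh)}
    hide = {f: _resolve(h, f, baseline) for f, (h, _) in fields.items()}
    show = {f: _resolve(s, f, baseline) for f, (_, s) in fields.items()}
    any_show = any(show.values())
    kept = []
    for r in results:
        if any(r[f] in hide[f] for f in fields):
            continue
        if any_show and not any(r[f] in show[f] for f in fields):
            continue
        kept.append(r)
    return kept

def baseline_from(results, payload):
    """Pick the result whose payload is the FUZZ{baseline} value."""
    for r in results:
        if r["payload"] == payload:
            return r
    raise ValueError("no result for baseline payload %r" % payload)

def outliers(results):
    """Payloads whose (lines, words, chars) signature differs from the most
    common one: the manual check used when fuzzing a query parameter."""
    sig = lambda r: (r["lines"], r["words"], r["chars"])
    common, _ = Counter(sig(r) for r in results).most_common(1)[0]
    return [r["payload"] for r in results if sig(r) != common]

# Constructed samples: lines copied from the runs shown on this page.
SAMPLE_DIR_SCAN = """
000001:  C=404      7 L          12 W        162 Ch      "/dede"
000002:  C=301      7 L          12 W        178 Ch      "/admin"
000006:  C=404      7 L          12 W        162 Ch      "/bbs"
000021:  C=302      0 L           0 W          0 Ch      "/admin/"
000049:  C=200    757 L        2511 W      46823 Ch      ""
"""

SAMPLE_PARAM_SCAN = """
000001:  C=200     97 L         266 W       3830 Ch      "0"
000002:  C=200    102 L         434 W       7011 Ch      "1"
000003:  C=200     99 L         302 W       4442 Ch      "2"
000004:  C=200     97 L         266 W       3830 Ch      "3"
000005:  C=200     97 L         266 W       3830 Ch      "4"
"""

if __name__ == "__main__":
    res = parse_results(SAMPLE_DIR_SCAN)
    base = baseline_from(res, "/dede")                       # what FUZZ{dede} selects
    for r in apply_filters(res, baseline=base, hh=["BBB"]):  # the --hh BBB run
        print(r["code"], r["chars"], r["payload"])
    print(outliers(parse_results(SAMPLE_PARAM_SCAN)))        # the cat= run: ['1', '2']
```

Running the script hides /dede and /bbs (both 162 characters, like the baseline) and keeps /admin, /admin/ and the empty payload; on the parameter scan it singles out cat=1 and cat=2. The same functions work on a file saved with -f ...,raw.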

Fuzzing POST requests

This is most often used to brute-force admin logins.

Here the login form posts two fields and has no CAPTCHA, so the uname and pass fields can be brute-forced with one wordlist each:

$ wfuzz -w ~/Desktop/user.txt -w ~/Desktop/pass.txt -d "uname=FUZZ&pass=FUZ2Z" http://testphp.vulnweb.com/userinfo.php

With two payloads every user/password combination is tried (the product iterator); hide the failed-login responses with --hc/--hh or a baseline so that only the successful pair is left. In this run the username test with password test was recovered.

It is not limited to admin logins: the same approach works for any scenario without rate limiting, such as unlimited verification-code attempts. Use it with care.

Fuzzing with cookies

When fuzzing paths, some directories check whether the user is logged in; to keep fuzzing behind them you must supply a cookie. In Wfuzz that is the -b option, which can be repeated for several cookies:

wfuzz -c -w word.txt -b cookie1=xxx -b cookie2=xxx http://testphp.vulnweb.com/FUZZ

Each request then carries the header Cookie: cookie1=xxx; cookie2=xxx

For example, http://testphp.vulnweb.com/userinfo.php answers with a 302 redirect when there is no login session, which makes the fuzz results unreliable.

With the cookie added:

wfuzz -c -w word.txt -b login=test%2ftest http://testphp.vulnweb.com/FUZZ

Fuzzing with custom headers

If the target restricts the User-Agent, or has an injection point in X-Forwarded-For (XFF), you need to control the request headers; -H sets one:

$ wfuzz -w word.txt -H "user-agent:aaa" http://testphp.vulnweb.com/FUZZ

The HTTP request sent:

> GET / HTTP/1.1
> Host: testphp.vulnweb.com
> Accept: */*
> user-agent:aaa
> 
< HTTP/1.1 200 OK
< Server: nginx/1.4.1
< Date: Mon, 12 Jan 1970 00:18:19 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2

The header value itself can be fuzzed from a wordlist as well; here FUZZ sits in the header rather than in the URL:

$ wfuzz -w word.txt -H "user-agent:FUZZ" http://testphp.vulnweb.com

Fuzzing HTTP methods

The classic example is writing files to IIS with PUT. The use case is discovering which HTTP methods the web server accepts; -X sets the method, and FUZZ can be used as its value:

wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/

Add PUT and DELETE to the list if you actually want to test for write access, since the list above does not include the methods that modify resources.

Using a proxy

To send the fuzz traffic through a proxy use -p with the proxy address. SOCKS4 and SOCKS5 are supported, and several proxies can be given by repeating -p (requests are then spread across them).

HTTP proxy (the default type):

$ wfuzz -w word.txt -p localhost:8000 http://testphp.vulnweb.com

SOCKS4 / SOCKS5:

$ wfuzz -w word.txt -p localhost:8000:SOCKS4 http://testphp.vulnweb.com

$ wfuzz -w word.txt -p localhost:8000:SOCKS5 http://testphp.vulnweb.com

HTTP basic authentication

Some sites pop up a username/password dialog; once filled in, the browser resends the request with an extra header line, Authorization: Basic <base64 of user:pass>. Wfuzz can brute-force these credentials with --basic (--ntlm and --digest work the same way); here a single list supplies both the user and the password:

$ wfuzz -z list,nonvalid-httpwatch --basic FUZZ:FUZZ https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx

Recursive fuzzing

-R N sets the maximum recursion depth: every directory that is found is fuzzed again with the same wordlist, up to N levels deep.

This is useful for checking whether a known directory contains the same directories again.

For example, to check whether admin itself contains an admin directory, use depth 1:

m4p1e@ubuntu:~/Desktop$  wfuzz -z list,"admin-index"  -R1 http://testphp.vulnweb.com/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 2

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=301      7 L          12 W        184 Ch      "admin"
 |_  Enqueued response for recursion (level=1)
000004:  C=404      7 L          12 W        168 Ch      "admin - index"
000003:  C=404      7 L          12 W        168 Ch      "admin - admin"
000002:  C=404      7 L          12 W        168 Ch      "index"

Total time: 3.594329
Processed Requests: 4
Filtered Requests: 0
Requests/sec.: 1.112863
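To make the recursion rule concrete, here is an added Python model of what -R does; it is not Wfuzz's code. The assumption it makes, taken from the run above (the 301 for admin was enqueued, the 404 for index was not), is that a 3xx response marks a directory that is fuzzed one level deeper with the same wordlist. FAKE_SITE, fake_request, is_directory and recursive_fuzz are names invented for this example, and the site map is constructed.

```python
"""Depth-limited recursive directory discovery, the way `-R depth` behaves.

Added example, not Wfuzz's own code. Assumption: a 3xx response to a payload
means "directory", and directories are re-fuzzed one level deeper.
"""
from collections import deque

# Constructed stand-in for the target: path -> status code.
# Anything not listed answers 404, like the run above.
FAKE_SITE = {
    "admin": 301,
    "admin/backup": 301,
}

def fake_request(path):
    """Pretend to send GET /<path> and return the status code."""
    return FAKE_SITE.get(path, 404)

def is_directory(code):
    """Assumption modelled on the run above: a redirect marks a directory."""
    return 300 <= code < 400

def recursive_fuzz(wordlist, max_depth, request=fake_request):
    """Breadth-first: each hit that looks like a directory is queued as
    '<path>/FUZZ' until max_depth levels have been explored.
    Returns [(path, code, level), ...] in request order, so len() is the
    number of requests the scan costs."""
    results = []
    queue = deque([("", 0)])          # (prefix to put before FUZZ, recursion level)
    while queue:
        prefix, level = queue.popleft()
        for word in wordlist:
            path = prefix + word
            code = request(path)
            results.append((path, code, level))
            if level < max_depth and is_directory(code):
                queue.append((path + "/", level + 1))
    return results

if __name__ == "__main__":
    # Same wordlist and depth as `-z list,"admin-index" -R1` above: 4 requests.
    for path, code, level in recursive_fuzz(["admin", "index"], max_depth=1):
        print("%s%s  C=%d" % ("  " * level, path, code))
```

Each directory found multiplies the remaining work by the wordlist size, which is why -R with a large wordlist quickly becomes expensive and why the discovery blacklist in wfuzz.ini (see the advanced section) skips static-file extensions.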

Concurrency

If the target sits behind a WAF, too many concurrent requests will get you blocked. -t sets the number of concurrent connections (10 by default) and -s adds a delay in seconds between requests.

Output

Wfuzz can write results to a file in several formats; this is handled by plugins called "printers".

List the supported formats with wfuzz -e printers:

m4p1e@ubuntu:~/Desktop$ wfuzz -e printers



Available printers:

  Name      | Summary                             
--------------------------------------------------
  csv       | CSV printer ftw                     
  html      | Prints results in html format       
  json      | Results in json format              
  magictree | Prints results in magictree format  
  raw       | Raw output format     

-f names the output file and, after a comma, the printer to write it with; -o selects the printer for the console output:

wfuzz -f /tmp/outfile,json -w word.txt http://testphp.vulnweb.com/FUZZ

wfuzz -w word.txt -o csv http://testphp.vulnweb.com/FUZZ

0x4 Advanced

Wfuzz global configuration

m4p1e@ubuntu:~/.wfuzz$ cat wfuzz.ini 
[plugins]
bing_apikey =   # API key for the bing payload

[kbase]
discovery.blacklist = .svg-.css-.js-.jpg-.gif-.png-.jpeg-.mov-.avi-.flv-.ico # extensions skipped during directory discovery

# connection settings
[connection]
concurrent = 10
conn_delay = 90
req_delay = 90
retries = 3
user-agent = Wfuzz/2.3.4

[general]
default_printer = raw
cancel_on_plugin_except = 0
concurrent_plugins = 3
lookup_dirs = .     # directories in which Wfuzz looks for wordlists, so full paths need not be given on the command line
encode_space = 1

Note that the default User-Agent identifies the tool; change it here or with -H when the target filters on it.

Iterators: combining payloads

The -m option chooses how several payloads are combined; this is provided by iterators.

m4p1e@ubuntu:~$ wfuzz -e iterators

Available iterators:

  Name    | Summary                                                                           
----------------------------------------------------------------------------------------------
  chain   | Returns an iterator returns elements from the first iterable until it is exhaust  
          | ed, then proceeds to the next iterable, until all of the iterables are exhausted  
          | .  # yields every element of the first payload, then every element of the next, until all are exhausted
  product | Returns an iterator cartesian product of input iterables. # cartesian product of the payloads (the default)
  zip     | Returns an iterator that aggregates elements from each of the iterables.          # pairs the n-th element of each payload together

Three iterators are provided by default. With the two three-element lists used below, chain yields 3 + 3 = 6 single-value requests, zip pairs the lists element by element for 3 requests, and product tries every combination for 3 × 3 = 9 requests.

chain:

m4p1e@ubuntu:~$ wfuzz -z list,1-2-3 -z list,a-b-c -m chain http://testphp.vulnweb.com/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 6

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000003:  C=404      7 L          12 W        168 Ch      "3"
000006:  C=404      7 L          12 W        168 Ch      "c"
000004:  C=404      7 L          12 W        168 Ch      "a"
000002:  C=404      7 L          12 W        168 Ch      "2"
000005:  C=404      7 L          12 W        168 Ch      "b"
000001:  C=404      7 L          12 W        168 Ch      "1"

Total time: 3.590526
Processed Requests: 6
Filtered Requests: 0
Requests/sec.: 1.671063

zip:

m4p1e@ubuntu:~$ wfuzz -z list,1-2-3 -z list,a-b-c -m zip http://testphp.vulnweb.com/FUZZ/FUZ2Z

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ/FUZ2Z
Total requests: 3

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000003:  C=404      7 L          12 W        168 Ch      "3 - c"
000001:  C=404      7 L          12 W        168 Ch      "1 - a"
000002:  C=404      7 L          12 W        168 Ch      "2 - b"

Total time: 21.48169
Processed Requests: 3
Filtered Requests: 0
Requests/sec.: 0.139653

product:

m4p1e@ubuntu:~$ wfuzz -z list,1-2-3 -z list,a-b-c -m product http://testphp.vulnweb.com/FUZZ/FUZ2Z

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ/FUZ2Z
Total requests: 9

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000002:  C=404      7 L          12 W        168 Ch      "1 - b"
000007:  C=404      7 L          12 W        168 Ch      "3 - a"
000004:  C=404      7 L          12 W        168 Ch      "2 - a"
000008:  C=404      7 L          12 W        168 Ch      "3 - b"
000003:  C=404      7 L          12 W        168 Ch      "1 - c"
000006:  C=404      7 L          12 W        168 Ch      "2 - c"
000009:  C=404      7 L          12 W        168 Ch      "3 - c"
000005:  C=404      7 L          12 W        168 Ch      "2 - b"
000001:  C=404      7 L          12 W        168 Ch      "1 - a"

Total time: 3.395069
Processed Requests: 9
Filtered Requests: 0
Requests/sec.: 2.650903
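The three iterators map directly onto Python's itertools. The script below is an added example (not Wfuzz's own code) that reproduces the request counts of the three runs above, 6, 3 and 9, by combining the same two lists and substituting the results into a template containing FUZZ and FUZ2Z; it also shows that the same substitution serves a POST body such as the uname=FUZZ&pass=FUZ2Z template used earlier. build_requests and its helpers are this example's own names.

```python
"""How Wfuzz combines several payloads (-m chain|zip|product) and substitutes
FUZZ, FUZ2Z, ... into the request template.

Added example, not Wfuzz's own code. The combination rules follow the iterator
descriptions printed by `wfuzz -e iterators`.
"""
import itertools
import re

KEYWORD_RE = re.compile(r"FUZ(\d*)Z")   # FUZZ -> index 1, FUZ2Z -> 2, FUZ3Z -> 3 ...

def _combine(payloads, iterator):
    """Yield tuples of payload values according to the chosen iterator."""
    if iterator == "product":
        # Cartesian product: every value of the first payload with every value
        # of the second (Wfuzz's default when several payloads are given).
        return itertools.product(*payloads)
    if iterator == "zip":
        # Element-wise pairing: stops at the shortest payload.
        return zip(*payloads)
    if iterator == "chain":
        # Concatenation: one payload after another, each value on its own.
        return ((v,) for v in itertools.chain(*payloads))
    raise ValueError("unknown iterator %r" % iterator)

def _substitute(template, values):
    """Replace FUZZ/FUZnZ with the n-th value of the tuple."""
    def repl(m):
        idx = int(m.group(1) or 1)
        if idx > len(values):
            raise ValueError("template needs %d payload values, got %d" % (idx, len(values)))
        return values[idx - 1]
    return KEYWORD_RE.sub(repl, template)

def build_requests(template, payloads, iterator="product"):
    """Return the concrete strings (URLs, POST bodies, header values) that would
    be sent for this template and payload combination, in generation order."""
    return [_substitute(template, tuple(vals)) for vals in _combine(payloads, iterator)]

if __name__ == "__main__":
    # Constructed inputs mirroring `-z list,1-2-3 -z list,a-b-c` on this page.
    p = [["1", "2", "3"], ["a", "b", "c"]]
    print(len(build_requests("http://testphp.vulnweb.com/FUZZ", p, "chain")))          # 6
    print(build_requests("http://testphp.vulnweb.com/FUZZ/FUZ2Z", p, "zip"))           # 3 URLs
    print(len(build_requests("http://testphp.vulnweb.com/FUZZ/FUZ2Z", p, "product")))  # 9
    # The same substitution applies to POST data (`-d "uname=FUZZ&pass=FUZ2Z"`).
    print(build_requests("uname=FUZZ&pass=FUZ2Z", [["admin", "test"], ["test"]]))
```

Note that chain produces one value per request, so a template that also contains FUZ2Z cannot be filled from it; the model raises in that case rather than sending a half-substituted request.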

Encoders

In Wfuzz an encoder transforms a payload from one representation into another. wfuzz -e encoders lists the available encoders, which include the usual formats such as base64, md5, html and sha1:

Available encoders:

  Category      | Name              | Summary                                                                           
------------------------------------------------------------------------------------------------------------------------
  hashes        | base64            | Encodes the given string using base64                                             
  url           | doble_nibble_hex  | Replaces ALL characters in string using the %%dd%dd escape                        
  url_safe, url | double urlencode  | Applies a double encode to special characters in string using the %25xx escape.   
                |                   | Letters, digits, and the characters '_.-' are never quoted.                       
  url           | first_nibble_hex  | Replaces ALL characters in string using the %%dd? escape                          
  default       | hexlify           | Every byte of data is converted into the corresponding 2-digit hex representatio  
                |                   | n.                                                                                
  html          | html_decimal      | Replaces ALL characters in string using the &#dd; escape                          
  html          | html_escape       | Convert the characters &<>" in string to HTML-safe sequences.                     
  html          | html_hexadecimal  | Replaces ALL characters in string using the &#xx; escape                          
  hashes        | md5               | Applies a md5 hash to the given string                                            
  db            | mssql_char        | Converts ALL characters to MsSQL's char(xx)                                       
  db            | mysql_char        | Converts ALL characters to MySQL's char(xx)                                       
  default       | none              | Returns string without changes                                                    
  db            | oracle_char       | Converts ALL characters to Oracle's chr(xx)                                       
  default       | random_upper      | Replaces random characters in string with its capitals letters                    
  url           | second_nibble_hex | Replaces ALL characters in string using the %?%dd escape                          
  hashes        | sha1              | Applies a sha1 hash to the given string                                           
  url           | uri_double_hex    | Encodes ALL charachers using the %25xx escape.                                    
  url           | uri_hex           | Encodes ALL charachers using the %xx escape.                                      
  url           | uri_triple_hex    | Encodes ALL charachers using the %25%xx%xx escape.                                
  url           | uri_unicode       | Replaces ALL characters in string using the %u00xx escape                         
  url_safe, url | urlencode         | Replace special characters in string using the %xx escape. Letters, digits, and   
                |                   | the characters '_.-' are never quoted.                                            
  url           | utf8              | Replaces ALL characters in string using the \u00xx escape                         
  url           | utf8_binary       | Replaces ALL characters in string using the \uxx escape                           

Choosing an encoder

There are two equivalent ways to attach an encoder to a payload:

(1):

wfuzz -z file --zP fn=word.txt,encoder=md5 http://testphp.vulnweb.com/FUZZ

(2):

wfuzz -z file,word.txt,md5 http://testphp.vulnweb.com/FUZZ

Both produce the same requests.

Several encoders can be attached with the - or @ separator. With -, each encoder is applied on its own, so every payload value is sent once per encoder (3 values × 2 encoders = 6 requests below). With @, the encoders are chained and each value passes through all of them, so the request count stays at 3:

-:

m4p1e@ubuntu:~$ wfuzz -z list,1-2-3,md5-sha1  http://testphp.vulnweb.com/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 6

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=404      7 L          12 W        168 Ch      "c4ca4238a0b923820dcc509a6f75849b"
000003:  C=404      7 L          12 W        168 Ch      "c81e728d9d4c2f636f067f89cc14862c"
000004:  C=404      7 L          12 W        168 Ch      "da4b9237bacccdf19c0760cab7aec4a8359010b0"
000006:  C=404      7 L          12 W        168 Ch      "77de68daecd823babbb58edb1c8e14d7106e83bb"
000002:  C=404      7 L          12 W        168 Ch      "356a192b7913b04c54574d18c28d46e6395428ab"
000005:  C=404      7 L          12 W        168 Ch      "eccbc87e4b5ce2fe28308fd9f2a7baf3"

Total time: 6.548747
Processed Requests: 6
Filtered Requests: 0
Requests/sec.: 0.916205

@

m4p1e@ubuntu:~$ wfuzz -z list,1-2-3,md5@sha1  http://testphp.vulnweb.com/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 3

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000003:  C=404      7 L          12 W        168 Ch      "a36abd601b784b2ece294786ee83e834"
000001:  C=404      7 L          12 W        168 Ch      "7055eced15538bfb7c07f8a5b28fc5d0"
000002:  C=404      7 L          12 W        168 Ch      "dca1117a4a9933499a4a870b4190065a"

Total time: 3.510787
Processed Requests: 3
Filtered Requests: 0
Requests/sec.: 0.854509

The two outputs show the difference. With -, every dictionary entry is sent once per encoder: md5-sha1 sends the three payloads md5-hashed and again sha1-hashed, 6 requests in total. With @, the encoders are chained and each entry is sent once: md5@sha1 produced 3 requests, and because every result above is 32 hex characters, md5 was the last encoder applied, i.e. the payload went through sha1 first and its digest was then md5-hashed.

Encoders are grouped into categories, shown in the first column of the encoder list, and a category name can be used in place of an encoder name. Every encoder in the category is then applied, each producing its own request: with hashes, each payload is sent base64-encoded (MQ== is base64 of "1"), md5-hashed and sha1-hashed, 9 requests for three payloads:

m4p1e@ubuntu:~$ wfuzz -z list,1-2-3,hashes  http://testphp.vulnweb.com/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 3

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000002:  C=404      7 L          12 W        168 Ch      "c4ca4238a0b923820dcc509a6f75849b"
000001:  C=404      7 L          12 W        168 Ch      "MQ=="
000003:  C=404      7 L          12 W        168 Ch      "356a192b7913b04c54574d18c28d46e6395428ab"
000008:  C=404      7 L          12 W        168 Ch      "eccbc87e4b5ce2fe28308fd9f2a7baf3"
000007:  C=404      7 L          12 W        168 Ch      "Mw=="
000009:  C=404      7 L          12 W        168 Ch      "77de68daecd823babbb58edb1c8e14d7106e83bb"
000006:  C=404      7 L          12 W        168 Ch      "da4b9237bacccdf19c0760cab7aec4a8359010b0"
000005:  C=404      7 L          12 W        168 Ch      "c81e728d9d4c2f636f067f89cc14862c"
000004:  C=404      7 L          12 W        168 Ch      "Mg=="

Total time: 6.398216
Processed Requests: 9
Filtered Requests: 0
Requests/sec.: 1.406642
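To make the -, @ and category rules above concrete, here is an added example (not code from the original post, nor from wfuzz itself) that expands an encoder spec into the requests wfuzz would send. Its assumptions are inferred from the outputs above rather than from wfuzz's source: - separates alternatives, @ chains encoders right to left (the md5@sha1 results are 32 hex characters, so md5 ran last), and the hashes category contains base64, md5 and sha1. Only a handful of the encoders in the table are modelled.

```python
# Added example (not code from the original post nor from wfuzz): reproduce
# how an encoder spec on -z expands into the requests wfuzz sends.
# Assumptions, taken from the outputs above rather than wfuzz's source:
#   '-' separates alternatives, one request per encoder;
#   '@' chains encoders, right-most first (the md5@sha1 results are 32 hex
#       characters, so md5 ran last);
#   a bare category name expands to every encoder in that category, and the
#   'hashes' category contains base64, md5 and sha1 (MQ== is base64 of "1").
import base64
import hashlib
from urllib.parse import quote

# Minimal registry: encoder name -> (category, function). Only a few of the
# encoders listed above are modelled here.
ENCODERS = {
    "none": ("default", lambda s: s),
    "base64": ("hashes", lambda s: base64.b64encode(s.encode()).decode()),
    "md5": ("hashes", lambda s: hashlib.md5(s.encode()).hexdigest()),
    "sha1": ("hashes", lambda s: hashlib.sha1(s.encode()).hexdigest()),
    "urlencode": ("url", lambda s: quote(s, safe="_.-")),
}


def expand_spec(spec):
    """Turn an encoder spec into a list of chains (each chain = one request):
       'md5-sha1' -> [['md5'], ['sha1']]
       'md5@sha1' -> [['md5', 'sha1']]
       'hashes'   -> [['base64'], ['md5'], ['sha1']]"""
    chains = []
    for alternative in spec.split("-"):
        names = alternative.split("@")
        if len(names) == 1 and names[0] not in ENCODERS:
            # Not an encoder name: treat it as a category and expand it.
            members = sorted(n for n, (cat, _) in ENCODERS.items() if cat == names[0])
            if not members:
                raise ValueError("unknown encoder or category: %r" % names[0])
            chains.extend([m] for m in members)
        else:
            unknown = [n for n in names if n not in ENCODERS]
            if unknown:
                raise ValueError("unknown encoder(s) in chain: %r" % unknown)
            chains.append(names)
    return chains


def apply_chain(chain, value):
    """Apply a '@' chain right to left: ['md5', 'sha1'] gives md5(sha1(value))."""
    for name in reversed(chain):
        value = ENCODERS[name][1](value)
    return value


def encoded_requests(payloads, spec):
    """(payload, chain, encoded payload) for every request wfuzz would send."""
    return [(p, "@".join(chain), apply_chain(chain, p))
            for p in payloads for chain in expand_spec(spec)]


if __name__ == "__main__":
    for spec in ("md5-sha1", "md5@sha1", "hashes"):
        reqs = encoded_requests(["1", "2", "3"], spec)
        print("%-8s -> %d requests" % (spec, len(reqs)))
        for payload, chain, enc in reqs:
            print("   %s via %-10s %s" % (payload, chain, enc))
```

Running it prints 6, 3 and 9 requests for the three specs, matching the "Total requests" lines above, and the md5, sha1 and base64 values for 1, 2 and 3 are the same strings that appear in the wfuzz output.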

Scan and parse plugins

Wfuzz is more than a web content scanner: its plugins can also find and exploit web application vulnerabilities.

The available scripts are listed with wfuzz -e scripts, much like NMAP's script listing:

Available scripts:

  Category                      | Name          | Summary                                              
-------------------------------------------------------------------------------------------------------
  default, active, discovery    | sitemap       | Parses sitemap.xml file                              
  active, discovery             | links         | Parses HTML looking for new content.                 
  verbose, passive              | cookies       | Looks for new cookies                                
  default, active, discovery    | svn_extractor | Parses .svn/entries file.                            
  default, passive              | listing       | Looks for directory listing vulnerabilities          
  verbose, passive              | title         | Parses HTML page title                               
  default, active, discovery    | cvs_extractor | Parses CVS/Entries file.                             
  verbose, passive              | headers       | Looks for server headers                             
  tools                         | grep          | HTTP response grep                                   
  default, active, discovery    | wc_extractor  | Parses subversion's wc.db file.                      
  tools, active                 | screenshot    | Performs a screen capture using linux cutycapt tool  
  re-enqueue, active, discovery | backups       | Looks for known backup filenames.                    
  default, active, discovery    | robots        | Parses robots.txt looking for new content.           
  default, passive              | errors        | Looks for error messages                             

Scripts are grouped by category, and one script can belong to several categories.

The two main categories:

passive: passive scripts analyse requests and responses that have already been made and never send new requests.

active: active scripts send new requests to the application to probe for vulnerabilities on the target.

Other categories:

discovery: scripts that help crawl the site by automatically feeding the content they discover back into wfuzz's request queue.

default: the plugins that run when no specific selection is made.

Scan mode is enabled with the --script option followed by the selected plugins. Plugins can be chosen by category or by name, and wildcards are accepted.

-A is an alias for --script=default, and --script-help=<name> prints the details of a script.

For example, to look at the robots script:

m4p1e@ubuntu:~$ wfuzz --script-help=robots


Name: robots 0.1
Categories: default,active,discovery
Summary: Parses robots.txt looking for new content.
Author: Xavi Mendez (@xmendez)
Description:
   Parses robots.txt looking for new content.
Parameters:

This script parses robots.txt and queues the paths it finds as new requests:

m4p1e@ubuntu:~$ wfuzz --script=robots -z list,robots.txt http://www.webscantest.com/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://www.webscantest.com/FUZZ
Total requests: 1

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=200      6 L          10 W        101 Ch      "robots.txt"
 |_  Plugin robots enqueued 4 more requests (rlevel=1)
000004:  C=200     40 L         123 W       1611 Ch      "/crawlsnags/"
000002:  C=200     40 L         117 W       1528 Ch      "/osrun/"
000003:  C=200     55 L         132 W       1849 Ch      "/cal_endar/"
000005:  C=200     85 L         197 W       3486 Ch      "/static/"

Total time: 6.826601
Processed Requests: 5 (1 + 4)
Filtered Requests: 0
Requests/sec.: 0.732428
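The "Plugin robots enqueued 4 more requests" line above is the discovery mechanism at work: the plugin read robots.txt and turned its entries into new requests. The following is an added example, not the code of wfuzz's robots plugin, that performs the same parsing step offline on a constructed robots.txt so the result can be inspected without sending a request. The sample text is made up for this example; its four directory names echo the paths the plugin enqueued against http://www.webscantest.com/ above, and the remaining lines exercise the edge cases a parser has to handle (comments, duplicates, empty rules, wildcards, off-host sitemaps).

```python
# Added example (not the code of wfuzz's robots plugin): the parsing step
# that plugin performs, run offline on a constructed robots.txt so the
# result can be inspected without sending a request. The sample text below
# is made up for this example; the four directory names echo the paths the
# plugin enqueued against http://www.webscantest.com/ above, nothing more.
from urllib.parse import urljoin, urlparse

SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /osrun/
Disallow: /cal_endar/
Disallow: /crawlsnags/
Allow: /static/
Disallow: /static/           # repeated path: queued only once
Disallow:                    # empty value allows everything: nothing to queue
Disallow: /private*          # wildcard: the fixed prefix is still worth a look
Sitemap: http://www.webscantest.com/sitemap.xml
Sitemap: http://cdn.example.invalid/sitemap.xml
"""

# Directives whose value names content on the server.
DIRECTIVES = ("disallow", "allow", "sitemap")


def parse_robots(text, base_url):
    """Return the ordered, de-duplicated absolute URLs a robots.txt reveals.

    Allow/Disallow values are resolved against base_url; Sitemap values are
    already absolute. Patterns are cut at the first '*' or '$', and anything
    that points at another host is dropped so the scan stays in scope."""
    host = urlparse(base_url).netloc
    seen, urls = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or key not in DIRECTIVES or not value:
            continue
        if key == "sitemap":
            url = value
        else:
            prefix = value.split("*", 1)[0].split("$", 1)[0]
            if not prefix:
                continue
            url = urljoin(base_url, prefix)
        if urlparse(url).netloc != host or url in seen:
            continue
        seen.add(url)
        urls.append(url)
    return urls


if __name__ == "__main__":
    for url in parse_robots(SAMPLE_ROBOTS, "http://www.webscantest.com/"):
        print(url)
```

Run against the sample it yields six URLs on the target host: the four directories, the wildcard prefix /private and the sitemap; the duplicate, the empty rule and the sitemap hosted elsewhere are dropped. Everything the function returns is a candidate for the request queue, which is exactly what the discovery plugins hand back to wfuzz.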

Custom scripts

Users can write their own scripts. They must be placed in a directory named scripts under the .wfuzz directory in the user's home directory, i.e. ~/.wfuzz/scripts.

Saving a command as a recipe

wfuzz can save the options of a command to a file (a "recipe") so that it can be re-run or shared later.

(1) Creating a recipe:

wfuzz --script=robots -z list,robots.txt --dump-recipe /tmp/recipe http://www.webscantest.com/FUZZ

The key option is --dump-recipe followed by the output path (here /tmp/recipe). The command's options are written to that file, which is overwritten on every run; as the output below shows, no requests are sent when a recipe is dumped.

m4p1e@ubuntu:~$ wfuzz --script=robots -z list,robots.txt --dump-recipe /tmp/recipe http://www.webscantest.com/FUZZ



********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
*                                                      *
* Version up to 1.4c coded by:                         *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com)                   *
*                                                      *
* Version 1.4d to 2.3.4 coded by:                      *
* Xavier Mendez (xmendez@edge-security.com)            *
********************************************************

Recipe written to /tmp/recipe.

(2) Running a saved recipe:

wfuzz --recipe /tmp/recipe

m4p1e@ubuntu:~$ wfuzz --recipe /tmp/recipe


********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://www.webscantest.com/FUZZ
Total requests: 1

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=200      6 L          10 W        101 Ch      "robots.txt"
 |_  Plugin robots enqueued 4 more requests (rlevel=1)
000005:  C=200     85 L         197 W       3486 Ch      "/static/"
000002:  C=200     40 L         117 W       1528 Ch      "/osrun/"
000004:  C=200     40 L         123 W       1611 Ch      "/crawlsnags/"
000003:  C=200     55 L         132 W       1849 Ch      "/cal_endar/"

Total time: 7.022261
Processed Requests: 5 (1 + 4)
Filtered Requests: 0
Requests/sec.: 0.712021

When a recipe is run, additional command-line options can be combined with it.

Scan mode: ignoring exceptions and errors

If a network problem occurs (DNS failure, connection refused, and so on), wfuzz raises an exception and stops.

The -Z option makes wfuzz ignore such errors and keep scanning.

Requests that failed this way are reported with the status code XXX, so a filter can be used to hide them.

In scan mode, requests that run into network errors or time-outs take longer to complete; the limits are tuned with the --req-delay and --conn-delay options.

Filter language

Wfuzz's filter language is built with pyparsing, which must be installed before the --filter, --prefilter and --slice options can be used.

Filter expressions are built from the following symbols and operators:

  • Boolean operators

"and", "or" and "not" combine conditions.

  • Comparison operators

=, !=, <, >, >= and <= compare values. In addition, the following text-matching operators are available:

  Operator | Description
  =~       | True when the given regular expression matches the value.
  ~        | Equivalent to Python's "str2" in "str1" (case insensitive).
  !~       | Equivalent to Python's "str2" not in "str1" (case insensitive).

The rest of the language (result fields, payload and request introspection, and so on) is described at https://wfuzz.readthedocs.io/en/latest/user/advanced.html#filter-language and is not repeated here.

Filtering results

The --filter option, combined with the filter language described above, sorts results in more complex ways than the standard hide/show filters:

wfuzz -z range,0-10 --filter "c=200 and l>97" http://testphp.vulnweb.com/listproducts.php?cat=FUZZ

Here --filter keeps only the results with status code 200 and more than 97 lines.

--filter can also keep only the results whose body contains a given string, here the payload itself (FUZZ):

m4p1e@ubuntu:~$  wfuzz -z list,echoedback -d searchFor=FUZZ --filter "content~FUZZ" http://testphp.vulnweb.com/search.php?test=query

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://testphp.vulnweb.com/search.php?test=query
Total requests: 1

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=200     98 L         275 W       3911 Ch      "echoedback"

Total time: 10.85256
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 0.092144

The command above keeps only results whose content contains echoedback, the payload that was sent, which is a quick way to spot reflected input.
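As an added example that is not part of the original post or of wfuzz, the following Python evaluator implements the subset of the filter language used above (the fields c, l, w, content and url; the comparison and text-matching operators; and/or/not with parentheses; and the FUZZ keyword resolved to each result's payload, as in the content~FUZZ command), so a filter can be tried against results before a real run. It is not wfuzz's own pyparsing grammar, and the result records are constructed for the example, not captured from a scan.

```python
# Added example: a small evaluator for the subset of wfuzz's filter language
# used on this page. It is not wfuzz's own pyparsing grammar; the fields and
# operators follow the description above, and FUZZ is resolved to each
# result's payload, as in the "content~FUZZ" command. Results are constructed.
import operator
import re

BASE = "http://testphp.vulnweb.com/"
SAMPLE_RESULTS = [dict(zip(("payload", "code", "lines", "words", "url", "content"), row)) for row in (
    ("0", 200, 98, 270, BASE + "listproducts.php?cat=0", "<div>Products</div>"),
    ("1", 200, 104, 300, BASE + "listproducts.php?cat=1", "<div>Products</div>"),
    ("2", 200, 96, 250, BASE + "listproducts.php?cat=2", "<div>Products</div>"),
    ("3", 404, 7, 12, BASE + "listproducts.php?cat=3", "Not found"),
    ("echoedback", 200, 98, 275, BASE + "search.php?test=query", "You searched for: echoedback"),
)]

# Filter field names -> result keys (c, l, w are the columns wfuzz prints).
FIELDS = {"c": "code", "l": "lines", "w": "words", "content": "content", "url": "url"}
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge,
       "=~": lambda left, val: re.search(str(val), str(left)) is not None,
       "~": lambda left, val: str(val).lower() in str(left).lower(),
       "!~": lambda left, val: str(val).lower() not in str(left).lower()}
TOKEN_RE = re.compile(r"""\s*(?:(?P<op>=~|!~|!=|>=|<=|[=<>~()])|(?P<num>\d+)"""
                      r"""|(?P<str>'[^']*'|"[^"]*")|(?P<ident>[A-Za-z_]\w*))""")
FUZZ = object()   # marker for the FUZZ keyword; replaced by the payload per result


def tokenize(expr):
    """Split a filter expression into (kind, value) tokens."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("bad filter near %r" % expr[pos:])
        kind, text = next((k, v) for k, v in m.groupdict().items() if v is not None)
        if kind == "num":
            tokens.append(("num", int(text)))
        elif kind == "str":
            tokens.append(("str", text[1:-1]))
        elif kind == "ident" and text.lower() in ("and", "or", "not"):
            tokens.append(("kw", text.lower()))
        else:
            tokens.append((kind, text))
        pos = m.end()
    return tokens


class Parser:
    # expr(0) = expr(1) ('or' expr(1))*; expr(1) = factor ('and' factor)*;
    # factor = 'not' factor | '(' expr(0) ')' | field OP value
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self, level):
        kw = ("or", "and")[level]
        sub = (lambda: self.expr(1)) if level == 0 else self.factor
        node = sub()
        while self.peek() == ("kw", kw):
            self.take()
            node = (kw, node, sub())
        return node

    def factor(self):
        if self.peek() == ("kw", "not"):
            self.take()
            return ("not", self.factor())
        if self.peek() == ("op", "("):
            self.take()
            node = self.expr(0)
            if self.take() != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        (fk, field), (ok, op), (vk, val) = self.take(), self.take(), self.take()
        if fk != "ident" or field not in FIELDS or ok != "op" or op not in OPS:
            raise ValueError("expected 'field OP value', got %r %r" % (field, op))
        if (vk, val) == ("ident", "FUZZ"):
            val = FUZZ
        elif vk not in ("num", "str"):
            raise ValueError("bad value %r" % (val,))
        return ("cmp", FIELDS[field], op, val)


def evaluate(node, result):
    """Evaluate a parsed filter tree against one result record."""
    if node[0] == "or":
        return evaluate(node[1], result) or evaluate(node[2], result)
    if node[0] == "and":
        return evaluate(node[1], result) and evaluate(node[2], result)
    if node[0] == "not":
        return not evaluate(node[1], result)
    _, field, op, val = node
    left = result[field]
    if val is FUZZ:
        val = result["payload"]
    if isinstance(left, int) and isinstance(val, str) and val.isdigit():
        val = int(val)    # so that c='200' behaves like c=200
    return OPS[op](left, val)


def filter_results(expr, results):
    """Return the results for which the filter expression is true."""
    p = Parser(expr)
    tree = p.expr(0)
    if p.peek() != (None, None):
        raise ValueError("unexpected token %r" % (p.peek(),))
    return [r for r in results if evaluate(tree, r)]
```

With the constructed records, filter_results("c=200 and l>97", SAMPLE_RESULTS) keeps payloads 0, 1 and echoedback, and filter_results("content~FUZZ", SAMPLE_RESULTS) keeps only echoedback, the one record whose body contains its own payload. An expression with a dangling operator, such as "c=200 and", is rejected rather than silently matching everything, which is the behaviour to want from anything that decides what gets hidden from a scan.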

Reusing previous results

Previously executed HTTP requests and responses contain a lot of data. Wfuzz's payloads and introspection objects (explained in the filter grammar section of the documentation) expose a Python object interface to requests and responses recorded by wfuzz or by other tools.

To reuse earlier results, a payload that produces full FuzzResult objects is needed.

Results are saved with the --oF option:

wfuzz --oF /tmp/session -z range,0-5 http://testphp.vulnweb.com/artists.php?artist=FUZZ

and replayed with the wfuzzp payload:

wfuzz -z wfuzzp,/tmp/session FUZZ

Combining with Burp Suite

To use wfuzz with Burp Suite, enable request logging in Burp under Options -> Misc -> Logging.

The saved log can then be replayed in wfuzz with the burplog payload:

wfuzz -z burplog,a_burp_log.burp FUZZ

A saved Burp state can be queried the same way:

wfuzz -z burpstate,a_burp_state.burp FUZZ

All of these payloads can be combined with the filter options and the filter language.

wfpayload

When no requests should be sent and the goal is only to find particular HTTP requests in recorded data, the wfpayload executable can be used instead of wfuzz.

For example, the following returns the unique HTTP requests that carry an authtoken parameter in the query string:

$ wfpayload -z burplog,a_burp_log.log --slice "params.get~'authtoken' and url.pstrip|u()"

authtoken is the parameter BEA WebLogic Commerce Servers use as a CSRF token, so this finds every request that exposes the CSRF token in the URL.

Reference: the official documentation at https://wfuzz.readthedocs.io/

More details can be found there.

Completed 2019-04-23 22:40. If you find a mistake, please contact the author so it can be corrected.

Last modification:April 23rd, 2019 at 10:43 pm