Hi

I recently open #49 and you advised how to run the method fuzzer from the python library

When running it, i can see it works fine, but the response doesnt contain the error code (it is displayed as 000)

00973: C=000 98 L 240 W 4636 Ch "GET"
00974: C=000 0 L 0 W 0 Ch "HEAD"
00976: C=000 4 L 23 W 178 Ch "TRACE"
00977: C=000 0 L 0 W 0 Ch "OPTIONS"
00975: C=000 4 L 23 W 178 Ch "POST"

Thanks

if can add Verification code identification that is good.....

Hello,

It would be great if the Request output field could follow the provided target format.

Let's say that I would like to fuzz multiple sites through the format URL/blabla/wordlist.
So I use that following command with wfuzz:

$ python wfuzz.py -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z

with:

• url.txt:

  http://google.fr
  https://bing.com
  

• wlist.txt:

  test
  

To date, it gives me that output:

$ python wfuzz.py -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://FUZZ/blabla/FUZ2Z
Total requests: 2

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00000:  C=404     11 L	      72 W	   1572 Ch	  "http://google.fr - test"
00001:  C=301      0 L	       0 W	      0 Ch	  "https://bing.com - test"

The Request field is misleading and does not reflect the provided pattern, it would be better if it can be something like below, in order to ease the use of the results:

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00000:  C=404     11 L	      72 W	   1572 Ch	  "http://google.fr/blabla/test"
00001:  C=301      0 L	       0 W	      0 Ch	  "https://bing.com/blabla/test"

This remark is especially true while using the csv printer:

$ python wfuzz.py -w url.txt -w wlist.txt -o csv FUZZ/blabla/FUZ2Z
id,response,lines,word,chars,request,success
0,404,11,72,1572,http://google.fr - test,1
1,301,0,0,0,https://bing.com - test,1

Cheers !

I have this error with running "C:\wfuzz-2.1.2\wfuzz.py" in windows

Traceback (most recent call last):
File "C:\wfuzz-2.1.2\wfuzz.py", line 6, in
from framework.fuzzer.Fuzzer import Fuzzer
File "C:\wfuzz-2.1.2\framework\fuzzer\Fuzzer.py", line 12, in
from framework.utils.myqueue import MyPriorityQueue
File "C:\wfuzz-2.1.2\framework\utils\myqueue.py", line 1, in
import resource
ImportError: No module named resource

Add an option to continue fuzzing from a specific line in wordlist and / or some kind of pause & resume mechanism.

Hi

Im trying to run wfuzz against my own server where i have a self signed certificate. Im having an error from PyCurl when doing the handshake

Fatal exception: Pycurl error 35: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443

Can a wfuzz parameter be added to avoid ssl verification?

Thanks

Hello back,

Sorry i have another question dealing with wfuzz's behavior.

Here is my commandline:

wfuzz --script=title,backups -o raw --follow --conn-delay 5 --req-delay 5 -Z -z file,/tmp/quickhits.txt --hc 401,403,404,500 https://domain.com/FUZZ

Unfortunately i still see some code that i do not want to output:

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================
00030:  C=403      9 L	      19 W	    284 Ch	  "/.bz2"
  |_ Plugin backups enqueued 5 more requests (rlevel=1)
00032:  C=403      9 L	      19 W	    288 Ch	  "/.c9/"
  |_ Page title: Access Denied
  |_ Plugin backups enqueued 2 more requests (rlevel=1)
00029:  C=403      9 L	      19 W	    287 Ch	  "/.bundle"
  |_ Plugin backups enqueued 23 more requests (rlevel=1)
00028:  C=403      9 L	      19 W	    287 Ch	  "/.builds"
  |_ Plugin backups enqueued 17 more requests (rlevel=1)
00031:  C=403      9 L	      19 W	    295 Ch	  "/.bzr/README"
  |_ Plugin backups enqueued 1 more requests (rlevel=1)
00046:  C=403      9 L	      19 W	    286 Ch	  "/.codio"
  |_ Plugin backups enqueued 8 more requests (rlevel=1)
00001:  C=403      9 L	      19 W	    295 Ch	  "/!.gitignore"
  |_ Plugin backups enqueued 7 more requests (rlevel=1)

I am missing something? Thanks a lot!

Hello!

I would like to know if there is a way of limiting the amount or speed of the requests because when i try to use wfuzz in a website with SSL i'm getting a lot of 503 errors because the website has a limit on requests per second, i guess. This problem, for some reason, also seems to lead python to eat all of my RAM if i'm using a proxy and i am forced to shutdown.
I have been running wfuzz on a controlled group ever since.

I already use the software for a while but this issue is common and i would love to see it fixed.
Thank you
👍

Hi

Does this work with python3?

Im having the following error

SyntaxError: Missing parentheses in call to 'print'

Thanks

Hello,

Last but not least, it would be great to be able to specify a regex for the filter option.
I'm facing a lot of situation where for instance I'd like to hide any request returning a 4xx status code (mostly during large engagements, when you enumerate URL for a lot of targets).

Today I can only use the logic you implemented for filter =,<,>,!=,<=,>=.
Tomorrow I'd like to type --filter c!=4.*.* or --filter c!=4**

Cheers guys !

If you use wfuzz 2.1 to scan an SSL host over a http proxy like burp suite, wfuzz will always report a 200 response code, this did not happen in 2.0. I would assume its getting the 200 SSL connect and reading that as the HTTP response code.

I tested the same settings over HTTP through the HTTP proxy and the response codes were correct.

PS. Very nice work! Glad to see wfuzz isn't dead.

Fatal exception: Bad usage: Hide and show filters flags are mutually exclusive. Only one group could be specified.

How is that --sc 200 and --hl 0 are mutually exclusive? Show response code 200 and hide empty responses, this used to work in previous versions IIRC.

I was try to bruteforce server's virtual hosts and found that "Host" parameter is doesn't affect fuzzing.
wfuzz.py -H "Host: FUZZ.test.local" -w wordlist/general/test.txt http://127.0.0.1 -sc 200

After check source codes I find out that reqresp lib is rewrite fuzzed host parameter of request inside setUrl method.

• framework\fuzzer\fuzzobjects.py:210

    newreq.setUrl(rawUrl)

• externals\reqresp\Request.py:138

        self._headers["Host"]=self.__host

I used this fast hack to complete my task. Replace line at externals\reqresp\Request.py:138
from:

        self._headers["Host"]=self.__host

to

        if "Host" not in self._headers:
            self._headers["Host"]=self.__host

But, isn't good to change logic of external library.
I guess, correct solution is add compiled headers after setUrl method here framework\fuzzer\fuzzobjects.py:210 if they involved in fuzzing process.

Hello. Your tool is amazing, but I often get following error:
Fatal exception: Pycurl error 28: Connection timed out after 90000 milliseconds
What about adding option to retry connection if it fails?

Hi Xavi

How would be the equivalent call in the library to fuzz methods?

python wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/

I am trying wfuzz.fuzz(url=http://testphp.vulnweb.com/,method=["GET","HEAD","POST","TRACE","OPTIONS"]) and it says that i need to specify a payload. In this case, i dont want to fuzz any parameter with payloads, i just want to test the methods

Thanks

Hi xmendez!

I want to fuzz many urls of wordpress website.
But, the urls are redirected to login page if it's not logged in wordpress site.

Is there this function in wfuzz?
If not, couldn't you add this function?

Best Regards,
Ross

Hello,

I know I'm sure not to be the first asking for it but really, give us a CSV output printer.
For large engagements it is a pain to parse raw output or worse...the html one!

Cheers.

Hello,

Could you support Kerberos authentication ?
It should be easy with pycurl, with pycurl.HTTPAUTH_GSSNEGOTIATE.

Cheers.

Hello,

Adding an header containing commas, e.g.

./wfuzzy.py -H 'Accept-Language: da, en-gb;q=0.8, en;q=0.7' ...

Fails on command line parsing because , is considered as header separator. Is there a way to bypass this issue? A nice fix could be to build the header list supporting the cumulative use of the -H option, e.g. ./wfuzzy.py -H 'Accept-Language: da, en-gb' -H 'Accept: text/plain; q=0.5, text/html'. Argparse python library support this.

Thanks.

Hello there,

I read the code for the raw printer and there's a bug, a call is made to a _print method here but there's no such method.

Cheers.

When use python comes from Homebrew,it's /usr/local/bin/python instead of /usr/bin/python,so use /usr/bin/env python could improve compatibility.

Hi!

I have the latest version wfuzz (2.1.3) available in kali linux. I'm trying to fuzz a website app that uses the symbol # to separate some vars, but it seems to cause some problem with wfuzz as it doesn't find the word FUZZ when it's behind this simbol.

Example:

This woks fine:
wfuzz -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 404 https://example/FUZZ

But this is throwing a fatal exception:
wfuzz -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 404 https://example/index.php#FUZZ

Fatal exception: FUZZ words and number of payloads do not match!

This was also happening in the version 2.0

I can do the fuzzing by replacing # with %23, but this shouldn't be happening right?

When I attempt to use wfuzz against a server supporting SSL I receive a 200 response code in all cases.

wfuzz.py -w ./wordlist/general/common.txt https://localhost/FUZZ

• Wfuzz 2.1.3 - The Web Bruteforcer *

Target: https://localhost/FUZZ
Total requests: 950

==================================================================
ID Response Lines Word Chars Request

00000: C=200 130 L 432 W 5591 Ch "b"
00001: C=200 130 L 432 W 5591 Ch "back"
00002: C=200 130 L 432 W 5591 Ch "backdoor"
:
:
(and so on for all 950 requests)

class hexrand:
.....................
def next (self):
self.current = random.SystemRandom().randint(self.minimum,self.maximum)

lgth = len(hex(self.maximum).replace("0x",""))
pl="%"+str(lgth)+"s"
num = hex(self.current).replace("0x","")	
pl = pl % (num)
payl =pl.replace(" ","0")
return payl

should be:

def next (self):
if self.__count==0:                              #add   
	raise StopIteration

self.current = random.SystemRandom().randint(self.minimum,self.maximum)

lgth = len(hex(self.maximum).replace("0x",""))
pl="%"+str(lgth)+"s"
num = hex(self.current).replace("0x","")	
pl = pl % (num)
payl =pl.replace(" ","0")
self.__count+=1                                       #add
return payl

I've had this problem with quite a few domains, pycurl isn't ale to resolve the host I specify:

$ ./wfuzz.py --hc 404 -z file,wordlist/general/common.txt https://a.b.co.uk/FUZZ/ 
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: https://a.b.co.uk/FUZZ/
Total requests: 950

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================


Fatal exception: Pycurl error 6: Could not resolve host: a.b.co.uk

None

dig and nslookup works fine, my resolve.conf is pointing at Google, ping picks up the IP correctly.

The only way I can get the app to run is to add the entry to my hosts file, then it runs without a problem.

I doubt that this is a wfuzz problem but wondering if you have seen this problem and have a solution for it, my hosts file is filling up!

Hello,

If I'm no wrong today in wfuzz you can either see the output in the console or redirect it to a file.
For easier monitoring it would be super cool to have an output-file option, having a file written in the background and still seeing the execution from the process.

Cheers.

Hello,

Could it be possible to support relative file paths for -w and -z options ?
Every time I get tricked by the current implementation as:

• I'd like to do $ wfuzz -w toto.txt http://google.fr/FUZZ
• or even $ wfuzz -w ./toto.txt http://google.fr/FUZZ
• ...instead of $ wfuzz -w /root/test/toto.txt http://google.fr/FUZZ

Cheers !

Hello,

I have a question about recursion, what is the default recursion level and how can we stop recursion? -R0 does not seem to work.

Thanks in advance,

Hi

Im trying the printer option in the library and it doesnt seem to work correctly

According to the doc, it says:

-o filename,printer equals to printer=(“printer”, “filename”)

I dont want to specify filename, just the format of the report. It still needs the filename

On top of that, the order is incorrect. it is printer=(filename,printer). See below

for r in wfuzz.get_payload(["GET","HEAD","POST","TRACE","OPTIONS"]).fuzz(url='http://localhost:5000/', method="FUZZ", printer=("t2","json")):
print r

And to finish, it doesnt do anything, it prints r in the default format, and t2 is empty

Let me know if i can help to solve any of the issues, as i find the tool quite useful

Thanks

Hello,

The current version 2.1.4 is not reflected here :)

Cheers.

I want use wfuzz to try brute force website that have feature use HTTPS and Post data method. Can anyone help me how to write the codes?
I have try
wfuzz.py -c -z list,admin -z list,book-password-abc --hc 400 -d "loginOp=login&username=FUZZ&password=FUZ2Z&client=preferred" "https://website.com"
*website.com not the real site
and all the output result C=000.
Are there any parameters I forgot write in the codes?

Not so sure what causing this to happen, but these are the results i'm getting:
./wfuzz.py -p localhost:9999:SOCKS5 -z file,keywords.txt --hc 404 https://website.com/FUZZ

00000: C=000 0 L 0 W 0 Ch "KEYWORD1"
00001: C=000 0 L 0 W 0 Ch "KEYWORD2"
00002: C=000 0 L 0 W 0 Ch "KEYWORD3"

Using v2.1.1

I have tried with tips of one website this 👍
python wfuzz.py -c -z file,wordliste/general/big.txt --hc 404 http://pentesterlab.com/FUZZ
and i get f:
Fatal exception: Error opening file

I'm on kali linux 2.0

Version: 2.2.8

Command:
wfuzz -z list,../../../etc/passwd http://127.0.0.1:8000/FUZZ

Output:
000001: C=000 9 L 25 W 195 Ch "../../../etc/passwd"

In the output we can see the valid payload but the program send only "etc/passwd" to the server.

python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [04/Jan/2018 04:43:14] "GET /etc/passwd HTTP/1.1" 404 -

Hello again,

It would be great if the option order could not be taken into account while specifying the target.
For instance, if:

• $ python wfuzz.py -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z -o csv
  could be equivalent to:
• $ python wfuzz.py -o csv -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z

Cheers :)

Hi

Im sending request to a test application i have and for some reason, sometimes i have as response the error code 000

However, the response is 200 for the GET request, and 404 for the rest of them

See the example below

Have you seen this before? If you need any extra information, let me know

Thanks

==================================================================
ID Response Lines Word Chars Payload

00001: C=000 98 L 240 W 4636 Ch "GET"
00002: C=000 0 L 0 W 0 Ch "HEAD"
00003: C=000 4 L 23 W 178 Ch "POST"
00004: C=000 4 L 23 W 178 Ch "TRACE"
00005: C=000 0 L 0 W 0 Ch "OPTIONS"

Total time: 0.083100
Processed Requests: 5
Filtered Requests: 5
Requests/sec.: 60.16841

Wfuzz should be able to load a raw request from a file and fuzz the parameters in it. This would make it easier to use in more complex scenarios.

Hello,

To me wfuzz is missing an essential feature for a bruteforcer, the ability to set a maximum timeout for the HTTP requests, when facing laggy front-end servers.

Cheers!

Hi

I am trying to install wfuzz in windows 64 bits and i am facing problems with wconio library. Apparently this library is only available for 32 bits (http://newcenturycomputers.net/projects/wconio.html)

Has anybody managed to install this?

Thanks

Hi

Im checking the json output format and seems like the response code is not returned

I have an output like this

{'description': 'master', 'postdata': {}, 'url': u'myurl, 'chars': 233, 'lines': 4, 'server': 'Werkzeug/0.11.15 Python/2.7.12', 'location': '', 'words': 34}

Hello @xmendez,

It would be awesome if you could add a specific option in order to take a file containing a list of URL and iterate over. This feature is really missing when you have to assess a large list of Web apps, for instance on an internal network.
I'm thinking about something like:

$ python wfuzz.py -w wordlist/general/common.txt -i urllist.txt

with urllist.txt containing like:

http://url1/FUZZ
http://url2/FUZZ
...
http://urln/FUZZ

Do you think it would be easy to add this ? (sorry, haven't dug into the code yet...).

Cheers!

Version: 2.2.8

Command:

wfuzz --script=backups -z file,/root/Documents/repo/SecLists/Discovery/Web_Content/quickhits.txt -Z --conn-delay 5 --req-delay 5 --follow --hc 401,403,404,500 https://loop.brusselsairlines.com/FUZZ

Error:

006069:  C=404     30 L	      44 W	    822 Ch	  "//web-console/.bakServerInfo"Exception in thread _read_multi_stack:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/local/lib/python2.7/dist-packages/wfuzz/myhttp.py", line 194, in _read_multi_stack
    res.history.from_http_object(c, buff_header.getvalue(), buff_body.getvalue())
  File "/usr/local/lib/python2.7/dist-packages/wfuzz/fuzzobjects.py", line 380, in from_http_object
    return self._request.response_from_conn_object(c, bh, bb)
  File "/usr/local/lib/python2.7/dist-packages/wfuzz/externals/reqresp/Request.py", line 341, in response_from_conn_object
    rp.parseResponse(header)
  File "/usr/local/lib/python2.7/dist-packages/wfuzz/externals/reqresp/Response.py", line 153, in parseResponse
    body=gzipper.read()
  File "/usr/lib/python2.7/gzip.py", line 261, in read
    self._read(readsize)
  File "/usr/lib/python2.7/gzip.py", line 303, in _read
    self._read_gzip_header()
  File "/usr/lib/python2.7/gzip.py", line 197, in _read_gzip_header
    raise IOError, 'Not a gzipped file'
IOError: Not a gzipped file

I launched several instances of Wfuzz in parallel.

Hello,

here's a command used:
wfuzz -c -v -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=FUZZ&password=#" http://192.168.0.199:8008/unisxcudkqjydw/vulnbank/client/login.php

Results:

As you can see, requests are not shown. Is it a mistake on my part, or a bug?

It is impossible to run wfuzz from outside of the wfuzz root folder. If you follow these steps:

$ git clone https://github.com/xmendez/wfuzz.git
$ git reset --hard 574caa52be514ae012a0bdbb41350bd999c9dc9c
$ python2 wfuzz/wfuzz.py
    /home/nate/.bin/wfuzz: 2: /home/nate/.bin/wfuzz: source: not found
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
*                                                      *
* Version up to 1.4c coded by:                         *
* Christian Martorella ([email protected]) *
* Carlos del ojo ([email protected])                   *
*                                                      *
* Version 1.4d to 2.1.3 coded by:                        *
* Xavier Mendez ([email protected])            *
********************************************************

Usage: /home/nate/.programs/wfuzz/wfuzz.py [options] -z payload,params <url>

Type wfuzz.py -h for further information.


Fatal exception: You must specify a payload and a URL
No handlers could be found for logger "libraries.FileLoader"
Traceback (most recent call last):
  File "/home/nate/.programs/wfuzz/wfuzz.py", line 52, in <module>
    Facade().sett.save()
  File "/home/nate/.programs/wfuzz/patterns/singleton.py", line 13, in __call__         
    class_.instance = super(Singleton, class_).__call__(*args, **kwargs)
  File "/home/nate/.programs/wfuzz/framework/core/facade.py", line 51, in __init__
    raise FuzzException(FuzzException.FATAL, "Error loading plugins: %s" % str(e))
framework.core.myexception.FuzzException: Error loading plugins: No module named printers

Support for wildcard expansion. e.g. :
-w /usr/share/wfuzz/wordlist/general/*.txt

how to output result to a file?

I noticed a small issue when brute forcing directories with wfuzz in tmux. If you set the flag hc to hide certain type of responses, this works okay until you resize the tmux pane. Let me show it in steps:

0. To give a bit of context, this is the initial layout in tmux.

1. You launch wfuzz in some pane with the hc flag. Here I "maximized" the pane.

2. Then you resize the pane (this screenshot only shows a part of the 4x4 layout). This is done by pressing prefix+Z. By default, prefix means Ctrl+B in tmux.

3. Now you go back to the initial layout (again pressing prefix+Z)

As you can see, when there are changes in the layout, the flag hc doesn't work anymore. Let me know if you need help reproducing these steps.

I'm trying to scan a site which has a valid certificate but for a wrong name, i.e. not a self-signed cert, and I'm getting this error:

Fatal exception: Pycurl error 56: gnutls_handshake() warning: The server name sent was not recognized

I've done quite a bit of searching and not worked out how to fix it but will keep looking. If you want to try this, try scanning my site at https://digininja.org that will give you the cert for digi.ninja.