xmendez / wfuzz
Web application fuzzer
Home Page: http://wfuzz.io
License: GNU General Public License v2.0
Hello again,
It would be great if the option order were not taken into account while specifying the target.
For instance, if:
$ python wfuzz.py -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z -o csv
$ python wfuzz.py -o csv -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z
Cheers :)
When I attempt to use wfuzz against a server supporting SSL I receive a 200 response code in all cases.
wfuzz.py -w ./wordlist/general/common.txt https://localhost/FUZZ
Target: https://localhost/FUZZ
Total requests: 950
00000: C=200 130 L 432 W 5591 Ch "b"
00001: C=200 130 L 432 W 5591 Ch "back"
00002: C=200 130 L 432 W 5591 Ch "backdoor"
:
:
(and so on for all 950 requests)
Fatal exception: Bad usage: Hide and show filters flags are mutually exclusive. Only one group could be specified.
How is it that --sc 200 and --hl 0 are mutually exclusive? Show response code 200 and hide empty responses; this used to work in previous versions IIRC.
Hello!
I would like to know if there is a way of limiting the amount or speed of the requests, because when I try to use wfuzz on a website with SSL I'm getting a lot of 503 errors, because the website has a limit on requests per second, I guess. This problem, for some reason, also seems to lead Python to eat all of my RAM if I'm using a proxy, and I am forced to shut down.
I have been running wfuzz on a controlled group ever since.
I have already used the software for a while, but this issue is common and I would love to see it fixed.
Thank you
Hello,
If I'm not wrong, today in wfuzz you can either see the output in the console or redirect it to a file.
For easier monitoring it would be super cool to have an output-file option, having a file written in the background and still seeing the execution from the process.
Cheers.
Hello,
Adding a header containing commas, e.g.
./wfuzzy.py -H 'Accept-Language: da, en-gb;q=0.8, en;q=0.7' ...
fails on command line parsing because "," is considered as a header separator. Is there a way to bypass this issue? A nice fix could be to build the header list supporting the cumulative use of the -H option, e.g.
./wfuzzy.py -H 'Accept-Language: da, en-gb' -H 'Accept: text/plain; q=0.5, text/html'
The argparse Python library supports this.
Thanks.
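The cumulative -H handling proposed in the issue above, written out as an added example (my own code, not wfuzz's): argparse collects one header per -H occurrence, and each "Name: value" is split only on its first colon, so commas inside a value such as Accept-Language survive. The option names and sample headers are assumptions for the demonstration; a CR or LF inside a value is rejected because it would inject extra header lines into the request.

```python
# Added example (not wfuzz's own code): collect repeated -H options with
# argparse and split each "Name: value" only on its first colon, so commas
# inside a header value are preserved. Names and values below are constructed.
import argparse


def parse_header(raw):
    """Split 'Name: value' on the first colon only; commas stay in the value."""
    if ":" not in raw:
        raise ValueError("header must look like 'Name: value', got %r" % raw)
    name, value = raw.split(":", 1)
    name, value = name.strip(), value.strip()
    if not name or any(ch in name for ch in " \t\r\n"):
        raise ValueError("invalid header name %r" % name)
    if "\r" in value or "\n" in value:
        # A CR/LF inside a value would inject extra header lines into the request.
        raise ValueError("CR/LF not allowed in header value %r" % value)
    return name, value


def build_parser():
    parser = argparse.ArgumentParser(prog="wfuzz", add_help=False)
    # action="append" makes -H cumulative: each occurrence adds one header.
    parser.add_argument("-H", dest="headers", action="append",
                        metavar="'Name: value'")
    parser.add_argument("url")
    return parser


def headers_from_argv(argv):
    """Return the (name, value) pairs given by -H options, in command-line order."""
    args = build_parser().parse_args(argv)
    return [parse_header(h) for h in (args.headers or [])]


if __name__ == "__main__":
    sample_argv = [
        "-H", "Accept-Language: da, en-gb;q=0.8, en;q=0.7",
        "-H", "Accept: text/plain; q=0.5, text/html",
        "http://example/FUZZ",
    ]
    for name, value in headers_from_argv(sample_argv):
        print("%s: %s" % (name, value))
```

Because the list is built per flag rather than by splitting one string, a value may contain any byte except CR and LF, which keeps header injection out of the fuzzer's own request construction.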
Hello,
To me wfuzz is missing an essential feature for a bruteforcer, the ability to set a maximum timeout for the HTTP requests, when facing laggy front-end servers.
Cheers!
If verification code identification could be added, that would be good.
Hi xmendez!
I want to fuzz many URLs of a WordPress website.
But the URLs are redirected to the login page if not logged in to the WordPress site.
Is there such a function in wfuzz?
If not, could you add this function?
Best Regards,
Ross
Hello there,
I read the code for the raw printer and there's a bug: a call is made to a _print method here but there's no such method.
Cheers.
I'm trying to scan a site which has a valid certificate but for a wrong name, i.e. not a self-signed cert, and I'm getting this error:
Fatal exception: Pycurl error 56: gnutls_handshake() warning: The server name sent was not recognized
I've done quite a bit of searching and not worked out how to fix it but will keep looking. If you want to try this, try scanning my site at https://digininja.org that will give you the cert for digi.ninja.
Hello,
Could you support Kerberos authentication? It should be easy with pycurl, with pycurl.HTTPAUTH_GSSNEGOTIATE.
Cheers.
Hi
Does this work with Python 3?
I'm having the following error:
SyntaxError: Missing parentheses in call to 'print'
Thanks
I've had this problem with quite a few domains, pycurl isn't able to resolve the host I specify:
$ ./wfuzz.py --hc 404 -z file,wordlist/general/common.txt https://a.b.co.uk/FUZZ/
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
********************************************************
Target: https://a.b.co.uk/FUZZ/
Total requests: 950
==================================================================
ID Response Lines Word Chars Request
==================================================================
Fatal exception: Pycurl error 6: Could not resolve host: a.b.co.uk
None
dig and nslookup work fine, my resolv.conf is pointing at Google, ping picks up the IP correctly.
The only way I can get the app to run is to add the entry to my hosts file, then it runs without a problem.
I doubt that this is a wfuzz problem but wondering if you have seen this problem and have a solution for it, my hosts file is filling up!
I have tried this with tips from one website:
python wfuzz.py -c -z file,wordliste/general/big.txt --hc 404 http://pentesterlab.com/FUZZ
and I get:
Fatal exception: Error opening file
I'm on Kali Linux 2.0
I was trying to brute force a server's virtual hosts and found that the "Host" parameter doesn't affect fuzzing.
wfuzz.py -H "Host: FUZZ.test.local" -w wordlist/general/test.txt http://127.0.0.1 -sc 200
After checking the source code I found out that the reqresp lib rewrites the fuzzed Host parameter of the request inside the setUrl method:
newreq.setUrl(rawUrl)
self._headers["Host"]=self.__host
I used this fast hack to complete my task. Replace the line at externals\reqresp\Request.py:138
from:
    self._headers["Host"]=self.__host
to:
    if "Host" not in self._headers:
        self._headers["Host"]=self.__host
But it isn't good to change the logic of an external library.
I guess the correct solution is to add the compiled headers after the setUrl method here, framework\fuzzer\fuzzobjects.py:210, if they are involved in the fuzzing process.
Hi
I am trying to install wfuzz on Windows 64-bit and I am facing problems with the wconio library. Apparently this library is only available for 32-bit (http://newcenturycomputers.net/projects/wconio.html)
Has anybody managed to install this?
Thanks
Hi
I'm trying to run wfuzz against my own server where I have a self-signed certificate. I'm having an error from PyCurl when doing the handshake:
Fatal exception: Pycurl error 35: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443
Can a wfuzz parameter be added to avoid SSL verification?
Thanks
Version: 2.2.8
Command:
wfuzz -z list,../../../etc/passwd http://127.0.0.1:8000/FUZZ
Output:
000001: C=000 9 L 25 W 195 Ch "../../../etc/passwd"
In the output we can see the valid payload, but the program sends only "etc/passwd" to the server.
python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [04/Jan/2018 04:43:14] "GET /etc/passwd HTTP/1.1" 404 -
Not so sure what is causing this to happen, but these are the results I'm getting:
./wfuzz.py -p localhost:9999:SOCKS5 -z file,keywords.txt --hc 404 https://website.com/FUZZ
00000: C=000 0 L 0 W 0 Ch "KEYWORD1"
00001: C=000 0 L 0 W 0 Ch "KEYWORD2"
00002: C=000 0 L 0 W 0 Ch "KEYWORD3"
Using v2.1.1
class hexrand:
    .....................
    def next (self):
        self.current = random.SystemRandom().randint(self.minimum,self.maximum)
        lgth = len(hex(self.maximum).replace("0x",""))
        pl="%"+str(lgth)+"s"
        num = hex(self.current).replace("0x","")
        pl = pl % (num)
        payl =pl.replace(" ","0")
        return payl
should be:
    def next (self):
        if self.__count==0: #add
            raise StopIteration
        self.current = random.SystemRandom().randint(self.minimum,self.maximum)
        lgth = len(hex(self.maximum).replace("0x",""))
        pl="%"+str(lgth)+"s"
        num = hex(self.current).replace("0x","")
        pl = pl % (num)
        payl =pl.replace(" ","0")
        self.__count+=1 #add
        return payl
Add an option to continue fuzzing from a specific line in wordlist and / or some kind of pause & resume mechanism.
$ pip install wfuzz
Collecting wfuzz
Downloading wfuzz-2.2.8.tar.gz (80kB)
100% |################################| 81kB 1.4MB/s
Collecting pycurl (from wfuzz)
Downloading pycurl-7.43.0.tar.gz (182kB)
100% |################################| 184kB 1.7MB/s
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-IMKmtm/pycurl/setup.py", line 823, in <module>
ext = get_extension(sys.argv, split_extension_source=split_extension_source)
File "/tmp/pip-build-IMKmtm/pycurl/setup.py", line 497, in get_extension
ext_config = ExtensionConfiguration(argv)
File "/tmp/pip-build-IMKmtm/pycurl/setup.py", line 71, in __init__
self.configure()
File "/tmp/pip-build-IMKmtm/pycurl/setup.py", line 107, in configure_unix
raise ConfigurationError(msg)
__main__.ConfigurationError: Could not run curl-config: [Errno 2] No such file or directory
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-IMKmtm/pycurl/
I noticed a small issue when brute forcing directories with wfuzz in tmux. If you set the flag hc to hide certain types of responses, this works okay until you resize the tmux pane. Let me show it in steps: run wfuzz with the hc flag; here I "maximized" the pane with prefix+Z (by default, prefix means Ctrl+B in tmux); then prefix+Z again. As you can see, when there are changes in the layout, the flag hc doesn't work anymore. Let me know if you need help reproducing these steps.
I have this error when running "C:\wfuzz-2.1.2\wfuzz.py" on Windows
Traceback (most recent call last):
File "C:\wfuzz-2.1.2\wfuzz.py", line 6, in
from framework.fuzzer.Fuzzer import Fuzzer
File "C:\wfuzz-2.1.2\framework\fuzzer\Fuzzer.py", line 12, in
from framework.utils.myqueue import MyPriorityQueue
File "C:\wfuzz-2.1.2\framework\utils\myqueue.py", line 1, in
import resource
ImportError: No module named resource
If you use wfuzz 2.1 to scan an SSL host over an HTTP proxy like Burp Suite, wfuzz will always report a 200 response code; this did not happen in 2.0. I would assume it's getting the 200 SSL connect and reading that as the HTTP response code.
I tested the same settings over HTTP through the HTTP proxy and the response codes were correct.
PS. Very nice work! Glad to see wfuzz isn't dead.
Hi Xavi
What would be the equivalent call in the library to fuzz methods?
python wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
I am trying wfuzz.fuzz(url=http://testphp.vulnweb.com/,method=["GET","HEAD","POST","TRACE","OPTIONS"]) and it says that I need to specify a payload. In this case, I don't want to fuzz any parameter with payloads, I just want to test the methods.
Thanks
Support for wildcard expansion. e.g. :
-w /usr/share/wfuzz/wordlist/general/*.txt
Hello @xmendez,
It would be awesome if you could add a specific option in order to take a file containing a list of URLs and iterate over it. This feature is really missing when you have to assess a large list of web apps, for instance on an internal network.
I'm thinking about something like:
$ python wfuzz.py -w wordlist/general/common.txt -i urllist.txt
with urllist.txt
containing like:
http://url1/FUZZ
http://url2/FUZZ
...
http://urln/FUZZ
Do you think it would be easy to add this ? (sorry, haven't dug into the code yet...).
Cheers!
Hi
I recently opened #49 and you advised how to run the method fuzzer from the Python library.
When running it, I can see it works fine, but the response doesn't contain the error code (it is displayed as 000).
00973: C=000 98 L 240 W 4636 Ch "GET"
00974: C=000 0 L 0 W 0 Ch "HEAD"
00976: C=000 4 L 23 W 178 Ch "TRACE"
00977: C=000 0 L 0 W 0 Ch "OPTIONS"
00975: C=000 4 L 23 W 178 Ch "POST"
Thanks
Hello back,
Sorry, I have another question dealing with wfuzz's behavior.
Here is my commandline:
wfuzz --script=title,backups -o raw --follow --conn-delay 5 --req-delay 5 -Z -z file,/tmp/quickhits.txt --hc 401,403,404,500 https://domain.com/FUZZ
Unfortunately I still see some codes that I do not want to output:
==================================================================
ID Response Lines Word Chars Request
==================================================================
00030: C=403 9 L 19 W 284 Ch "/.bz2"
|_ Plugin backups enqueued 5 more requests (rlevel=1)
00032: C=403 9 L 19 W 288 Ch "/.c9/"
|_ Page title: Access Denied
|_ Plugin backups enqueued 2 more requests (rlevel=1)
00029: C=403 9 L 19 W 287 Ch "/.bundle"
|_ Plugin backups enqueued 23 more requests (rlevel=1)
00028: C=403 9 L 19 W 287 Ch "/.builds"
|_ Plugin backups enqueued 17 more requests (rlevel=1)
00031: C=403 9 L 19 W 295 Ch "/.bzr/README"
|_ Plugin backups enqueued 1 more requests (rlevel=1)
00046: C=403 9 L 19 W 286 Ch "/.codio"
|_ Plugin backups enqueued 8 more requests (rlevel=1)
00001: C=403 9 L 19 W 295 Ch "/!.gitignore"
|_ Plugin backups enqueued 7 more requests (rlevel=1)
Am I missing something? Thanks a lot!
Hello,
Could it be possible to support relative file paths for the -w and -z options?
Every time I get tricked by the current implementation as:
$ wfuzz -w toto.txt http://google.fr/FUZZ
$ wfuzz -w ./toto.txt http://google.fr/FUZZ
$ wfuzz -w /root/test/toto.txt http://google.fr/FUZZ
Cheers !
Hi!
I have the latest version of wfuzz (2.1.3) available in Kali Linux. I'm trying to fuzz a website app that uses the symbol # to separate some vars, but it seems to cause some problem with wfuzz, as it doesn't find the word FUZZ when it's behind this symbol.
Example:
This works fine:
wfuzz -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 404 https://example/FUZZ
But this is throwing a fatal exception:
wfuzz -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 404 https://example/index.php#FUZZ
Fatal exception: FUZZ words and number of payloads do not match!
This was also happening in the version 2.0
I can do the fuzzing by replacing # with %23, but this shouldn't be happening right?
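The two URL effects reported above (the "../../../etc/passwd" payload arriving as GET /etc/passwd, and a FUZZ placed after "#" being invisible) are both standard client-side URL processing, shown here as an added example in Python 3 that is not part of wfuzz. Per RFC 3986 a client removes "." and ".." segments from the path before sending (this is also libcurl's default), and everything after "#" is a fragment that never leaves the client, so a tool that parses the URL before searching for FUZZ cannot see a marker placed there. Percent-encoding the special characters in the payload (or writing %23 in the template, as the poster did) keeps them intact. The template URLs and payloads are constructed for the demonstration.

```python
# Added example (not wfuzz's own code): what an RFC 3986 client does to a URL
# before it is sent, and why a payload of "../../../etc/passwd" arrives as
# /etc/passwd while a FUZZ placed after "#" is never sent at all. The template
# URLs and payloads below are constructed for illustration.
from urllib.parse import quote, urlsplit


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4: squash "." and ".." segments; cannot climb above "/"."""
    output = []
    for segment in path.split("/"):
        if segment == "..":
            if output:
                output.pop()
        elif segment != ".":
            output.append(segment)
    result = "/".join(output)
    if path.endswith(("/.", "/..")):
        result += "/"  # a trailing dot segment leaves a trailing slash
    return result if result.startswith("/") else "/" + result


def wire_target(url):
    """Path (and query) the client actually puts on the request line for url.

    The fragment is dropped: it is client-side only and never sent. Dot
    segments are removed, which is also libcurl's default path handling.
    """
    parts = urlsplit(url)
    target = remove_dot_segments(parts.path or "/")
    if parts.query:
        target += "?" + parts.query
    return target


def encode_payload(payload):
    """Percent-encode '/', '#', '?' and friends so the payload survives untouched."""
    return quote(payload, safe="")


def build_url(template, payload, encode=True):
    """Substitute FUZZ in template, optionally with the payload percent-encoded."""
    return template.replace("FUZZ", encode_payload(payload) if encode else payload)


if __name__ == "__main__":
    for template, payload, enc in [
        ("http://127.0.0.1:8000/FUZZ", "../../../etc/passwd", False),
        ("http://127.0.0.1:8000/FUZZ", "../../../etc/passwd", True),
        ("https://example/index.php#FUZZ", "probe", False),
        ("https://example/index.php%23FUZZ", "probe", False),
    ]:
        url = build_url(template, payload, enc)
        print("%-55s -> GET %s" % (url, wire_target(url)))
```

With encoding, "..%2F..%2F..%2Fetc%2Fpasswd" is a single opaque segment to the client, so it reaches the server untouched; whether the server decodes %2F before its own path handling is exactly the behaviour a traversal test is trying to find out.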
Hello,
here's a command used:
wfuzz -c -v -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=FUZZ&password=#" http://192.168.0.199:8008/unisxcudkqjydw/vulnbank/client/login.php
Results:
As you can see, requests are not shown. Is it a mistake on my part, or a bug?
I want to use wfuzz to try to brute force a website that uses HTTPS and the POST data method. Can anyone help me with how to write the command?
I have tried
wfuzz.py -c -z list,admin -z list,book-password-abc --hc 400 -d "loginOp=login&username=FUZZ&password=FUZ2Z&client=preferred" "https://website.com"
*website.com is not the real site
and all the output results are C=000.
Are there any parameters I forgot to write in the command?
Hello,
I know I'm sure not to be the first asking for it but really, give us a CSV output printer.
For large engagements it is a pain to parse raw output or worse... the HTML one!
Cheers.
Wfuzz should be able to load a raw request from a file and fuzz the parameters in it. This would make it easier to use in more complex scenarios.
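An added example (my own code, not wfuzz's) of the feature requested above, which also covers the earlier virtual-host report where a fuzzed Host header was overwritten: load a raw HTTP request as a proxy would save it, find wfuzz-style markers (FUZZ, FUZ2Z, FUZ3Z ...) in the request line, headers or body, and render the request with the payloads substituted and Content-Length recomputed. The request is parsed before substitution, so a payload cannot change the request structure, and any substituted value that would land on a header line is rejected if it contains CR or LF. The sample request is constructed; nothing is sent.

```python
# Added example (not wfuzz's own code): load a raw HTTP request as saved from
# a proxy, locate wfuzz-style markers (FUZZ, FUZ2Z, FUZ3Z ...) anywhere in the
# request line, headers or body, and render the request with payloads
# substituted and Content-Length recomputed. Because headers are substituted
# too, a "Host: FUZZ.target" line fuzzes virtual hosts without the tool
# overwriting it. The sample request is constructed; nothing is sent.
import re

MARKER = re.compile(r"FUZ(\d*)Z")


def parse_raw_request(text):
    """Return (method, target, version, [(name, value), ...], body)."""
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("bad request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers, body


def marker_count(text):
    """Highest marker index present: FUZZ -> 1, FUZZ and FUZ2Z -> 2, none -> 0."""
    indexes = [int(n or "1") for n in MARKER.findall(text)]
    return max(indexes) if indexes else 0


def substitute(text, payloads):
    """Replace FUZZ with payloads[0], FUZ2Z with payloads[1], and so on."""
    def repl(match):
        index = int(match.group(1) or "1") - 1
        if index >= len(payloads):
            raise ValueError("no payload for marker %s" % match.group(0))
        return payloads[index]
    return MARKER.sub(repl, text)


def _line_safe(value):
    """A substituted value on the request line or a header must not contain CR/LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in substituted value would inject a header line")
    return value


def render_request(raw, payloads):
    """Bytes to put on the wire for raw with payloads substituted.

    Parsing happens before substitution, so a payload can only change the
    value it was placed in, never the request structure. Content-Length is
    fixed up to match the new body.
    """
    if marker_count(raw) != len(payloads):
        raise ValueError("FUZZ words and number of payloads do not match")
    method, target, version, headers, body = parse_raw_request(raw)
    body_bytes = substitute(body, payloads).encode("utf-8")
    out = ["%s %s %s" % (method, _line_safe(substitute(target, payloads)), version)]
    have_length = False
    for name, value in headers:
        if name.lower() == "content-length":
            value, have_length = str(len(body_bytes)), True
        else:
            value = _line_safe(substitute(value, payloads))
        out.append("%s: %s" % (name, value))
    if body_bytes and not have_length:
        out.append("Content-Length: %d" % len(body_bytes))
    return ("\r\n".join(out) + "\r\n\r\n").encode("utf-8") + body_bytes


SAMPLE_REQUEST = (  # constructed, as a proxy would save it
    "POST /login.php HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "username=FUZZ&password=FUZ2Z"
)

if __name__ == "__main__":
    print(render_request(SAMPLE_REQUEST, ["admin", "s3cret"]).decode())
```

The marker count check mirrors the "FUZZ words and number of payloads do not match" failure seen elsewhere on this page: it is evaluated over the whole raw text, so a marker in the Host header counts just like one in the path.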
How to output results to a file?
Hi
I'm sending requests to a test application I have and for some reason, sometimes I get the error code 000 as response.
However, the response is 200 for the GET request, and 404 for the rest of them.
See the example below
Have you seen this before? If you need any extra information, let me know
Thanks
00001: C=000 98 L 240 W 4636 Ch "GET"
00002: C=000 0 L 0 W 0 Ch "HEAD"
00003: C=000 4 L 23 W 178 Ch "POST"
00004: C=000 4 L 23 W 178 Ch "TRACE"
00005: C=000 0 L 0 W 0 Ch "OPTIONS"
Total time: 0.083100
Processed Requests: 5
Filtered Requests: 5
Requests/sec.: 60.16841
Version: 2.2.8
Command:
wfuzz --script=backups -z file,/root/Documents/repo/SecLists/Discovery/Web_Content/quickhits.txt -Z --conn-delay 5 --req-delay 5 --follow --hc 401,403,404,500 https://loop.brusselsairlines.com/FUZZ
Error:
006069: C=404 30 L 44 W 822 Ch "//web-console/.bakServerInfo"Exception in thread _read_multi_stack:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "/usr/local/lib/python2.7/dist-packages/wfuzz/myhttp.py", line 194, in _read_multi_stack
res.history.from_http_object(c, buff_header.getvalue(), buff_body.getvalue())
File "/usr/local/lib/python2.7/dist-packages/wfuzz/fuzzobjects.py", line 380, in from_http_object
return self._request.response_from_conn_object(c, bh, bb)
File "/usr/local/lib/python2.7/dist-packages/wfuzz/externals/reqresp/Request.py", line 341, in response_from_conn_object
rp.parseResponse(header)
File "/usr/local/lib/python2.7/dist-packages/wfuzz/externals/reqresp/Response.py", line 153, in parseResponse
body=gzipper.read()
File "/usr/lib/python2.7/gzip.py", line 261, in read
self._read(readsize)
File "/usr/lib/python2.7/gzip.py", line 303, in _read
self._read_gzip_header()
File "/usr/lib/python2.7/gzip.py", line 197, in _read_gzip_header
raise IOError, 'Not a gzipped file'
IOError: Not a gzipped file
I launched several instances of Wfuzz in parallel.
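Two response-parsing failures appear on this page: the report above of "Not a gzipped file" raised from gzip.read() when a body labelled Content-Encoding: gzip is not gzip, and the earlier report of every HTTPS request through an HTTP proxy showing C=200, where the bytes handed back begin with the proxy's own "HTTP/1.1 200 Connection established" reply to CONNECT. The parser below is an added example (my own code, not wfuzz's or pycurl's) that keeps the target server's status line rather than the proxy's, only inflates a body whose bytes actually start with the gzip magic, and raises instead of silently producing a 000-style row when no status line exists. All sample responses are constructed in the block.

```python
# Added example (not wfuzz's own code): parse the raw bytes a transport hands
# back into (status, headers, body) without the two failure modes reported
# on this page: a proxy CONNECT preamble read as the real status line, and a
# gzip decode that aborts the run when the body is not actually gzip.
# All sample responses are constructed.
import gzip
import io
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def _split_head(raw):
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    return head, rest


def _parse_head(head):
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers


def _is_connect_preamble(code, headers):
    # A proxy's answer to CONNECT is a 2xx with no body framing; a real
    # response carries Content-Length, Transfer-Encoding or a Content-Type.
    return 200 <= code < 300 and not (
        {"content-length", "transfer-encoding", "content-type"} & set(headers))


def parse_response(raw):
    """Return (status_code, headers, body) for a raw response buffer.

    Proxy CONNECT preambles are skipped, so the status reported is that of
    the target server, not the proxy. Raises ValueError if no status line is
    found, the case a fuzzer would otherwise show as code 000.
    """
    head, rest = _split_head(raw)
    code, headers = _parse_head(head)
    while rest.startswith(b"HTTP/") and _is_connect_preamble(code, headers):
        head, rest = _split_head(rest)
        code, headers = _parse_head(head)
    return code, headers, decode_body(headers, rest)


def decode_body(headers, body):
    """Inflate gzip/deflate bodies, but return the raw bytes when the declared
    encoding does not match the payload instead of aborting the whole run."""
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        if not body.startswith(GZIP_MAGIC):
            return body  # mislabelled, e.g. an error page behind a stale header
        try:
            return gzip.GzipFile(fileobj=io.BytesIO(body)).read()
        except (OSError, EOFError, zlib.error):
            return body  # truncated or corrupt stream: keep what we got
    if encoding == "deflate":
        for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):  # zlib-wrapped, then raw
            try:
                return zlib.decompress(body, wbits)
            except zlib.error:
                continue
        return body
    return body


def constructed_samples():
    """Hand-built response buffers used for the demonstration and tests."""
    return {
        "proxied": (b"HTTP/1.1 200 Connection established\r\n\r\n"
                    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
                    b"Content-Length: 9\r\n\r\nnot found"),
        "gzip_ok": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n" + gzip.compress(b"hello"),
        "gzip_lie": b"HTTP/1.1 404 Not Found\r\nContent-Encoding: gzip\r\n\r\n<html>error</html>",
        "deflate": b"HTTP/1.1 200 OK\r\nContent-Encoding: deflate\r\n\r\n" + zlib.compress(b"flat"),
        "direct": b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nHTTP/1.1 500",
    }


if __name__ == "__main__":
    for name, raw in constructed_samples().items():
        code, headers, body = parse_response(raw)
        print("%-9s C=%03d %r" % (name, code, body))
```

The preamble check deliberately requires a 2xx with no body framing headers, so a direct 200 response whose body happens to start with "HTTP/" (the "direct" sample) is not mistaken for a proxy reply; the remaining edge, a framing-less 2xx whose body starts with "HTTP/", is the price of not having the transport tell the parser how many CONNECT hops it made.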
It is impossible to run wfuzz from outside of the wfuzz root folder. If you follow these steps:
$ git clone https://github.com/xmendez/wfuzz.git
$ git reset --hard 574caa52be514ae012a0bdbb41350bd999c9dc9c
$ python2 wfuzz/wfuzz.py
/home/nate/.bin/wfuzz: 2: /home/nate/.bin/wfuzz: source: not found
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
* *
* Version up to 1.4c coded by: *
* Christian Martorella ([email protected]) *
* Carlos del ojo ([email protected]) *
* *
* Version 1.4d to 2.1.3 coded by: *
* Xavier Mendez ([email protected]) *
********************************************************
Usage: /home/nate/.programs/wfuzz/wfuzz.py [options] -z payload,params <url>
Type wfuzz.py -h for further information.
Fatal exception: You must specify a payload and a URL
No handlers could be found for logger "libraries.FileLoader"
Traceback (most recent call last):
File "/home/nate/.programs/wfuzz/wfuzz.py", line 52, in <module>
Facade().sett.save()
File "/home/nate/.programs/wfuzz/patterns/singleton.py", line 13, in __call__
class_.instance = super(Singleton, class_).__call__(*args, **kwargs)
File "/home/nate/.programs/wfuzz/framework/core/facade.py", line 51, in __init__
raise FuzzException(FuzzException.FATAL, "Error loading plugins: %s" % str(e))
framework.core.myexception.FuzzException: Error loading plugins: No module named printers
Hello. Your tool is amazing, but I often get the following error:
Fatal exception: Pycurl error 28: Connection timed out after 90000 milliseconds
What about adding option to retry connection if it fails?
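The retry requested above, together with the per-request timeout and the request throttling asked for in two earlier issues on this page, fit in one small request loop. This is an added example (my own code, not wfuzz's): the transport is passed in as a function so the loop runs offline here against a constructed fake server, and a real run would pass a function that performs the request with pycurl or urllib and honours the timeout argument. The back-off schedule, the fake server's behaviour and the status 0 convention for an unanswered request (matching the C=000 rows on this page) are my assumptions.

```python
# Added example (not wfuzz's own code): a request loop with a maximum
# per-request timeout, a fixed delay between requests to stay under a
# server's rate limit, and a bounded retry with exponential back-off when a
# request times out or the server answers 503. The transport is a function
# argument so the loop runs offline against a constructed fake server.
import time


class RequestTimeout(Exception):
    """Raised by a transport when the request exceeded its timeout."""


def send_with_retry(send, url, timeout, retries=3, base_delay=0.5, backoff=2.0,
                    sleep=time.sleep):
    """Return (status, attempts). status 0 means no answer, like wfuzz's C=000.

    Retries on RequestTimeout and on 503, sleeping base_delay * backoff**n
    before retry n, and gives up after `retries` extra attempts.
    """
    status, attempts = 0, 0
    for attempt in range(retries + 1):
        attempts += 1
        try:
            status = send(url, timeout)
        except RequestTimeout:
            status = 0
        if status not in (0, 503):
            break
        if attempt < retries:
            sleep(base_delay * backoff ** attempt)
    return status, attempts


def fuzz_all(send, template, payloads, timeout=10.0, req_delay=0.0, **retry_opts):
    """Send template with FUZZ replaced by each payload, pausing req_delay
    seconds between consecutive requests; returns [(payload, status, attempts)]."""
    sleep = retry_opts.get("sleep", time.sleep)
    results = []
    for i, payload in enumerate(payloads):
        if i and req_delay:
            sleep(req_delay)
        status, attempts = send_with_retry(
            send, template.replace("FUZZ", payload), timeout, **retry_opts)
        results.append((payload, status, attempts))
    return results


def make_fake_server(flaky_hits=2):
    """Constructed stand-in for the network: /admin answers 503 to its first
    `flaky_hits` requests, /slow times out once, everything else answers 200."""
    hits = {}

    def send(url, timeout):
        path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
        hits[path] = hits.get(path, 0) + 1
        if path == "admin" and hits[path] <= flaky_hits:
            return 503
        if path == "slow" and hits[path] == 1:
            raise RequestTimeout("no reply within %ss" % timeout)
        return 200

    return send


if __name__ == "__main__":
    server = make_fake_server()
    for row in fuzz_all(server, "http://target/FUZZ", ["admin", "slow", "index"],
                        timeout=5, req_delay=0.1):
        print("%-8s status=%d attempts=%d" % row)
```

Keeping the sleep function injectable is what makes the schedule testable without waiting: the test below records the delays instead of sleeping them.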
Hello,
I have a question about recursion, what is the default recursion level and how can we stop recursion? -R0 does not seem to work.
Thanks in advance,
Hello,
It would be great if the Request output field could follow the provided target format.
Let's say that I would like to fuzz multiple sites through the format URL/blabla/wordlist.
So I use that following command with wfuzz:
$ python wfuzz.py -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z
with:
url.txt
:
http://google.fr
https://bing.com
wlist.txt
:
test
To date, it gives me that output:
$ python wfuzz.py -w url.txt -w wlist.txt FUZZ/blabla/FUZ2Z
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
********************************************************
Target: http://FUZZ/blabla/FUZ2Z
Total requests: 2
==================================================================
ID Response Lines Word Chars Request
==================================================================
00000: C=404 11 L 72 W 1572 Ch "http://google.fr - test"
00001: C=301 0 L 0 W 0 Ch "https://bing.com - test"
The Request field is misleading and does not reflect the provided pattern; it would be better if it could be something like below, in order to ease the use of the results:
==================================================================
ID Response Lines Word Chars Request
==================================================================
00000: C=404 11 L 72 W 1572 Ch "http://google.fr/blabla/test"
00001: C=301 0 L 0 W 0 Ch "https://bing.com/blabla/test"
This remark is especially true while using the csv printer:
$ python wfuzz.py -w url.txt -w wlist.txt -o csv FUZZ/blabla/FUZ2Z
id,response,lines,word,chars,request,success
0,404,11,72,1572,http://google.fr - test,1
1,301,0,0,0,https://bing.com - test,1
Cheers !
Hello,
Last but not least, it would be great to be able to specify a regex for the filter option.
I'm facing a lot of situations where, for instance, I'd like to hide any request returning a 4xx status code (mostly during large engagements, when you enumerate URLs for a lot of targets).
Today I can only use the logic you implemented for filter: =,<,>,!=,<=,>=.
Tomorrow I'd like to type --filter c!=4.*.* or --filter c!=4**
Cheers guys !
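An added example (my own code, not wfuzz's filter language) of what the request above asks for: a result filter over the fields c (code), l (lines), w (words) and h (chars) that accepts the comparison operators the poster lists and adds a regex match, so "hide every 4xx" becomes c!~4.. . The ~ and !~ operators, the and/or combination rules and the sample result rows are assumptions for this demonstration.

```python
# Added example (not wfuzz's own code): a result filter with the comparison
# operators =, !=, <, >, <=, >= on the fields c, l, w, h, plus a regex match
# (~ and !~) so "hide every 4xx" can be written as c!~4.. . The "~" syntax and
# the result rows are my own choice here, not wfuzz's filter language.
import re

FIELDS = {"c": "code", "l": "lines", "w": "words", "h": "chars"}
CLAUSE = re.compile(r"^\s*([clwh])\s*(!~|~|!=|<=|>=|=|<|>)\s*(\S+)\s*$")
NUMERIC = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
}


def parse_clause(text):
    """Turn 'c!~4..' or 'l>10' into a predicate over a result dict."""
    match = CLAUSE.match(text)
    if not match:
        raise ValueError("bad filter clause %r" % text)
    field, op, value = match.groups()
    key = FIELDS[field]
    if op in ("~", "!~"):
        pattern = re.compile(value)  # compiled once; fullmatch anchors both ends
        want = op == "~"
        return lambda row: (pattern.fullmatch(str(row[key])) is not None) == want
    number = int(value)
    return lambda row: NUMERIC[op](row[key], number)


def compile_filter(expr):
    """'a and b or c' -> predicate; 'and' binds tighter than 'or'."""
    alternatives = []
    for disjunct in re.split(r"\s+or\s+", expr.strip()):
        alternatives.append([parse_clause(c) for c in re.split(r"\s+and\s+", disjunct)])
    return lambda row: any(all(p(row) for p in conj) for conj in alternatives)


def apply_filter(expr, rows):
    """Keep the rows for which expr holds (a --filter style 'show' filter)."""
    keep = compile_filter(expr)
    return [row for row in rows if keep(row)]


SAMPLE_ROWS = [  # constructed results: one dict per request
    {"payload": "admin", "code": 200, "lines": 98, "words": 240, "chars": 4636},
    {"payload": "backup", "code": 403, "lines": 9, "words": 19, "chars": 284},
    {"payload": "old", "code": 404, "lines": 11, "words": 72, "chars": 1572},
    {"payload": "api", "code": 301, "lines": 0, "words": 0, "chars": 0},
    {"payload": "cgi", "code": 500, "lines": 4, "words": 23, "chars": 178},
]

if __name__ == "__main__":
    for expr in ("c!~4..", "c>=400 and c<500", "c=301 or h>4000"):
        print(expr, "->", [r["payload"] for r in apply_filter(expr, SAMPLE_ROWS)])
```

The regex is matched against the field rendered as a string and anchored with fullmatch, so c~4.. means exactly three digits starting with 4 and cannot accidentally match a 14xx-style value or a substring of a longer field.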
Hi
I'm checking the JSON output format and it seems like the response code is not returned.
I have an output like this
{'description': 'master', 'postdata': {}, 'url': u'myurl, 'chars': 233, 'lines': 4, 'server': 'Werkzeug/0.11.15 Python/2.7.12', 'location': '', 'words': 34}
When Python comes from Homebrew, it's /usr/local/bin/python instead of /usr/bin/python, so using /usr/bin/env python could improve compatibility.
Hi
I'm trying the printer option in the library and it doesn't seem to work correctly.
According to the doc, it says:
-o filename,printer equals to printer=('printer', 'filename')
I don't want to specify filename, just the format of the report. It still needs the filename.
On top of that, the order is incorrect. It is printer=(filename,printer). See below:
for r in wfuzz.get_payload(["GET","HEAD","POST","TRACE","OPTIONS"]).fuzz(url='http://localhost:5000/', method="FUZZ", printer=("t2","json")):
    print r
And to finish, it doesn't do anything, it prints r in the default format, and t2 is empty.
Let me know if I can help to solve any of the issues, as I find the tool quite useful.
Thanks