Wfuzz 3.1.0 - The Web Fuzzer

Version up to 1.4c coded by:
  Christian Martorella (cmartorella@edge-security.com)
  Carlos del ojo (deepbit@gmail.com)

Version 1.4d to 3.1.0 coded by:
  Xavier Mendez (xmendez@edge-security.com)
Usage: wfuzz [options] -z payload,params
FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of the specified payload.
FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.
Examples:
wfuzz -c -z file,users.txt -z file,pass.txt --sc 200 http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z
wfuzz -c -z range,1-10 --hc=BBB http://www.site.com/FUZZ{something not there}
wfuzz --script=robots -z list,robots.txt http://www.webscantest.com/FUZZ
Installation
pip3 install wfuzz
Options
| Option | Description |
| --- | --- |
| -c | Colour the output |
| -z | Specify the payload that replaces FUZZ in the request. For example, -z file,big.txt reads every line of big.txt and substitutes each one for FUZZ |
| --hc | Hide responses with the given HTTP response code(s) |
| --hl | Hide responses with the given number of lines |
| --hw | Hide responses with the given number of words |
Practice
We can see that when note.txt does not exist the server returns a 404 with 57 words. Let's hide those responses by setting --hw to 57.
000011138:   404   6 L   57 W   545 Ch   "lp1"
000011140:   404   6 L   57 W   548 Ch   "lpages"
000011137:   404   6 L   57 W   544 Ch   "lp"
000011134:   404   6 L   57 W   545 Ch   "low"
000011136:   404   6 L   57 W   549 Ch   "loyalty"
000011181:   404   6 L   57 W   544 Ch   "lz"
000011183:   404   6 L   57 W   544 Ch   "m1"
000011187:   404   6 L   57 W   545 Ch   "m2m"
000011195:   404   6 L   57 W   548 Ch   "mac-ad"
000011194:   404   6 L   57 W   545 Ch   "mac"
000011196:   404   6 L   57 W   550 Ch   "macadmin"
So the command is
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hw 57 http://10.10.211.133:81/FUZZ/note.txt
And that finds the flag!
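To make it clear why filtering on the W column works while the Ch column keeps changing, here is a small Python emulation of the two mechanisms this page relies on: FUZZ / FUZnZ / FUZZ{baseline} substitution from the usage section, and the --hc/--hl/--hw/--hh hide filters from the practice section. This is an added example, not code from the wfuzz project, and it talks to no network: `fake_server`, `NOT_FOUND_TEMPLATE`, the `flag{constructed-example}` body and the short word list are all constructed stand-ins for the target, and the counting rules in `metrics` are an approximation of how wfuzz derives its L / W / Ch columns.

```python
"""Emulation of wfuzz keyword substitution and --hc/--hl/--hw/--hh filtering.
Constructed example: no network; the 'server' is a plain function below."""
import itertools
import re
from dataclasses import dataclass

# FUZZ, FUZ2Z, FUZ3Z ... with an optional {baseline} suffix.
KEYWORD_RE = re.compile(r"FUZ(\d*)Z(?:\{([^}]*)\})?")


def _keyword_index(m):
    """FUZZ -> 1, FUZ2Z -> 2, ..."""
    return int(m.group(1)) if m.group(1) else 1


def expand_requests(template, payloads):
    """Yield (request, payload_tuple) for every combination of payloads,
    FUZZ taking values from payloads[0], FUZ2Z from payloads[1] and so on
    (wfuzz's default product iterator). A FUZZ{value} marker makes one
    extra baseline request first, in which each keyword is replaced by its
    braced value (assumption: a keyword without a baseline becomes "")."""
    baseline = {_keyword_index(m): m.group(2)
                for m in KEYWORD_RE.finditer(template) if m.group(2) is not None}
    combos = []
    if baseline:
        combos.append(tuple(baseline.get(i, "") for i in range(1, len(payloads) + 1)))
    combos.extend(itertools.product(*payloads))
    for combo in combos:
        yield KEYWORD_RE.sub(lambda m: combo[_keyword_index(m) - 1], template), combo


def metrics(body):
    """Line, word and char counts the way the L / W / Ch columns report them
    (approximation): newline count, whitespace-separated tokens, total length."""
    return body.count("\n"), len(body.split()), len(body)


@dataclass
class Result:
    idx: int
    code: int
    lines: int
    words: int
    chars: int
    payload: str


def run(template, payloads, server, hc=(), hl=(), hw=(), hh=()):
    """Expand the template, fetch each request through `server` (a callable
    returning (status, body)) and drop every response whose code, line count,
    word count or char count is listed in hc / hl / hw / hh, i.e. the
    semantics of --hc/--hl/--hw/--hh. Returns the results that stay visible."""
    kept = []
    for idx, (path, combo) in enumerate(expand_requests(template, payloads)):
        code, body = server(path)
        lines, words, chars = metrics(body)
        if code in hc or lines in hl or words in hw or chars in hh:
            continue
        kept.append(Result(idx, code, lines, words, chars, combo[0]))
    return kept


def format_result(r):
    """Render one visible result in the column layout wfuzz prints."""
    return f'{r.idx:09d}:   {r.code}   {r.lines:4d} L   {r.words:4d} W   {r.chars:5d} Ch   "{r.payload}"'


# Constructed stand-in for the target host: every directory except "notes"
# answers with a 404 page that echoes the requested path, so Ch varies with
# the payload length while L and W stay constant, exactly the pattern seen
# in the practice output above.
NOT_FOUND_TEMPLATE = (
    "<!DOCTYPE html>\n"
    "<html><head><title>404 Not Found</title></head>\n"
    "<body><h1>Not Found</h1>\n"
    "<p>The requested URL {path} was not found on this server.</p>\n"
    "<hr><address>Constructed sample server</address>\n"
    "</body></html>\n"
)


def fake_server(path):
    """Constructed target: only /notes/note.txt exists."""
    if path == "/notes/note.txt":
        return 200, "flag{constructed-example}\n"
    return 404, NOT_FOUND_TEMPLATE.format(path=path)


if __name__ == "__main__":
    wordlist = ["lp1", "lpages", "lp", "notes", "mac-ad"]  # constructed stand-in for big.txt
    # First pass without filters: read the W column of the 404 noise.
    noise_words = {r.words for r in run("/FUZZ/note.txt", [wordlist], fake_server) if r.code == 404}
    # Second pass hides that word count, as the post does with --hw 57.
    for r in run("/FUZZ/note.txt", [wordlist], fake_server, hw=tuple(noise_words)):
        print(format_result(r))
```

Two things worth checking before trusting a --hw filter on a real run: read the word count off an actual miss (the FUZZ{baseline} request is the cleanest way to get one), and remember that any real file whose body happens to have the same number of words is hidden too, so when the 404 page is stable it is safer to combine --hc 404 with the word filter rather than rely on --hw alone.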