Introduzione:

Wfuzz è uno strumento di pentesting open source che viene usato per scoprire vulnerabilità in un sistema o addirittura un applicazione web.
Funziona inviando richieste HTTP a un server, modificando parametri in modo che il server inizi a comportarsi in modo anomalo, esempio restituendo un codice di stato HTTP diverso dal normale funzionamento, in poche parole ci mettiamo nei panni dell'attaccante.

Dipendenze:

  • python3
  • python3-chardet
  • python3-distutils
  • python3-pycurl
  • python3-pyparsing
  • python3-six

Comandi base:

  • -c: puoi decidere se il tool deve o meno utilizzare i cookie.
  • -h: imponi un intestazione HTTP da inviare con la richiesta.
  • -H: intestazione aggiuntiva da inviare con la richiesta.
  • -o: per selezionare il formato dell'output che preferisci per visualizzare i risultati del test.
  • -p: file che contiene i parametri da utilizzare per la richiesta.
  • -s: per dare il codice di stato HTTP che wfuzz deve cercare nella risposta del server.
  • -u: per scrivere l'URL della richiesta da inviare al server.

Tutti i comandi:

root@kali:~# wfuzz --help
default
default
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
*                                                      *
* Version up to 1.4c coded by:                         *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com)                   *
*                                                      *
* Version 1.4d to 3.1.0 coded by:                      *
* Xavier Mendez (xmendez@edge-security.com)            *
********************************************************

Usage:	wfuzz [options] -z payload,params <url>

	FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload.
	FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.


Options:
	-h/--help                 : This help
	--help                    : Advanced help
	--filter-help             : Filter language specification
	--version                 : Wfuzz version details
	-e <type>                 : List of available encoders/payloads/iterators/printers/scripts
	
	--recipe <filename>       : Reads options from a recipe. Repeat for various recipes.
	--dump-recipe <filename>  : Prints current options as a recipe
	--oF <filename>           : Saves fuzz results to a file. These can be consumed later using the wfuzz payload.
	
	-c                        : Output with colors
	-v                        : Verbose information.
	-f filename,printer       : Store results in the output file using the specified printer (raw printer if omitted).
	-o printer                : Show results using the specified printer.
	--interact                : (beta) If selected,all key presses are captured. This allows you to interact with the program.
	--dry-run                 : Print the results of applying the requests without actually making any HTTP request.
	--prev                    : Print the previous HTTP requests (only when using payloads generating fuzzresults)
	--efield <expr>           : Show the specified language expression together with the current payload. Repeat for various fields.
	--field <expr>            : Do not show the payload but only the specified language expression. Repeat for various fields.
	
	-p addr                   : Use Proxy in format ip:port:type. Repeat option for using various proxies.
	                            Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
	
	-t N                      : Specify the number of concurrent connections (10 default)
	-s N                      : Specify time delay between requests (0 default)
	-R depth                  : Recursive path discovery being depth the maximum recursion level.
	-D depth                  : Maximum link depth level.
	-L,--follow               : Follow HTTP redirections
	--ip host:port            : Specify an IP to connect to instead of the URL's host in the format ip:port
	-Z                        : Scan mode (Connection errors will be ignored).
	--req-delay N             : Sets the maximum time in seconds the request is allowed to take (CURLOPT_TIMEOUT). Default 90.
	--conn-delay N            : Sets the maximum time in seconds the connection phase to the server to take (CURLOPT_CONNECTTIMEOUT). Default 90.
	
	-A, --AA, --AAA           : Alias for -v -c and --script=default,verbose,discover respectively
	--no-cache                : Disable plugins cache. Every request will be scanned.
	--script=                 : Equivalent to --script=default
	--script=<plugins>        : Runs script's scan. <plugins> is a comma separated list of plugin-files or plugin-categories
	--script-help=<plugins>   : Show help about scripts.
	--script-args n1=v1,...   : Provide arguments to scripts. ie. --script-args grep.regex="<A href=\"(.*?)\">"
	
	-u url                    : Specify a URL for the request.
	-m iterator               : Specify an iterator for combining payloads (product by default)
	-z payload                : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
	                            A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
	                            Encoders category can be used. ie. url
	                            Use help as a payload to show payload plugin's details (you can filter using --slice)
	--zP <params>             : Arguments for the specified payload (it must be preceded by -z or -w).
	--zD <default>            : Default parameter for the specified payload (it must be preceded by -z or -w).
	--zE <encoder>            : Encoder for the specified payload (it must be preceded by -z or -w).
	--slice <filter>          : Filter payload's elements using the specified expression. It must be preceded by -z.
	-w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
	-V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
	-X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ
	
	-b cookie                 : Specify a cookie for the requests. Repeat option for various cookies.
	-d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
	-H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ"). Repeat option for various headers.
	--basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
	
	--hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
	--sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
	--ss/hs regex             : Show/hide responses with the specified regex within the content
	--filter <filter>         : Show/hide responses using the specified filter expression (Use BBB for taking values from baseline)
	--prefilter <filter>      : Filter items before fuzzing using the specified expression. Repeat for concatenating filters.

Esempi

  • Trovare file o directory nascosti su un server web:
    wfuzz -c -w wordlist.txt -u http://ethicalhacking.freeflarum.com/FUZZ

  • Trovare input di form non validati che possono essere sfruttati per vulnerabilità SQL:
    wfuzz -c -w wordlist.txt -d "username=admin&password=FUZZ" -u http://ethicalhacking.freeflarum.com/login.php

  • Trovare parametri di query non filtrati che possono essere utilizzati per la reflective XSS:
    wfuzz -c -w wordlist.txt -u "http://ethicalhacking.freeflarum.com/search?q=FUZZ"

Conclusioni:

Wfuzz è un tool molto utile per i pentester, per scoprire possibili vulnerabilità, con un utilizzo abbastanza semplice.
È giusto precisare che utilizzare questi tool senza autorizzazione o a scopo malevolo è illegale e può comportare conseguenze legali.

Fondatori

Samueleex Giulio_M

 

Powered by: FreeFlarum.
(remove this footer)