Wfuzz的使用
Wfuzz的使用
再fuzzing领域,最流行的是再二进制漏洞挖掘,后面也出来webfuzz,就是今天的wfuzz,其实有些在web领域算是暴力,但是说fuzz也没毛病。安装及简介直接pip安装即可代码语言:javascript代码运行次数:0运行复制pip install wfuzzkali的话是自带了的或者直接下载源码,字典什么的比较好代码语言:javascript代码运行次数:0运行复
Wfuzz的使用
再fuzzing领域,最流行的是再二进制漏洞挖掘,后面也出来webfuzz,就是今天的wfuzz,其实有些在web领域算是暴力,但是说fuzz也没毛病。
安装及简介
直接pip安装即可
代码语言:javascript代码运行次数:0运行复制pip install wfuzzkali的话是自带了的
或者直接下载源码,字典什么的比较好
代码语言:javascript代码运行次数:0运行复制git clone .git官方文档:/
Wfuzz的核心理念是用给定的payload去替换HTTP请求中的占位符,从而发现潜在的安全问题,例如可预测的认证、注入漏洞、路径遍历、跨站脚本等
使用
-w wordlist : Specify a wordlist file (alias for -z file,wordlist).wfuzz -w wordlist/general/ 不过速度比御剑那些还是慢点,而且信息可读性低,没有汇总返回包200或者01等情况,可以使用–hc过滤掉404
代码语言:javascript代码运行次数:0运行复制wfuzz -w wordlist/general/ --hc 404 --hc/hl/hw/hh [,]+ : Hide respes with the specified code/lines/words/chars (Use BBB for taking values from baseline)-c : Output with colors
-Z 指定要在扫描模式下输入的 URL,并忽略任何连接错误
--hc XXX 过滤掉不存在的子域名$ wfuzz -c -Z -w wordlist/general/ --hc XXX
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target: /
Total requests: 951
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
00000096: 200 7 L 260 W 4018 Ch "www"
Total time: 0
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 0或者自己提供一个简单的列表来爆破
代码语言:javascript代码运行次数:0运行复制$ wfuzz -z list,www-testphp-admin-svn /
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target: /
Total requests: 4
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
000000001: 200 7 L 260 W 4018 Ch "www"
000000002: 200 109 L 88 W 4958 Ch "testphp"
Total time: 0
Processed Requests: 2
Filtered Requests: 0
Requests/sec.: 0
/usr/lib/python/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 52: Empty reply from serverwfuzz -w wordlist/general/ -w wordlist/general/ -w wordlist/general/extensi_ --hc 404 每个字典对应后面的FUZZ 、FUZ2Z 和 FUZZ
-d postdata : Use post data (ex: "id=FUZZ&catalogue=1")$ wfuzz -z file,wordlist/others/common_ -d "uname=FUZZ&pass=FUZZ" --hc 02 .php
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target: .php
Total requests: 52
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
000000044: 200 119 L 448 W 5969 Ch "test - test"
Total time: 0
Processed Requests: 52
Filtered Requests: 51
Requests/sec.: 0$ wfuzz -w wordlist/general/ -d "uname=FUZZ&pass=FUZZ" --hc 02 .php
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target: .php
Total requests: 951
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
00000080: 200 119 L 448 W 5985 Ch "test - test"
Total time: 44.66879
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 21.2900-b cookie : Specify a cookie for the requests带上cookie去请求
代码语言:javascript代码运行次数:0运行复制$ wfuzz -z file,wordlist/general/ -b "login=test%2Ftest" --hc 404 fuzz cookie
代码语言:javascript代码运行次数:0运行复制wfuzz -z file,wordlist/general/ -b login=FUZZ /$ wfuzz -w wordlist/Injecti/ -H "X-Forwarded-By: 127.0.0.1FUZZ" /
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target: /
Total requests: 125
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
000000014: 200 109 L 88 W 4958 Ch "\xD%20\xB'"
000000012: 200 109 L 88 W 4958 Ch "\x2"
00000000: 200 109 L 88 W 4958 Ch "#"
000000007: 200 109 L 88 W 4958 Ch "--';"
000000001: 200 109 L 88 W 4958 Ch "'"
000000016: 200 109 L 88 W 4958 Ch "\x27\x4F\x52 SELECT *"
000000011: 200 109 L 88 W 4958 Ch "=%20--"
000000010: 200 109 L 88 W 4958 Ch "=%20;"
00000001: 200 109 L 88 W 4958 Ch "\x27"$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIOS -X FUZZ /
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target: /
Total requests: 5
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
000000002: 200 0 L 0 W 0 Ch "HEAD - HEAD"
000000005: 405 7 L 11 W 157 Ch "OPTIOS - OPTIOS"
000000001: 200 109 L 88 W 4958 Ch "GET - GET"
00000000: 200 109 L 88 W 4958 Ch "POST - POST"
000000004: 405 7 L 11 W 157 Ch "TRACE - TRACE"
Total time: 0
Processed Requests: 5
Filtered Requests: 0
Requests/sec.: 0比如下面可以给到burp
代码语言:javascript代码运行次数:0运行复制wfuzz -z file,wordlist/general/ -p localhost:8080 下面是SOCKS5代理的例子
代码语言:javascript代码运行次数:0运行复制wfuzz -z file,wordlist/general/ -p localhost:9500:SOCKS5 代码语言:javascript代码运行次数:0运行复制–basic:提供基本的用户名和密码验证 –ntlm:Windows 身份验证 –digest:通过摘要访问进行网络服务器协商
$ wfuzz -z list,nonvalid-httpwatch --basic FUZZ:FUZZ .aspx
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target: .aspx
Total requests: 2
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
000000001: 401 0 L 11 W 58 Ch "nonvalid - nonvalid"
000000002: 200 20 L 159 W 507 Ch "httpwatch - httpwatch"
Total time: 0
Processed Requests: 2
Filtered Requests: 0
Requests/sec.: 0$ wfuzz -z file,wordlist/general/,md5
********************************************************
* Wfuzz .1.0 - The Web Fuzzer *
********************************************************
Target:
Total requests: 951
=====================================================================
ID Respe Lines Word Chars Payload
=====================================================================
000000001: 404 7 L 11 W 15 Ch "518ed2952578cebdac49c49e60ea9d"
000000009: 404 7 L 11 W 15 Ch "a9b7ba7078b617e9998dc4dd82ebc5"
000000004: 404 7 L 11 W 15 Ch "a2ef406e2c251e0b9e80029c909242d"
000000005: 404 7 L 11 W 15 Ch "e45ee7ce7e88149af8dd2b27f9512ce"
000000008: 404 7 L 11 W 15 Ch "f89919df5e10599641415e770c6dd"
00000000: 404 7 L 11 W 15 Ch "96abecf272e017046d1b2674a52bd"
000000010: 404 7 L 11 W 15 Ch "202cb962ac59075b964b07152d24b70"
000000002: 404 7 L 11 W 15 Ch "b4b147bc52282871f1a016bfa72c07"
000000007: 404 7 L 11 W 15 Ch "dd9446802a44259755d8e6d16e820"参考
/
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。 原始发表:2024-08-1,如有侵权请联系 cloudcommunity@tencent 删除httpcomrequests测试代理#感谢您对电脑配置推荐网 - 最新i3 i5 i7组装电脑配置单推荐报价格的认可,转载请说明来源于"电脑配置推荐网 - 最新i3 i5 i7组装电脑配置单推荐报价格
上传时间: 2025-07-24 11:43:55
推荐阅读
| 留言与评论(共有 10 条评论) |
| 本站网友 天津达沃斯论坛 | 16分钟前 发表 |
| 127.0.0.1FUZZ" / ******************************************************** * Wfuzz .1.0 - The Web Fuzzer * ******************************************************** Target | |
| 本站网友 骨胶原 | 8分钟前 发表 |
| wordlist/general/ -b "login=test%2Ftest" --hc 404 fuzz cookie代码语言:javascript代码运行次数:0运行复制wfuzz -z file | |
| 本站网友 背背佳怎么穿 | 18分钟前 发表 |
| wordlist/general/ -b login=FUZZ /HEADER模糊测试代码语言:javascript代码运行次数:0运行复制$ wfuzz -w wordlist/Injecti/ -H "X-Forwarded-By | |
| 本站网友 老鬼 | 28分钟前 发表 |
| 没有汇总返回包200或者01等情况 | |
| 本站网友 黑鹰安全网 | 23分钟前 发表 |
| 404 7 L 11 W 15 Ch "202cb962ac59075b964b07152d24b70" 000000002 | |
| 本站网友 广州治疗前列腺 | 26分钟前 发表 |
| FUZZ .aspx ******************************************************** * Wfuzz .1.0 - The Web Fuzzer * ******************************************************** Target | |
| 本站网友 曲靖二手房网 | 22分钟前 发表 |
| 没有汇总返回包200或者01等情况 | |
| 本站网友 葛兰素史克待遇 | 3分钟前 发表 |
| md5 ******************************************************** * Wfuzz .1.0 - The Web Fuzzer * ******************************************************** Target | |
| 本站网友 电热壶 | 10分钟前 发表 |
| 0 Processed Requests | |