WFUZZ
Basic Fuzzing:
- -c: coloured output.
- -t 200: 200 concurrent connections; aggressive, lower it on fragile targets.
- --hc 404: hide responses with status 404 (the other hide filters are --hh for body size in characters, --hw for word count, --hl for line count).
- -w: wordlist; IIS.fuzz.txt suits the Windows/IIS target here.
- FUZZ marks where each wordlist entry is substituted.

```shell
wfuzz -c -t 200 --hc 404 -w /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt -u http://10.10.10.203/FUZZ
```
Examples: Worker [[StreamIO#^a1b013]]
Subdomain (virtual host) fuzzing:
The IP stays fixed and only the Host header changes, so this finds name-based virtual hosts without touching DNS. Every non-existent name returns the server's default site, so that baseline response has to be hidden: --hw 55 hides responses with 55 words. Get the number by running once without --hw (or sending a bogus Host with curl) and reading the Words column of the catch-all response. Filter on words rather than --hh (characters) because a default page that echoes the requested hostname changes size with every word but keeps its word count.

```shell
wfuzz -c -t 200 --hw 55 --hc 403,404 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.worker.htb' -u http://worker.htb/
```
Examples: Worker [[StreamIO#^a1b013]]
Authenticated (cookie) fuzzing:
-b sends a valid session cookie with every request, so paths that only exist, or only return content, for a logged-in user are found; without it they would all look like redirects to the login page. --hh 703 hides the 703-byte catch-all response.

```shell
wfuzz -c -t 200 --hh 703 --hc 404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 'PHPSESSID=b4l3qrn1urotb80r5qbsvmrpge' -u https://streamio.htb/FUZZ
```
Examples: [[StreamIO#^8b6d87]]
Parameter fuzzing:
FUZZ sits in the query string, so each wordlist entry is tried as a GET parameter name on an already known page; --hw 131 hides the unchanged admin page, so anything that survives is a parameter the page reacts to. Quote the URL: an unquoted ? is a shell glob character. For POST parameters put the keyword in the body instead: -d 'FUZZ=1'.

```shell
wfuzz -c -t 200 --hw 131 --hc 404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 'PHPSESSID=b4l3qrn1urotb80r5qbsvmrpge' -u 'https://streamio.htb/admin/?FUZZ='
```
Examples: [[StreamIO#^f42c86]] [[StreamIO#^10fd58]]
DIRSEARCH
Fuzzing:
- -u: target URL.
- -e: comma-separated extensions. Wordlist entries containing %EXT% get each extension substituted there; plain entries are requested as-is unless -f is set.
- -x: status codes to exclude from the output.
- -t: number of threads.
- -w: wordlist.
- -r: recursive mode: every directory that is found is queued and brute-forced in turn. It does not parse HTML for links.
- -f (--force-extensions): append every extension from -e to every wordlist entry, not only to the ones carrying %EXT%.
- --random-agents: random User-Agent per request. Current releases spell this --random-agent; check python3 dirsearch.py -h for the installed version.
- -H 'Name: value' (--header): add a custom header; can be repeated. A fixed User-Agent header combined with random agents is contradictory, so use one or the other.
- There is no -k option; dirsearch does not verify TLS certificates, so self-signed hosts need no extra flag.

```shell
python3 dirsearch.py -u https://example.com/ -e php,asp,aspx,jsp,html,txt -x 403,404 -t 50 -w /path/to/wordlist.txt -r -f --random-agents
```
FFUF
Basic Fuzzing:
- -w: wordlist. FUZZ is in the path here, so use a directory/file list; a DNS subdomain list belongs to the vhost command below, not to this one.
- -u: target URL with the FUZZ keyword where payloads are injected.
- -H: extra request header, here an Authorization header with a bearer token.
- -t: number of threads (default 40).
- -recursion: when a hit looks like a directory (a redirect to the same path with a trailing slash), ffuf queues FUZZ/ as a new job. It does not follow links in HTML.
- -recursion-depth: maximum recursion depth, here 2 levels.
- -mc: comma-separated list of status codes to match (or all); a list, not a min/max range. Here 200, 301, 302 and 307.
- -ac: auto-calibration. Before the run ffuf requests a few random, non-existent values, records the status, size, words and lines of those baseline responses, and filters every result that looks the same. It replaces guessing -fs/-fw values by hand and has nothing to do with timing.
- -e: extensions appended to each word, written with the leading dot.
- -fc: filter out responses with these status codes. With -mc already limited to 200,301,302,307, -fc 404 is redundant but harmless.
- -p: delay between requests in seconds (0.5 here; a range such as 0.1-2.0 gives a random delay). It throttles the scan; it is not a progress setting.
- -o: output file. The format is JSON unless -of sets another one (html, csv, md, ecsv, all), so -o output.html on its own writes JSON into a file called output.html; add -of html for an HTML report.

```shell
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://example.com/FUZZ -H "Authorization: Bearer 123456789" -t 100 -recursion -recursion-depth 2 -mc 200,301,302,307 -ac -e .php,.txt,.html -fc 404 -p 0.5 -o output.html -of html
```
Subdomain Fuzzing:
Same vhost technique as the wfuzz example. Keep FUZZ out of the path: ffuf substitutes the keyword everywhere it appears, so http://IP/FUZZ would fuzz the path and the Host header at the same time. Every name returns the default site, so filter the baseline with -ac, or run once, note the size of the catch-all response and pass -fs <size>.

```shell
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.129.94.147/ -H "Host: FUZZ.inlanefreight.htb" -ac
```
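Both subdomain commands above (wfuzz with --hw 55 and ffuf with -ac) rely on the same trick: first learn what the default virtual host answers, then hide everything that matches it. The script below is an added example, not code from this page or from wfuzz/ffuf, that implements that calibration in Python so the filter logic is visible. The names fetch, calibrate, is_noise and fuzz_vhosts are this example's own, the domain example.htb and the responses served by fake_probe are constructed, and 10.0.0.1 is a placeholder address.

```python
"""Vhost fuzzer with the baseline filtering that wfuzz --hw / ffuf -ac perform.

Added example, not code from the page, wfuzz or ffuf. All function names are
this example's own; example.htb and the pages in fake_probe are constructed.
"""
import http.client
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Resp:
    """The four response properties the fuzzers filter on."""
    status: int   # --hc / -fc
    size: int     # --hh / -fs (bytes in the body)
    words: int    # --hw / -fw (whitespace-separated tokens)
    lines: int    # --hl / -fl


def summarize(status: int, body: bytes) -> Resp:
    text = body.decode("utf-8", "replace")
    return Resp(status, len(body), len(text.split()), text.count("\n"))


def fetch(url: str, host: str, timeout: float = 5.0) -> Resp:
    """GET url with an overridden Host header (what -H 'Host: FUZZ.domain' does)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"Host": host})
        r = conn.getresponse()
        return summarize(r.status, r.read())
    finally:
        conn.close()


def calibrate(probe):
    """Mimic ffuf -ac: request labels that cannot exist and record what the
    default vhost answers. Labels of different lengths are used on purpose: a
    catch-all page that echoes the hostname changes size but not word count,
    and only the fields that stay constant across the probes are safe to
    filter on (this is why the page's wfuzz example uses --hw, not --hh)."""
    samples = [probe(secrets.token_hex(n)) for n in (4, 8, 12)]
    stable = frozenset(
        f for f in ("status", "size", "words", "lines")
        if len({getattr(s, f) for s in samples}) == 1
    )
    return samples[0], stable


def is_noise(resp: Resp, baseline: Resp, stable, hide_codes=(403, 404)) -> bool:
    """True when the response should be hidden: --hc codes, or a match with the
    baseline on every field that calibration found stable."""
    if resp.status in hide_codes:
        return True
    # Nothing stable means the server answers randomly; then no baseline filter applies.
    return bool(stable) and all(getattr(resp, f) == getattr(baseline, f) for f in stable)


def fuzz_vhosts(url: str, domain: str, words, probe=None):
    """Return [(hostname, Resp)] for labels whose response differs from the baseline.
    probe(label) -> Resp is injectable so the logic can be exercised offline."""
    if probe is None:
        probe = lambda label: fetch(url, f"{label}.{domain}")
    baseline, stable = calibrate(probe)
    hits = []
    for w in words:
        r = probe(w)
        if not is_noise(r, baseline, stable):
            hits.append((f"{w}.{domain}", r))
    return hits


def fake_probe(label: str) -> Resp:
    """Constructed stand-in for a server: a catch-all page that echoes the
    requested hostname, one real vhost ('dev') and one forbidden vhost ('admin')."""
    if label == "dev":
        return summarize(200, b"<html><body><h1>Dev portal</h1><p>login required</p></body></html>\n")
    if label == "admin":
        return summarize(403, b"Forbidden\n")
    page = f"<html><body><h1>Default site</h1><p>No such host: {label}.example.htb</p></body></html>\n"
    return summarize(200, page.encode())


if __name__ == "__main__":
    # Offline run against the constructed server; pass probe=None to send real requests.
    for host, r in fuzz_vhosts("http://10.0.0.1/", "example.htb", ["www", "dev", "admin", "mail"], probe=fake_probe):
        print(f"{host:25} status={r.status} size={r.size} words={r.words} lines={r.lines}")
```

Run as-is it reports only dev.example.htb: www and mail match the catch-all on status, words and lines, and admin is hidden by the 403 rule. Calibration sees three different sizes for the echoing default page, so size is dropped from the filter and the comparison is made on words and status instead, which is exactly the situation --hw 55 handles against worker.htb. Pass probe=None to let fetch send real requests with the Host header overridden.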