史上最详[ZI]细[DUO]的wfuzz中文教程(四)—— wfuzz 库

Posted on Edited on In

本文已在丁牛网安实验室FreeBuf专栏 DigApis安全 中首发!引用转发请注明 “原文来自:DigApis安全 m0nst3r”字样,谢谢!

[TOC]

wfuzz 库

wfuzz库参数

在wfuzz库中包含所有 wfuzz命令行的参数。

CLI Option Library Option
<URL> url=”url”
–recipe <filename> recipe=”filename”
-oF <filename> save=”filename”
-f filename,printer printer=(“filename”,”printer”)
–dry-run dryrun=True
-p addr proxies=[(“ip”,”port”,”type”)]
-t N concurrent=N
-s N delay=0.0
-R depth rlevel=depth
–follow follow=True
-Z scanmod=True
–req-delay N req_delay=N
–conn-delay N conn_delay=N
–script=<plugins> script=”plugins”
–script-args n1=v1,… script_args={n1:v1,}
-m iterator iterator=”iterator”
-z payload payloads=[(“name”,{default=””,encoder=[“md5”]},slice=””),]
-V alltype allvars=”alltype”
-X method method=”method”
–hc/hl/hw/hh N[,N]+ hc/hl/hw/hh=[N,N]
–sc/sl/sw/sh N[,N]+ sc/sl/sw/sh=[N,N]
–ss/hs regex ss/hs=”regex”
–filter <filter> filter=”filter exp”
–prefilter <filter> prefilter=”filter exp”
-b cookie cookie=[“cookie1=value1”,]
-d postdata postdata=”postdata”
-H header headers=[(“header1”,”value1”),]
–basic/ntlm/digest auth auth=(“basic”,”user:pass”)

这些参数可以在这些主库的接口中直接使用:fuzz, payload, session

测试一个URL

使用wfuzz库来测试一个URL是很简单的,首先,导入库文件:

1
2
3
4
5
6
┌─[michael@parrot]─[~]
└──╼ $python
Python 2.7.14+ (default, Feb  6 2018, 19:12:18) 
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wfuzz

现在,来体验一下使用库进行目录扫描是什么感觉:

1
2
3
4
5
6
7
8
>>> import wfuzz
>>> for r in wfuzz.fuzz(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
...     print r
...
00060:  C=301      7 L        12 W          184 Ch        "admin"
00183:  C=403     10 L        29 W          263 Ch        "cgi-bin"
00429:  C=301      7 L        12 W          184 Ch        "images"
...

扫描后,我们就得到了一个FuzzResult的对象r,从中我们可以得到所有的信息。

FuzzSession对象

FuzzSession对象拥有wfuzz API的所有函数方法。
FuzzSession对象允许我们在测试会话中获取一些参数。

1
2
3
4
5
6
7
8
>>> import wfuzz
>>> s=wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ")
>>> for r in s.fuzz(hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
...     print r
...
00060:  C=301      7 L        12 W          184 Ch        "admin"
00183:  C=403     10 L        29 W          263 Ch        "cgi-bin"
...

FuzzSession对象还可以当作上下文管理器来使用:

1
2
3
4
5
6
>>> with wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]) as s:
...     for r in s.fuzz():
...             print r
...
00295:  C=301      7 L        12 W          184 Ch        "admin"
00418:  C=403     10 L        29 W          263 Ch        "cgi-bin"

生成Payload

get_payload方法可以生成wfuzz的payload,这是一个在不使用wfuzz payload plugins的情况下,使用编程的方法获得payload的方便快速的途径。

1
2
3
4
5
6
7
8
9
10
>>> import wfuzz
>>> for r in wfuzz.get_payload(range(5)).fuzz(url="http://testphp.vulnweb.com/FUZZ"):
...     print r
...
00012:  C=404      7 L        12 W          168 Ch        "0"
00013:  C=404      7 L        12 W          168 Ch        "1"
00014:  C=404      7 L        12 W          168 Ch        "2"
00015:  C=404      7 L        12 W          168 Ch        "3"
00016:  C=404      7 L        12 W          168 Ch        "4"
>>>

这个方法在需要多个payloads的时候可以这样使用:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
>>> import wfuzz
>>> for r in wfuzz.get_payloads([range(5), ["a","b"]]).fuzz(url="http://testphp.vulnweb.com/FUZZ/FUZ2Z"):
...     print r
...
00028:  C=404      7 L        12 W          168 Ch        "4 - b"
00027:  C=404      7 L        12 W          168 Ch        "4 - a"
00024:  C=404      7 L        12 W          168 Ch        "2 - b"
00026:  C=404      7 L        12 W          168 Ch        "3 - b"
00025:  C=404      7 L        12 W          168 Ch        "3 - a"
00022:  C=404      7 L        12 W          168 Ch        "1 - b"
00021:  C=404      7 L        12 W          168 Ch        "1 - a"
00020:  C=404      7 L        12 W          168 Ch        "0 - b"
00023:  C=404      7 L        12 W          168 Ch        "2 - a"
00019:  C=404      7 L        12 W          168 Ch        "0 - a"
>>>

生成Session

get_session方法可以使用命令行的参数来生成编程下的 FuzzSession 对象。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
>>> import wfuzz
>>> for r in wfuzz.get_session("-z range,0-10 http://testphp.vulnweb.com/FUZZ").fuzz():
...     print r
...
00002:  C=404      7 L        12 W          168 Ch        "1"
00011:  C=404      7 L        12 W          168 Ch        "10"
00008:  C=404      7 L        12 W          168 Ch        "7"
00001:  C=404      7 L        12 W          168 Ch        "0"
00003:  C=404      7 L        12 W          168 Ch        "2"
00004:  C=404      7 L        12 W          168 Ch        "3"
00005:  C=404      7 L        12 W          168 Ch        "4"
00006:  C=404      7 L        12 W          168 Ch        "5"
00007:  C=404      7 L        12 W          168 Ch        "6"
00009:  C=404      7 L        12 W          168 Ch        "8"
00010:  C=404      7 L        12 W          168 Ch        "9"