史上最详[ZI]细[DUO]的wfuzz中文教程(四)—— wfuzz 库

本文已在丁牛网安实验室FreeBuf专栏 DigApis安全 中首发!引用转发请注明 “原文来自:DigApis安全 m0nst3r”字样,谢谢!

[TOC]

wfuzz 库


wfuzz库参数

在wfuzz库中包含所有 wfuzz命令行的参数。

CLI Option Library Option
<URL> url=”url”
–recipe <filename> recipe=”filename”
-oF <filename> save=”filename”
-f filename,printer printer=(“filename”,”printer”)
–dry-run dryrun=True
-p addr proxies=[(“ip”,”port”,”type”)]
-t N concurrent=N
-s N delay=0.0
-R depth rlevel=depth
–follow follow=True
-Z scanmod=True
–req-delay N req_delay=N
–conn-delay N conn_delay=N
–script=<plugins> script=”plugins”
–script-args n1=v1,… script_args={n1:v1,}
-m iterator iterator=”iterator”
-z payload payloads=[(“name”,{default=””,encoder=[“md5”]},slice=””),]
-V alltype allvars=”alltype”
-X method method=”method”
–hc/hl/hw/hh N[,N]+ hc/hl/hw/hh=[N,N]
–sc/sl/sw/sh N[,N]+ sc/sl/sw/sh=[N,N]
–ss/hs regex ss/hs=”regex”
–filter <filter> filter=”filter exp”
–prefilter <filter> prefilter=”filter exp”
-b cookie cookie=[“cookie1=value1”,]
-d postdata postdata=”postdata”
-H header headers=[(“header1”,”value1”),]
–basic/ntlm/digest auth auth=(“basic”,”user:pass”)

这些参数可以在这些主库的接口中直接使用:fuzz, payload, session


测试一个URL

使用wfuzz库来测试一个URL是很简单的,首先,导入库文件:

1
2
3
4
5
6
┌─[michael@parrot]─[~]
└──╼ $python
Python 2.7.14+ (default, Feb 6 2018, 19:12:18)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wfuzz

现在,来体验一下使用库进行目录扫描是什么感觉:

1
2
3
4
5
6
7
8
>>> import wfuzz
>>> for r in wfuzz.fuzz(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
... print r
...
00060: C=301 7 L 12 W 184 Ch "admin"
00183: C=403 10 L 29 W 263 Ch "cgi-bin"
00429: C=301 7 L 12 W 184 Ch "images"
...

扫描后,我们就得到了一个FuzzResult的对象r,从中我们可以得到所有的信息。


FuzzSession对象

FuzzSession对象拥有wfuzz API的所有函数方法。
FuzzSession对象允许我们在测试会话中获取一些参数。

1
2
3
4
5
6
7
8
>>> import wfuzz
>>> s=wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ")
>>> for r in s.fuzz(hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
... print r
...
00060: C=301 7 L 12 W 184 Ch "admin"
00183: C=403 10 L 29 W 263 Ch "cgi-bin"
...

FuzzSession对象还可以当作上下文管理器来使用:

1
2
3
4
5
6
>>> with wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]) as s:
... for r in s.fuzz():
... print r
...
00295: C=301 7 L 12 W 184 Ch "admin"
00418: C=403 10 L 29 W 263 Ch "cgi-bin"


生成Payload

get_payload方法可以生成wfuzz的payload,这是一个在不使用wfuzz payload plugins的情况下,使用编程的方法获得payload的方便快速的途径。

1
2
3
4
5
6
7
8
9
10
>>> import wfuzz
>>> for r in wfuzz.get_payload(range(5)).fuzz(url="http://testphp.vulnweb.com/FUZZ"):
... print r
...
00012: C=404 7 L 12 W 168 Ch "0"
00013: C=404 7 L 12 W 168 Ch "1"
00014: C=404 7 L 12 W 168 Ch "2"
00015: C=404 7 L 12 W 168 Ch "3"
00016: C=404 7 L 12 W 168 Ch "4"
>>>

这个方法在需要多个payloads的时候可以这样使用:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
>>> import wfuzz
>>> for r in wfuzz.get_payloads([range(5), ["a","b"]]).fuzz(url="http://testphp.vulnweb.com/FUZZ/FUZ2Z"):
... print r
...
00028: C=404 7 L 12 W 168 Ch "4 - b"
00027: C=404 7 L 12 W 168 Ch "4 - a"
00024: C=404 7 L 12 W 168 Ch "2 - b"
00026: C=404 7 L 12 W 168 Ch "3 - b"
00025: C=404 7 L 12 W 168 Ch "3 - a"
00022: C=404 7 L 12 W 168 Ch "1 - b"
00021: C=404 7 L 12 W 168 Ch "1 - a"
00020: C=404 7 L 12 W 168 Ch "0 - b"
00023: C=404 7 L 12 W 168 Ch "2 - a"
00019: C=404 7 L 12 W 168 Ch "0 - a"
>>>


生成Session

get_session方法可以使用命令行的参数来生成编程下的 FuzzSession 对象。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
>>> import wfuzz
>>> for r in wfuzz.get_session("-z range,0-10 http://testphp.vulnweb.com/FUZZ").fuzz():
... print r
...
00002: C=404 7 L 12 W 168 Ch "1"
00011: C=404 7 L 12 W 168 Ch "10"
00008: C=404 7 L 12 W 168 Ch "7"
00001: C=404 7 L 12 W 168 Ch "0"
00003: C=404 7 L 12 W 168 Ch "2"
00004: C=404 7 L 12 W 168 Ch "3"
00005: C=404 7 L 12 W 168 Ch "4"
00006: C=404 7 L 12 W 168 Ch "5"
00007: C=404 7 L 12 W 168 Ch "6"
00009: C=404 7 L 12 W 168 Ch "8"
00010: C=404 7 L 12 W 168 Ch "9"