wfuzz usage:
Directory Brute Force
Directory brute force, hiding every response that returns a 404 status code (--hc 404):
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://10.10.10.69/FUZZ
Parameter Brute Force
If we want to test for parameter names in a URL of the form http://1.1.1.1/index.html?param=1, we use the wordlist
/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
and put the word FUZZ where each payload should be inserted; wfuzz replaces FUZZ with every entry from the wordlist.
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt http://10.10.10.69/sync?FUZZ=test
This outputs a large number of 200 responses, and we notice they are all 19 characters long, i.e. the server returns the same page for every unknown parameter name.
We can therefore hide all responses of that length with the "--hh" (hide by character count) option, "--hh=19" in this case.
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt --hh=19 http://10.10.10.69/sync?FUZZ=test
We now only have 1 result as expected.
Another way is to hide all responses that return an HTTP 200 status code with "--hc=200", which gives the same result here. Note that this only works when the interesting response does not itself come back as a 200, so filtering on length (--hh) or word count (--hw) is usually the safer first choice.
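The same run seen from the defender's side, as an added example that is not part of the original post: a detection routine over constructed access-log lines that flags a client hitting one path with many distinct parameter names while the server answers nearly every probe with the same status and size (the 200 / 19-byte baseline described above), and reports the parameter names that broke the pattern. The log lines, client addresses and parameter names are constructed; only the /sync?FUZZ=test shape and the 19-character baseline come from the post.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one client probing /sync with a parameter wordlist; every
# unknown name gets a 19-byte 200, only "token" produces a different page.
PROBE_NAMES = ["id", "user", "page", "q", "lang", "token", "debug", "file"]
SAMPLE_LOG = "\n".join(
    f'203.0.113.7 - - [10/Oct/2023:12:00:{i:02d} +0000] '
    f'"GET /sync?{n}=test HTTP/1.1" 200 {482 if n == "token" else 19} "-" "curl/8.0"'
    for i, n in enumerate(PROBE_NAMES)
) + '\n198.51.100.2 - - [10/Oct/2023:12:00:09 +0000] "GET /sync?id=7 HTTP/1.1" 200 19 "-" "Mozilla/5.0"\n'

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    size = m.group("size")
    return {"ip": m.group("ip"), "path": url.path,
            "params": tuple(sorted(parse_qs(url.query, keep_blank_values=True))),
            "status": int(m.group("status")), "size": 0 if size == "-" else int(size)}

def find_param_fuzzing(log_text, min_params=5, min_uniform=0.8):
    """Flag (ip, path) pairs probed with many distinct parameter names whose
    responses are near-identical: the footprint of a wfuzz ?FUZZ=... run."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["params"]:
            groups[(rec["ip"], rec["path"])].append(rec)
    findings = []
    for (ip, path), recs in groups.items():
        names = {n for r in recs for n in r["params"]}
        if len(names) < min_params:
            continue
        shape, count = Counter((r["status"], r["size"]) for r in recs).most_common(1)[0]
        if count / len(recs) >= min_uniform:
            # The dominant (status, size) is the noise the attacker hides with
            # --hh/--hc; whatever differs is the hit they were looking for.
            hits = sorted(n for r in recs if (r["status"], r["size"]) != shape for n in r["params"])
            findings.append({"ip": ip, "path": path, "probes": len(names),
                             "baseline": shape, "outliers": hits})
    return findings
```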