Importing old wfuzz 2.0 from google code

xmendez · Oct 22, 2014 · 1453d54 · 1453d54
1 parent 677b73b
commit 1453d54
Show file tree

Hide file tree

Showing 1,374 changed files with 1,283,161 additions and 361 deletions.
diff --git a/README b/README
@@ -1,11 +1,10 @@
-*************************************
-* Wfuzz  1.4d - The web bruteforcer  *
-* Coded by:                         *
-* Christian Martorella              *
-*   - cmartorella@edge-security.com *
-* Carlos del ojo                    *
-*   - deepbit@gmail.com             *
-*************************************
+********************************************************
+* Wfuzz  2.0 - The Web Bruteforcer                     *
+* Coded by:                                            *
+* Christian Martorella (cmartorella@edge-security.com) *
+* Carlos del ojo (deepbit@gmail.com)                   *
+* Xavier Mendez aka Javi (xmendez@edge-security.com)   *
+********************************************************
 
 What is this?
 -------------
@@ -33,36 +32,113 @@ The tool is based on dictionaries or ranges, then you choose where you want to b
 
 Examples:
 
-	- wfuzz.py -c -z file -f wordlists/commons.txt --hc 404 --html http://www.mysite.com/FUZZ 2> results.html
+	- wfuzz.py -c -z file,wordlists/commons.txt --hc 404 -o html http://www.mysite.com/FUZZ 2> results.html
 
 	 This will bruteforce the site http://www.mysyte.com/FUZZ in search of resources i
 	 (directories, scripts, files,etc), it will hide from the output the return code 404 
 	 (for easy reading results), it will use the dictionary commons.txt for the bruteforce
 	 , and also will output the results to the results.html file (with a cool format to work).
 
-	- wfuzz.py -c -z range -r 1-100 --hc 404 http://www.mysite.com/list.asp?id=FUZZ
+	- wfuzz.py -c -z range,1-100 --hc 404 http://www.mysite.com/list.asp?id=FUZZ
 	  In this example instead of using a file as dictionary, it will use a range from 1-100,
 	  and will bruteforce the parameter "id".
 
-	- wfuzz.py -c -z file -f wordlists/commons.txt --hc 404 --html -d "id=1&catalogue=FUZZ" 
+	- wfuzz.py -c -z file,wordlists/commons.txt --hc 404 --html -d "id=1&catalogue=FUZZ" 
 	   http://www.mysite.com/check.asp 2> results.html 
 	   Here you can see the use of POST data, with the option "-d".
 
-	- wfuzz.py -c -z file -f wordlists/commons.txt --hc 404 -R 2 http://www.mysite.com/FUZZ
+	- wfuzz.py -c -z file, wordlists/commons.txt --hc 404 -R 2 http://www.mysite.com/FUZZ
 	  Example of path discovery, using a recursive level of 2 paths.
 
-	- wfuzz.py -z file -f wordlists/http_methods.txt -X http://testphp.vulnweb.com/
+	- wfuzz.py -z file,wordlists/http_methods.txt -X http://testphp.vulnweb.com/
 	  HTTP method scanning example
 
-	- wfuzz.py -z file -f wordlists/http_methods.txt,wordlists/commons.txt -X http://testphp.vulnweb.com/FUZ2Z/
+	- wfuzz.py -z file,wordlists/http_methods.txt -z file,wordlists/commons.txt -X http://testphp.vulnweb.com/FUZ2Z/
 	  HTTP method scanning example in several paths
 
-	- wfuzz.py -c -z file -f  wordlists/methods.txt --hc 404 -v --follow http://www.mysite.com/FUZZ
+	- wfuzz.py -z list,TRACE -X http://testphp.vulnweb.com/
+	  Scanning for TRACE method using a list payload
+
+	- wfuzz.py -c -z file,wordlists/methods.txt --hc 404 -v --follow http://www.mysite.com/FUZZ
 	  Bruteforce following HTTP redirects
 
-	- wfuzz.py -c -z file -f wordlists/commons.txt --hc 404 -I http://www.mysite.com/FUZZ
+	- wfuzz.py -c -z file,wordlists/commons.txt --hc 404 -I http://www.mysite.com/FUZZ
 	  Bruteforce using HEAD HTTP method 
 
+	- wfuzz.py -z list,http://mysite.com -z list,dir-dir2-dir3  FUZZ/FUZ2Z
+	  Bruteforce using URL as payload and a list of directories.
+
+	- wfuzz.py -z list,..,double_nibble_hexa@second_nibble_hexa@uri_double_hexadecimal@uri_hexadecimal@first_nibble_hexa@none http://mysite.com/FUZZ/jmx-console
+	  Bruteforce using multiple encodings per payload.
+
+	- wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt -z list,jsp-php-asp -z range,1-40  http://localhost/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z
+	  Fuzzing using 4 payloads
+
+	- wfuzz.py -z -c -z range,1-10 --hc=BBB http://mysite.com/FUZZ{directory}
+	  Baseline support, Bruteforcing and hiding the response codes that are equal to http://mysite.com/directory
+
+	- Combining payloads using iterators:
+
+	zip
+
+	    - wfuzz.py -z list,a-b-c -z list,1-2-3 -m zip http://mysite.com/FUZZ/FUZ2Z
+
+	    Target: http://mysite.com/FUZZ/FUZ2Z
+	    Payload type: list,a-b-c; list,1-2-3
+
+	    Total requests: 3
+	    ==================================================================
+	    ID      Response   Lines      Word         Chars          Request    
+	    ==================================================================
+
+	    00001:  C=404      9 L        32 W          276 Ch        "a - 1"
+	    00002:  C=404      9 L        32 W          276 Ch        "c - 3"
+	    00003:  C=404      9 L        32 W          276 Ch        "b - 2"
+
+
+	chain
+
+	    - wfuzz.py -z list,a-b-c -z list,1-2-3 -m chain http://mysite.com/FUZZ/FUZ2Z
+
+	    Target: http://mysite.com/FUZZ/FUZ2Z
+	    Payload type: list,a-b-c; list,1-2-3
+
+	    Total requests: 6
+	    ==================================================================
+	    ID      Response   Lines      Word         Chars          Request    
+	    ==================================================================
+
+	    00001:  C=404      9 L        32 W          280 Ch        "b"
+	    00002:  C=404      9 L        32 W          280 Ch        "a"
+	    00003:  C=404      9 L        32 W          280 Ch        "c"
+	    00004:  C=404      9 L        32 W          280 Ch        "1"
+	    00006:  C=404      9 L        32 W          280 Ch        "3"
+	    00005:  C=404      9 L        32 W          280 Ch        "2"
+
+
+	product
+
+	    - wfuzz.py -z list,a-b-c -z list,1-2-3 http://mysite.com/FUZZ/FUZ2Z
+
+	    Target: http://mysite.com/FUZZ/FUZ2Z
+	    Payload type: list,a-b-c; list,1-2-3
+
+	    Total requests: 9
+	    ==================================================================
+	    ID      Response   Lines      Word         Chars          Request    
+	    ==================================================================
+
+	    00001:  C=404      9 L        32 W          276 Ch        "a - 2"
+	    00002:  C=404      9 L        32 W          276 Ch        "a - 1"
+	    00005:  C=404      9 L        32 W          276 Ch        "b - 2"
+	    00004:  C=404      9 L        32 W          276 Ch        "a - 3"
+	    00008:  C=404      9 L        32 W          276 Ch        "c - 2"
+	    00003:  C=404      9 L        32 W          276 Ch        "b - 1"
+	    00007:  C=404      9 L        32 W          276 Ch        "c - 1"
+	    00006:  C=404      9 L        32 W          276 Ch        "b - 3"
+	    00009:  C=404      9 L        32 W          276 Ch        "c - 3"
+
+
 Platforms:
 ----------
 
@@ -84,8 +160,51 @@ Shouts goes to: Trompeti an all the S21sec Team. (www.s21sec.com)
 Special thanks to DarkRaver for the tool Dirb, part of wfuzz is based on the functionallity of dirb. (www.open-labs.org) and most of the wordlist are from his tool.
 
 Andres Andreu, all Injection payloads are taken from wsFuzzer (www.neurofuzz.com)
+
+FuzzDB project, the all database is included in the wordlist directory.
+
 Stay tunned for the GUI it rocks..
 
+FuzzDB
+------
+
+The wordlist directory includes FuzzDB project:
+
+Attack and Discovery Pattern Database for Application Fuzz Testing
+
+http://code.google.com/p/fuzzdb/
+
+Copyright (c) 2010, Adam Muntner
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+Neither the name of fuzzdb  nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Licensed under Creative Commons - By Attribution
+
+Changelog 2.0:
+==============
+
+- Dynamic output printers
+- Dynamic payloads
+- Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)
+- Combine payloads using dynamic iterators (zip, chain, product)
+- Added list payload
+- Added encoder_uri_double_hex
+- Added encoder_first_nibble_hex
+- Added encoder_second_nibble_hex
+- Added encoder_none
+- Multiple encodings per payload
+- Fixed to FUZZ completely in the URL without hostname or IP or schema (i.e. FUZZ/FUZ2Z)
+- Fixed to FUZZ mixing all payload's positions (auth, http method, URL, data)
+- Added baseline request functionality
+- Added fuzzdb (Attack and Discovery Pattern Database for Application Fuzz Testing)
+
 Changelog 1.4d:
 ==============
 -Using _ in encoders names

diff --git a/dictio.py b/dictio.py
@@ -13,18 +13,19 @@ def __init__(self,dicc=None):
 			self.__encoder=dicc.getencoder()
 		else:	
 			self.__payload=payload()
-			self.__encoder=encoder()
-		self.iter=self.__payload.__iter__()
+			self.__encoder = [lambda x: encoder().encode(x)]
+		self.restart()
 
 	def count (self):
-		return self.__payload.count()
+		return self.__payload.count() * len(self.__encoder)
 
 	def setpayload(self,payl):
-		self.__payload=payl
-		self.iter=self.__payload.__iter__()
+		self.__payload = payl
+		self.restart()
 
 	def setencoder(self,encd):
 		self.__encoder=encd
+		self.generator = self.gen()
 
 	def getpayload (self):
 		return self.__payload
@@ -42,10 +43,16 @@ def __iter__(self):
 		self.restart()
 		return self
 
-	def next(self):
+	def gen(self):
+	    while 1:
 		pl=self.iter.next()
-		return self.__encoder.encode(pl)
+		for encode in self.__encoder:
+		    yield encode(pl)
+
+	def next(self):
+		return self.generator.next()
 
 	def restart(self):
 		self.iter=self.__payload.__iter__()
+		self.generator = self.gen()
 
diff --git a/encoders.py b/encoders.py
@@ -22,6 +22,14 @@ def encode (self,string):
 #######################################################
 ######################################################
 
+class encoder_none:
+	text="none"
+	def __init__(self):
+		pass
+
+	def encode (self,string):
+		return string
+
 class encoder_urlencode (encoder):
 	text="urlencode"
 	def __init__(self):
@@ -61,6 +69,22 @@ def decode(self,string):
 		except:
 			return 1
 
+class encoder_uri_double_hex (encoder):
+	text="uri double hexadecimal"
+	def __init__(self):
+		encoder.__init__(self)
+
+	def encode(self,string):
+		strt = ""
+		con = "%%25%02x"
+		s=re.compile(r"/|;|=|:|&|@|\\|\?")	
+		for c in string:
+			if s.search(c):
+				strt += c
+				continue
+			strt += con % ord(c)
+		return strt
+
 class encoder_uri_hex (encoder):
 	text="uri hexadecimal"
 	def __init__(self):
@@ -95,6 +119,40 @@ def encode(self,string):
 		return strt   
 
 
+class encoder_second_nibble_hex (encoder):
+	text="second nibble Hexa"
+	def __init__(self):
+		encoder.__init__(self)
+
+	def encode(self,string):
+		strt = ""
+		con = "%%%02x"
+		s=re.compile(r"/|;|=|:|&|@|\\|\?")	
+		for c in string:
+			if s.search(c):
+				strt += c
+				continue
+			temp = hex(ord(c))[2:]
+			strt += "%%%s%%%02x" % (str(temp[:1]), ord(temp[1:]))
+		return strt
+
+class encoder_first_nibble_hex (encoder):
+	text="first nibble Hexa"
+	def __init__(self):
+		encoder.__init__(self)
+
+	def encode(self,string):
+		strt = ""
+		con = "%%%02x"
+		s=re.compile(r"/|;|=|:|&|@|\\|\?")	
+		for c in string:
+			if s.search(c):
+				strt += c
+				continue
+			temp = hex(ord(c))[2:]
+			strt += "%%%%%02x%s" % (ord(temp[:1]), str(temp[1:]))
+		return strt
+
 class encoder_doble_nibble_hex (encoder):
 	text="double nibble Hexa"
 	def __init__(self):
@@ -104,7 +162,6 @@ def encode(self,string):
 		strt = ""
 		fin = ""
 		con = "%%%02x"
-# first get it in straight hex
 		s=re.compile(r"/|;|=|:|&|@|\\|\?")	
 		enc=encoder_uri_hex()
 		strt = enc.encode(string)

diff --git a/iterations.py b/iterations.py
@@ -0,0 +1,37 @@
+import itertools
+
+class iterator_zip(itertools.izip):
+    text="zip"
+
+    def __init__(self, *i):
+	itertools.izip.__init__(self, *i)
+	self.__count = max(map(lambda x:x.count(), i))
+
+    def count(self):
+	return self.__count
+
+class iterator_product(itertools.product):
+    text="product"
+
+    def __init__(self, *i):
+	itertools.product.__init__(self, *i)
+	self.__count = reduce(lambda x,y:x*y.count(), i[1:], i[0].count())
+
+    def count(self):
+	return self.__count
+
+class iterator_chain:
+    text="chain"
+
+    def count(self):
+	return self.__count
+
+    def __init__(self, *i):
+	self.__count = sum(map(lambda x:x.count(), i))
+	self.it = itertools.chain(*i)
+
+    def next(self):
+	return (self.it.next(),)
+
+    def __iter__(self):
+	return self