# Web Tool - WFuzz A tool to FUZZ web applications anywhere. > Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload. ## Installation Installed in Kali Github: ## Filtering options ``` --hs/ss "regex" --hc/sc CODE --hl/sl NUM --hw/sw NUM --hc/sc NUM ``` ## Output options ``` wfuzz -e printers -f /tmp/output,csv ``` ### Encoders options In order to use a encoder, you have to indicate it in the **"-w"** or **"-z"** option. Examples: ``` -z file,/path/to/file,md5 -w /path/to/file,base64 -z list,each-element-here,hexlify ``` ## CheetSheet ### Login Form bruteforce #### **POST, Single list, filter string (hide)** ``` wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php ``` #### **POST, 2 lists, filder code (show)** ``` wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php ``` #### **GET, 2 lists, filter string (show), proxy, cookies** ``` wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in" ``` ### Bruteforce Dicrectory/RESTful bruteforce [Arjun parameters wordlist](https://raw.githubusercontent.com/s0md3v/Arjun/master/db/params.txt) ``` wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ ``` ### Path Parameters BF ``` wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ' ``` #### **Basic, 2 lists, filter string (show), proxy** ``` wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php" ``` #### **NTLM, 2 lists, filter string (show), proxy** ``` wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php" ``` #### **Cookie, filter code (show), proxy** ``` wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "http://example.com/index.php" ``` #### **User-Agent, filter code (hide), proxy** ``` wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "http://example.com/index.php" ``` #### **Host** ``` wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100 ``` ### HTTP Verbs (methods) bruteforce #### **Using file** ``` wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php" ``` #### **Using inline list** ``` $ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/ ``` ### Directory & Files Bruteforce ``` wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pwc-3.gitbook.io/pwc/ji-shu/webpentest2/untitled-29.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.