Basic Usage
The FuzzingTool result class contains the base result information and can also hold custom information added by plugins. Check the attributes of the Result class.
You can match (include) results based on the response: status code (-Mc), length (-Ms), RTT (-Mt), number of words (-Mw), number of lines (-Ml) and regex (-Mr).
Match by status code: Set a single status code, a list, or a range of status codes to match.
-Mc 500 # Set only status code 500
-Mc 200,301,302 # Set a list of status codes; including 200, 301 and 302
-Mc 500-600 # Set a range of status codes; 500 <= status <= 600
-Mc 200,301,302,500-600 # Combination of the previous examples
Match by length: Set a length to match (in bytes)
-Ms 1000 # Set the response size to match greater than 1000 bytes
Match by elapsed time: Set a time (RTT) to match (in seconds)
-Mt 30 # Set the request+response elapsed time to match greater than 30 seconds
Match by quantity of words: Set a number of words to match on the response body
-Mw 30 # Set the quantity of words to match equal to 30
Match by quantity of lines: Set a number of lines to match on the response body
-Ml 15 # Set the quantity of lines to match equal to 15
Match by regex: Set a regular expression to match on response body
-Mr '[a-zA-Z]'
Combine match options to perform a precise analysis.
$ fuzzingtool -u https://mydomainexample.com/post.php?id= -w ~/wordlists/sqli.txt -Mc 500 -Mt 20 -t 50
You can also prefix the value with a comparison operator. Here are some examples:
# Match length examples
-Ms '>=10000' # Set the response size to match greater than or equal to 10000 bytes
-Ms '!=10000' # Set the response size to match different from 10000 bytes
-Ms '==10000' # Set the response size to match equal to 10000 bytes
# Match time examples
-Mt '>=30' # Set the request+response elapsed time to match greater than or equal to 30 seconds
-Mt '<30' # Set the request+response elapsed time to match below 30 seconds
You can filter (exclude) results based on the response: status code (-Fc) and regex (-Fr). The usage is the same as for match options. Here's an example of how to use both of them together:
# Include responses with status codes between 200 and 499, but exclude the 404 code
-Mc 200-499 -Fc 404
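The following is an added example, not FuzzingTool's own code: a constructed re-implementation of the match/filter grammar described above (status lists and inclusive ranges, optional comparison operators, the default operators stated for each option) combined into one keep/drop decision per response. The Response record and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed re-implementation of the option grammar described on this page;
# it is not FuzzingTool's own code. Response is a stand-in for the tool's result.
_CMP = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "!=": lambda a, b: a != b,
    "==": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def parse_status_spec(spec: str) -> Callable[[int], bool]:
    """'200,301,302,500-600' -> predicate; a range is inclusive (500 <= status <= 600)."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))   # a single code is the range lo..lo
    return lambda status: any(lo <= status <= hi for lo, hi in ranges)

def parse_number_spec(spec: str, default_op: str) -> Callable[[float], bool]:
    """'>=10000' -> predicate. A bare number uses default_op: '>' for -Ms/-Mt, '==' for -Mw/-Ml."""
    m = re.fullmatch(r"\s*(>=|<=|!=|==|>|<)?\s*(\d+(?:\.\d+)?)\s*", spec)
    if not m:
        raise ValueError(f"bad comparison spec: {spec!r}")
    op, value = m.group(1) or default_op, float(m.group(2))
    return lambda x: _CMP[op](x, value)

@dataclass
class Response:
    status: int
    length: int   # body size in bytes
    rtt: float    # request+response elapsed time in seconds
    words: int
    lines: int
    body: str

def build_selector(Mc=None, Fc=None, Ms=None, Mt=None, Mw=None, Ml=None, Mr=None, Fr=None):
    """Combine match (-M*, include) and filter (-F*, exclude) options into keep(response)."""
    checks = []
    if Mc: checks.append(lambda r, p=parse_status_spec(Mc): p(r.status))
    if Fc: checks.append(lambda r, p=parse_status_spec(Fc): not p(r.status))
    if Ms: checks.append(lambda r, p=parse_number_spec(Ms, ">"): p(r.length))
    if Mt: checks.append(lambda r, p=parse_number_spec(Mt, ">"): p(r.rtt))
    if Mw: checks.append(lambda r, p=parse_number_spec(Mw, "=="): p(r.words))
    if Ml: checks.append(lambda r, p=parse_number_spec(Ml, "=="): p(r.lines))
    if Mr: checks.append(lambda r, rx=re.compile(Mr): rx.search(r.body) is not None)
    if Fr: checks.append(lambda r, rx=re.compile(Fr): rx.search(r.body) is None)
    return lambda r: all(c(r) for c in checks)  # with no options set, every response is kept
```

`build_selector(Mc="200-499", Fc="404")` reproduces the combined example above: a 200 is kept, a 404 is dropped by the filter, and a 500 never matches in the first place.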
By blacklisting a status code, you stop FuzzingTool from continuing the fuzzing tests once an unwanted status is detected.
--blacklist-status STATUS:ACTION
# Available actions: stop | wait
--blacklist-status STATUS:stop # Stops the application
--blacklist-status STATUS:wait=SECONDS # Pause the app for some seconds
For example, if you don't want to stress the server or cause internal errors, just stop the application when detecting code 500:
--blacklist-status 500:stop
Another example, if the server rejects your requests (status 429) you can pause the app for some seconds:
--blacklist-status 429:wait=300 # Will wait for 5 minutes before resuming the app
For multiple status codes, just separate them with a comma:
--blacklist-status 429,500:stop # For all codes, do the action stop
The DataScanner is the default scanner for the DataFuzzing type of fuzzing. This scanner adds the payload length attribute to the result:
result.scanners_res['DataScanner'].data['payload_length'] = payload_length
The PathScanner is the default scanner for the URL PathFuzzing type of fuzzing. This scanner adds the redirected attribute to the result:
result.scanners_res['PathScanner'].data['redirected'] = redirected
The SubdomainScanner is the default scanner for the URL SubdomainFuzzing type of fuzzing. This scanner does not add any information to the result. The IP info is handled by the HttpHistory class:
result.history.ip = target_ip
The file wordlist builds the wordlist from a file.
-w ~/example/directory/wordlist.txt
Example:
$ fuzzingtool -u https://FUZZ.domain.com/ -w ~/wordlists/subdomains.txt
The list wordlist builds the wordlist from a payload list given on the command line.
-w [payload1,payload2,...]
Example:
$ fuzzingtool -u https://FUZZ.domain.com/ -w [cpanel,admin,wp-admin,mail]
You can set a range (integer or alphabet) inside or around a payload. Only one range per payload is accepted. For example:
-w [0-10] # Produces [0, 1, 2, 3, ..., 10]
-w [a-z] # Produces [a, b, c, d, ..., z]
-w [PAY0-10LOAD] # Produces [PAY0LOAD, PAY1LOAD, PAY2LOAD, ..., PAY10LOAD]
-w ['PAY\-LOAD'] # Produces [PAY-LOAD]
-w [init,0-10,end1,end2] # Produces [init, 0, 1, 2, 3, ..., 10, end1, end2]
Pay attention to the list separator marks. For multiple wordlists the separator is ;, and for multiple items in a list the separator is ,. So, if you want to include these characters in a list item, you must escape them with \. For example:
-w '[pay\,load]' # Produces one payload 'pay,load'
-w '[pay,loa\,d]' # Produces two payloads [pay, 'loa,d']
-w '[pay\;load]' # Produces one payload 'pay;load'