├── README.md
└── lazyFuzzZ.sh
/README.md:
--------------------------------------------------------------------------------
![](https://th3hack3rwiz.github.io/images/LazyFuzz/banner_final.PNG)
# Lazy-FuzzZ

Sometimes we want to fuzz a set of sub-domain URLs with a common wordlist for content discovery. Fuzzing each URL one by one is tedious, and the raw results are full of false positives. Lazy FuzzZ solves this: it fuzzes all of those URLs with ffuf, removes the most common false positives (responses that share one content length — usually a catch-all or soft-404 page) and stores only the remaining results, which can then be sent to Burp Suite. The filtering is a heuristic, so review the output directory rather than trusting only what lands in Burp. Only fuzz hosts you are authorised to test.

## Installation

1. Clone the repository: `git clone https://github.com/th3hack3rwiz/Lazy-FuzzZ.git`
2. `cd Lazy-FuzzZ ; chmod +x lazyFuzzZ.sh`
3. The script is now ready to use.

## Requirements

1. ffuf must be installed: https://github.com/ffuf/ffuf
2. bfeed.py must be installed: https://github.com/ZephrFish/BurpFeed/blob/master/bfeed.py (only needed when results are sent to Burp; use `-d` to skip it)
3. figlet is used for the banner.

## Instructions

- Set the path to bfeed.py in lazyFuzzZ.sh (the `python … bfeed.py` call near the end of the script). In the stock script that call is commented out, so nothing reaches Burp until you configure it.
- Flags (`-d`, `-f` or `-a`) must be given before the three positional arguments.

## Usage

- It requires 3 command line arguments: `./lazyFuzzZ.sh [-f|-a 'ffuf flags'] [-d] DOMAIN SUBDOMAINS_FILE WORDLIST`
  - `DOMAIN`: only lines of `SUBDOMAINS_FILE` that match this string are fuzzed.
  - `SUBDOMAINS_FILE`: one sub-domain URL per line (e.g. `https://api.example.com`); `/FUZZ` is inserted after the domain on every line.
  - `WORDLIST`: the ffuf wordlist; results are written to a directory named `lazyFuzzZ.output.<wordlist name>`. Note that `burpSeeds` in that directory is appended to, so re-running with the same wordlist accumulates results.

![](https://th3hack3rwiz.github.io/images/LazyFuzz/usage_final.PNG)

## Example usage

![](https://th3hack3rwiz.github.io/images/LazyFuzz/results.PNG)

# Explained output

![](https://th3hack3rwiz.github.io/images/LazyFuzz/output_final.PNG)

## Features

1. Helps in automating the directory enumeration process.
2. Provides users with an option to use their preferred set of ffuf flags.
3. Fuzzes a set of sub-domains' URLs with a common wordlist and stores clean results in a new directory. *(It creates a new directory using the name of the wordlist supplied.)*
4. Removes most false positives from the results we obtain from ffuf (a response size seen more than 100 times for one host is treated as noise).
5. 
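Adds only legitimate results to an active burp session using bfeed.py.
--------------------------------------------------------------------------------
/lazyFuzzZ.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# lazyFuzzZ.sh - fuzz every sub-domain URL of a target with one wordlist via
# ffuf, strip the response sizes that look like catch-all/soft-404 noise and
# hand the surviving URLs to Burp Suite through bfeed.py.
#
# Usage:
#   ./lazyFuzzZ.sh [-f 'ffuf flags' | -a 'ffuf flags'] [-d] [-h] DOMAIN SUBDOMAINS_FILE WORDLIST
#     -f  replace the default ffuf flags with your own
#     -a  append your flags to the default ffuf flags
#     -d  do not send the results to Burp Suite (bfeed.py is skipped)
#     -h  show usage
#   DOMAIN            only lines of SUBDOMAINS_FILE containing this string (literally) are fuzzed
#   SUBDOMAINS_FILE   one sub-domain URL per line, e.g. https://api.example.com
#   WORDLIST          ffuf wordlist; results go to a directory named after it
#
# Environment (optional):
#   BFEED_PATH             path to bfeed.py; required unless -d is given
#   LAZYFUZZ_FP_THRESHOLD  hits of one response size per host that mark it as noise (default 100)
#   LAZYFUZZ_SLEEP         seconds to pause between hosts (default 7)
#
# User-supplied ffuf flags are handed to ffuf verbatim after whitespace
# splitting (no globbing); -u, -w and the output flags are rejected because the
# script owns them. Only fuzz hosts you are authorised to test.

set -u
set -o pipefail

# --- presentation ------------------------------------------------------------
BOLD='\e[1m'
GOLD='\e[38;5;226m'
GREY='\033[0;37m'
CYAN='\033[0;36m'
PEACH='\e[38;5;216m'
GREEN='\e[38;5;149m'
ORANGE='\e[38;5;202m'
MAGENTA='\033[0;95m'
PINK='\e[38;5;204m'
YELLOW='\e[38;5;227m'
OFFWHITE='\e[38;5;157m'
RED='\e[38;5;196m'
RESET='\e[0m'

# --- configuration -----------------------------------------------------------
# Path to bfeed.py (https://github.com/ZephrFish/BurpFeed). Set it here or
# export BFEED_PATH before running; leave it empty and use -d to skip Burp.
BFEED_PATH="${BFEED_PATH:-}"
# A content length seen more than this many times for one host is treated as a
# catch-all page and every hit with that length is dropped for that host.
FP_THRESHOLD="${LAZYFUZZ_FP_THRESHOLD:-100}"
# Pause between hosts so the scan is less bursty.
SLEEP_BETWEEN="${LAZYFUZZ_SLEEP:-7}"
# Default ffuf flags; -f replaces them, -a appends to them.
DEFAULT_FFUF_FLAGS=(-mc 200,403 -fs 0 -t 80 -sa -timeout 7)

new=0        # -f given: replace the default ffuf flags
dis=0        # -d given: do not run bfeed.py
append=0     # -a given: append to the default ffuf flags
flags=""     # raw flag string from -f / -a
ffuf_flags=() # final ffuf argument list, built in main
work_dir=""  # private temp dir for ffuf output and the target list

# Print the banner; fall back to plain text when figlet is not installed.
banner() {
  if command -v figlet >/dev/null 2>&1; then
    echo -e "${GOLD}${BOLD}$(figlet -f slant Lazy FuzzZ)"
  else
    echo -e "${GOLD}${BOLD}Lazy FuzzZ"
  fi
  echo -e "\033[0;37m\e[1m\n\t\t\t ${GREY}${BOLD}© Created By: th3hack3rwiz"
}

# Print usage and examples.
usage() {
  echo -e "${PINK}\n[+] Usage:\n\t./lazyFuzzZ [-f|-a 'ffuf flags'] [-d] DOMAIN SUBDOMAINS_FILE WORDLIST"
  echo -e "${GREEN} Eg: ./lazyFuzzZ example.com example.com_https_subdomains.txt common_fuzzing_wordlist.txt\n"
  echo -e "${GREEN} -f : to use your own ffuf flags. ${OFFWHITE}(IMPORTANT: This flag should be written before command line arguments)"
  echo -e "${GREEN} Eg: ./lazyFuzzZ -f '-mc 403 -t 200' example.com example.com_https_subdomains.txt common_fuzzing_wordlist.txt\n"
  echo -e "${GREEN} -a : to append ffuf flags. ${OFFWHITE}(IMPORTANT: This flag should be written before the command line arguments)"
  echo -e "${GREEN} Eg: ./lazyFuzzZ -a '-H User-Agent:xyz -H X-Forwarded-For:127.0.0.1 -b cookie_1:value;cookie_2:value -replay-proxy http://127.0.0.1:8080' example.com example.com_https_subdomains.txt common_fuzzing_wordlist.txt"
  echo -e "${YELLOW}\n[+] Tip! If you are going to use the -replay-proxy ffuf flag, use -d flag with lazyFuzzZ."
  echo -e "${GREEN}\n -d : to DISABLE bfeed.py ${OFFWHITE}(IMPORTANT: This flag should be written before command line arguments)"
  echo -e "${GREEN} -h : to display usage."
  echo -e "${CYAN}\n[+] Default ffuf flags used: ${DEFAULT_FFUF_FLAGS[*]}"
  echo -e "${RED}[-] WARNING: Do not specify 'output flags', -u, and -w for ffuf!"
}

# Print an error to stderr and exit with status 1.
die() {
  echo -e "${RED}[-] $*${RESET}" >&2
  exit 1
}

# Abort if the user-supplied ffuf flags contain an option this script sets itself.
# Arguments: the split flag tokens.
check_flags() {
  local tok
  for tok in "$@"; do
    case "$tok" in
      -u|-w|-o|-of|-od)
        die "Do not pass $tok to ffuf; lazyFuzzZ sets the target, wordlist and output itself."
        ;;
    esac
  done
}

# Reduce ffuf's CSV ($1) to one "url status,length,words,lines,type,duration"
# line per hit in $2. Same transformation as before: cut everything before the
# URL, blank the empty redirect column, drop the position number and the
# trailing comma, keep only lines that still contain a URL. An empty result is
# normal (grep then exits non-zero), so the pipeline status is ignored.
clean_csv() {
  sed 's/^.*http/http/g' -- "$1" \
    | sed 's/,,/ /g' \
    | sed 's/ [[:digit:]]*,/ /g' \
    | sed 's/,$//g' \
    | grep http > "$2" || :
}

# Print "COUNT SIZE" for the most frequent content length (second comma field)
# in a cleaned results file ($1); prints nothing when no size is present.
# Ties go to the larger size so the choice is deterministic.
most_frequent_size() {
  awk -F ',' '
    $2 ~ /[0-9]/ { count[$2]++ }
    END {
      best = 0
      for (size in count) {
        if (count[size] > best || (count[size] == best && size + 0 > best_size + 0)) {
          best = count[size]
          best_size = size
        }
      }
      if (best > 0) print best, best_size
    }' -- "$1"
}

# Remove every line of the cleaned results file ($1) whose content length
# (second comma field) equals $2. Compares the field exactly instead of
# grepping the number anywhere in the line, which used to discard every hit
# whose URL or status code merely contained the same digits.
drop_size() {
  local file=$1 size=$2 tmp
  tmp=$(mktemp) || die "mktemp failed"
  awk -F ',' -v s="$size" '$2 != s' -- "$file" > "$tmp"
  mv -- "$tmp" "$file"
}

# Append the URLs (first space-separated field) of results file $1 to the Burp
# seed file $2 and report how many were kept for target $3.
record_results() {
  cut -d ' ' -f1 -- "$1" >> "$2"
  echo -e "${GREEN}[+] Number of results obtained for $3 : ${YELLOW}$(wc -l < "$1") \n"
}

# Print message $2 and delete the (empty or all-noise) results file $1.
discard_results() {
  echo -e "$2"
  rm -f -- "$1"
}

# Fuzz one target URL ($1, containing FUZZ), write the cleaned hits to
# OUT_DIR/HOST.output and append the ones that survive the false-positive
# filter to OUT_DIR/burpSeeds.
# Arguments: $1 target URL, $2 output directory, $3 wordlist, $4 scratch CSV path.
# Filter logic (unchanged): if one content length occurs more than FP_THRESHOLD
# times it is dropped; if more than two hits remain and one length still owns
# more than half of them, that length is dropped too.
process_target() {
  local target=$1 out_dir=$2 wordlist=$3 ffuf_out=$4
  local host results max_occurrence max_size n

  echo -e "${CYAN}[+]Running on $target"
  host=${target#*://}
  host=${host%%/*}
  results="$out_dir/$host.output"

  # Truncate first so a failed ffuf run can never leave the previous host's
  # CSV in place; stdin is closed so ffuf cannot eat the target list.
  : > "$ffuf_out"
  ffuf ${ffuf_flags[@]+"${ffuf_flags[@]}"} -u "$target" -w "$wordlist" \
    -of csv -o "$ffuf_out" > /dev/null < /dev/null
  clean_csv "$ffuf_out" "$results"

  if [[ ! -s "$results" ]]; then
    discard_results "$results" "${RED}[-] No results found! :-| Moving on..\n"
    return
  fi

  read -r max_occurrence max_size <<<"$(most_frequent_size "$results")"
  if (( ${max_occurrence:-0} <= FP_THRESHOLD )); then
    record_results "$results" "$out_dir/burpSeeds" "$target"
    return
  fi

  echo -e "${MAGENTA}[+] Results obtained with false positives... Removing them..."
  drop_size "$results" "$max_size"
  if [[ ! -s "$results" ]]; then
    discard_results "$results" "${PEACH}[-] Results found were all false positives! :( Moving on..\n"
    return
  fi

  n=$(wc -l < "$results")
  read -r max_occurrence max_size <<<"$(most_frequent_size "$results")"
  if (( n > 2 && ${max_occurrence:-0} > n / 2 )); then
    echo -e "${ORANGE}[+] More false positives detected! :-]] Removing them..."
    drop_size "$results" "$max_size"
    if [[ ! -s "$results" ]]; then
      discard_results "$results" "${PEACH}[-] Results found were all false positives! :( Moving on..\n"
      return
    fi
  fi
  record_results "$results" "$out_dir/burpSeeds" "$target"
}

# Entry point: parse options, validate inputs, fuzz every target, then feed Burp.
main() {
  banner

  local opt
  while getopts ':f:dha:' opt; do
    case "$opt" in
      f)
        new=1
        flags=$OPTARG
        ;;
      d)
        dis=1
        ;;
      h)
        usage
        exit 1
        ;;
      a)
        append=1
        flags=$OPTARG
        ;;
      *)
        usage
        echo "Invalid argument!"
        exit 1
        ;;
    esac
  done
  shift $((OPTIND - 1))

  if (( append == 1 && new == 1 )); then
    echo -e "${RED}\n[-] Don't specify -a and -f flags together!"
    exit 1
  fi
  if (( $# != 3 )); then
    usage
    echo -e "\n[-] Not enough arguments! Check usage."
    exit 1
  fi
  local domain=$1 subdomains_file=$2 wordlist=$3

  command -v ffuf >/dev/null 2>&1 || die "ffuf not found in PATH (https://github.com/ffuf/ffuf)"
  [[ -r "$subdomains_file" ]] || die "Cannot read sub-domains file: $subdomains_file"
  [[ -r "$wordlist" ]] || die "Cannot read wordlist: $wordlist"
  [[ "$FP_THRESHOLD" =~ ^[0-9]+$ && "$SLEEP_BETWEEN" =~ ^[0-9]+$ ]] \
    || die "LAZYFUZZ_FP_THRESHOLD and LAZYFUZZ_SLEEP must be non-negative integers"

  # Split the user's flag string on whitespace (as before) but without
  # globbing, and refuse options the script owns.
  local -a user_flags=()
  if [[ -n "$flags" ]]; then
    read -r -a user_flags <<<"$flags"
  fi
  check_flags ${user_flags[@]+"${user_flags[@]}"}
  if (( new == 1 )); then
    ffuf_flags=(${user_flags[@]+"${user_flags[@]}"})
  else
    ffuf_flags=("${DEFAULT_FFUF_FLAGS[@]}" ${user_flags[@]+"${user_flags[@]}"})
  fi

  # Scratch files live in a private, unpredictable directory and are removed
  # on any exit; the old fixed names (test, buff, DOMAIN.fuZZmeePleasee) in the
  # working directory could clobber the user's own files.
  work_dir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$work_dir"' EXIT
  local targets="$work_dir/targets" ffuf_out="$work_dir/ffuf.csv"

  # One "URL/FUZZ" line per unique sub-domain line that contains the domain.
  # The domain is matched literally (grep -F) rather than as a regex / sed
  # pattern, so dots or slashes in it can no longer break the match.
  grep -F -- "$domain" "$subdomains_file" | awk '!seen[$0]++' \
    | while IFS= read -r url; do
        [[ -n "$url" ]] || continue
        printf '%s/FUZZ\n' "${url%/}"
      done > "$targets"

  printf "\n"
  echo -e "${GREEN}[+] Starting Lazy FuzzZ! :D\n"
  local out_dir="lazyFuzzZ.output.${wordlist##*/}"
  mkdir -p -- "$out_dir" || die "Cannot create $out_dir"

  local target
  while IFS= read -r target; do
    process_target "$target" "$out_dir" "$wordlist" "$ffuf_out"
    sleep "$SLEEP_BETWEEN"
  done < "$targets"

  if (( dis == 0 )); then
    local seeds="$out_dir/burpSeeds"
    if [[ ! -s "$seeds" ]]; then
      echo -e "${YELLOW}[-] No results to send to Burp Suite."
    elif [[ -z "$BFEED_PATH" || ! -r "$BFEED_PATH" ]]; then
      echo -e "${YELLOW}[-] bfeed.py is not configured: set BFEED_PATH (or use -d). Results are in $seeds"
    else
      echo -e "\n${CYAN}[+]Firing up BurpFeed and sending the results to Burpsuite!"
      python "$BFEED_PATH" "$seeds" > /dev/null
    fi
  fi
  echo -e "${GREEN}[+] Thank you for using Lazy FuzzZ! :D${RESET}"
}

main "$@"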