Question

Now that you understand the general approach to take, let’s walk through a hands-on example using Wfuzz, which you can install by using this command:

现在您已经了解了通用的方法，让我们通过使用 Wfuzz 的实际示例来进一步讲解一下。您可以使用以下命令来安装它：

$     pip install wfuzz

Fuzzing is useful in both the recon phase and the hunting phase: you can use fuzzing to enumerate filepaths, brute-force authentication, test for common web vulnerabilities, and more.

模糊测试在侦查和打猎阶段都非常有用：您可以使用模糊测试枚举文件路径、暴力破解身份验证、测试常见的 Web 漏洞等。

Path Enumeration

During the recon stage, try using Wfuzz to enumerate filepaths on a server. Here’s a command you can use to enumerate filepaths on example.com :

在侦察阶段，可以尝试使用 Wfuzz 枚举服务器上的文件路径。以下是一个在 example.com 上枚举文件路径的命令示例：

$ wfuzz -w wordlist.txt -f output.txt --hc 404 --follow http://example.com/    FUZZ

The -w flag option specifies the wordlist to use for enumeration. In this case, you should pick a good path enumeration wordlist designed for the technology used by your target. The -f flag specifies the output file location. Here, we store our results into a file named output.txt in the current directory. The --hc 404 option tells Wfuzz to exclude any response that has a 404 status code. Remember that this code stands for File Not Found. With this filter, we can easily drop URLs that don’t point to a valid file or directory from the results list. The --follow flag tells Wfuzz to follow all HTTP redirections so that our result shows the URL’s actual destination.

-w 选项标志指定用于枚举的字典。在这种情况下，您应该选择一个针对目标使用技术设计的好的路径枚举字典。-f 标志指定输出文件位置。在这里，我们将结果存储在当前目录下名为 output.txt 的文件中。--hc 404 选项告诉 Wfuzz 排除任何具有 404 状态代码的响应。记住，这个代码代表“文件未找到”。通过这个过滤器，我们可以轻松地在结果列表中删除不指向有效文件或目录的 URL。--follow 标志告诉 Wfuzz 跟随所有 HTTP 重定向，以便我们的结果显示 URL 的实际目的地。

Let’s run the command using a simple wordlist to see what we can find on facebook.com . For our purposes, let’s use a wordlist comprising just four words, called wordlist.txt :

让我们使用简单的字词表运行命令，看看在 facebook.com 上能找到什么。为了我们的目的，让我们使用一个仅包含四个单词的字词表，名为 wordlist.txt：

authorize.php
cron.php
administrator
secure

Run this command to enumerate paths on Facebook:

运行此命令以枚举 Facebook 上的路径：

$     wfuzz -w wordlist.txt -f output.txt --hc 404 --follow http://facebook.com/FUZZ

Let’s take a look at the results. From left to right, a Wfuzz report has the following columns for each request: Request ID, HTTP Response Code, Response Length in Lines, Response Length in Words, Response Length in Characters, and the Payload Used:

让我们来看看结果。从左到右，每个请求的 Wfuzz 报告具有以下列：请求 ID、HTTP 响应代码、响应行长度、响应字长度、响应字符长度以及使用的有效载荷：

********************************************************
* Wfuzz 2.4.6 - The Web Fuzzer                         *
********************************************************

Target: http://facebook.com/FUZZ
Total requests: 4

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                           
===================================================================

000000004:   200        20 L     2904 W   227381 Ch   "secure"                                                                                                                                          

Total time: 1.080132
Processed Requests: 4
Filtered Requests: 3
Requests/sec.: 3.703250

You can see that these results contain only one response. This is because we filtered out irrelevant results. Since we dropped all 404 responses, we can now focus on the URLs that point to actual paths. It looks like /secure returned a 200 OK status code and is a valid path on facebook.com .

你可以看到这些结果只包含一个响应。这是因为我们过滤掉了无关的结果。由于我们删除了所有的 404 响应，现在我们可以专注于指向实际路径的 URL。看起来/secure 返回了 200 OK 状态码并且是 facebook.com 上的有效路径。

Brute-Forcing Authentication

Once you’ve gathered valid filepaths on the target, you might find that some of the pages on the server are protected. Most of the time, these pages will have a 403 Forbidden response code. What can you do then?

一旦您在目标上收集到有效的文件路径，您可能会发现服务器上有些页面是受保护的。大多数情况下，这些页面将返回 403 禁止请求代码。那么您该怎么办呢？

Well, you could try to brute-force the authentication on the page. For example, sometimes pages use HTTP’s basic authentication scheme as access control. In this case, you can use Wfuzz to fuzz the authentication headers, using the -H flag to specify custom headers:

嗯，您可以尝试在页面上进行暴力身份验证。 例如，有时候页面使用 HTTP 的基本身份验证方案作为访问控制方式。在这种情况下，您可以使用 Wfuzz 来模糊身份验证头，使用-H 标志指定自定义头：

$     wfuzz -w wordlist.txt -H "Authorization: Basic FUZZ" http://example.com/admin

The basic authentication scheme uses a header named Authorization to transfer credentials that are the base64-encoded strings of username and password pairs. For example, if your username and password were admin and password , your authentication string would be base64("admin:password") , or YWRtaW46cGFzc3dvcmQ= . You could generate authentication strings from common username and password pairs by using a script, then feed them to your target’s protected pages by using Wfuzz.

基本身份验证方案使用名为 Authorization 的头来传输凭据，这些凭据是用户名和密码对的 base64 编码字符串。例如，如果您的用户名和密码是 admin 和 password，您的认证字符串将是 base64（“admin：password”），即 YWRtaW46cGFzc3dvcmQ =。您可以使用脚本从常见的用户名和密码对中生成认证字符串，然后使用 Wfuzz 将其提供给目标保护页面。

Another way to brute-force basic authentication is to use Wfuzz’s --basic option. This option automatically constructs authentication strings to brute-force basic authentication, given an input list of usernames and passwords. In Wfuzz, you can mark different injection points with FUZZ , FUZ2Z , FUZ3Z , and so on. These injection points will be fuzzed with the first, second, and third wordlist passed in, respectively. Here’s a command you can use to fuzz the username and password field at the same time:

另一种暴力破解基本身份验证的方法是使用 Wfuzz 的--basic 选项。该选项自动地构造身份验证字符串来暴力破解基本身份验证，给出用户名和密码的输入列表。在 Wfuzz 中，您可以用 FUZZ，FUZ2Z，FUZ3Z 等标记不同的注入点。这些注入点将分别通过第一个，第二个和第三个传递的字典进行模糊处理。下面是一个您可以同时模糊处理用户名和密码字段的命令：

$     wfuzz -w usernames.txt -w passwords.txt --basic FUZZ:FUZ2Z http://example.com/admin

The usernames.txt file contains two usernames: admin and administrator . The passwords.txt file contains three passwords: secret , pass , and password . As you can see, Wfuzz sends a request for each username and password combination from your lists:

"usernames.txt"文件包含两个用户名：admin 和 administrator。"passwords.txt"文件包含三个密码：secret、pass 和 password。正如您所看到的，Wfuzz 会为您列表中的每个用户名和密码组合发送请求：

********************************************************
* Wfuzz 2.4.6 - The Web Fuzzer                         *
********************************************************

Target: http://example.com/admin
Total requests: 6

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000002:   404        46 L     120 W    1256 Ch     "admin – pass"
000000001:   404        46 L     120 W    1256 Ch     "admin – secret"
000000003:   404        46 L     120 W    1256 Ch     "admin – password"
000000006:   404        46 L     120 W    1256 Ch     "administrator – password"
000000004:   404        46 L     120 W    1256 Ch     "administrator – secret" 
000000005:   404        46 L     120 W    1256 Ch     "administrator – pass" 

Total time: 0.153867
Processed Requests: 6
Filtered Requests: 0
Requests/sec.: 38.99447

Other ways to bypass authentication by using brute-forcing include switching out the User-Agent header or forging custom headers used for authentication. You could accomplish all of these by using Wfuzz to brute-force HTTP request headers.

使用暴力破解绕过身份验证的其他方法包括更改 User-Agent 头或伪造用于身份验证的自定义头。通过使用 Wfuzz 暴力破解 HTTP 请求头，您可以实现所有这些功能。

Testing for Common Web Vulnerabilities

Finally, Wfuzz can help you automatically test for common web vulnerabilities. First of all, you can use Wfuzz to fuzz URL parameters and test for vulnerabilities like IDOR and open redirects. Fuzz URL parameters by placing a FUZZ keyword in the URL. For example, if a site uses a numeric ID for chat messages, test various IDs by using this command:

最后，Wfuzz 可以帮助你自动测试常见的 Web 漏洞。首先，你可以使用 Wfuzz 对 URL 参数进行 FUZZ 测试，测试漏洞如 IDOR 和开放式重定向。在 URL 中放置一个 FUZZ 关键字来 Fuzz URL 参数。例如，如果一个站点使用数字 ID 作为聊天消息，可以使用以下命令测试各种 ID：

$     wfuzz -w wordlist.txt http://example.com/view_message?message_id=FUZZ

Then find valid IDs by examining the response codes or content length of the response and see if you can access the messages of others. The IDs that point to valid pages usually return a 200 response code or a longer web page.

然后，通过检查响应代码或响应内容长度来查找有效的 ID，并查看是否可以访问他人的消息。指向有效网页的 ID 通常返回 200 响应代码或更长的网页。

You can also insert payloads into redirect parameters to test for an open redirect:

你也可以将有效负载插入重定向参数中，以测试是否存在开放重定向：

$     wfuzz -w wordlist.txt http://example.com?redirect=FUZZ

To check if a payload causes a redirect, turn on Wfuzz’s follow ( --follow ) and verbose ( -v ) options. The follow option instructs Wfuzz to follow redirects. The verbose option shows more detailed results, including whether redirects occurred during the request. See if you can construct a payload that redirects users to your site:

要检查有效载荷是否导致重定向，请打开 Wfuzz 的跟随(--follow) 和详细(-v) 选项。跟随选项指示 Wfuzz 跟随重定向。详细选项显示更详细的结果，包括请求期间是否发生重定向。看看能否构造一个有效载荷，将用户重定向到您的站点：

$     wfuzz -w wordlist.txt -v –-follow http://example.com?redirect=FUZZ

Finally, test for vulnerabilities such as XSS and SQL injection by fuzzing URL parameters, POST parameters, or other user input locations with common payload lists.

最终，通过使用常见有效载荷列表对 URL 参数、POST 参数或其他用户输入位置进行模糊测试，测试漏洞，如 XSS 和 SQL 注入。

When testing for XSS by using Wfuzz, try creating a list of scripts that redirect the user to your page, and then turn on the verbose option to monitor for any redirects. Alternatively, you can use Wfuzz content filters to check for XSS payloads reflected. The --filter flag lets you set a result filter. An especially useful filter is content~ STRING , which returns responses that contain whatever STRING is:

使用 Wfuzz 测试 XSS 时，请尝试创建重定向用户到您的页面的脚本列表，然后打开详细选项以监视任何重定向。或者，您可以使用 Wfuzz 内容过滤器来检查反射的 XSS 有效负载。 --filter 标志允许您设置结果过滤器。一个尤其有用的过滤器是 content〜STRING，它返回包含任何 STRING 的响应。

$     wfuzz -w xss.txt --filter "content~FUZZ" http://example.com/get_user?user_id=FUZZ

For SQL injection vulnerabilities, try using a premade SQL injection wordlist and monitor for anomalies in the response time, response code, or response length of each payload. If you use SQL injection payloads that include time delays, look for long response times. If most payloads return a certain response code but one does not, investigate that response further to see if there’s a SQL injection there. A longer response length might also be an indication that you were able to extract data from the database.

在处理 SQL 注入漏洞时，尝试使用预先制作的 SQL 注入词库，并监测每个有效载荷的响应时间、响应代码或响应长度的异常情况。如果您使用的 SQL 注入有效载荷包括时间延迟，请寻找长时间的响应时间。如果大多数有效载荷返回特定的响应代码，但是某一个不返回，请进一步调查该响应，以查看是否存在 SQL 注入漏洞。较长的响应长度还可能表明您能够从数据库中提取数据。

The following command tests for SQL injection using the wordlist sqli.txt . You can specify POST body data with the -d flag:

以下命令使用单词列表 sqli.txt 测试 SQL 注入。您可以使用-d 标志指定 POST 正文数据：

$     wfuzz -w sqli.txt -d "user_id=FUZZ" http://example.com/get_user

More About Wfuzz

Wfuzz has many more advanced options, filters, and customizations that you can take advantage of. Used to its full potential, Wfuzz can automate the most tedious parts of your workflow and help you find more bugs. For more cool Wfuzz tricks, read its documentation at https://wfuzz.readthedocs.io/ .

Wfuzz 拥有更多的高级选项、过滤器和自定义功能，您可以充分利用它们。充分利用 Wfuzz，它可以自动化您工作流程中最繁琐的部分，并帮助您发现更多的漏洞。要了解更多酷炫的 Wfuzz 技巧，请阅读它在 https://wfuzz.readthedocs.io/上的文档。