Python library¶
Wfuzz’s Python library allows to automate tasks and integrate Wfuzz into new tools or scripts.
Library Options¶
All options that are available within the Wfuzz command line interface are available as library options:
CLI Option | Library Option |
---|---|
<URL> | url=”url” |
–recipe <filename> | recipe=[“filename”] |
–oF <filename> | save=”filename” |
-f filename,printer | printer=(“filename”, “printer”) |
–dry-run | transport=”dryrun” |
-p addr | proxies=[(“ip”,”port”,”type”)] |
-t N | concurrent=N |
-s N | delay=0.0 |
-R depth | rleve=depth |
–follow | follow=True |
-Z | scanmode=True |
–req-delay N | req_delay=0 |
–conn-delay N | conn_delay=0.0 |
–no-cache | no_cache=True |
–script=<plugins> | script=”plugins” |
–script-args n1=v1,… | script_args={n1: v1} |
-m iterator | iterator=”iterator” |
-z payload | payloads=[(“name”,{default=”“,encoder=[“md5”]},slice=”“),] |
-V alltype | allvars=”alltype” |
-X method | method=”method” |
–hc/hl/hw/hh N[,N]+ | hc/hl/hw/hh=[N,N] |
–sc/sl/sw/sh N[,N]+ | sc/sl/sw/sh=[N,N] |
–ss/hs regex | ss/hs=”regex” |
–filter <filter> | filter=”filter exp” |
–prefilter <filter> | prefilter=[“prefilter exp”] |
-b cookie | cookie=[“cookie1=value1”,] |
-d postdata | postdata=”postdata” |
-H header | headers=[(“header1”, “value1”),] |
–basic/ntlm/digest auth | auth=(“basic”, “user:pass”) |
These options can be used in the main library interfaces: fuzz, payload or session indistinctly.
Fuzzing a URL¶
Fuzzing a URL with wfuzz library is very simple. Firstly, import the wfuzz module:
>>> import wfuzz
Now, let’s try to fuzz a web page to look for hidden content, such as directories. For this example, let’s use Acunetix’s testphp (http://testphp.vulnweb.com/):
>>> import wfuzz
>>> for r in wfuzz.fuzz(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
... print r
...
00060: C=301 7 L 12 W 184 Ch "admin"
00183: C=403 10 L 29 W 263 Ch "cgi-bin"
00429: C=301 7 L 12 W 184 Ch "images"
...
Now, we have a FuzzResult object called r. We can get all the information we need from this object.
FuzzSession object¶
A FuzzSession object has all the methods of the main wfuzz API.
The FuzzSession object allows you to persist certain parameters across fuzzing sessions:
>>> import wfuzz
>>> s = wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ")
>>> for r in s.fuzz(hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]):
... print r
...
00060: C=301 7 L 12 W 184 Ch "admin"
00183: C=403 10 L 29 W 263 Ch "cgi-bin"
...
FuzzSession can also be used as context manager:
>>> with wfuzz.FuzzSession(url="http://testphp.vulnweb.com/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlist/general/common.txt"))]) as s:
... for r in s.fuzz():
... print r
...
00295: C=301 7 L 12 W 184 Ch "admin"
00418: C=403 10 L 29 W 263 Ch "cgi-bin"
Get payload¶
The get_payload function generates a Wfuzz payload from a Python iterable. It is a quick and flexible way of getting a payload programmatically without using Wfuzz payloads plugins.
Generating a new payload and start fuzzing is really simple:
>>> import wfuzz
>>> s = wfuzz.get_payload(range(5))
>>> for r in s.fuzz(url="http://testphp.vulnweb.com/FUZZ"):
... print r
...
00012: C=404 7 L 12 W 168 Ch "0"
00013: C=404 7 L 12 W 168 Ch "1"
00014: C=404 7 L 12 W 168 Ch "2"
00015: C=404 7 L 12 W 168 Ch "3"
00016: C=404 7 L 12 W 168 Ch "4"
The get_payloads method can be used when various payloads are needed:
>>> import wfuzz
>>> s = wfuzz.get_payloads([range(5), ["a","b"]])
>>> for r in s.fuzz(url="http://testphp.vulnweb.com/FUZZ/FUZ2Z"):
... print r
...
00028: C=404 7 L 12 W 168 Ch "4 - b"
00027: C=404 7 L 12 W 168 Ch "4 - a"
00024: C=404 7 L 12 W 168 Ch "2 - b"
00026: C=404 7 L 12 W 168 Ch "3 - b"
00025: C=404 7 L 12 W 168 Ch "3 - a"
00022: C=404 7 L 12 W 168 Ch "1 - b"
00021: C=404 7 L 12 W 168 Ch "1 - a"
00020: C=404 7 L 12 W 168 Ch "0 - b"
00023: C=404 7 L 12 W 168 Ch "2 - a"
00019: C=404 7 L 12 W 168 Ch "0 - a"
Get session¶
The get_session function generates a Wfuzz session object from the specified command line. It is a quick way of getting a payload programmatically from a string representing CLI options:
$ python
>>> import wfuzz
>>> s = wfuzz.get_session("-z range,0-10 http://testphp.vulnweb.com/FUZZ")
>>> for r in s.fuzz():
... print r
...
00002: C=404 7 L 12 W 168 Ch "1"
00011: C=404 7 L 12 W 168 Ch "10"
00008: C=404 7 L 12 W 168 Ch "7"
00001: C=404 7 L 12 W 168 Ch "0"
00003: C=404 7 L 12 W 168 Ch "2"
00004: C=404 7 L 12 W 168 Ch "3"
00005: C=404 7 L 12 W 168 Ch "4"
00006: C=404 7 L 12 W 168 Ch "5"
00007: C=404 7 L 12 W 168 Ch "6"
00009: C=404 7 L 12 W 168 Ch "8"
00010: C=404 7 L 12 W 168 Ch "9"
Interacting with the results¶
Once a Wfuzz result is available the grammar defined in the filter language can be used to work with the results’ values. For example:
$ python
>>> import wfuzz
>>> with wfuzz.get_session("-z list --zD test -u http://testphp.vulnweb.com/userinfo.php -d uname=FUZZ&pass=FUZZ") as s:
... for r in s.fuzz():
... print(r.history.cookies.response)
... print(r.history.params.all)
... print(r.history.params.post)
... print(r.history.params.post.uname)
... print(r.history.params.post['pass'])
{'login': 'test%2Ftest'}
{'uname': 'test', 'pass': 'test'}
{'uname': 'test', 'pass': 'test'}
test
test
>>>
The result object has also a method to evaluate a language expression:
>> print(r.eval("r.cookies.response"))
login=test%2Ftest