Usage Examples

Vitor Oriel edited this page May 5, 2022 · 23 revisions

HTTP verb Fuzzing

With FuzzingTool you can set multiple HTTP verbs, and also fuzz them. Here's an example:

$ fuzzingtool -u https://mydomainexample.com/edit.php -X FUZZ -d 'id=5&action=insert' -w ~/wordlists/methods.txt

Now here's an example of inner HTTP verb fuzzing (the FUZZ marker is placed inside a verb):

$ fuzzingtool -u https://mydomainexample.com/edit.php -X POSFUZZT,PUT -d 'id=5&action=insert' -w ~/wordlists/methods.txt

Data Fuzzing

Parameter data fuzzing

In this example, the query parameter 'id' is the entry for the fuzzing test (its empty value marks the payload position). The payloads are read from the file 'sqli.txt'. If no HTTP verb is specified, the GET request method is used by default.

$ fuzzingtool -u https://mydomainexample.com/post.php?id= -w ~/wordlists/sqli.txt -o blind_sqli.csv

If you want to test more than one parameter, you can do something like this in the URL:

http://mydomainexample.com/post.php?id=FUZZ&user=FUZZ

Body data fuzzing

In this example, the body data variables 'login' and 'passw' are entries for the fuzzing test, and the variable 'user' gets the fixed value 'login'. If no HTTP verb is specified, the POST request method is used by default.

$ fuzzingtool -w ~/wordlists/sqli.txt -u https://mydomainexample.com/controller/user.php -d 'login&passw&user=login'

Keep in mind: if neither a size match nor an elapsed-time match is set, FuzzingTool will ask you for a data comparator to be used to match responses, based on length or elapsed time. The response status code is checked before either of these, so if you are testing time-based blind SQLi, make sure to allow status code 500 if the server answers with internal server error responses.
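To make the matching order concrete, here is a small Python model of it, written for this page as an added example (it is not FuzzingTool's own code). It assumes responses carry a status code, a body length and an elapsed time, and shows why a time-based comparator finds nothing when status 500 is not in the allowed set: the status check runs first and drops the slow error response before its timing is ever compared. The responses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass
class FuzzResponse:
    """One response observed during a run (constructed sample, not real traffic)."""
    payload: str
    status: int
    length: int      # response body length in bytes
    elapsed: float   # round-trip time in seconds


def make_matcher(allowed_status: Set[int],
                 size_cmp: Optional[Callable[[int], bool]] = None,
                 time_cmp: Optional[Callable[[float], bool]] = None
                 ) -> Callable[[FuzzResponse], bool]:
    """Build a predicate that mirrors the order described on the page:
    status code first, then (only for allowed statuses) the length and/or
    elapsed-time comparators. A comparator left as None is skipped."""
    def matches(resp: FuzzResponse) -> bool:
        if resp.status not in allowed_status:
            return False                      # rejected before any comparator runs
        if size_cmp is not None and not size_cmp(resp.length):
            return False
        if time_cmp is not None and not time_cmp(resp.elapsed):
            return False
        return True
    return matches


def filter_matches(responses: Iterable[FuzzResponse],
                   matcher: Callable[[FuzzResponse], bool]) -> List[str]:
    """Return the payloads whose responses the matcher accepts."""
    return [r.payload for r in responses if matcher(r)]


# Constructed sample: two normal pages, one slow 500 (the timing signal a
# time-based test looks for) and one fast 500 (an ordinary error).
SAMPLE_RESPONSES = [
    FuzzResponse("p1", 200, 1520, 0.12),
    FuzzResponse("p2", 500, 310, 5.04),
    FuzzResponse("p3", 200, 1520, 0.11),
    FuzzResponse("p4", 500, 310, 0.10),
]


def time_based_matches(min_seconds: float = 4.0,
                       allowed: Iterable[int] = (200, 500)) -> List[str]:
    """Elapsed-time comparator with status 500 explicitly allowed."""
    matcher = make_matcher(set(allowed), time_cmp=lambda t: t >= min_seconds)
    return filter_matches(SAMPLE_RESPONSES, matcher)


def time_based_only_200(min_seconds: float = 4.0) -> List[str]:
    """Same comparator, but only status 200 allowed: the slow 500 is lost."""
    matcher = make_matcher({200}, time_cmp=lambda t: t >= min_seconds)
    return filter_matches(SAMPLE_RESPONSES, matcher)


if __name__ == "__main__":
    print("500 allowed:", time_based_matches())     # ['p2']
    print("only 200:   ", time_based_only_200())    # []
```

The same skeleton applies to the length comparator: pass a `size_cmp` such as `lambda n: n != 1520` to flag responses whose body length differs from the baseline, and it too only ever sees responses whose status code was allowed.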

URL Fuzzing

You can also set the payload position in the URL; it is based on the position of the 'FUZZ' variable as well.

Path Scanning

Example of path scanning (suffixes are appended to each payload):

$ fuzzingtool -w ~/wordlists/paths.txt -u http://mydomainexample.com/FUZZ --suffix .php,.html

If your file paths.txt looks like this:

wp-admin
administration
admin-page

Your payloads will be:

wp-admin.php
wp-admin.html
administration.php
administration.html
admin-page.php
admin-page.html

You can also do subpath scanning; see these URLs:

http://mydomainexample.com/scripts/FUZZ # <-- subpath inside 'scripts' directory
http://mydomainexample.com/FUZZ/admin.php # <-- enumerate paths
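The payload expansion shown above (wordlist entry plus each suffix, in wordlist order) and the FUZZ substitution into a URL are easy to reproduce. The following Python is an added example written for this page, not FuzzingTool's own implementation. It assumes that every FUZZ occurrence in a URL receives the same payload (as the id=FUZZ&user=FUZZ example implies) and that an empty query value such as ?id= marks the position when no FUZZ marker is present (as the post.php?id= example implies); prefix support is an assumed generalisation that the page does not show. The paths.txt content is a constructed copy of the listing above.

```python
import re
from typing import Iterable, List, Sequence

FUZZ = "FUZZ"


def expand_payloads(words: Iterable[str],
                    suffixes: Sequence[str] = (),
                    prefixes: Sequence[str] = ()) -> List[str]:
    """Expand each wordlist entry with every prefix/suffix combination.
    Order: wordlist order, then suffixes in the order given, so the result
    matches the listing on the page. Blank lines are skipped.
    (Prefixes are an assumed generalisation, not something the page shows.)"""
    prefixes = tuple(prefixes) or ("",)
    suffixes = tuple(suffixes) or ("",)
    out: List[str] = []
    for raw in words:
        word = raw.strip()
        if not word:
            continue
        for p in prefixes:
            for s in suffixes:
                out.append(f"{p}{word}{s}")
    return out


def inject(template: str, payload: str) -> str:
    """Put the payload at every FUZZ position of a URL template.
    If there is no FUZZ marker, an empty query value (id=) is treated as the
    position, mirroring the page's post.php?id= example (assumption)."""
    if FUZZ not in template:
        template, count = re.subn(r"=(?=&|$)", "=" + FUZZ, template)
        if count == 0:
            raise ValueError("URL template has no FUZZ marker or empty parameter")
    return template.replace(FUZZ, payload)


def build_urls(template: str, words: Iterable[str],
               suffixes: Sequence[str] = ()) -> List[str]:
    """Full pipeline: expand the wordlist, then render one URL per payload."""
    return [inject(template, p) for p in expand_payloads(words, suffixes)]


# Constructed copy of the paths.txt shown on the page.
PATHS_TXT = "wp-admin\nadministration\nadmin-page\n"


def demo() -> List[str]:
    """Reproduce the --suffix .php,.html example from the page."""
    return build_urls("http://mydomainexample.com/FUZZ",
                      PATHS_TXT.splitlines(), [".php", ".html"])


if __name__ == "__main__":
    for url in demo():
        print(url)
```

`inject` replaces every marker with the same value, so a template with two FUZZ markers yields one request per payload rather than a cross product; a tool that pairs different wordlists with different positions would need a different substitution strategy.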

Subdomain Scanning

Example for subdomain scanning:

$ fuzzingtool -w ~/wordlists/subdomains.txt -u http://FUZZ.mydomainexample.com/ --timeout 4 -V -o subdomains.json

Reading raw HTTP request

In this example, the raw HTTP request is read from a file.

$ fuzzingtool -r ~/raw-http.txt -w ~/wordlists/sqli.txt -V

Data Fuzzing

Here we have two examples of the raw POST request format. The first one is the raw data as sent to the server during the request.

POST /controller/user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/index.php
Cookie: PHPSESSID=agkkekwsukpvurjmfcasaslj61l
Upgrade-Insecure-Requests: 1

User=Login&Login=usr&Pass=usr

The second is a modified version of the raw request, made readable for FuzzingTool. Note that the body data was changed and the Cookie header was removed (we don't want to send the Cookie as part of the request in this example).

POST /controller/user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/index.php
Upgrade-Insecure-Requests: 1

User=Login&Login=FUZZ&Pass=FUZZ

Parameter Fuzzing

Raw HTTP example of a GET request:

GET /post.php?id=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/index.php
Cookie: PHPSESSID=agkkekwsukpvurjmfcasaslj61l
Upgrade-Insecure-Requests: 1

In this example we do both parameter fuzzing and HTTP header fuzzing (look at the Cookie header):

GET /post.php?id=FUZZ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/index.php
Cookie: PHPSESSID=FUZZagkkekwsukpvurjmfcasaslj61lFUZZ
Upgrade-Insecure-Requests: 1

Using multiple http verbs

Same example as the POST one, but now with more than one HTTP verb.

POST,PUT /controller/user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/index.php
Upgrade-Insecure-Requests: 1

User=Login&Login=FUZZ&Pass=FUZZ

Path scanning

GET /FUZZ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/index.php
Cookie: PHPSESSID=agkkekwsukpvurjmfcasaslj61l
Upgrade-Insecure-Requests: 1

Subdomain scanning

GET / HTTP/1.1
Host: FUZZ.mydomainexample.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/index.php
Cookie: PHPSESSID=agkkekwsukpvurjmfcasaslj61l
Upgrade-Insecure-Requests: 1

Note: FuzzingTool can't determine the URL scheme from the file. The default scheme is http. To set a custom scheme, pass the --scheme argument:

$ fuzzingtool -r ~/wordlists/raw-http.txt --scheme https -w ~/wordlists/sqli.txt -V
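The raw-request examples in this section all follow one shape: a request line whose verb field may list several comma-separated verbs, a Host header that supplies the authority (the scheme is not in the file, hence --scheme), and FUZZ markers that may sit in the verb, the path, any header value or the body. The parser below is an added example written for this page, not FuzzingTool's own reader. It assumes that every FUZZ marker receives the same payload, that one request is produced per listed verb, and that Content-Length is recomputed for the substituted body (the page's fixed "Content-Length: 40" suggests the tool does something similar, but that is an assumption). The RAW request is a constructed, shortened version of the "Using multiple http verbs" example with a FUZZ-wrapped Cookie added.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FUZZ = "FUZZ"


@dataclass
class RawRequest:
    methods: List[str]          # e.g. ["POST", "PUT"] from "POST,PUT /path HTTP/1.1"
    path: str
    headers: Dict[str, str]
    body: str
    scheme: str = "http"        # not recoverable from the file; default per the page

    @property
    def url(self) -> str:
        return f"{self.scheme}://{self.headers['Host']}{self.path}"

    def fuzz_positions(self) -> List[str]:
        """Name every part of the request that carries a FUZZ marker."""
        spots: List[str] = []
        if any(FUZZ in m for m in self.methods):
            spots.append("method")
        if FUZZ in self.path:
            spots.append("path")
        spots += [f"header:{k}" for k, v in self.headers.items() if FUZZ in v]
        if FUZZ in self.body:
            spots.append("body")
        return spots


def parse_raw_request(text: str, scheme: str = "http") -> RawRequest:
    """Split a raw HTTP/1.1 request (as saved by a browser or proxy) into
    verbs, path, headers and body. Accepts CRLF or LF line endings."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    request_line = lines[0].split()
    if len(request_line) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    methods = [m for m in request_line[0].split(",") if m]
    path = request_line[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip()] = value.strip()
    if "Host" not in headers:
        raise ValueError("Host header is required to build the URL")
    return RawRequest(methods, path, headers, body.strip("\n"), scheme)


def render(req: RawRequest, payload: str) -> List[Tuple[str, str, Dict[str, str], str]]:
    """Substitute the payload into every FUZZ marker and return one
    (method, url, headers, body) tuple per listed verb."""
    def sub(s: str) -> str:
        return s.replace(FUZZ, payload)

    rendered = []
    for method in req.methods:
        headers = {k: sub(v) for k, v in req.headers.items()}
        body = sub(req.body)
        if body:
            # Assumption: keep Content-Length consistent with the substituted body.
            headers["Content-Length"] = str(len(body.encode("utf-8")))
        rendered.append((sub(method), sub(req.url), headers, body))
    return rendered


# Constructed sample based on the multi-verb example on this page.
RAW = """POST,PUT /controller/user.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Cookie: PHPSESSID=FUZZabcFUZZ

User=Login&Login=FUZZ&Pass=FUZZ
"""

if __name__ == "__main__":
    req = parse_raw_request(RAW, scheme="https")
    print(req.fuzz_positions())          # ['header:Cookie', 'body']
    for method, url, headers, body in render(req, "sample"):
        print(method, url, headers["Content-Length"], body)
```

Because the scheme is a parameter of `parse_raw_request` rather than something read from the file, the same request file renders as http:// or https:// URLs depending on what the caller passes, which is exactly the situation the --scheme note describes.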

Using multiple wordlists

You can also set multiple wordlists; just separate them with ';'.

$ fuzzingtool -u http://mydomainexample1.com/FUZZ -w 'Robots;/home/user/wordlists/paths.txt' -t 15 --timeout 10 -S --no-colors