This repository has been archived by the owner on Dec 2, 2022. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 7 changed files with 231 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Minimal makefile for Sphinx documentation | ||
# | ||
|
||
# You can set these variables from the command line. | ||
SPHINXOPTS = | ||
SPHINXBUILD = sphinx-build | ||
SPHINXPROJ = Wfuzz | ||
SOURCEDIR = . | ||
BUILDDIR = build | ||
|
||
# Put it first so that "make" without argument is like "make help". | ||
help: | ||
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) | ||
|
||
.PHONY: help Makefile | ||
|
||
# Catch-all target: route all unknown targets to Sphinx using the new | ||
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). | ||
%: Makefile | ||
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) |
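
Review bot: `SPHINXPROJ = Wfuzz` in the variables block looks like a leftover from the Wfuzz docs this Makefile was adapted from; conf.py in the same commit sets `project = 'ZFuzz'`, so this should read `SPHINXPROJ = ZFuzz`. With `SOURCEDIR = .` and `BUILDDIR = build` the generated output lands inside the docs tree, so make sure `build/` is ignored by git so rendered HTML is not committed by accident.
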
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# Sphinx documentation build configuration file | ||
|
||
project = 'ZFuzz' | ||
copyright = '2019, Zepp' | ||
author = 'Zepp' | ||
release = '1.2' | ||
|
||
extensions = ['sphinx.ext.autodoc', 'sphinx_rtd_theme'] | ||
|
||
html_theme = 'sphinx_rtd_theme' |
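
Review bot: conf.py enables `sphinx.ext.autodoc` but never puts the package on `sys.path`, so the `automodule:: zfuzz.*` directives added in this commit only resolve when zfuzz is already installed in the build environment. Either add `import os, sys` and a `sys.path.insert(0, os.path.abspath(...))` pointing at the directory that contains the `zfuzz` package, or state in the docs that the build needs the package installed first. `release = '1.2'` is also maintained by hand alongside the release badge in the index page; reading it from the package would keep the two from drifting.
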
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
.. title:: ZFuzz | ||
|
||
ZFuzz Web Fuzzer | ||
================= | ||
|
||
.. image:: https://img.shields.io/badge/python-3.7-20d47a?style=flat-square | ||
:target: https://python.org/ | ||
.. image:: https://img.shields.io/badge/license-GPLv3-4ab0d9?style=flat-square | ||
:target: https://github.com/z3pp/ZFuzz/blob/master/LICENSE | ||
.. image:: https://img.shields.io/badge/release-1.2-lightgrey?style=flat-square | ||
:target: https://github.com/z3pp/ZFuzz | ||
.. image:: https://img.shields.io/travis/z3pp/ZFuzz/master?style=flat-square | ||
:target: https://travis-ci.org/z3pp/ZFuzz | ||
|
||
|
||
ZFuzz is an opensource web fuzzer written in Python | ||
(See `Wfuzz <https://wfuzz.readthedocs.io>`_ for more advanced features) | ||
|
||
**Usage exemple**:: | ||
|
||
$ ./zfuzz.py -w /mywordlist -u https://example.com/^FUZZ^ --sc 200 | ||
___ | ||
___| _|_ _ ___ ___ | ||
|- _| _| | |- _|- _| | ||
|___|_| |___|___|___| v1.2 | ||
|
||
[TARGET] https://example.com/<fuzz> | ||
|
||
[27:58] [200]: admin | ||
[27:58] [200]: robots.txt | ||
[27:58] [200]: js | ||
[27:58] [200]: css | ||
[27:59] [200]: cgi-bin | ||
[27:59] [200]: about | ||
[28:00] [200]: accounts | ||
|
||
[28:00] Total time: 3s | ||
|
||
**Features**: | ||
|
||
- Multithreaded | ||
- Allows fuzzing of HTTP headers, POST data, cookies, and different parts of URL | ||
- Very simple architecture/codes so you can easily contribute to the project | ||
- Easy to use and a nice interface | ||
|
||
ZFuzz needs Python v3 to work, and it must be run on Linux | ||
|
||
Documentation | ||
============== | ||
.. toctree:: | ||
:maxdepth: 2 | ||
|
||
source/contributing | ||
source/installation | ||
source/basicusage | ||
source/indepth | ||
|
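
Review bot: the literal-block label `**Usage exemple**::` has a typo ("example"), and "opensource" in the intro sentence should be "open source". The sample run prints `[TARGET] https://example.com/<fuzz>` while the command passes `^FUZZ^`; if the banner really rewrites the keyword that way it is fine, otherwise align the two so readers do not take `<fuzz>` for a valid keyword. The badge advertises Python 3.7 while the closing sentence says only "Python v3"; state the minimum version once.
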
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
Basic Usage | ||
============ | ||
|
||
ZFuzz Options | ||
-------------- | ||
|
||
* -h/--help -- Print the help banner | ||
* -u/--url -- URL to fuzz | ||
* -w/--wordlist -- wordlist | ||
* -H/--headers -- HTTP headers | ||
* -d/--data -- POST data | ||
* -b/--cookies -- Cookie to send for the requests | ||
* -k/--keyword -- Fuzzing keyword to use. Default ^FUZZ^ | ||
* -t/--threads -- Number of threads. Default 35 | ||
* -s/--delay -- Delay between requests | ||
* --timeout -- Requests timeout | ||
* --hc/sc -- HTTP Code(s) to hide/show | ||
* --hs/ss -- Response to hide/show with the given str | ||
|
||
Fuzzing keyword | ||
---------------- | ||
|
||
By default, the fuzzing keyword is ^FUZZ^ but you can change it by using the [-k/--keyword] option:: | ||
|
||
$ ./zfuzz.py -k #FUZZ# ... | ||
|
||
To fuzz something, just add the ^FUZZ^ keyword in the options that you would like to fuzz, | ||
And zfuzz will replace this keyword by each word of the wordlist specified:: | ||
|
||
$ ./zfuzz.py -w /mywordlist -u https://example.com/^FUZZ^ | ||
$ ./zfuzz.py -w /mywordlist -u https://example.com/ -d "username=admin&password=^FUZZ^" | ||
$ ./zfuzz.py -w /mywordlist -u https://example.com/ -H "User-agent: ^FUZZ^" "Content-Type: application/json" | ||
$ ./zfuzz.py -w /mywordlist -u https://example.com/ -b cookie:^FUZZ^ | ||
|
||
Limiting requests | ||
------------------ | ||
|
||
The fuzzer is multi-threaded and by default, has 35 threads, you can change this by using the [-t/--threads] option | ||
You also can specify a delay between the requests | ||
|
||
* Safe mode (Sending requests each 0.2s):: | ||
|
||
$ ./zfuzz.py -w /mywordlist -u http://example.com/^FUZZ^ -t 1 --delay 0.2 | ||
|
||
Filters | ||
-------- | ||
|
||
You can easily filter the requests result with these filters: | ||
|
||
Hide reponse | ||
^^^^^^^^^^^^^ | ||
|
||
The following options can be used to hide certain HTTP responses | ||
|
||
--hc (HTTP Code(s) to hide):: | ||
|
||
$ ./zfuzz.py -w /mywordlist -u http://example.com/^FUZZ^ --hc 500,404 | ||
|
||
--hs (Response to hide with the given str):: | ||
|
||
$ ./zfuzz.py -w /mywordlist -u http://example.com/^FUZZ^ --hs "home page" | ||
|
||
|
||
Show reponse | ||
^^^^^^^^^^^^^ | ||
|
||
The following options can be used to show certain HTTP responses | ||
|
||
--sc (HTTP Code(s) to show):: | ||
|
||
$ ./zfuzz.py -w /mywordlist -u http://example.com/^FUZZ^ --sc 200,301 | ||
|
||
--hs (Response to show with the given str):: | ||
|
||
$ ./zfuzz.py -w /mywordlist -u http://example.com/^FUZZ^ --hs "home page" | ||
|
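
Review bot: the "Show reponse" section documents the hide filter a second time: both `--hs (Response to show with the given str)::` and its example `--hs "home page"` should use `--ss`, which is the show option given in the options list (`--hs/ss`). In the keyword section, `$ ./zfuzz.py -k #FUZZ# ...` is unquoted, so the shell treats `#FUZZ# ...` as a comment and `-k` receives no value; write it as `-k '#FUZZ#'`. Both filter headings also misspell "response" as "reponse", and the two sentences under "Limiting requests" run together without punctuation.
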
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
Contributing | ||
============= | ||
|
||
You can contribute to zfuzz depending on your python skills or your willingness to help as an user | ||
|
||
Improve the documentation | ||
-------------------------- | ||
|
||
You can improve this documentation by forking `this repository <https://github.com/z3pp/ZFuzz>`_, updating the contents and sending a pull request | ||
|
||
Improve ZFuzz | ||
----------------------- | ||
|
||
If you know how to code in Python and have ideas to improve zfuzz or just ameliorate the code to make it better, you're very welcome to send a pull requests, just make sure that you respect these rules: | ||
|
||
* Keep the code clean | ||
* Respect the PEP8 style | ||
* Don't too change the project structure/codes | ||
* That's all ;) | ||
|
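
Review bot: the rule `* Don't too change the project structure/codes` is hard to parse as written; something like "Avoid large changes to the project structure" states the intent. In the same pass, "as an user" should be "as a user", "send a pull requests" should be "send a pull request", and the final `* That's all ;)` bullet is not a rule and reads better as a closing sentence after the list.
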
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
How ZFuzz works | ||
================ | ||
|
||
ZFuzz CLI | ||
---------- | ||
.. automodule:: zfuzz.cli | ||
:members: | ||
|
||
Argparse custom actions | ||
------------------------ | ||
.. automodule:: zfuzz.action | ||
:members: | ||
|
||
The Fuzzer | ||
----------- | ||
.. automodule:: zfuzz.fuzzer | ||
:members: | ||
|
||
Utils | ||
------ | ||
.. automodule:: zfuzz.utils | ||
:members: | ||
|
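
Review bot: every `.. automodule::` on this page makes Sphinx import the named module at build time, so `zfuzz.cli` in particular has to be safe to import: argument parsing and the fuzzing entry point need to sit inside a function or behind `if __name__ == '__main__':`, otherwise `make html` will run them. Please confirm that before merging. The page title promises how ZFuzz works, but the content is only generated API listings; a sentence or two of prose under each heading would cover what `:members:` cannot.
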
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
Installation | ||
============= | ||
|
||
From pip | ||
--------- | ||
|
||
You can easily install ZFuzz using `pip <https://pypi.org/project/zfuzz/>`_ :: | ||
|
||
$ pip3 install zfuzz | ||
|
||
|
||
From source | ||
------------ | ||
|
||
You can also install ZFuzz from `Github <https://github.com/Zepp/ZFuzz.git>`_ by following these commands :: | ||
|
||
$ git clone https://github.com/z3pp/ZFuzz.git | ||
$ cd ZFuzz | ||
$ python3 setup.py install | ||
|
||
Dependencies | ||
------------- | ||
|
||
ZFuzz only use `colored <https://pypi.org/project/colored/>`_ for the colored output and `requests <https://2.python-requests.org/en/master/>`_ for the HTTP requests | ||
|
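
Review bot: in "From source" the link target is `https://github.com/Zepp/ZFuzz.git` while the clone command directly below uses `https://github.com/z3pp/ZFuzz.git`; install instructions should name one canonical repository, so point the link at the z3pp URL that the rest of these docs use. In "Dependencies", "ZFuzz only use" should be "ZFuzz only uses".
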