Advanced Usage
The Reflected scanner checks whether the payload was reflected in the response body.
--scanner Reflected
Example:
$ fuzzingtool -u https://domainexample.com/?search=FUZZ -w ~/wordlists/xss.txt --scanner Reflected
Grep content from the response body based on a regex match (this is a scanner, not the Regex Match option).
--scanner Grep=REGEX[;REGEX]*
Example: Grep emails during the path discovery.
$ fuzzingtool -u https://domainexample.com/FUZZ -w 'Robots;~/wordlists/paths.txt' --scanner Grep=email
Look for backup file extensions on matched responses during path fuzzing. This plugin enqueues new payloads for the next job.
--scanner Backups=EXTENSION[,EXTENSION]*
If no extension is set, the program uses these by default: .bak,.tgz,.zip,.tar.gz,~,.rar,.old,.swp
Look up the technologies used by a web page during a discovery scan.
--scanner Wappalyzer
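The three scanner behaviours above (Reflected, Grep and Backups) can be illustrated with a few small functions. This is an added example written for this page, not FuzzingTool's own code: the response body, the e-mail regex that stands in for the page's `email` preset, and the `admin.php` path are all constructed here. The Reflected check also reports whether the payload came back raw or HTML-escaped, which is what tells a sanitized reflection apart from an unsanitized one.

```python
import html
import re
from typing import Dict, List, Optional

# Default extensions listed on the page for --scanner Backups.
DEFAULT_BACKUP_EXTENSIONS = [".bak", ".tgz", ".zip", ".tar.gz", "~", ".rar", ".old", ".swp"]

# Constructed sample response bodies (not captured from any real host).
RAW_BODY = (
    "<html><body><p>Results for: <script>alert();</script></p>"
    "<p>Contact admin@example.com or support@example.org</p></body></html>"
)
ESCAPED_BODY = RAW_BODY.replace("<script>alert();</script>",
                                html.escape("<script>alert();</script>", quote=False))

# Assumed regex standing in for the page's 'email' preset (the preset itself is not shown).
EMAIL_REGEX = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def reflected(payload: str, body: str) -> Optional[str]:
    """Reflected scanner: 'raw' when the payload appears verbatim in the body,
    'html-escaped' when only its entity-encoded form appears, None otherwise."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=False) in body:
        return "html-escaped"
    return None


def parse_grep_option(value: str) -> List[str]:
    """Split the REGEX[;REGEX]* form used by --scanner Grep."""
    return [r for r in value.split(";") if r]


def grep(regexes: List[str], body: str) -> Dict[str, List[str]]:
    """Grep scanner: collect every match of each regex found in the response body."""
    return {rx: re.findall(rx, body) for rx in regexes}


def backups(matched_path: str, extensions: Optional[List[str]] = None) -> List[str]:
    """Backups scanner: derive the follow-up payloads to enqueue for a path whose
    response matched; falls back to the page's default extension list."""
    exts = extensions if extensions else DEFAULT_BACKUP_EXTENSIONS
    return [matched_path + ext for ext in exts]


if __name__ == "__main__":
    print(reflected("<script>alert();</script>", RAW_BODY))      # raw
    print(reflected("<script>alert();</script>", ESCAPED_BODY))  # html-escaped
    print(grep(parse_grep_option(EMAIL_REGEX), RAW_BODY))
    print(backups("admin.php"))
```

Only a `raw` result points at an unsanitized reflection; an `html-escaped` result means the application encoded the output, which is the mitigation a Reflected scanner should not confuse with a finding.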
The CrtSh plugin builds a wordlist for subdomain fuzzing based on the content of https://crt.sh/.
-w CrtSh=TARGET_HOST
Examples:
$ fuzzingtool -u https://FUZZ.domainexample.com/ -w CrtSh
$ fuzzingtool -u https://FUZZ.domainexample.com/ -w CrtSh=domainexample.com
The Overflow plugin builds a wordlist for overflow purposes. You can set the quantity of payloads, the initial payload, the end of the payload list and the repeated payload.
-w Overflow=QUANTITY_OF_PAYLOADS,INIT_PAYLOAD:PAYLOAD:END_PAYLOAD
Example to get etc/passwd via path traversal:
$ fuzzingtool -u https://domainexample.com/?page=FUZZ -w Overflow=10,:../:etc/passwd
Example to stress the target with requests (blank payloads):
$ fuzzingtool -u https://domainexample.com/ -w Overflow=50000
The DnsZone plugin tries to build a wordlist for subdomain fuzzing based on a DNS zone transfer request to the target.
-w DnsZone=TARGET_HOST
Examples:
$ fuzzingtool -u https://FUZZ.domainexample.com/ -w DnsZone
$ fuzzingtool -u https://FUZZ.domainexample.com/ -w DnsZone=domainexample.com
The Robots plugin builds a wordlist for path fuzzing using the target's robots.txt.
-w Robots=TARGET_URL
Examples:
$ fuzzingtool -u https://domainexample.com/FUZZ -w Robots
$ fuzzingtool -u https://domainexample.com/FUZZ -w Robots=https://domainexample.com/
The DnsDumpster plugin tries to build a wordlist for subdomain fuzzing based on the content of the site dnsdumpster.com.
-w DnsDumpster=TARGET_HOST
Examples:
$ fuzzingtool -u https://FUZZ.domainexample.com/ -w DnsDumpster
$ fuzzingtool -u https://FUZZ.domainexample.com/ -w DnsDumpster=domainexample.com
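Two of the wordlist plugins above need no network access to demonstrate: Robots (turn a robots.txt into paths that slot into `https://host/FUZZ`) and Overflow (expand `QUANTITY,INIT:PAYLOAD:END` into the payload list). This is an added example written for this page, not FuzzingTool's own implementation; the robots.txt content is constructed, and it assumes the repeated payload starts at one repetition and grows by one per entry, which the page does not state.

```python
import re
from typing import Iterator, List, Tuple

# Constructed robots.txt (not fetched from any host).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # comment after a rule
Allow: /public/
Disallow:
Disallow: /admin/
Sitemap: https://example.com/sitemap.xml
"""


def robots_paths(robots_txt: str) -> List[str]:
    """Build a path wordlist from Allow/Disallow rules, in file order, without
    duplicates. The leading '/' is dropped so each entry replaces FUZZ directly."""
    paths: List[str] = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)(allow|disallow)\s*:\s*(\S+)", line)
        if not m:
            continue                                  # empty rule, User-agent, Sitemap, ...
        path = m.group(2).lstrip("/")
        if path and path not in paths:
            paths.append(path)
    return paths


def parse_overflow_option(value: str) -> Tuple[int, str, str, str]:
    """Parse 'QUANTITY,INIT:PAYLOAD:END'. Only the quantity is required; a bare
    'Overflow=50000' yields blank payloads, as the page's stress example does."""
    quantity, _, rest = value.partition(",")
    parts = rest.split(":") if rest else []
    parts += [""] * (3 - len(parts))                  # missing fields default to ''
    init, payload, end = parts[:3]
    return int(quantity), init, payload, end


def overflow(quantity: int, init: str = "", payload: str = "", end: str = "") -> Iterator[str]:
    """Yield init + payload*n + end for n = 1..quantity (assumed 1-based growth)."""
    for n in range(1, quantity + 1):
        yield init + payload * n + end


if __name__ == "__main__":
    print(robots_paths(SAMPLE_ROBOTS))
    for p in overflow(*parse_overflow_option("3,:../:etc/passwd")):
        print(p)
```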
- To see all available encoders, see the Plugin encoders section.
Encoders are used to encode a payload before it is sent in a request. You can set multiple encoders to be used, and also chain encoders so that they apply in sequence to a single payload instance. Here are some examples; we'll encode this payload: <script>alert();</script>
$ fuzzingtool -u https://mydomainexample.com/?search=FUZZ -w '[<script>alert()\;</script>]' -e Html,Hex
It'll encode the payload as HTML entities and as hexadecimal, resulting in 2 different payloads:
- New payload from Html:
&lt;script&gt;alert();&lt;/script&gt;
- New payload from Hex:
3c7363726970743e616c65727428293b3c2f7363726970743e
$ fuzzingtool -u https://mydomainexample.com/?search=FUZZ -w '[<script>alert()\;</script>]' -e Html@Hex
It'll encode the payload through the chain of HTML entities and then hexadecimal, resulting in a single payload:
- New payload from Html@Hex:
266c743b7363726970742667743b616c65727428293b266c743b2f7363726970742667743b
On FuzzingTool you can also encode only specific parts of a payload by using a regex.
$ fuzzingtool -u https://mydomainexample.com/?search=FUZZ -w '[<script>alert()\;</script>]' -e HtmlHex --encode-only '<|>|/'
It'll encode only the <, > and / characters of the payload, with HtmlHex:
- New payload from HtmlHex with regex:
<script>alert();</script>
You can combine these options: multiple encoders, chained encoders and encoding by regex!
Encodes the payload into hexadecimal format.
-e Hex
Encodes the payload into base64 format.
-e Base64
Escape HTML special characters in the payload as entities.
-e Html
Encode the payload to HTML decimal entity format.
-e HtmlDec
Encode the payload to HTML hexadecimal entity format.
-e HtmlHex
Replace special characters in the string using the %xx escape. Letters, digits, and the characters '_.-~' are never quoted. If no encode level is provided, the default is 1.
-e Url=ENCODE_LEVEL
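The encoder options listed here and the multiple/chained/regex-only examples earlier on this page can be reproduced with a small encoder pipeline. This is an added example written for this page, not FuzzingTool's own code. It assumes that `,` separates independent encoders, `@` chains them left to right, the Url encode level means applying URL encoding that many times, and the HtmlDec/HtmlHex entity spelling (`&#60;` / `&#x3c;`) used here is the page's intent. The Html, Hex and Html@Hex results are checked against the exact values printed on this page.

```python
import base64
import html
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import quote

Encoder = Callable[[str], str]

# The payload the page's examples use.
PAYLOAD = "<script>alert();</script>"


def hex_encode(s: str) -> str:
    return s.encode("utf-8").hex()


def base64_encode(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def html_encode(s: str) -> str:
    # Named entities for & < > " ' (the page's example contains no quotes).
    return html.escape(s)


def html_dec_encode(s: str) -> str:
    return "".join(f"&#{ord(c)};" for c in s)       # assumed entity spelling


def html_hex_encode(s: str) -> str:
    return "".join(f"&#x{ord(c):x};" for c in s)    # assumed entity spelling


def url_encode(s: str, level: int = 1) -> str:
    # quote(safe="") never touches letters, digits or '_.-~'; applying it
    # `level` times gives double (or deeper) encoding.
    for _ in range(level):
        s = quote(s, safe="")
    return s


ENCODERS: Dict[str, Encoder] = {
    "Hex": hex_encode, "Base64": base64_encode, "Html": html_encode,
    "HtmlDec": html_dec_encode, "HtmlHex": html_hex_encode,
}


def build_encoder(spec: str) -> Encoder:
    """Turn one -e item such as 'Hex', 'Url=2' or 'Html@Hex' into a single callable.
    '@' chains encoders: the output of Html feeds Hex."""
    steps: List[Encoder] = []
    for item in spec.split("@"):
        name, _, arg = item.partition("=")
        if name == "Url":
            level = int(arg) if arg else 1           # page: default encode level is 1
            steps.append(lambda s, lv=level: url_encode(s, lv))
        else:
            steps.append(ENCODERS[name])             # KeyError for an unknown encoder

    def chained(s: str) -> str:
        for step in steps:
            s = step(s)
        return s
    return chained


def encode_only(s: str, encoder: Encoder, pattern: str) -> str:
    """--encode-only: apply the encoder to the regex matches only, leaving the rest."""
    return re.sub(pattern, lambda m: encoder(m.group(0)), s)


def expand(payload: str, encoder_option: str, encode_only_regex: Optional[str] = None) -> Dict[str, str]:
    """Mimic -e A,B@C [--encode-only REGEX]: one output payload per comma-separated item."""
    out: Dict[str, str] = {}
    for spec in encoder_option.split(","):
        enc = build_encoder(spec)
        out[spec] = encode_only(payload, enc, encode_only_regex) if encode_only_regex else enc(payload)
    return out


if __name__ == "__main__":
    for name, value in expand(PAYLOAD, "Html,Hex,Html@Hex").items():
        print(f"New payload from {name}: {value}")
    print(expand(PAYLOAD, "HtmlHex", "<|>|/"))
```

The chained case is the one worth checking by hand: hex-encoding the entity-escaped string starts with `266c743b` (`&lt;`) where the plain Hex payload starts with `3c` (`<`), which is exactly the difference between the two hex strings shown on this page.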