auxiliary fuzzers dir_trav_fuzz
Chris Gates (CG)
This module fuzzes various directory traversal payloads against the user-specified Remote URL (RURL).

Name       Current Setting                      Required  Description
COOKIES                                         false     Enter the cookies here. Ex: set COOKIES ASPSESSIONID=1234;
FILE       boot.ini                             true      File To View
FUZZPARAM                                       false     Identify which param is to be fuzzed
LFILE      wordlists/dir_traversal_strings.txt  true      Directory Traversal Strings File
LOG        no                                   false     If yes, the output will be logged in dradis upload format, under lib/wXf/wXflog
METHOD     get                                  true      Choose either get or post
PROXYA                                          false     Proxy IP Address
PROXYP                                          false     Proxy Port Number
RPARAMS                                         false     Enter the body like so: foo=bar&cow=moo
RURL       http://www.example.com/test.php      true      Target address
COOKIES -- If you have a cookie or cookies that you'd like to add to the request (whether GET or POST, doesn't matter), go ahead and set them here like so:
SINGLE COOKIE
set COOKIES ASPSESSIONID=1234;
MULTI COOKIE
set COOKIES ASPSESSIONID=1234; ASP.NET_SessionId=5678;
FILE -- This is the path AND file you are attempting to retrieve with each request on the remote system. If the system is Linux, you may try etc/passwd, for example.
set FILE etc/passwd
FUZZPARAM -- The query, whether GET or POST, will include an RPARAMS string. wXf needs to know which of the parameters we will inject our fuzzing payloads into. This is the FUZZPARAM. For example:
set RPARAMS foo=bar&cow=moooooo
If we wanted to fuzz the parameter "cow", we'd use the following:
set FUZZPARAM cow
LFILE -- The LFILE can be left at its default, no interaction required. However, if you choose to use another wordlist, type:
show lfiles
(choose the LFILE you'd like from the wordlists options)
set LFILE wordlists/<chosen file>
LOG -- This option can be left default, no interaction required. However, if you'd like to log the requests/responses, headers, debug information and timestamp into an xml file suitable for Dradis Framework upload, type: yes. Example:
set LOG yes
METHOD -- By default the request is GET. If POST/post is set, the request will be a POST.
set METHOD get
set METHOD GET
set METHOD post
set METHOD POST
RPARAMS -- This is the query string. Regardless of GET or POST, wXf will convert the parameters accordingly. There is only one way in which to enter the parameters. Example:
set RPARAMS foo=bar&cow=moo&sky=blue
The target is http://www.foo.com, the request is a POST request and the query is foo=bar&show_file=cool_file.html. We want to log the output to dradis, and we'd like to fuzz the parameter show_file. We will use the default wordlist. This is a Linux system, so etc/resolv.conf is a file we'd like to attempt to retrieve.
set RURL http://www.foo.com
set METHOD post
set RPARAMS foo=bar&show_file=cool_file.html
set FUZZPARAM show_file
set FILE etc/resolv.conf
set LOG yes
run
Now the output of each request and response is stored in dir_trav_fuzz.xml under lib/wXf/wXflog. Analyze it to see what worked. Enjoy!
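Seen from the server being tested, a run of this module shows up as one client sending many traversal variants in a single parameter. The following added example (not part of wXf or the original page) flags that pattern in access-log lines; the log format, addresses and sample lines are constructed, and only GET query strings are covered because access logs do not record POST bodies.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed access-log lines (not real traffic): one client varying "cow".
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /test.php?foo=bar&cow=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /test.php?foo=bar&cow=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /test.php?foo=bar&cow=....//....//etc/passwd HTTP/1.1" 404 0
198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /test.php?foo=bar&cow=moo HTTP/1.1" 200 90
198.51.100.4 - - [01/Jan/2024:10:00:06 +0000] "GET /test.php?foo=bar&cow=notes..txt HTTP/1.1" 200 90
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TRAVERSAL = re.compile(r'\.\.+[/\\]')  # "../", "..\", "....//" once decoded

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads normalise too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_fuzzed_params(log_text, min_payloads=2):
    """Map (client, path, param) -> [(raw_value, status)] for parameters that
    received at least min_payloads distinct traversal values from one client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            if TRAVERSAL.search(fully_decode(raw)):
                hits[(client, url.path, name)].append((raw, status))
    return {k: v for k, v in hits.items()
            if len({raw for raw, _ in v}) >= min_payloads}

def successful_candidates(findings):
    """Traversal requests answered 200: check what the response returned."""
    return [(key, raw) for key, v in findings.items()
            for raw, status in v if status == 200]
```

A 200 status alone does not prove a file was disclosed; it marks the requests whose response bodies should be reviewed first.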