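# Wfuzz Cheat Sheet
## Overview
Wfuzz is a web application fuzzer designed to facilitate web application assessments. It can be used to find unlinked resources (directories, servlets, scripts, etc.), brute-force GET and POST parameters, brute-force form parameters (user/password), fuzz inputs, and more. Wfuzz is a powerful tool for discovering hidden content, testing for vulnerabilities, and performing comprehensive web application security assessments.
⚠️ Warning: Use Wfuzz only against applications that you own or have explicit permission to test. Unauthorized testing may violate terms of service or local laws.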
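
From the defender's side, the content-discovery runs this cheat sheet covers appear in web server access logs as one client requesting many distinct paths that mostly return 404. The following Python example is added here (it is not part of Wfuzz or of the original page); the log lines are constructed, and the `Wfuzz/3.1.0` User-Agent string, the thresholds and the function name are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def _line(ip, path, status, ua):
    # Builds one constructed log line (not real traffic).
    return f'{ip} - - [12/Mar/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'

WORDS = ["admin", "backup", "config", "dev", "test"]
SAMPLE_LOG = "\n".join(
    # Assumed tool User-Agent; the version number is made up.
    [_line("203.0.113.7", f"/{w}", 404, "Wfuzz/3.1.0") for w in WORDS]
    # Same behaviour behind a browser-like User-Agent (the header is client-controlled).
    + [_line("198.51.100.23", f"/{w}.bak", 404, "Mozilla/5.0") for w in WORDS]
    # Ordinary visitor with one missing favicon.
    + [_line("192.0.2.10", p, s, "Mozilla/5.0")
       for p, s in [("/", 200), ("/app.css", 200), ("/favicon.ico", 404)]]
)

def find_fuzzing_clients(log_text, min_requests=5, min_404_ratio=0.6):
    """Return {ip: stats} for clients whose traffic looks like content discovery."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "tool_ua": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["requests"] += 1
        s["not_found"] += int(m["status"] == "404")
        s["paths"].add(m["path"].split("?", 1)[0])
        s["tool_ua"] |= "wfuzz" in m["ua"].lower()
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        # Many distinct paths that mostly miss is the behavioural signal;
        # the User-Agent is only a hint because -H can override it.
        behavioural = (s["requests"] >= min_requests and ratio >= min_404_ratio
                       and len(s["paths"]) >= min_requests)
        if behavioural or s["tool_ua"]:
            flagged[ip] = {"requests": s["requests"], "ratio_404": ratio, "tool_ua": s["tool_ua"]}
    return flagged

if __name__ == "__main__":
    for ip, info in find_fuzzing_clients(SAMPLE_LOG).items():
        print(ip, info)
```

The second client is flagged on behaviour alone, which is why the 404 ratio and path count carry the detection rather than the User-Agent match.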
## Installation

### Python Package Installation

```bash
# Install via pip
pip install wfuzz
# Install with all dependencies
pip install wfuzz[complete]
# Install development version
pip install git+https://github.com/xmendez/wfuzz.git
# Verify installation
wfuzz --version
```

### System Package Installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install wfuzz
# CentOS/RHEL/Fedora
sudo yum install wfuzz
# or
sudo dnf install wfuzz
# Arch Linux
sudo pacman -S wfuzz
# macOS with Homebrew
brew install wfuzz
```

### Docker Installation

```bash
# Pull Docker image
docker pull ghcr.io/xmendez/wfuzz:latest
# Run with Docker
docker run --rm -it ghcr.io/xmendez/wfuzz:latest --help
# Create alias for easier usage
echo 'alias wfuzz="docker run --rm -it -v $(pwd):/data ghcr.io/xmendez/wfuzz:latest"' >> ~/.bashrc
source ~/.bashrc
```

### Manual Installation

```bash
# Clone repository
git clone https://github.com/xmendez/wfuzz.git
cd wfuzz
# Install dependencies
pip install -r requirements.txt
# Install
python setup.py install
# Or run directly
python wfuzz.py --help
```

## Basic Usage

### Directory and File Discovery

```bash
# Basic directory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# File extension fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/wfuzz/extensions/extensions.txt --hc 404 http://target.com/FUZZ.FUZ2Z
# Subdirectory fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/admin/FUZZ
# Multiple directory levels
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ/FUZ2Z
# Backup file discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ.bak
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ~
```

### Parameter Fuzzing

```bash
# GET parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?q=FUZZ"
# POST parameter fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" http://target.com/login.php
# Multiple parameter fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -w /usr/share/wordlists/dirb/common.txt "http://target.com/search.php?FUZZ=FUZ2Z"
# Header fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "X-Forwarded-For: FUZZ" http://target.com/
# Cookie fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -b "sessionid=FUZZ" http://target.com/
```

### Subdomain Discovery

```bash
# Subdomain enumeration
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Subdomain with custom wordlist
wfuzz -c -w subdomains.txt -H "Host: FUZZ.target.com" --hc 404 http://target.com/
# Virtual host discovery
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ" --hc 404 http://192.168.1.100/
```

## Advanced Usage

### Authentication and Sessions

```bash
# Basic authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --basic admin:password --hc 404 http://target.com/FUZZ
# Cookie-based authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123; auth=true" --hc 404 http://target.com/FUZZ
# Custom headers for authentication
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token123" --hc 404 http://target.com/FUZZ
# Session-based fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -H "Cookie: session=valid_session_id" --hc 404 http://target.com/FUZZ
```

### Advanced Filtering

```bash
# Hide specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403,500 http://target.com/FUZZ
# Hide specific response sizes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hh 1234 http://target.com/FUZZ
# Hide responses with specific words
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hw 100 http://target.com/FUZZ
# Hide responses with specific lines
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hl 50 http://target.com/FUZZ
# Show only specific response codes
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --sc 200,301,302 http://target.com/FUZZ
# Complex filtering
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --hh 1234 --hw 100 http://target.com/FUZZ
```

### Proxy and Network Options

```bash
# Use proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 --hc 404 http://target.com/FUZZ
# Use SOCKS proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:9050:SOCKS5 --hc 404 http://target.com/FUZZ
# Custom timeout
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --conn-delay 2 --req-delay 1 --hc 404 http://target.com/FUZZ
# Concurrent connections
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -t 50 --hc 404 http://target.com/FUZZ
# Follow redirects
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -L --hc 404 http://target.com/FUZZ
```

## Wordlists and Payloads

### Common Wordlists

```bash
# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# File wordlists
/usr/share/wordlists/wfuzz/general/common.txt
/usr/share/wordlists/wfuzz/general/admin-panels.txt
/usr/share/wordlists/wfuzz/general/megabeast.txt
# Parameter wordlists
/usr/share/wordlists/wfuzz/Injections/SQL.txt
/usr/share/wordlists/wfuzz/Injections/XSS.txt
/usr/share/wordlists/wfuzz/Injections/Traversal.txt
# Subdomain wordlists
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt
/usr/share/wordlists/wfuzz/general/subdomains-top1mil-20000.txt
```

### Custom Wordlist Creation

```bash
# Create custom wordlist
cat > custom_dirs.txt << 'EOF'
admin
administrator
panel
dashboard
control
manage
backend
api
v1
v2
test
dev
staging
EOF
# Use custom wordlist
wfuzz -c -w custom_dirs.txt --hc 404 http://target.com/FUZZ
# Combine wordlists
cat /usr/share/wordlists/dirb/common.txt custom_dirs.txt > combined.txt
wfuzz -c -w combined.txt --hc 404 http://target.com/FUZZ
```

### Payload Generators

```bash
# Range payload
wfuzz -c -z range,1-100 --hc 404 http://target.com/user/FUZZ
# List payload
wfuzz -c -z list,admin-test-guest --hc 404 http://target.com/FUZZ
# File payload
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# Hexrange payload
wfuzz -c -z hexrange,0x00-0xFF --hc 404 http://target.com/id/FUZZ
# Date payload (payloads map in order: FUZZ=year, FUZ2Z=month, FUZ3Z=day)
wfuzz -c -z range,2020-2024 -z range,01-12 -z range,01-31 --hc 404 "http://target.com/backup/FUZZ-FUZ2Z-FUZ3Z.sql"
```

## Specialized Techniques

### SQL Injection Testing

```bash
# Basic SQL injection fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt "http://target.com/search.php?id=FUZZ"
# Time-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.elapsed>5" "http://target.com/search.php?id=FUZZ"
# Error-based SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt --filter "r.content~'error|mysql|sql'" "http://target.com/search.php?id=FUZZ"
# POST SQL injection
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -d "username=admin&password=FUZZ" --filter "r.content~'welcome|dashboard'" http://target.com/login.php
```

### XSS Testing

```bash
# Reflected XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/search.php?q=FUZZ"
# XSS in parameters
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt -d "comment=FUZZ" http://target.com/comment.php
# XSS filter bypass
wfuzz -c -w xss_payloads.txt --filter "r.content~'<script>'" "http://target.com/search.php?q=FUZZ"
# DOM XSS testing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/XSS.txt "http://target.com/page.php#FUZZ"
```

### File Upload Testing

```bash
# File extension fuzzing
wfuzz -c -w extensions.txt -d "file=test.FUZZ" --filter "r.content~'uploaded|success'" http://target.com/upload.php
# MIME type fuzzing
wfuzz -c -w mime_types.txt -H "Content-Type: FUZZ" -d @file.txt http://target.com/upload.php
# File upload bypass
wfuzz -c -w bypass_extensions.txt -d "file=shell.FUZZ" http://target.com/upload.php
```

### API Testing

```bash
# API endpoint discovery
wfuzz -c -w api_endpoints.txt --hc 404 http://target.com/api/FUZZ
# API version fuzzing
wfuzz -c -z range,1-10 --hc 404 http://target.com/api/vFUZZ/users
# REST API method fuzzing (-X takes one method, so the methods are supplied as a second payload)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt -z list,GET-POST-PUT-DELETE -X FUZ2Z --hc 404,405 http://target.com/api/FUZZ
# API parameter fuzzing
wfuzz -c -w parameters.txt "http://target.com/api/users?FUZZ=test"
# JSON API fuzzing
wfuzz -c -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -H "Content-Type: application/json" -d '{"username":"admin","password":"FUZZ"}' http://target.com/api/login
```

## Output and Reporting

### Output Formats

```bash
# Save to file (-f takes filename,printer; -o only selects the printer for console output)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.txt,raw http://target.com/FUZZ
# JSON output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.json,json http://target.com/FUZZ
# CSV output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.csv,csv http://target.com/FUZZ
# HTML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.html,html http://target.com/FUZZ
# XML output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -f output.xml,xml http://target.com/FUZZ
```

### Custom Output Formatting

```bash
# Custom output format
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --format "ID: %i|Code: %c|Size: %h|URL: %u" http://target.com/FUZZ
# Verbose output
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 -v http://target.com/FUZZ
# Show request and response
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 --req-delay 1 -v http://target.com/FUZZ
```

## Automation Scripts

```bash
#!/bin/bash
# Comprehensive web application fuzzing script
TARGET="$1"
OUTPUT_DIR="wfuzz_results_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive web fuzzing for: $TARGET"
# Directory discovery
echo "[+] Directory discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/big.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/directories.json,json" \
    "$TARGET/FUZZ" 2>/dev/null
# File discovery
echo "[+] File discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -w /usr/share/wordlists/wfuzz/general/extensions.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/files.json,json" \
    "$TARGET/FUZZ.FUZ2Z" 2>/dev/null
# Backup file discovery (wfuzz takes a single URL, so the suffixes are a second payload)
echo "[+] Backup file discovery..."
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -z 'list,.bak-~-.old' \
    --hc 404,403 \
    -f "$OUTPUT_DIR/backups.json,json" \
    "$TARGET/FUZZFUZ2Z" 2>/dev/null
# Admin panel discovery
echo "[+] Admin panel discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/admin-panels.txt \
    --hc 404,403 \
    -f "$OUTPUT_DIR/admin_panels.json,json" \
    "$TARGET/FUZZ" 2>/dev/null
# Parameter discovery
echo "[+] Parameter discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404 \
    -f "$OUTPUT_DIR/parameters.json,json" \
    "$TARGET/?FUZZ=test" 2>/dev/null
echo "[+] Fuzzing completed. Results saved to: $OUTPUT_DIR"
# Generate summary
echo "[+] Generating summary..."
python3 << EOF
import json
import os

results_dir = "$OUTPUT_DIR"
summary = {}
# Count the entries in each JSON result file
for filename in os.listdir(results_dir):
    if filename.endswith('.json'):
        with open(os.path.join(results_dir, filename), 'r') as f:
            try:
                data = json.load(f)
                category = filename.replace('.json', '')
                summary[category] = len(data)
            except json.JSONDecodeError:
                # Empty or truncated output file
                summary[filename] = 0
print("\n=== FUZZING SUMMARY ===")
for category, count in summary.items():
    print(f"{category}: {count} results")
with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
    json.dump(summary, f, indent=2)
EOF
```

### API Fuzzing Script

```bash
#!/bin/bash
# API endpoint fuzzing script
API_BASE="$1"
OUTPUT_DIR="api_fuzz_$(date +%Y%m%d_%H%M%S)"
if [ -z "$API_BASE" ]; then
    echo "Usage: $0 <api_base_url>"
    echo "Example: $0 https://api.example.com"
    exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting API fuzzing for: $API_BASE"
# API endpoint discovery
echo "[+] API endpoint discovery..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/endpoints.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null
# API version discovery (wfuzz takes a single URL, so the v/api prefix is a second payload)
echo "[+] API version discovery..."
wfuzz -c -z range,1-10 \
    -z list,v-api \
    --hc 404,405 \
    -f "$OUTPUT_DIR/versions.json,json" \
    "$API_BASE/FUZ2ZFUZZ" 2>/dev/null
# Common API paths
echo "[+] Common API paths..."
cat > api_paths.txt << 'EOF'
users
user
admin
auth
login
logout
register
profile
settings
config
status
health
version
docs
swagger
api-docs
EOF
wfuzz -c -w api_paths.txt \
    --hc 404,405 \
    -f "$OUTPUT_DIR/api_paths.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null
# HTTP methods testing (-X takes one method, so the methods are a second payload)
echo "[+] HTTP methods testing..."
wfuzz -c -w api_paths.txt \
    -z list,GET-POST-PUT-DELETE-PATCH-OPTIONS-HEAD \
    -X FUZ2Z \
    --hc 404 \
    -f "$OUTPUT_DIR/methods.json,json" \
    "$API_BASE/FUZZ" 2>/dev/null
rm api_paths.txt
echo "[+] API fuzzing completed. Results saved to: $OUTPUT_DIR"
```

### Subdomain Fuzzing Script

```bash
#!/bin/bash
# Subdomain discovery script
DOMAIN="$1"
OUTPUT_DIR="subdomain_fuzz_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain>"
    echo "Example: $0 example.com"
    exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting subdomain fuzzing for: $DOMAIN"
# Common subdomains
echo "[+] Common subdomain fuzzing..."
wfuzz -c -w /usr/share/wordlists/wfuzz/general/subdomains-top1mil-5000.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null
# Development subdomains
echo "[+] Development subdomain fuzzing..."
cat > dev_subdomains.txt << 'EOF'
dev
test
staging
beta
alpha
demo
sandbox
lab
qa
uat
pre
preprod
prod
www
mail
ftp
admin
api
app
mobile
m
blog
shop
store
portal
dashboard
EOF
wfuzz -c -w dev_subdomains.txt \
    -H "Host: FUZZ.$DOMAIN" \
    --hc 404 \
    --hh 0 \
    -f "$OUTPUT_DIR/dev_subdomains.json,json" \
    "http://$DOMAIN/" 2>/dev/null
rm dev_subdomains.txt
echo "[+] Subdomain fuzzing completed. Results saved to: $OUTPUT_DIR"
```

## Integration with Other Tools

### Burp Suite Integration

```bash
# Use Burp as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ
# Export results for Burp analysis
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    -f burp_targets.txt,raw \
    http://target.com/FUZZ
```

### OWASP ZAP Integration

```bash
# Use ZAP as proxy
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -p 127.0.0.1:8080 \
    --hc 404 \
    http://target.com/FUZZ
# Generate ZAP-compatible URLs
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --format "%u" \
    http://target.com/FUZZ > zap_urls.txt
```

### Nuclei Integration

```bash
# Generate URLs for Nuclei scanning
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --format "%u" \
    http://target.com/FUZZ > discovered_urls.txt
# Run Nuclei on discovered URLs
nuclei -l discovered_urls.txt -t /path/to/nuclei-templates/
```

## Troubleshooting

### Common Issues

#### Rate Limiting

```bash
# Reduce request rate (-s is the delay between requests; --req-delay and --conn-delay are timeouts)
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -s 2 \
    -t 5 \
    --hc 404 \
    http://target.com/FUZZ
# Fixed delay on a single connection
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -s 1 \
    -t 1 \
    --hc 404 \
    http://target.com/FUZZ
```

#### SSL/TLS Issues

```bash
# Ignore SSL certificate errors
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --insecure \
    https://target.com/FUZZ
# Specify SSL version
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --hc 404 \
    --ssl-version TLSv1.2 \
    https://target.com/FUZZ
```

#### Memory Issues

```bash
# Reduce concurrent threads
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    -t 10 \
    --hc 404 \
    http://target.com/FUZZ
# Use smaller wordlists
wfuzz -c -w /usr/share/wordlists/dirb/small.txt \
    --hc 404 \
    http://target.com/FUZZ
```

#### Network Issues

```bash
# Increase timeout
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --conn-delay 5 \
    --req-delay 2 \
    --hc 404 \
    http://target.com/FUZZ
# Retry failed requests
wfuzz -c -w /usr/share/wordlists/dirb/common.txt \
    --retry 3 \
    --hc 404 \
    http://target.com/FUZZ
```

## Resources

- [Wfuzz official documentation](https://wfuzz.readthedocs.io/)
- [Wfuzz GitHub repository](https://github.com/xmendez/wfuzz)
- https://owasp.org/www-project-web-security-testing-guide/
- https://github.com/danielmiessler/SecLists
- https://portswigger.net/burp/documentation
- https://www.sans.org/white-papers/2178/