Giters

kk001aa / PSFuzz

Proviesec Fuzz Scanner - dir/path web scanner

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

PSFuzz

PSFuzz - ProvieSec Fuzz Scanner - Web path discovery

License contributions welcome Twitter

Proviesec logo Buy Me A Coffee

Table of Contents

Introduction

⭐ Star us on GitHub — it motivates a lot! ⭐

Web path discovery

Discover with ProSecFuzz hidden files and directories on a web server.

Disclaimer: DONT BE A JERK!

Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.

Installation & Usage

go get https://github.com/Proviesec/PSFuzz

Wordlists

Summary:

Options

Required

  • -u/-url Example: -u https://www.google.com

Optional

  • -o/-output Example: -o google_output Default: output.txt
  • -d/-dirlist Example: -d list.txt Default is https://raw.githubusercontent.com/Proviesec/directory-payload-list/main/directory-full-list.txt
  • -s/-status Example: -s true Default:false only Status Code 200
  • -c/-concurrency Example: -c 5
  • -fscn/-filterStatusCodeNot Example: -fscn 404 Don't show response status code 404
  • -fsc/-filterStatusCode Example: -fsc 200,301 Show only response status code 200 and 301
  • -fl/-filterLength Example: -fl 122,1234,1235,1236 or -fl 122,1234-1236 Show only the response with this length (or length range)
  • -fln/-filterLengthNot Example: -fln 122,1234,1235,1236 or -fln 122,1234-1236 Show not this response with this length (or length range)
  • -fm/-filterMatchWord Example: -fm admin
  • -rah/-requestAddHeader Example: -rah Host:127.0.0.1
  • -b/-bypass Example: -b true -> bypass status code: 401,402,403
  • -g/-generate_payload Example: -g 100 -> generate a,aa,ab,abc,aaa,abb,bbc
  • -od /-onlydomains Example: -od true Show only domains in the outputfile (no status code)
  • fws / filterWrongStatus200 Example: -fws true - Don´t show: in title: "Access Gateway", "Not Found", "Error"/"ERROR", "403", "Bad Request" ,"Forbidden", "500", "Internal Server Error" and body length <= 1

Attack Configuration / Patterns

Response Analysis

Example

go run main.go -url https://www.google.com/ -d dir-full.txt -c 2 -o testest -s true -fscn 404,301,302

go run main.go -url https://www.google.com/ -d dir-full.txt -c 2 -o googletest -s true -fl 122,1565-1569 -fln 1566-1568

image

image

Todos

General

  • Multi requests
  • Optional param output
  • check https or http
  • Logo and Version output
  • Tryhackme room
  • help mode ( -h )
  • optional config file
    • load config
    • save config
    • yaml file
    • config for "dont show" in title/body
  • Proxy
  • throttle
  • detect "too many requests"
  • Output
    • TXT
    • CSV
    • Json
    • HTML
  • Progress bar
  • list of sites
  • Parameter
    • random payload generator
    • choice of dirlist from proviesec github repo
    • subdomain list from proviesec github repo
    • Port List
    • Length
    • Length range show and not show
    • Response Status List show
    • Response Status Range show
    • Response Status List not show
    • Response Status Range not show
    • Filter content type
    • Words match list title/page
    • Set Optional Header
    • Set request Timeout
    • Add Cookies
    • quite Mode
    • random user-agent
    • show only the urls
    • add user agent
    • username /password basic Auth

Attack

  • make GET requests
  • make POST requests
  • try PUT/DELETE/PATCH
  • Wordlist txt parameter
  • Wildcard parameter
  • List of URLs
  • depth by dir
  • Word list
    • Automatic Word list for any file html,txt, php..
      • payload generator, include, start or end with specific word and max length
      • file ending as parameter list
    • get list from any url
    • get list from proviesec github account default
    • multiple word lists
  • Crlf scan
  • open redirect scan
  • fuzzing parameter (from a-z)
  • fuzzing http verbs
  • Wordlist formats, upper lower

Response Analysis

  • show response status
  • show possibile parameter
  • dump the response in files
  • Fingerprint Software (Wordpress/Apache/nginx etc.)
  • CORS analyse
  • bypass
    • 403 Bypass, config
    • Status bypass
  • Words match list title/page/header
    • output the match line
  • Show positiv false: status 200, but title 404
  • Show possible block response, after x requests "403 or too many request"
  • Show possible false 200, same length of startsite...
  • Intilligence
    • Automatically detect false 200 (really 404)
    • too many rediretcs and then restart again, with the exclusion of
    • Show the most unique target
  • Show titel of Page
  • Show Response Body Length
  • show content type
  • Fingerprint check
  • fuzz Parameter check (normal Response vs. with paramter)
  • show reflected cookie
  • show reflected params
  • show reflected base64
  • compare two scans
    • save scan
    • load scan
  • Redirect handler - 301... -> Can be activated via parameter
    • Show Redirect URL
    • Skip Status filter if redirect true (via parameter)

Example

go run main.go -url https://www.google.com -d list.txt -s true -c 2

About

Proviesec Fuzz Scanner - dir/path web scanner

License:MIT License

Languages

Language:Go 98.4%Language:Shell 1.6%