FuzzDB is the most comprehensive Open Source database of malicious inputs, predictable resource names, greppable strings for server response messages, and other resources like web shells. It's like an application security scanner, without the scanner.
# Download #
**The preferred method is to check out the sources via git, since new payloads are added frequently.**
```
git clone git@github.com:fuzzdb-project/fuzzdb.git fuzzdb
```
While in the FuzzDB dir, you can update your local repo with the command:
```
git pull
```
You can also browse the [FuzzDB github sources](https://github.com/fuzzdb-project/fuzzdb/tree/master), and there is always a [zip file](https://github.com/fuzzdb-project/fuzzdb/archive/master.zip).
# What's in FuzzDB? #
Some examples:
**Predictable Resource Locations -**
Because of the popularity of a small number of server types, platforms, and package formats, resources such as [logfiles and administrative directories](http://www.owasp.org/index.php/Forced_browsing) are typically located in a small number of [predictable locations](http://projects.webappsec.org/Predictable-Resource-Location).
FuzzDB contains a comprehensive database of these, sorted by platform type, language, and application, making brute force testing less brutish.
(https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/predictable-filepaths)
**Attack Patterns -**
Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases.
FuzzDB contains comprehensive lists of [attack payloads](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack-payloads) known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.
(https://github.com/fuzzdb-project/fuzzdb/tree/master/attack)
**Response Analysis -**
Since system responses also contain predictable strings, FuzzDB contains a set of regex pattern dictionaries, such as interesting error messages, to aid detection of software security defects, lists of common Session ID cookie names, and more.
(https://github.com/fuzzdb-project/fuzzdb/wiki/regexerrors)
**Other useful stuff -**
Webshells, common password and username lists, and some handy wordlists.
(https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors) etc etc etc
**Documentation -**
Helpful documentation and cheatsheets sourced from around the web that are relevant to the payload categories are also provided. Many directories contain a README.md file with usage notes.
(https://github.com/fuzzdb-project/fuzzdb/tree/master/docs)
# Why was FuzzDB created? #
The sets of payloads currently built in to open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns. Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that they tend to lock these patterns away in obfuscated binaries.
Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise.
FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers.
Released under the dual New BSD and Creative Commons by Attribution licenses, FuzzDB can be leveraged to improve the test cases built into open source and commercial testing software.
# How was the data collected? #
Lots of hours of research while performing penetration tests:
* analysis of default app installs
* analysis of system and application documentation
* analysis of error messages
* researching old web exploits for repeatable attack strings
* scraping scanner payloads from http logs
* various books, articles, blog posts, mailing list threads
* other open source fuzzers and pentest tools
and the input of contributors: https://github.com/fuzzdb-project/fuzzdb/graphs/contributors
# How to Use fuzzdb #
FuzzDB is like an open source application security scanner, without the scanner.
The most common use case is with HTTP proxy and fuzzing tools such as
* OWASP Zap proxy, for which FuzzDB is available as a plugin. (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project).
* With Burp Proxy's [intruder](http://portswigger.net/intruder/) module. The regex/errors.txt file can be loaded to [pattern match the server responses](https://github.com/fuzzdb-project/fuzzdb/wiki/regexerrors).
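
The response matching described under "Response Analysis" and in the Burp item above, as an added example (not FuzzDB's own code): it loads a regex dictionary and flags responses from your own application that leak error details. The pattern list and responses are constructed samples, and the one-regex-per-line format with `#` comments is an assumption.

```python
import re

# Constructed stand-in for a pattern dictionary such as regex/errors.txt.
# Assumed format: one regex per line; blank lines and '#' comment lines are skipped.
SAMPLE_PATTERNS = r"""
# database errors
SQL syntax.*MySQL
ORA-[0-9]{5}
Traceback \(most recent call last\)
unclosed[group
"""

# Constructed response bodies, e.g. captured from your own staging environment.
SAMPLE_RESPONSES = {
    "/item?id=1": "<html><body>Widget, $4.00</body></html>",
    "/item?id=x": "<b>Warning</b>: You have an error in your SQL syntax; "
                  "check the manual that corresponds to your MySQL server version",
    "/report": 'HTTP 500\nTraceback (most recent call last):\n  File "app.py", line 12',
}

def load_patterns(text):
    """Compile each line; return (compiled, rejected) so bad lines are not silently lost."""
    compiled, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            compiled.append(re.compile(line, re.IGNORECASE))
        except re.error as exc:
            rejected.append((lineno, line, str(exc)))
    return compiled, rejected

def scan_response(body, patterns, context=30):
    """Return (pattern, snippet) for every pattern found in one response body."""
    hits = []
    for pat in patterns:
        m = pat.search(body)
        if m:
            lo, hi = max(0, m.start() - context), min(len(body), m.end() + context)
            hits.append((pat.pattern, body[lo:hi].replace("\n", " ")))
    return hits

def triage(responses, patterns):
    scanned = ((url, scan_response(body, patterns)) for url, body in responses.items())
    return {url: hits for url, hits in scanned if hits}  # only responses with a match

if __name__ == "__main__":
    pats, bad = load_patterns(SAMPLE_PATTERNS)
    print(triage(SAMPLE_RESPONSES, pats), "rejected:", bad)
```

Reporting rejected lines matters with community-maintained dictionaries: a pattern that fails to compile would otherwise drop out of coverage without notice.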
Other ways fuzzdb is often used:
* to test web services
* as malicious input payloads for testing non-HTTP network aware applications with custom fuzzing tools
* as malicious input payloads for testing GUI or command line software with standard test automation tools
* incorporating the patterns into Open Source software, or into your own commercial product
* in training materials and documentation
* to learn about software exploitation techniques
# Who #
FuzzDB was created by Adam Muntner (amuntner @ gmail.com)
The FuzzDB license is New BSD and Creative Commons by Attribution. I want this project to be freely available in order to make the patterns contained within obsolete. If you use this project in your work, research, or commercial product, you are required to cite it. That's it.
FuzzDB (c) Copyright Adam Muntner, 2010-2016
Portions copyrighted by others, as noted in commit comments and README.md files.
FuzzDB penetration testing tool, Burp Suite extension kit. Official update URL: https://github.com/fuzzdb-project/fuzzdb.
ZIP archive, 5.33MB, 336 files in total (txt: 222, php: 22, md: 19). Uploaded 2016-03-31 20:04:33.