How To Hack Website Login Page Using Wfuzz Tool [2022]
Table of Contents
- What is the wfuzz tool?
- How to Brute force login page using wfuzz?
What is the wfuzz tool?
Wfuzz is a free and open-source tool that allows an attacker to brute-force web applications. It provides various features, for example login page bypass, brute-forcing GET and POST parameters, and finding hidden resources (directories, scripts, etc.). Wfuzz comes pre-installed in Kali Linux. If you want to install wfuzz on Ubuntu or Kali Linux, run the command below.
sudo apt-get install wfuzz
Wfuzz features:
- Multiple Injection points capability with multiple dictionaries
- Recursion (When doing directory brute force)
- Post, headers, and authentication data brute forcing
- Output to HTML
- Colored output
- Hide results by return code, word numbers, line numbers, regex
- Cookies fuzzing
- Multi threading
- Proxy support
- SOCK support
- Time delays between requests
- Authentication support (NTLM, Basic)
- All parameters brute-forcing (POST and GET)
- Multiple encoders per payload
- Payload combinations with iterators
- Baseline request (to filter results against)
- Brute force HTTP methods
- Multiple proxy support (each request through a different proxy)
- HEAD scan (faster for resource discovery)
- Dictionaries tailored for known applications (Weblogic, iPlanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion, and many more)
Source: https://github.com/xmendez/wfuzz/
How to Brute Force login page using wfuzz?
Before starting to hack the target website, we need to know some basic commands of the wfuzz tool. For that, we can open its help page with the command below.
wfuzz -h
Information gathering is a crucial phase of website hacking; hacking a website without it is a challenging task. We spent most of our time gathering information about the target website, such as names, phone numbers, email addresses, etc. After that, we generated password wordlists using the crunch tool. If you don’t know how to make password wordlists, read the blog below first.
We opened the target website in our browser, and it looks pretty charming. Remember, we have used our own website for demo purposes. It is only a virtual environment; don’t try to hack this website.
We will scan for the website’s admin page. For that, DirBuster is a good tool: it brute-forces directory and file names on a web server and is a convenient way to find hidden directories, URIs, the robots.txt file, the .htaccess file, etc.
Excellent! We have discovered the admin page of the target website.
We noticed that the page has a .php extension, so the application is written in PHP. Plenty of malicious code for PHP applications is available on the Internet, though whether it works depends on the PHP version. Let’s try entering some of that code on the target website.
The malicious code did not work. Next, let’s intercept the POST request by entering the default username and password on the target website. For that, we will use Burp Suite. Burp Suite is one of the most popular penetration testing and bug bounty tools. It comes in both a free and a paid edition, but the paid version is more reliable than the free one. Burp Suite Community Edition comes pre-installed in Kali Linux.
We have highlighted the essential request parameters that are typically used to bypass a login page.
We have obtained the POST request data of the target website. The next step is to replay that request through wfuzz: the FUZZ keyword marks the parameter to brute-force, -w takes the wordlist, and --hc 200 hides every response with status 200 (a failed login that just re-renders the form), so only the differing response remains. The general form of the command is shown below.
wfuzz -c -u http://pentestblog/cdn-cgi/login/index.php -d 'username=admin&password=FUZZ' -w <wordlist> --hc 200
As you know, our mission is to hack the pentestblog website. For that, we need a username and password. Wfuzz allows an attacker to use a password wordlist during the brute-force attack described above.
Username: admin
Password: password_disctionary.txt
wfuzz -c -u http://pentestblog/cdn-cgi/login/index.php -d 'username=admin&password=FUZZ' -w password_disctionary.txt --hc 200
Excellent! We have discovered the username & password of the target website.
Username: admin
Password: MEGACORP_4dmln!!
Let’s log in with valid credentials.
We have logged in to the target website with valid credentials, which gives us a foothold on the web server.
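As an added defender’s-side example (not part of the original post), here is a Python detector that parses Apache access-log lines for the login endpoint used above and flags the pattern a wfuzz run leaves behind: a burst of POSTs that all return 200, followed by a single 302. The log lines, client IPs and the Wfuzz/3.1.0 user-agent string are constructed sample data; only the endpoint path comes from the post.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (not real traffic) modelling the wfuzz run
# in the post: each wrong guess re-renders the form (200); the one hit redirects
# (302). That 200-vs-302 split is exactly what the post's "--hc 200" filter keys on.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2022:12:00:01 +0000] "POST /cdn-cgi/login/index.php HTTP/1.1" 200 1422 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jun/2022:12:00:01 +0000] "POST /cdn-cgi/login/index.php HTTP/1.1" 200 1422 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jun/2022:12:00:02 +0000] "POST /cdn-cgi/login/index.php HTTP/1.1" 200 1422 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jun/2022:12:00:02 +0000] "POST /cdn-cgi/login/index.php HTTP/1.1" 200 1422 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jun/2022:12:00:03 +0000] "POST /cdn-cgi/login/index.php HTTP/1.1" 302 0 "-" "Wfuzz/3.1.0"
192.168.1.20 - - [10/Jun/2022:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Jun/2022:12:00:09 +0000] "POST /cdn-cgi/login/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield one dict per access-log line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect_login_bruteforce(log_text, login_path="/cdn-cgi/login/index.php", threshold=3):
    """Return {ip: summary} for every source that POSTed to login_path more than
    threshold times; 'likely_success' marks a 302 that follows a run of 200s."""
    per_ip = defaultdict(lambda: {"statuses": [], "agents": set()})
    for rec in parse(log_text):
        if rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]]["statuses"].append(int(rec["status"]))
            per_ip[rec["ip"]]["agents"].add(rec["ua"])
    alerts = {}
    for ip, s in per_ip.items():
        st = s["statuses"]
        if len(st) > threshold:
            alerts[ip] = {
                "attempts": len(st),
                "failed": st.count(200),
                "likely_success": st[-1] == 302 and 200 in st,
                "fuzzer_ua": any(ua.lower().startswith("wfuzz") for ua in s["agents"]),
            }
    return alerts
```

The user-agent check is only a convenience: wfuzz lets the operator set any User-Agent, so the volume-and-status-code pattern is the signal to alert on, and the 302-after-200s case is the one worth escalating.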