Installation
from Binary
Installation is straightforward. Download a prebuilt binary from the releases page, unpack it and run it, or install it with:
▶ curl -sSfL https://git.io/crlfuzz | sh -s -- -b /usr/local/bin
from Source
If you have a go1.13+ compiler installed and configured:
▶ GO111MODULE=on go get -v github.com/dwisiswant0/crlfuzz/cmd/crlfuzz
To update the tool, pass the -u flag to the same go get command.
from GitHub
▶ git clone https://github.com/dwisiswant0/crlfuzz
▶ cd crlfuzz/cmd/crlfuzz
▶ go build .
▶ mv crlfuzz /usr/local/bin
Usage
Basic Usage
At its simplest, CRLFuzz can be run with:
▶ crlfuzz -u "http://target"
Flags
▶ crlfuzz -h
This displays the tool's help. These are all the switches it supports:
| Flag | Description |
|---|---|
| -u, --url | Define single URL to fuzz |
| -l, --list | Fuzz URLs within file |
| -X, --method | Specify request method to use (default: GET) |
| -o, --output | File to save results |
| -d, --data | Define request data |
| -H, --header | Pass custom header to target |
| -x, --proxy | Use specified proxy to fuzz |
| -c, --concurrent | Set the concurrency level (default: 25) |
| -s, --silent | Silent mode |
| -v, --verbose | Verbose mode |
| -V, --version | Show current CRLFuzz version |
| -h, --help | Display its help |
Target
You can define a target in 3 ways:
Single URL
▶ crlfuzz -u "http://target"
URLs from list
▶ crlfuzz -l /path/to/urls.txt
from Stdin
Useful when you want to chain it with other tools:
▶ subfinder -d target -silent | httpx -silent | crlfuzz
Method
By default, CRLFuzz makes requests with the GET method. To change it, use the -X flag.
▶ crlfuzz -u "http://target" -X "GET"
Output
You can also save fuzzing results to a file with the -o flag.
▶ crlfuzz -l /path/to/urls.txt -o /path/to/results.txt
Data
To send a request body with POST, DELETE, PATCH or any other method, use the -d flag.
▶ crlfuzz -u "http://target" -X "POST" -d "data=body"
Adding Headers
You may want to send custom headers, for example to add cookies or an authorization token. The -H flag can be repeated.
▶ crlfuzz -u "http://target" -H "Cookie: ..." -H "User-Agent: ..."
Using Proxy
The proxy string can be given with a protocol:// prefix (for example http://) to select the proxy protocol. Pointing it at an intercepting proxy is a convenient way to inspect exactly which payloads were sent.
▶ crlfuzz -u "http://target" -x http://127.0.0.1:8080
Concurrency
Concurrency is the number of targets fuzzed at the same time. The default is 25; change it with the -c flag.
▶ crlfuzz -l /path/to/urls.txt -c 50
Silent
With silent mode enabled via the -s flag, only vulnerable targets are printed, which keeps the output clean for piping into a file or another tool.
▶ crlfuzz -l /path/to/urls.txt -s | tee vuln-urls.txt
Verbose
Unlike silent mode, verbose mode (the -v flag) also prints error details whenever a request fails.
▶ crlfuzz -l /path/to/urls.txt -v
Version
Display the current version of CRLFuzz with the -V flag.
▶ crlfuzz -V
Library
You can use CRLFuzz as a library.
```go
package main

import (
	"fmt"

	"github.com/dwisiswant0/crlfuzz/pkg/crlfuzz"
)

func main() {
	target := "http://target"
	method := "GET"

	// Generate the potentially CRLF-vulnerable URLs for the target
	for _, url := range crlfuzz.GenerateURL(target) {
		// Scan one candidate: URL, method, request data, extra headers, proxy
		vuln, err := crlfuzz.Scan(url, method, "", []string{}, "")
		if err != nil {
			panic(err)
		}

		if vuln {
			fmt.Printf("VULN! %s\n", url)
		}
	}
}
```
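The program above depends on the crlfuzz package. The following stand-alone example, added here and not part of CRLFuzz itself, shows the mechanics behind a GenerateURL/Scan pair in plain Go: it builds candidate URLs with percent-encoded line breaks followed by a marker Set-Cookie header, requests each candidate without following redirects, and flags the target only when the marker comes back as a genuinely parsed response header rather than text in the body. The marker value crlfuzz=crlfuzz, the three payload encodings, the two injection points and the two loopback servers (one that copies a query value into a header verbatim, one that strips CR and LF first) are assumptions made for this illustration, not CRLFuzz's own code.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Marker smuggled in as a Set-Cookie header (assumed value); a target is
// flagged only when it is parsed back as a real header, not merely reflected.
const marker = "crlfuzz=crlfuzz"

var payloads = []string{"%0d%0a", "%0a", "%0d"} // assumed list of line-break encodings

// GenerateURLs appends each payload to the path and, separately, to each query value.
func GenerateURLs(target string) []string {
	var out []string
	base, query, hasQuery := strings.Cut(target, "?")
	for _, p := range payloads {
		inj := p + "Set-Cookie:" + marker
		if !hasQuery {
			out = append(out, base+inj) // only one injection point without a query string
			continue
		}
		out = append(out, base+inj+"?"+query) // injection point 1: end of the path
		pairs := strings.Split(query, "&")
		for i := range pairs { // injection point 2: each query value in turn
			mod := append([]string(nil), pairs...)
			mod[i] += inj
			out = append(out, base+"?"+strings.Join(mod, "&"))
		}
	}
	return out
}

// Scan fetches one candidate without following redirects (a 3xx Location header is
// the classic sink) and reports whether the marker was parsed back as a cookie.
func Scan(candidate string) (bool, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := client.Get(candidate)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	for _, c := range resp.Header.Values("Set-Cookie") {
		if strings.TrimSpace(c) == marker {
			return true, nil
		}
	}
	return false, nil
}

// ScanTarget returns the first candidate that triggers the injection, or "".
func ScanTarget(target string) (string, error) {
	for _, u := range GenerateURLs(target) {
		if vuln, err := Scan(u); err != nil {
			return "", err
		} else if vuln {
			return u, nil
		}
	}
	return "", nil
}

// serve starts a loopback server that copies the decoded "next" query value into
// an X-Next header, verbatim (vulnerable) or with CR/LF stripped (fixed). It speaks
// raw TCP because net/http's ResponseWriter already replaces CR/LF in header
// values, so the vulnerable variant cannot even be expressed with it.
func serve(sanitize bool) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			go handle(conn, sanitize)
		}
	}()
	return "http://" + ln.Addr().String()
}

func handle(conn net.Conn, sanitize bool) {
	defer conn.Close()
	req, err := http.ReadRequest(bufio.NewReader(conn)) // consumes request line and headers
	if err != nil {
		return
	}
	next := req.URL.Query().Get("next") // %0d%0a is decoded to a real CR LF here
	if sanitize { // the fix: no line break may reach a header value
		next = strings.NewReplacer("\r", "", "\n", "").Replace(next)
	}
	fmt.Fprintf(conn, "HTTP/1.1 200 OK\r\nX-Next: %s\r\nContent-Length: 0\r\nConnection: close\r\n\r\n", next)
}

func main() {
	for _, sanitize := range []bool{false, true} {
		hit, err := ScanTarget(serve(sanitize) + "/redirect?next=home")
		fmt.Printf("sanitize=%v hit=%q err=%v\n", sanitize, hit, err)
	}
}
```

Two design points carry over to real scanning. First, the detection criterion is a parsed header, so a payload that is merely echoed in an HTML body does not count; this is what keeps false positives low. Second, redirects are deliberately not followed: the Location header of a 3xx is the most common place for user input to land in a header, and following the redirect would discard the very response that carries the injected cookie.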