A lightning-fast CLI tool for generating target-specific wordlists to fuzz backup files
FBack is a powerful command-line tool designed for security professionals and penetration testers. It generates comprehensive wordlists for fuzzing backup files by analyzing target URLs and applying customizable patterns with dates, extensions, and URL components.
- Target-Specific: Generates wordlists based on actual URL components
- Date Patterns: Supports year, month, and day ranges for time-based backups
- Customizable: Flexible pattern system with JSON configuration
- Multiple Sources: Supports wordlists, extensions, and number ranges
- Fast: Optimized for performance with large datasets
Install from npm:

```bash
npm install @spix0r/fback -g
```

Or install from source:

```bash
git clone https://github.com/Spix0r/fback.git
cd fback
chmod +x main.js
npm install . -g
```
Generate a wordlist from a single URL:

```bash
echo "https://example.com/admin/config.php" | fback
```

Generate from multiple URLs with custom patterns:

```bash
fback -l urls.txt -o backup_wordlist.txt -y 2020-2024 -m 1-12
```

List all options:

```bash
fback --help
```
| Option | Description | Default |
|---|---|---|
| `-s, --silent` | Suppress console output | false |
| `-u, --update` | Refresh public suffix/TLD list (requires internet) | false |
| `-l, --urls <file>` | URLs input file (uses stdin if omitted) | stdin |
| `-p, --pattern <file>` | Pattern JSON file | data/pattern.json |
| `-w, --wordlist <file>` | Wordlist file | data/wordlist.txt |
| `-e, --extension <file>` | Extensions file | data/extension.txt |
| `-o, --output <file>` | Output file (uses stdout if omitted) | stdout |
| `-n, --numbers <range>` | Number ranges (e.g., "1-100") | - |
| `-y, --year <range>` | Year ranges (e.g., "2020-2024") | - |
| `-m, --month <range>` | Month ranges (1-12) | - |
| `-d, --day <range>` | Day ranges (1-31) | - |
FBack uses a flexible pattern system with the following variables:
Example URL: https://www.example.com/admin/dashboard/config.php?id=1
| Variable | Description | Example Output |
|---|---|---|
| `$domain_name` | Domain name only | `example` |
| `$full_domain` | Complete domain | `www.example.com` |
| `$subdomain` | Subdomain part | `www` |
| `$path` | Directory path | `/admin/dashboard` |
| `$full_path` | Complete path with file | `/admin/dashboard/config.php` |
| `$file_name` | File name with extension | `config.php` |
| `$word` | Words from wordlist | `backup`, `old`, `temp` |
| `$num` | Numbers from range | `1`, `2`, `3` |
| `$ext` | Extensions from list | `.bak`, `.old`, `.tmp` |
| `$y` | Years from range | `2023`, `2024` |
| `$m` | Months from range | `01`, `02`, `12` |
| `$d` | Days from range | `01`, `15`, `31` |
Create a custom `pattern.json` file:

```json
{
  "patterns": [
    "$file_name.$ext",
    "$file_name_$y$m$d.$ext",
    "$path/$word.$ext",
    "$domain_name_$word_$y.$ext"
  ]
}
```
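The same name shapes are useful for checking your own document root for leftover copies before anyone else finds them. The following is an added example, not part of FBack or its code: it matches a file listing against the four sample patterns above, and the function name, the word and extension lists, and the sample listing are all assumptions constructed for illustration.

```javascript
// Added example, not FBack's code: flag files in a listing of your own web
// root whose names have the shape of the four sample patterns above.

// Assumed lists, constructed from the table's example values; FBack itself
// reads data/wordlist.txt and data/extension.txt.
const EXTS = ['bak', 'old', 'tmp'];
const WORDS = ['backup', 'old', 'temp'];

const alt = (xs) => `(?:${xs.join('|')})`;
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const YEAR = '(?:19|20)\\d{2}';
const DATE = `${YEAR}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\\d|3[01])`;

// files: paths relative to the document root, e.g. "/admin/config.php"
// domainName: the site's $domain_name, e.g. "example"
function findBackupCandidates(files, domainName) {
  const ext = `\\.${alt(EXTS)}`;
  const dom = escapeRe(domainName);
  // Ordered from most to least specific; the first matching shape wins.
  const shapes = [
    ['$domain_name_$word_$y.$ext', new RegExp(`^${dom}_${alt(WORDS)}_${YEAR}${ext}$`)],
    ['$path/$word.$ext', new RegExp(`^${alt(WORDS)}${ext}$`)],
    ['$file_name_$y$m$d.$ext', new RegExp(`^(.+)_${DATE}${ext}$`)],
    ['$file_name.$ext', new RegExp(`^(.+)${ext}$`)],
  ];
  const present = new Set(files);
  const findings = [];
  for (const file of files) {
    const cut = file.lastIndexOf('/') + 1;
    const dir = file.slice(0, cut);
    const base = file.slice(cut);
    const hit = shapes.find(([, re]) => re.test(base));
    if (!hit) continue;
    // Group 1, when present, is the name of the file the copy was made from.
    const m = hit[1].exec(base);
    const source = m[1] ? dir + m[1] : null;
    findings.push({ file, pattern: hit[0], source, sourcePresent: present.has(source) });
  }
  return findings;
}

// Constructed sample listing.
const listing = [
  '/index.php', '/admin/config.php', '/admin/config.php.bak',
  '/admin/config.php_20230115.old', '/admin/backup.tmp',
  '/example_backup_2023.bak', '/assets/site.css',
];
console.log(findBackupCandidates(listing, 'example'));
```

Findings with `sourcePresent: true` are copies sitting next to the live file they were made from, which makes them the first ones to move out of the web root.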
```bash
# Generate wordlist from stdin
echo "https://example.com/admin/config.php" | fback

# Process multiple URLs from file
fback -l target_urls.txt -o wordlist.txt

# Generate comprehensive wordlist with date ranges
fback -l urls.txt \
  -p custom-patterns.json \
  -w security-wordlist.txt \
  -e backup-extensions.txt \
  -y 2020-2024 \
  -m 1-12 \
  -d 1-31 \
  -o comprehensive_wordlist.txt

# Silent mode with number ranges
fback -l urls.txt -s -n 1-1000 -o output.txt

# Update TLD list (requires internet connection)
fback -u
```
We welcome contributions! Please feel free to submit issues, feature requests, or pull requests.
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License. See the LICENSE file for details.
Made with ❤️ by 🕷Spix0r