FCKR – The Ultimate Brute Forcer
FCKR is a command-line tool designed for security researchers and penetration testers to perform HTTP brute-forcing or test XSS payload reflection. It supports two modes: brute for replacing placeholders in URLs, POST bodies, or raw request parameters with wordlist entries, and xss for checking exact payload reflection in response HTML. Traditional mode uses FCK placeholders in URLs (for GET) or bodies (for POST). Advanced mode loads full raw HTTP requests from files and fuzzes specific parameters, supporting JSON, form-urlencoded, and other formats.
✨ Developed by @IMApurbo
🛡️ Use responsibly. Authorized testing only.
🚀 Features
- Dual Modes
  - brute: Replace placeholders in URLs, POST bodies, or request parameters with wordlist entries for brute-forcing.
  - xss: Test XSS payloads for exact reflection in response HTML, replacing placeholders or parameters.
- HTTP Method Support
  - Supports GET, POST, and other methods via raw request files.
  - Traditional: FCK required in URLs (GET) or bodies (POST).
  - Raw files: Auto-detects method from file.
- Raw Request File Support (-R)
  - Load full HTTP requests from raw files (method, URL, headers, body).
  - Fuzz specific parameters (-p) in query strings, form data, or JSON bodies.
  - Handles JSON (replaces key values) and form-urlencoded, and falls back to string replacement for other formats.
- Advanced Filtering (brute mode)
  - Response Filters (-f): Filter based on:
    - s: status code
    - l: content length
    - c: response body
  - Filter types:
    - e: exact match
    - c: contains
    - nc: not contains
- XSS Reflection Checking (xss mode)
  - Detects exact payload reflection in response HTML, with optional URL encoding (--encode).
- Response Inspection (-r)
  - Fetch full HTML responses for any specific word or payload in both modes.
- Output Saving (-o)
  - Save results to a file (e.g., result.txt).
- Custom Headers (-H)
  - Add/override HTTP headers as a semicolon-separated string (e.g., Cookie:JSESSIONID=abc123;Content-Type:application/json).
- Debug Mode (-d)
  - Logs all requests and mismatched filters (brute mode) or non-reflected payloads (xss mode).
- Threading (-T)
  - Speed up operations with concurrent threads (default: 10).
- Progress Bar
  - Stylish visual feedback during operations.
- User-Friendly Output
  - Concise results like:
    - Word: <word> | Status: <status> | Length: <length> | Time: <time>s (brute mode)
    - Payload: <payload> | Status: <status> | Length: <length> | Time: <time>s (xss mode)
🧪 Installation
Install directly from PyPI:
pip install fckr
Requirements
- Python 3.6+
- Terminal with ANSI support (Linux, macOS, or Windows Terminal)
⚙️ Usage
fckr <mode> <options>
Modes
- brute: Perform traditional brute-forcing with wordlist and filters.
- xss: Test XSS payloads for exact reflection in response HTML.
Common Flags
| Short | Long | Description | Required | Default | Modes |
|---|---|---|---|---|---|
| -u | --url | Target URL with FCK placeholder (e.g., https://example.com/?q=FCK) | 🟡 | - | brute, xss |
| -b | --body | POST body with FCK (required for POST) | 🟡 | - | brute, xss |
| -w | --wordlist | Path to wordlist file | 🟡 | - | brute, xss |
| -m | --method | HTTP method (GET or POST) (ignored with -R) | ❌ | GET | brute, xss |
| -t | --timeout | Timeout in seconds | ❌ | 5.0 | brute, xss |
| -f | --filter | Filter response (e.g., s:e:200, c:c:success) | ❌ | - | brute |
| -o | --output | Save results to a file (e.g., result.txt) | ❌ | - | brute, xss |
| -r | --fetch-response | Fetch full HTML for a specific word/payload (any string) | ❌ | - | brute, xss |
| -d | --debug | Show request and filter/payload logs | ❌ | False | brute, xss |
| -H | --header | HTTP headers (semicolon-separated) | ❌ | - | brute, xss |
| -T | --threads | Number of concurrent threads | ❌ | 10 | brute, xss |
| | --encode | URL-encode payloads before sending | ❌ | False | xss |
| -R | --request | Load raw HTTP request file (method, URL, headers, body) | ❌ | - | brute, xss |
| -p | --param | Parameter name to fuzz (required with -R) | 🟡 | - | brute, xss |
| -h | --help | Show this help message and exit | ❌ | - | brute, xss |
Notes:
- -w/--wordlist is required unless -r/--fetch-response is used.
- Traditional mode: FCK required in URL (GET) or body (POST).
- Raw mode (-R): Ignores -u, -b, -m; -p required. Supports JSON/form/other formats.
- -b/--body required for POST (traditional) and not allowed for GET.
- Multiple -f flags allowed for combined filters.
🔍 Filtering Syntax (brute mode only)
Format:
<field>:<type>:<value>
Fields
- s: HTTP status code
- l: Content length
- c: Response body content
Types
- e: Exact match
- c: Contains (case-insensitive, HTML attributes normalized)
- nc: Not contains (case-insensitive, HTML attributes normalized)
Examples
-f s:e:200 # Show only 200 OK
-f c:nc:error # Show results without "error"
-f 'c:c:signup here' # Show responses containing "signup here" (quote multi-word values)
-f l:e:1000 # Show only 1000-byte responses
🔧 Examples
Brute Mode
Brute-force with GET (traditional):
fckr brute -u "https://test.com/search?q=FCK" -w list.txt -m GET
POST request with body (traditional):
fckr brute -u "http://test.com/search" -b "query=FCK&submit=1" -w list.txt -m POST
Filter by content (traditional):
fckr brute -u "https://test.com/?q=FCK" -w list.txt -f c:nc:'"<h2>Not found</h2>"'
Brute-force using raw request file (JSON POST):
# req.txt example:
# POST /api/login HTTP/1.1
# Host: test.com
# Content-Type: application/json
#
# {"username":"admin","password":"FCK"}
fckr brute -R req.txt -p password -w list.txt
Filter with raw request (form-urlencoded):
fckr brute -R req.txt -p pass -w list.txt -f c:nc:'signup here'
Inspect full response for a word:
fckr brute -u "https://test.com/?q=FCK" -w list.txt -r "admin"
# Or with raw: fckr brute -R req.txt -p pass -r "secret"
XSS Mode
Test XSS payloads with GET (traditional):
fckr xss -u "https://test.com/search?q=FCK" -w payloads.txt -m GET --encode
Test XSS payloads with POST (traditional):
fckr xss -u "http://test.com/search" -b "query=FCK&submit=1" -w payloads.txt -m POST
Test XSS with raw request file (JSON):
fckr xss -R req.txt -p input -w payloads.txt --encode
Inspect full response for a payload:
fckr xss -u "https://test.com/?q=FCK" -w payloads.txt -r "<script>alert('xss')</script>" --encode
# Or with raw: fckr xss -R req.txt -p input -r "<img src=x onerror=alert(1)>"
Verbose debugging:
fckr xss -u "https://test.com/?q=FCK" -w payloads.txt -d
📂 Wordlist Format
Plain text file, one word or payload per line:
For brute mode:
admin
test
search
For xss mode:
<script>alert('xss')</script>
<img src=x onerror=alert(1)>
test' onload='alert(1)'
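What an exact-reflection check reports against an unencoded page versus the same page with HTML output encoding, as an added example that is not FCKR's own code. The handlers `render_unsafe` and `render_escaped` and the parameter name `q` are hypothetical; the payloads are the ones listed above.

```python
import html
from urllib.parse import parse_qs, quote

# Payloads copied from the xss-mode wordlist example on this page.
PAYLOADS = [
    "<script>alert('xss')</script>",
    "<img src=x onerror=alert(1)>",
    "test' onload='alert(1)'",
]

def _param(query_string, name="q"):
    # parse_qs percent-decodes values, as a typical web framework would.
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]

def render_unsafe(query_string):
    """Hypothetical handler: echoes q into HTML with no output encoding."""
    q = _param(query_string)
    return "<h1>Results for " + q + "</h1><input name='q' value='" + q + "'>"

def render_escaped(query_string):
    """Same page, with q HTML-escaped (quotes included) before output."""
    q = html.escape(_param(query_string), quote=True)
    return "<h1>Results for " + q + "</h1><input name='q' value='" + q + "'>"

def reflected_exactly(payload, body):
    """True if the payload appears character-for-character in the body."""
    return payload in body

def audit(render, payloads=PAYLOADS):
    """Send each payload URL-encoded and report exact reflection per payload."""
    return {p: reflected_exactly(p, render("q=" + quote(p, safe=""))) for p in payloads}

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        for payload, hit in audit(render).items():
            print(f"{name:8} reflected={hit!s:5} {payload}")
    # A payload with no HTML-special characters survives escaping unchanged,
    # so exact reflection alone is a signal to review context, not proof of XSS.
    print(audit(render_escaped, ["alert(1)"]))
```

With output encoding in place none of the three payloads is reflected exactly, which is the result a fixed endpoint should produce when re-tested.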
🛠️ Installation
pip install fckr
fckr brute -u "https://example.com/?q=FCK" -w list.txt
⚠️ Legal Notice
🛑 Use only on systems you have explicit permission to test.
Misuse may violate laws and ethical guidelines.
⭐ Credits
- Developed by IMApurbo
📃 License
This project is licensed under the MIT License. See the LICENSE file for details.
File details
Details for the file fckr-1.2-py3-none-any.whl.
File metadata
- Download URL: fckr-1.2-py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e15bd6ae020c14558eec34abbcc0719306c9797494e04871cbf6ba9ecc43d853 |
| MD5 | 5405a67a2f89a35c7321bb645a121fb7 |
| BLAKE2b-256 | 5f1f65ff92a302f7b7f5ad9c0cfed6ad9b35e72772ada536b58d4bbaff921d88 |