Directory Fuzzing
2020-11-03 06:06:52 Author: medium.com(查看原文) 阅读量:386 收藏

Let python automate your work!

c0d3x27

Dictories

Image by c0d3x27 all right reserved.

When fuzzing a subdomain, You may find admin panels or even sensitive files. Let’s say you got .git directory during directory fuzzing, You can download source code of the application using git dumper tool https://github.com/arthaud/git-dumper. Source code may contain credentials. You can find many articles related to this issue online.

Before even starting, we need to check if the domain is alive or not, Because large number of requests to a dead domain is just a waste of time. Let’s write a script to check for this

Code:

import requests
import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def isdomainlive(domain): httpsUrl = "https://" + domain httpUrl = "http://" + domain urls = []
try: requests.get(httpsUrl + "/robots.txt", timeout = 5, verify = False) urls.append(httpsUrl) except: pass
try: requests.get(httpUrl + "/robots.txt", timeout = 5, verify = False)
urls.append(httpUrl)
except:
pass
if urls:
return urls
else: return False

Save this code as whatever.py. this send requests to both port 80 and 443 to check the domain. we are only going to hit robots.txt endpoint because other than this endpoints are large in size. pass key word does nothing in python it is used to just fill up except block. Isdomainlive function return list of domains with respective scheme if available otherwise return False.

Code

import requests
import wfuzz
import checkdomains wordlist = requests.get(
'https://raw.githubusercontent.com/maurosoria/dirsearch/master/db/dicc.txt'
)
.text.split("\n") domains = open("bug-bounty-domains-2.txt", "r") payloads =
wfuzz.get_payload(wordlist) for domain in domains.readlines():
subdomains = open(domain.rstrip("\n") + "_subdomains.txt", "r") for subdomain in
subdomains.readlines(): urls = checkdomains.isdomainlive(subdomain.rstrip(
"\n")) if urls: for url in urls: print("Fuzzing - " + url) try:
fuzzer = payloads.fuzz(url = url + "/FUZZ", sc = [200]) for result in
fuzzer: print(result) except: pass

Here we downloaded the directory wordlist from dirsearch repository. We have checked whether the domain is live or not. If the domain is live then fuzzing starts, otherwise it will just go to the next subdomain. The whole process takes a while because the number of domains and subdomains. if you want to run this script in the background you can use screen.

Happy Hunting !!


文章来源: https://medium.com/bugbountywriteup/directory-fuzzing-24265834552b?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh