“
dirsearch is an advanced command-line tool designed to brute-force directories and files on web servers, also known as a web path scanner.
”
1. Introduction
Once a company's service goes live, we need to check whether it leaks sensitive files, which means probing the whole service rather than a few known URLs. Typical cases: the service is in production but its swagger documentation is still reachable from the internet, the server is misconfigured, a .git directory is exposed, and so on. Today's subject, dirsearch, is built to scan for exactly these scenarios.
2. Installation and usage
Requirements: Python 3.7 or newer
Pick one of the following installation options:
- Install with git:
git clone https://github.com/maurosoria/dirsearch.git
- Install with Docker (run inside the cloned repository; the trailing dot is the build context and must not be left out):
docker build -t "dirsearch:v0.4.2" .
- Install on Kali Linux:
sudo apt-get install dirsearch
- Install from PyPI:
pip3 install dirsearch
Note: to use the SOCKS proxy feature, install the dependencies listed in requirements.txt: pip3 install -r requirements.txt
The recommended way to install it is:
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
pip3 install -r requirements.txt
python3 dirsearch.py -u <URL> -e <EXTENSIONS>
3. Wordlists
dirsearch ships with a built-in wordlist under the db directory; the default is db/dicc.txt, and you can point -w at your own wordlist instead.
- A wordlist is a plain text file with one path per line.
- Unlike other tools, dirsearch uses the %EXT% keyword as the placeholder that the -e argument fills in. If the wordlist contains index.%EXT% and you run with -e php, the entry becomes index.php.
- For wordlists without %EXT%, the -f | --force-extensions flag is needed to append each extension to every word in the wordlist, plus a trailing /. For example, with the entry admin, passing the extensions "php" and "html" together with -f/--force-extensions generates: admin, admin.php, admin.html, admin/.
- To use several wordlists, separate them with commas, e.g. wordlist1.txt,wordlist2.txt.
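To make the expansion rules above concrete, here is a small re-implementation of them in Python. This is an added example, not dirsearch's own code: it models %EXT% substitution, the -f expansion, the comma-separated -w list and the -X exclusion as described on this page; the output ordering, the rule that -f does not re-append an extension an entry already ends with, and the sample wordlists (SAMPLE_DICC, SAMPLE_CUSTOM) are this example's own assumptions.

```python
"""Illustrative model of dirsearch-style wordlist expansion (-e, -f, -w, -X).

Added example, not dirsearch's own code. Ordering and the handling of entries
that already carry a selected extension are this example's simplifications.
"""
import os
from typing import Iterable, List

EXT_TAG = "%EXT%"


def parse_extensions(spec: str) -> List[str]:
    """Turn an -e/-X value such as 'php, .HTML,js,' into ['php', 'html', 'js']."""
    return [e.strip().lstrip(".").lower() for e in spec.split(",") if e.strip()]


def expand_entry(entry: str, extensions: Iterable[str],
                 force_extensions: bool = False) -> List[str]:
    """Expand one wordlist line the way -e (and optionally -f) would."""
    extensions = list(extensions)
    entry = entry.strip()
    if not entry or entry.startswith("#"):          # blank lines and comments
        return []
    if EXT_TAG in entry:
        # index.%EXT% -> index.php, index.html, ...
        return [entry.replace(EXT_TAG, ext) for ext in extensions]
    already_has_ext = any(entry.endswith("." + ext) for ext in extensions)
    if not force_extensions or entry.endswith("/") or already_has_ext:
        # without -f, entries lacking %EXT% are requested verbatim
        return [entry]
    # -f: admin -> admin, admin.php, admin.html, admin/
    return [entry] + [f"{entry}.{ext}" for ext in extensions] + [entry + "/"]


def _extension_of(path: str) -> str:
    """'.git/config.php' -> 'php'; dotfiles such as '.env' have no extension."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name[1:] else ""


def build_wordlist(sources: Iterable[str], extensions: str,
                   force_extensions: bool = False,
                   exclude_extensions: str = "") -> List[str]:
    """Merge the contents of the -w files into one deduplicated path list.

    `sources` are the raw texts of the comma-separated -w files; `extensions`
    and `exclude_extensions` are the -e and -X values.
    """
    exts = parse_extensions(extensions)
    excluded = set(parse_extensions(exclude_extensions))
    seen = set()
    result: List[str] = []
    for text in sources:
        for line in text.splitlines():
            for path in expand_entry(line, exts, force_extensions):
                if path in seen or _extension_of(path) in excluded:
                    continue
                seen.add(path)
                result.append(path)
    return result


def load_wordlists(spec: str) -> List[str]:
    """Read the comma-separated file list given to -w (wordlist1.txt,wordlist2.txt)."""
    return [open(os.path.expanduser(p.strip()), encoding="utf-8", errors="ignore").read()
            for p in spec.split(",") if p.strip()]


# Constructed sample wordlists (assumptions), standing in for db/dicc.txt and a custom -w file.
SAMPLE_DICC = """\
index.%EXT%
admin
.git/config
swagger-ui.html
config.%EXT%.bak
"""
SAMPLE_CUSTOM = """\
# comments are skipped
admin
api/
.env
"""

if __name__ == "__main__":
    # Equivalent of: -w dicc.txt,custom.txt -e php,html -f -X bak
    for path in build_wordlist([SAMPLE_DICC, SAMPLE_CUSTOM], "php,html",
                               force_extensions=True, exclude_extensions="bak"):
        print(path)
```

Running it shows why -f is expensive: a single entry such as admin becomes four requests per extension set, so combine -f with a short -e list, and use -X to drop extensions you know the target never serves before the scan starts rather than filtering responses afterwards.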
4. How to use
Some examples of how to use dirsearch, covering the most common arguments. For the full list, use -h.
- Basic usage
python3 dirsearch.py -u https://target
python3 dirsearch.py -e php,html,js -u https://target
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
- Recursive scanning
With the -r|--recursive flag, dirsearch brute-forces every directory it finds recursively; -R limits how deep it goes.
python3 dirsearch.py -e php,html,js -u https://target -r
- Threads
The thread count (-t|--threads) is the number of concurrent brute-force workers, so the more threads, the faster dirsearch runs. The default is 30, and you can raise it to speed up the scan. Even so, throughput is largely bounded by the server's response time. As a warning, keep the thread count moderate: too many concurrent requests can amount to a DoS against the target. If you need to be gentle, add -s to delay between requests or --max-rate to cap requests per second.
python3 dirsearch.py -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20
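The recursive and thread options above are easier to reason about when the algorithm is spelled out. The following Python model is an added example, not dirsearch's own code: it runs a wordlist against a constructed in-memory target (FAKE_SITE, an assumption standing in for a real server) with a thread pool sized by -t, and shows how -r, -R, --force-recursive and --recursion-status change which paths get scanned. The status sets used as defaults here are this example's assumptions, not dirsearch's exact defaults; replacing fake_fetch with a real HTTP GET turns it into a working scanner.

```python
"""Illustrative model of recursive brute-forcing with a thread pool.

Added example, not dirsearch's own code. FAKE_SITE is a constructed target so
the example runs offline; every path not listed answers 404.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed fake target (assumption, not a real server).
FAKE_SITE: Dict[str, int] = {
    "/admin/": 301,
    "/admin/login.php": 200,
    "/admin/backup/": 403,
    "/admin/backup/db.sql": 200,
    "/api": 200,             # no trailing slash: only --force-recursive descends into it
    "/api/users": 200,
    "/.git/": 403,
    "/.git/config": 200,     # the .git leak mentioned in the introduction
}

# Constructed wordlist; in practice this comes from db/dicc.txt or -w.
WORDS = ["admin/", "login.php", "backup/", "db.sql", "api", "users", ".git/", "config"]

FOUND_STATUS = (200, 204, 301, 302, 307, 401, 403)   # assumption: what counts as a hit


def fake_fetch(path: str) -> int:
    """Stand-in for an HTTP request: returns the status code for `path`."""
    return FAKE_SITE.get(path, 404)


def recursive_scan(
    words: List[str],
    fetch: Callable[[str], int],
    *,
    threads: int = 30,                                   # -t
    recursive: bool = False,                             # -r
    max_depth: Optional[int] = None,                     # -R
    force_recursive: bool = False,                       # --force-recursive
    include_status: Iterable[int] = FOUND_STATUS,        # -i
    recursion_status: Iterable[int] = FOUND_STATUS,      # --recursion-status
) -> Dict[str, int]:
    """Brute-force `words` under "/", then under every directory that was found.

    Returns {path: status} for every hit. The site root is depth 0, so -R 1
    scans directories found directly under the root but not their children.
    """
    include_status = set(include_status)
    recursion_status = set(recursion_status)
    found: Dict[str, int] = {}
    queue: List[Tuple[str, int]] = [("", 0)]   # (directory prefix without trailing "/", depth)
    scanned = set()

    with ThreadPoolExecutor(max_workers=threads) as pool:
        while queue:
            prefix, depth = queue.pop(0)
            if prefix in scanned:
                continue
            scanned.add(prefix)
            paths = [f"{prefix}/{w}" for w in words]
            # pool.map preserves input order, so statuses line up with `paths`
            for path, status in zip(paths, pool.map(fetch, paths)):
                if status not in include_status:
                    continue
                found[path] = status
                if not recursive or status not in recursion_status:
                    continue
                if max_depth is not None and depth + 1 > max_depth:
                    continue
                # default: only recurse into paths ending with "/";
                # --force-recursive descends into every found path
                if path.endswith("/") or force_recursive:
                    queue.append((path.rstrip("/"), depth + 1))
    return found


if __name__ == "__main__":
    for flags in ({}, {"recursive": True}, {"recursive": True, "max_depth": 1},
                  {"recursive": True, "force_recursive": True}):
        hits = recursive_scan(WORDS, fake_fetch, threads=4, **flags)
        print(flags or "non-recursive", sorted(hits))
```

Two things the runs make visible: without -r the scan stops at /admin/ and never reaches /admin/backup/db.sql or /.git/config, and --force-recursive also descends into hits that have no trailing slash (here /api), which is how REST-style paths such as /api/users are found, at the cost of scanning every hit as if it were a directory.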
For the remaining options, consult the -h output:
admindeMacBook-Pro:brute admin$ dirsearch -h
Usage: dirsearch [-u|--url] target [-e|--extensions] extensions [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Mandatory:
-u URL, --url=URL Target URL
-l FILE, --url-list=FILE
Target URL list file
--stdin Target URL list from STDIN
--cidr=CIDR Target CIDR
--raw=FILE Load raw HTTP request from file (use `--scheme` flag
to set the scheme)
-e EXTENSIONS, --extensions=EXTENSIONS
Extension list separated by commas (Example: php,asp)
-X EXTENSIONS, --exclude-extensions=EXTENSIONS
Exclude extension list separated by commas (Example:
asp,jsp)
-f, --force-extensions
Add extensions to every wordlist entry. By default
dirsearch only replaces the %EXT% keyword with
extensions
Dictionary Settings:
-w WORDLIST, --wordlists=WORDLIST
Customize wordlists (separated by commas)
--prefixes=PREFIXES
Add custom prefixes to all wordlist entries (separated
by commas)
--suffixes=SUFFIXES
Add custom suffixes to all wordlist entries, ignore
directories (separated by commas)
--only-selected Remove paths have different extensions from selected
ones via `-e` (keep entries don't have extensions)
--remove-extensions
Remove extensions in all paths (Example: admin.php ->
admin)
-U, --uppercase Uppercase wordlist
-L, --lowercase Lowercase wordlist
-C, --capital Capital wordlist
General Settings:
-t THREADS, --threads=THREADS
Number of threads
-r, --recursive Brute-force recursively
--deep-recursive Perform recursive scan on every directory depth
(Example: api/users -> api/)
--force-recursive Do recursive brute-force for every found path, not
only paths end with slash
-R DEPTH, --recursion-depth=DEPTH
Maximum recursion depth
--recursion-status=CODES
Valid status codes to perform recursive scan, support
ranges (separated by commas)
--subdirs=SUBDIRS Scan sub-directories of the given URL[s] (separated by
commas)
--exclude-subdirs=SUBDIRS
Exclude the following subdirectories during recursive
scan (separated by commas)
-i CODES, --include-status=CODES
Include status codes, separated by commas, support
ranges (Example: 200,300-399)
-x CODES, --exclude-status=CODES
Exclude status codes, separated by commas, support
ranges (Example: 301,500-599)
--exclude-sizes=SIZES
Exclude responses by sizes, separated by commas
(Example: 123B,4KB)
--exclude-texts=TEXTS
Exclude responses by texts, separated by commas
(Example: 'Not found', 'Error')
--exclude-regexps=REGEXPS
Exclude responses by regexps, separated by commas
(Example: 'Not foun[a-z]{1}', '^Error$')
--exclude-redirects=REGEXPS
Exclude responses by redirect regexps or texts,
separated by commas (Example: 'https://okta.com/*')
--exclude-content=PATH
Exclude responses by response content of this path
--skip-on-status=CODES
Skip target whenever hit one of these status codes,
separated by commas, support ranges
--minimal=LENGTH Minimal response length
--maximal=LENGTH Maximal response length
--max-time=SECONDS Maximal runtime for the scan
-q, --quiet-mode Quiet mode
--full-url Full URLs in the output (enabled automatically in
quiet mode)
--no-color No colored output
Request Settings:
-m METHOD, --http-method=METHOD
HTTP method (default: GET)
-d DATA, --data=DATA
HTTP request data
-H HEADERS, --header=HEADERS
HTTP request header, support multiple flags (Example:
-H 'Referer: example.com')
--header-list=FILE File contains HTTP request headers
-F, --follow-redirects
Follow HTTP redirects
--random-agent Choose a random User-Agent for each request
--auth-type=TYPE Authentication type (basic, digest, bearer, ntlm)
--auth=CREDENTIAL Authentication credential (user:password or bearer
token)
--user-agent=USERAGENT
--cookie=COOKIE
Connection Settings:
--timeout=TIMEOUT Connection timeout
-s DELAY, --delay=DELAY
Delay between requests
--proxy=PROXY Proxy URL, support HTTP and SOCKS proxies (Example:
localhost:8080, socks5://localhost:8088)
--proxy-list=FILE File contains proxy servers
--replay-proxy=PROXY
Proxy to replay with found paths
--scheme=SCHEME Default scheme (for raw request or if there is no
scheme in the URL)
--max-rate=RATE Max requests per second
--retries=RETRIES Number of retries for failed requests
-b, --request-by-hostname
By default dirsearch requests by IP for speed. This
will force dirsearch to request by hostname
--ip=IP Server IP address
--exit-on-error Exit whenever an error occurs
Reports:
-o FILE, --output=FILE
Output file
--format=FORMAT Report format (Available: simple, plain, json, xml,
md, csv, html)
You can change the dirsearch default configurations (default extensions,
timeout, wordlist location, ...) by editing the "default.conf" file. More
information at https://github.com/maurosoria/dirsearch.
Originally published on the WeChat public account 洋洋自语: 黑客必备工具之dirsearch (dirsearch, an essential hacker tool)
Collected by 极客之音; article link: https://www.bmabk.com/index.php/post/272976.html