Urlbuster是一款功能强大的Web目录模糊测试工具,该工具可以帮助广大研究人员定位目标应用程序中现有和隐藏的文件以及目录。该工具的功能类似于
dirb:http://dirb.sourceforge.net/gobuster:https://github.com/OJ/gobuster
,但Urlbuster还提供了大量变异选项。
功能介绍
代理支持Cookie支持基本身份验证摘要授权重试(对于慢速服务器)持久性和非持久性HTTP连接请求方法:GET、POST、PUT、DELETE、PATCH、HEAD、OPTIONS自定义HTTP头修改POST,PUT和PATCHPayload使用不同的请求方法进行变异使用不同的HTTP头进行变异使用不同的文件扩展名进行变异使用斜杠进行变异枚举GET参数值
工具安装
广大研究人员在配置好Python和pip环境之后,可以直接使用下列命令安装Urlbuster:
pip install urlbuster工具使用
usage: urlbuster [options] -w <str>/-W <file> BASE_URLurlbuster -V, --helpurlbuster -h, --versionURL bruteforcer to locate existing and/or hidden files or directories.Similar to dirb or gobuster, but also allows to iterate over multiple HTTP request methods,multiple useragents and multiple host header values.positional arguments:BASE_URL The base URL to scan.required arguments:-w str, --word str Word to use.-W f, --wordlist f Path to wordlist to use.optional global arguments:-n, --new Use a new connection for every request.If not specified persistent http connection will be used for all requests.Note, using a new connection will decrease performance,but ensure to have a clean state on every request.A persistent connection on the other hand will use any additional cookie valuesit has received from a previous request.-f, --follow Follow redirects.-k, --insecure Do not verify TLS certificates.-v, --verbose Show also missed URLs.--code str [str ...] HTTP status code to treat as success.You can use a '.' (dot) as a wildcard.Default: 2.. 3.. 403 407 411 426 429 500 505 511--payload pPOST, PUT and PATCH payloads for all requests.
Note, multiple values are allowed for multiple payloads.Note, if duplicates are specified, the last one will overwrite.See --mpayload for mutations.Format: <key>=<val> [<key>=<val>]--header h [h ...] Custom http header string to add to all requests.Note, multiple values are allowed for multiple headers.Note, if duplicates are specified, the last one will overwrite.See --mheaders for mutations.Format: <key>:<val> [<key>:<val>]--cookie c [c ...] Cookie string to add to all requests.Format: <key>=<val> [<key>=<val>]--proxy str Use a proxy for all requests.Format: http://<host>:<port>Format: http://<user>:<pass>@<host>:<port>Format: https://<host>:<port>Format: https://<user>:<pass>@<host>:<port>Format: socks5://<host>:<port>Format: socks5://<user>:<pass>@<host>:<port>--auth-basic str Use basic authentication for all requests.Format: <user>:<pass>--auth-digest str Use digest authentication for all requests.Format: <user>:<pass>--timeout sec Connection timeout in seconds for each request.Default: 5.0--retry num Connection retries per request.Default: 3--delay sec Delay between requests to not flood the server.--output file Output file to write results to.optional mutating arguments:The following arguments will increase the total number of requests to be made byapplying various mutations and testing each mutation on a separate request.--method m [m ...] List of HTTP methods to test each request against.Note, each supplied method will double the number of requests.Supported methods: GET POST PUT DELETE PATCH HEAD OPTIONSDefault: GET--mpayload pPOST, PUT and PATCH payloads to mutate all requests..
Note, multiple values are allowed for multiple payloads.Format: <key>=<val> [<key>=<val>]--mheader h [h ...] Custom http header string to add to mutate all requests.Note, multiple values are allowed for multiple headers.Format: <key>:<val> [<key>:<val>]--ext ext [ext ...] List of file extensions to to add to words for testing.Note, each supplied extension will double the number of requests.Format: .zip [.pem]--slash str Append or omit a trailing slash to URLs to test.Note, a slash will be added after the extensions if they are specified as well.Note, using 'both' will double the number of requests.Options: both, yes, noDefault: nomisc arguments:-h, --help Show this help message and exit-V, --version Show version informationexamplesurlbuster -W /path/to/words http://example.com/urlbuster -W /path/to/words http://example.com:8000/urlbuster -k -W /path/to/words https://example.com:10000/
对于某些网站来说,在使用某些特殊用户代理的情况下,即使调用的是相同的路径,Web应用程序的反应和行为也会不同。
变异样例
urlbuster-W /usr/share/dirb/wordlists/common.txt--mheader 'User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)'--method 'POST,GET,DELETE,PUT,PATCH'http://www.domain.tld/
██╗ ██╗██████╗ ██╗ ██████╗ ██╗ ██╗███████╗████████╗███████╗██████╗██║ ██║██╔══██╗██║ ██╔══██╗██║ ██║██╔════╝╚══██╔══╝██╔════╝██╔══██╗██║ ██║██████╔╝██║ ██████╔╝██║ ██║███████╗ ██║ █████╗ ██████╔╝██║ ██║██╔══██╗██║ ██╔══██╗██║ ██║╚════██║ ██║ ██╔══╝ ██╔══██╗╚██████╔╝██║ ██║███████╗██████╔╝╚██████╔╝███████║ ██║ ███████╗██║ ██║╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═════╝ ╚══════╝ ╚═╝ ╚══════╝╚═╝ ╚═╝0.5.0 by cytopiaSETTINGSBase URL: https://www.everythingcli.org/Valid codes: 2.., 3.., 403, 407, 411, 426, 429, 500, 505, 511Connection: Non-persistentRedirects: Don't followPayloads: NoneTimeout: 5.0sRetries: 3Delay: NoneMUTATIONSMutating headers: 2Mutating payloads: 0 (POST)Methods: 5 (POST, GET, DELETE, PUT, PATCH)Slashes: noExtensions: 1 (empty extension)Words: 4614TOTAL REQUESTS: 46140START TIME: 2020-01-29 08:52:12--------------------------------------------------------------------------------Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: python-requests/2.22.0[301] [GET] http://domain.tld/robots.txt--------------------------------------------------------------------------------Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)[200] [GET] http://domain.tld/robots.txt[301] [POST] http://domain.tld/robots.txt[301] [GET] http://domain.tld/robots.txt[301] [DELETE] http://domain.tld/robots.txt[301] [PUT] http://domain.tld/robots.txt[301] [PATCH] http://domain.tld/robots.tx
工具使用样例
默认使用方式
基本:$ urlbuster -W /path/to/wordlist.txt http://www.domain.tld/Burpsuite代理:$ urlbuster -W /path/to/wordlist.txt --proxy 'http://localhost:8080' http://www.domain.tld/将结果存储至文件:$ urlbuster -W /path/to/wordlist.txt --output out.txt http://www.domain.tld/基础认证扫描:$ urlbuster -W /path/to/wordlist.txt --auth-basic 'user:pass' http://www.domain.tld/使用会话Cookie:$ urlbuster -W /path/to/wordlist.txt --cookie 'PHPSESSID=a79b00e7-035a-2bb4-352a-439d855feabf' http://www.domain.tld/
查找文件
查找站点根目录中的文件:$ urlbuster -W /path/to/wordlist.txt --code 200 301 302 --ext .zip .tar .tar.gz .gz .rar http://www.domain.tld/查找站点子目录中的文件:$ urlbuster -W /path/to/wordlist.txt --code 200 301 302 --ext .zip .tar .tar.gz .gz .rar http://www.domain.tld/wp-content/
高级使用
爆破查询参数:$ urlbuster -W /path/to/wordlist.txt --method GET --code 200 301 302 http://www.domain.tld/search?q=爆破POST请求:$ urlbuster -W /path/to/wordlist.txt --code 200 301 302 --method POST --payload 'user=somename' 'pass=somepass' '[email protected]' 'submit=yes' http://www.domain.tld/爆破变异POST请求:$ urlbuster -w index.php --code 200 301 302 --method POST --mpayload 'user=somename1' 'user=somename2' 'user=somename3' 'pass=somepass1' 'pass=somepass2' 'pass=somepass3' '[email protected]' '[email protected]' '[email protected]' 'submit=yes' http://www.domain.tld/wp-admin/用户代理SQL注入:$ urlbuster -W /path/to/wordlist.txt --code 5.. --method GET POST --mheader "User-Agent: ;" "User-Agent: ' or "" "User-Agent: -- or #" "User-Agent: ' OR '1" "User-Agent: ' OR 1 -- -" "User-Agent: " OR 1 = 1 -- -" "User-Agent: '='" "User-Agent: 'LIKE'" "User-Agent: '=0--+" "User-Agent: OR 1=1" "User-Agent: ' OR 'x'='x" "User-Agent: ' AND id IS NULL; --" http://www.domain.tld/查找潜在的vhost:$ urlbuster -w / --method GET POST --mheader "Host: internal1.lan" "Host: internal2.lan" "Host: internal3.lan" "Host: internal4.lan" "Host: internal5.lan" "Host: internal6.lan" http://10.0.0.1
项目地址
Urlbuster:https://github.com/cytopia/urlbuster
为方便技术交流、接收粉丝建议,贴出了运营小哥哥的微信,可扫码加
依旧是限时加,晚5点后会暂时关闭二维码加好友
欢迎各位大佬加好友
一如既往的学习,一如既往的整理,一如即往的分享。感谢支持
“如侵权请私聊公众号删文”
扫描关注LemonSec
本文始发于微信公众号(LemonSec):一款支持爆破的可变异Web目录模糊测试工具
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论