Urlbuster是一款功能强大的Web目录模糊测试工具,该工具可以帮助广大研究人员定位目标应用程序中现有和隐藏的文件以及目录。该工具的功能类似于dirb和gobuster,但Urlbuster还提供了大量变异选项。
功能介绍
代理支持
Cookie支持
基本身份验证
摘要授权
重试(对于慢速服务器)
持久性和非持久性HTTP连接
请求方法:GET、POST、PUT、DELETE、PATCH、HEAD、OPTIONS
自定义HTTP头
修改POST,PUT和PATCHPayload
使用不同的请求方法进行变异
使用不同的HTTP头进行变异
使用不同的文件扩展名进行变异
使用斜杠进行变异
枚举GET参数值
工具安装
广大研究人员在配置好Python和pip环境之后,可以直接使用下列命令安装Urlbuster:
pip install urlbuster
工具使用
usage: urlbuster [options] -w /-W BASE_URL
urlbuster -V, --help
urlbuster -h, --version
URL bruteforcer to locate existing and/or hidden files or directories.
Similar to dirb or gobuster, but also allows to iterate over multiple HTTP request methods,
multiple useragents and multiple host header values.
positional arguments:
BASE_URL The base URL to scan.
required arguments:
-w str, --word str Word to use.
-W f, --wordlist f Path to wordlist to use.
optional global arguments:
-n, --new Use a new connection for every request.
If not specified persistent http connection will be used for all requests.
Note, using a new connection will decrease performance,
but ensure to have a clean state on every request.
A persistent connection on the other hand will use any additional cookie values
it has received from a previous request.
-f, --follow Follow redirects.
-k, --insecure Do not verify TLS certificates.
-v, --verbose Show also missed URLs.
--code str [str ...] HTTP status code to treat as success.
You can use a '.' (dot) as a wildcard.
Default: 2.. 3.. 403 407 411 426 429 500 505 511
--payload p [p ...] POST, PUT and PATCH payloads for all requests.
Note, multiple values are allowed for multiple payloads.