目录
requests
Requests: HTTP for Humans™ — Requests 2.27.1 documentation
python -m pip install requests>>> import requests
>>> r=requests.get('http://challenge-f11947463cd47902.sandbox.ctfhub.com:10800/flag_in_here/3/2/flag.txt')
>>> r.text
'ctfhub{b750b20c17d7a9e975f71dca}\n'
>>> exit()dirsearch
官方网站: GitHub - maurosoria/dirsearch: Web path scanner
python dirsearch.py --help
Usage: dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Mandatory:
-u URL, --url=URL Target URL
-l FILE, --url-list=FILE
Target URL list file
--stdin Target URL list from STDIN
--cidr=CIDR Target CIDR
--raw=FILE Load raw HTTP request from file (use `--scheme` flag
to set the scheme)
-e EXTENSIONS, --extensions=EXTENSIONS
Extension list separated by commas (Example: php,asp)
-X EXTENSIONS, --exclude-extensions=EXTENSIONS
Exclude extension list separated by commas (Example:
asp,jsp)
-f, --force-extensions
Add extensions to every wordlist entry. By default
dirsearch only replaces the %EXT% keyword with
extensions
Dictionary Settings:
-w WORDLIST, --wordlists=WORDLIST
Customize wordlists (separated by commas)
--prefixes=PREFIXES
Add custom prefixes to all wordlist entries (separated
by commas)
--suffixes=SUFFIXES
Add custom suffixes to all wordlist entries, ignore
directories (separated by commas)
--only-selected Remove paths have different extensions from selected
ones via `-e` (keep entries don't have extensions)
--remove-extensions
Remove extensions in all paths (Example: admin.php ->
admin)
-U, --uppercase Uppercase wordlist
-L, --lowercase Lowercase wordlist
-C, --capital Capital wordlist
General Settings:
-t THREADS, --threads=THREADS
Number of threads
-r, --recursive Brute-force recursively
--deep-recursive Perform recursive scan on every directory depth
(Example: api/users -> api/)
--force-recursive Do recursive brute-force for every found path, not
only paths end with slash
-R DEPTH, --recursion-depth=DEPTH
Maximum recursion depth
--recursion-status=CODES
Valid status codes to perform recursive scan, support
ranges (separated by commas)
--subdirs=SUBDIRS Scan sub-directories of the given URL[s] (separated by
commas)
--exclude-subdirs=SUBDIRS
Exclude the following subdirectories during recursive
scan (separated by commas)
-i CODES, --include-status=CODES
Include status codes, separated by commas, support
ranges (Example: 200,300-399)
-x CODES, --exclude-status=CODES
Exclude status codes, separated by commas, support
ranges (Example: 301,500-599)
--exclude-sizes=SIZES
Exclude responses by sizes, separated by commas
(Example: 123B,4KB)
--exclude-texts=TEXTS
Exclude responses by texts, separated by commas
(Example: 'Not found', 'Error')
--exclude-regexps=REGEXPS
Exclude responses by regexps, separated by commas
(Example: 'Not foun[a-z]{1}', '^Error$')
--exclude-redirects=REGEXPS
Exclude responses by redirect regexps or texts,
separated by commas (Example: 'https://okta.com/*')
--exclude-content=PATH
Exclude responses by response content of this path
--skip-on-status=CODES
Skip target whenever hit one of these status codes,
separated by commas, support ranges
--minimal=LENGTH Minimal response length
--maximal=LENGTH Maximal response length
--max-time=SECONDS Maximal runtime for the scan
-q, --quiet-mode Quiet mode
--full-url Full URLs in the output (enabled automatically in
quiet mode)
--no-color No colored output
Request Settings:
-m METHOD, --http-method=METHOD
HTTP method (default: GET)
-d DATA, --data=DATA
HTTP request data
-H HEADERS, --header=HEADERS
HTTP request header, support multiple flags (Example:
-H 'Referer: example.com')
--header-list=FILE File contains HTTP request headers
-F, --follow-redirects
Follow HTTP redirects
--random-agent Choose a random User-Agent for each request
--auth-type=TYPE Authentication type (basic, digest, bearer, ntlm)
--auth=CREDENTIAL Authentication credential (user:password or bearer
token)
--user-agent=USERAGENT
--cookie=COOKIE
Connection Settings:
--timeout=TIMEOUT Connection timeout
-s DELAY, --delay=DELAY
Delay between requests
--proxy=PROXY Proxy URL, support HTTP and SOCKS proxies (Example:
localhost:8080, socks5://localhost:8088)
--proxy-list=FILE File contains proxy servers
--replay-proxy=PROXY
Proxy to replay with found paths
--scheme=SCHEME Default scheme (for raw request or if there is no
scheme in the URL)
--max-rate=RATE Max requests per second
--retries=RETRIES Number of retries for failed requests
-b, --request-by-hostname
By default dirsearch requests by IP for speed. This
will force dirsearch to request by hostname
--ip=IP Server IP address
--exit-on-error Exit whenever an error occurs
Reports:
-o FILE, --output=FILE
Output file
--format=FORMAT Report format (Available: simple, plain, json, xml,
md, csv, html)
You can change the dirsearch default configurations (default extensions,
timeout, wordlist location, ...) by editing the "default.conf" file. More
information at https://github.com/maurosoria/dirsearch.报错
>python dirsearch.py -u http://challenge-aee21970e2e10e44.sandbox.ctfhub.com:10800/www.zip -e tar,tar.gz,zip,rar
NotADirectoryError: [WinError 267] 目录名称无效。: 'D:\\Software\\Python\\Lib\\site-packages\\dirsearch\\reports\\challenge-aee21970e2e10e44.sandbox.ctfhub.com:10800'解决(Windows文件名不允许“:”)
>python dirsearch.py -u http://challenge-aee21970e2e10e44.sandbox.ctfhub.com:10800/www.zip -e tar,tar.gz,zip,rar -o reports/1.txt疑问1:指定-x 503之后就没有结果了
d:\Software\Python\Lib\site-packages\dirsearch>python dirsearch.py -u http://challenge-356877c01dee5b8d.sandbox.ctfhub.com:10800/ -e * -o reports/1.txt -x 503
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, jsf, asp, aspx, do, action, cgi, pl, html, htm, js, json, json, tar.gz, tgz | HTTP method: GET | Threads: 30 | Wordlist size: 15971
Output File: d:\Software\Python\Lib\site-packages\dirsearch\reports\1.txt
Error Log: D:\Software\Python\Lib\site-packages\dirsearch\logs\errors-22-03-08_11-13-21.log
Target: http://challenge-356877c01dee5b8d.sandbox.ctfhub.com:10800/
[11:13:21] Starting:
Task Completed疑问2:指定-e zip还是会有其他后缀的结果
d:\Software\Python\Lib\site-packages\dirsearch>python dirsearch.py -u http://challenge-356877c01dee5b8d.sandbox.ctfhub.com:10800/ -e zip -o reports/1.txt
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: zip | HTTP method: GET | Threads: 30 | Wordlist size: 8976
Output File: d:\Software\Python\Lib\site-packages\dirsearch\reports\1.txt
Error Log: D:\Software\Python\Lib\site-packages\dirsearch\logs\errors-22-03-08_11-08-35.log
Target: http://challenge-356877c01dee5b8d.sandbox.ctfhub.com:10800/
[11:08:35] Starting:
[11:08:35] 503 - 605B - /%C0%AE%C0%AE%C0%AF
[11:08:35] 503 - 605B - /zip.txt
[11:08:35] 503 - 605B - /.actionScriptProperties
[11:08:35] 503 - 605B - /.admin/
[11:08:35] 503 - 605B - /zip
[11:08:35] 503 - 605B - /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
[11:08:35] 503 - 605B - /.accdb
[11:08:35] 503 - 605B - /.agilekeychain
[11:08:35] 503 - 605B - /.analysis_options
[11:08:35] 503 - 605B - /.all-contributorsrc
[11:08:35] 503 - 605B - /.apdiskGitHack
pip install githack官方网站:GitHub - BugScanTeam/GitHack: .git 泄漏利用工具,可还原历史版本
>python githack -h
usage: githack [-h] [-o OUTPUT] [--level {NOTSET,DEBUG,INFO,WARNING,ERROR,CRITICAL}] [-k] URI
.git/ leakage exploit
positional arguments:
URI target uri to exploit (eg. http://example.com/.git)
optional arguments:
-h, --help show this help message and exit
-o OUTPUT, --output OUTPUT
output dir, all the file will download to this directory
--level {NOTSET,DEBUG,INFO,WARNING,ERROR,CRITICAL}
log level (default: INFO)
-k, --insecure Ignore ssl verify
OwenChia <https://github.com/OwenChia/githack>
6478
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
