
Improved scanner for finding directories and files on a server

Knew100



An improved command-line tool: a scanner designed to find directories and files on a server.


Installation and usage:


Requirement: Python 3.7 or higher https://www.python.org/

Choose one of these installation options:

Install from the archive (recommended, so that nothing is installed system-wide; the log files are written to the same folder):
sudo apt install python3
sudo apt install python3-pip
pip3 install -r requirements.txt
python3 dirsearch.py

Install with pip:
sudo apt install python3
sudo apt install python3-pip
pip3 install dirsearch

Install on Kali Linux:
sudo apt-get install dirsearch



Wordlists:


A wordlist is a text file; each line is a path.
About extensions: unlike other tools, dirsearch only replaces the %EXT% keyword with the extensions given in the -e flag.
For wordlists without %EXT%, -f | --force-extensions appends the extensions to every word in the list, as well as a trailing /.
To apply your extensions to wordlist entries that already have an extension, use -O | --overwrite-extensions (note: some extensions are excluded from overwriting, such as .log, .json, .xml, ... and media extensions such as .jpg, .png).
To use several wordlists, separate them with commas. Example: wordlist1.txt,wordlist2.txt.


Examples:

Normal extensions:
index.%EXT%

Passing ASP and ASPX as extensions generates the following dictionary:
index
index.asp
index.aspx


Force extensions:
admin

Passing PHP and HTML as extensions with the -f/--force-extensions flag generates the following dictionary:
admin
admin.php
admin.html
admin/

Overwrite extensions:
login.html

Passing JSP and JSPA as extensions with the -O/--overwrite-extensions flag generates the following dictionary:
login.html
login.jsp
login.jspa
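The three expansion modes shown above (plain %EXT% substitution, -f and -O) implemented in Python as an added illustration; this is not dirsearch's own code, and the set of extensions that -O leaves untouched (NO_OVERWRITE) is an assumption modelled on the note above about .log, .json, .xml and media types:

```python
"""Expand a wordlist the way the post describes dirsearch doing it: %EXT%
substitution by default, -f/--force-extensions, -O/--overwrite-extensions.

Added illustration, not dirsearch's own code. NO_OVERWRITE is an assumption
modelled on the post's note about .log/.json/.xml and media extensions."""
from typing import Iterable, List

# Assumed set of extensions that -O leaves in place (see the note above).
NO_OVERWRITE = {"log", "json", "xml", "jpg", "jpeg", "png", "gif", "svg", "css", "ico"}


def expand_entry(entry: str, exts: List[str], force: bool = False,
                 overwrite: bool = False) -> List[str]:
    """Return the candidate paths generated from one wordlist line."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return []                      # blank lines and comments yield nothing
    if "%EXT%" in entry:
        # Default mode: only the keyword is replaced. The bare form (keyword
        # and its dot dropped) is kept too, as in "index, index.asp, index.aspx".
        bare = entry.replace(".%EXT%", "").replace("%EXT%", "")
        return ([bare] if bare else []) + [entry.replace("%EXT%", e) for e in exts]
    out = [entry]
    if entry.endswith("/"):
        return out                     # directory entries get no extension
    name, dot, current = entry.rpartition(".")
    has_ext = bool(dot) and bool(name) and "/" not in current
    if overwrite and has_ext and current.lower() not in NO_OVERWRITE:
        # -O: keep the original and add one copy per requested extension
        out += [f"{name}.{e}" for e in exts]
    if force:
        # -f: append every extension, plus the entry as a directory
        out += [f"{entry}.{e}" for e in exts] + [f"{entry}/"]
    return out


def build_dictionary(wordlists: Iterable[Iterable[str]], exts: List[str],
                     force: bool = False, overwrite: bool = False) -> List[str]:
    """Merge several wordlists (the comma-separated -w case) into one
    de-duplicated, order-preserving dictionary."""
    seen, result = set(), []
    for wordlist in wordlists:
        for line in wordlist:
            for path in expand_entry(line, exts, force, overwrite):
                if path not in seen:
                    seen.add(path)
                    result.append(path)
    return result


if __name__ == "__main__":
    # Constructed two-file wordlist reproducing the post's three examples.
    wl1 = ["index.%EXT%", "admin", "# comment line", ""]
    wl2 = ["login.html", "admin", "images/"]
    for path in build_dictionary([wl1, wl2], ["php", "html"], force=True, overwrite=True):
        print(path)
```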



Examples:


python3 dirsearch.py -u https://target
python3 dirsearch.py -e php,html,js -u https://target
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist

Usage: dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Mandatory:
    -u URL, --url=URL   Target URL(s), support multiple flags
    -l PATH, --url-file=PATH
                        URL list file
    --stdin             Read URL(s) from STDIN
    --cidr=CIDR         Target CIDR
    --raw=PATH          Load raw HTTP request from file (use `--scheme` flag
                        to set the scheme)
    -s SESSION_FILE, --session=SESSION_FILE
                        Session file
    --config=PATH       Full path to config file, see 'config.ini' for
                        example (Default: config.ini)

  Dictionary Settings:
    -w WORDLISTS, --wordlists=WORDLISTS
                        Customize wordlists (separated by commas)
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extension list separated by commas (e.g. php,asp)
    -f, --force-extensions
                        Add extensions to the end of every wordlist entry. By
                        default dirsearch only replaces the %EXT% keyword with
                        extensions
    -O, --overwrite-extensions
                        Overwrite other extensions in the wordlist with your
                        extensions (selected via `-e`)
    --exclude-extensions=EXTENSIONS
                        Exclude extension list separated by commas (e.g.
                        asp,jsp)
    --remove-extensions
                        Remove extensions in all paths (e.g. admin.php ->
                        admin)
    --prefixes=PREFIXES
                        Add custom prefixes to all wordlist entries (separated
                        by commas)
    --suffixes=SUFFIXES
                        Add custom suffixes to all wordlist entries, ignore
                        directories (separated by commas)
    -U, --uppercase     Uppercase wordlist
    -L, --lowercase     Lowercase wordlist
    -C, --capital       Capital wordlist

  General Settings:
    -t THREADS, --threads=THREADS
                        Number of threads
    -r, --recursive     Brute-force recursively
    --deep-recursive    Perform recursive scan on every directory depth (e.g.
                        api/users -> api/)
    --force-recursive   Do recursive brute-force for every found path, not
                        only directories
    -R DEPTH, --max-recursion-depth=DEPTH
                        Maximum recursion depth
    --recursion-status=CODES
                        Valid status codes to perform recursive scan, support
                        ranges (separated by commas)
    --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by
                        commas)
    --exclude-subdirs=SUBDIRS
                        Exclude the following subdirectories during recursive
                        scan (separated by commas)
    -i CODES, --include-status=CODES
                        Include status codes, separated by commas, support
                        ranges (e.g. 200,300-399)
    -x CODES, --exclude-status=CODES
                        Exclude status codes, separated by commas, support
                        ranges (e.g. 301,500-599)
    --exclude-sizes=SIZES
                        Exclude responses by sizes, separated by commas (e.g.
                        0B,4KB)
    --exclude-texts=TEXTS
                        Exclude responses by texts, separated by commas (e.g.
                        'Not found', 'Error')
    --exclude-regex=REGEX
                        Exclude responses by regex (e.g. '^Error$')
    --exclude-redirect=STRING
                        Exclude responses if this regex (or text) matches
                        redirect URL (e.g. '/index.html')
    --exclude-response=PATH
                        Exclude responses similar to response of this page,
                        path as input (e.g. 404.html)
    --skip-on-status=CODES
                        Skip target whenever hit one of these status codes,
                        separated by commas, support ranges
    --min-response-size=LENGTH
                        Minimum response length
    --max-response-size=LENGTH
                        Maximum response length
    --max-time=SECONDS  Maximum runtime for the scan

  Request Settings:
    -m METHOD, --http-method=METHOD
                        HTTP method (default: GET)
    -d DATA, --data=DATA
                        HTTP request data
    --data-file=PATH    File contains HTTP request data
    -H HEADERS, --header=HEADERS
                        HTTP request header, support multiple flags
    --header-file=PATH  File contains HTTP request headers
    -F, --follow-redirects
                        Follow HTTP redirects
    --random-agent      Choose a random User-Agent for each request
    --auth=CREDENTIAL   Authentication credential (e.g. user:password or
                        bearer token)
    --auth-type=TYPE    Authentication type (basic, digest, bearer, ntlm, jwt,
                        oauth2)
    --cert-file=PATH    File contains client-side certificate
    --key-file=PATH     File contains client-side certificate private key
                        (unencrypted)
    --user-agent=USERAGENT
    --cookie=COOKIE

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    --delay=DELAY       Delay between requests
    --proxy=PROXY       Proxy URL, support HTTP and SOCKS proxies (e.g.
                        localhost:8080, socks5://localhost:8088)
    --proxy-file=PATH   File contains proxy servers
    --proxy-auth=CREDENTIAL
                        Proxy authentication credential
    --replay-proxy=PROXY
                        Proxy to replay with found paths
    --tor               Use Tor network as proxy
    --scheme=SCHEME     Scheme for raw request or if there is no scheme in the
                        URL (Default: auto-detect)
    --max-rate=RATE     Max requests per second
    --retries=RETRIES   Number of retries for failed requests
    --ip=IP             Server IP address
    --exit-on-error     Exit whenever an error occurs

  Advanced Settings:
    --crawl             Crawl for new paths in responses

  View Settings:
    --full-url          Full URLs in the output (enabled automatically in
                        quiet mode)
    --redirects-history
                        Show redirects history
    --no-color          No colored output
    -q, --quiet-mode    Quiet mode

  Output Settings:
    -o PATH, --output=PATH
                        Output file
    --format=FORMAT     Report format (Available: simple, plain, json, xml,
                        md, csv, html, sqlite)
    --log=PATH          Log file
 

The default values can be edited in the configuration file, config.ini by default; another file can be chosen with the --config flag.

[general]
threads = 25
recursive = False
deep-recursive = False
force-recursive = False
recursion-status = 200-399,401,403
max-recursion-depth = 0
exclude-subdirs = %%ff/,.;/,..;/,;/,./,../,%%2e/,%%2e%%2e/
random-user-agents = False
max-time = 0
# subdirs = /,api/
# include-status = 200-299,401
# exclude-status = 400,500-999
# exclude-sizes = 0b,123gb
# exclude-texts = "Not found"
# exclude-regex = "^403$"
# exclude-redirect = "*/error.html"
# exclude-response = 404.html
# skip-on-status = 429,999

[dictionary]
default-extensions = php,aspx,jsp,html,js
force-extensions = False
overwrite-extensions = False
lowercase = False
uppercase = False
capitalization = False
# exclude-extensions = old,log
# prefixes = .,admin
# suffixes = ~,.bak
# wordlists = /path/to/wordlist1.txt,/path/to/wordlist2.txt

[request]
httpmethod = get
follow-redirects = False
# headers-file = /path/to/headers.txt
# user-agent = MyUserAgent
# cookie = SESSIONID=123

[connection]
timeout = 7.5
delay = 0
max-rate = 0
max-retries = 1
exit-on-error = False
## By disabling `scheme` variable, dirsearch will automatically identify the URI scheme
# scheme = http
# proxy = localhost:8080
# proxy-file = /path/to/proxies.txt
# replay-proxy = localhost:8000

[advanced]
crawl = False

[view]
full-url = False
quiet-mode = False
color = True
show-redirects-history = False

[output]
## Support: plain, simple, json, xml, md, csv, html, sqlite
report-format = plain
autosave-report = True
# log-file = /path/to/dirsearch.log
# report-output-folder = /path/to/reports
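From the defender's side, the defaults above (25 threads, no delay, no rate limit) appear in the web server's access log as a burst of requests for paths that do not exist. The following added example (not part of the post or of dirsearch) flags such bursts in constructed Apache/nginx combined-format log lines; the window and thresholds are assumptions to tune per site:

```python
"""Flag directory brute-force bursts in web-server access logs (added example,
not part of the post or of dirsearch). Log lines are constructed; thresholds
are assumptions to tune per site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format. The user-agent is captured only to report
# it: --random-agent rotates it, so the source IP is the stable key.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "[^"]*" "(?P<ua>[^"]*)")?')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bursts(lines, window_s=60, min_requests=20, min_miss_ratio=0.8):
    """Return {ip: summary} for clients that, inside some window_s-second
    window, sent at least min_requests requests of which min_miss_ratio
    were 403/404. The largest qualifying window per client is reported."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            misses = sum(r["status"] in (403, 404) for r in win)
            if (len(win) >= min_requests and misses / len(win) >= min_miss_ratio
                    and len(win) > hits.get(ip, {}).get("requests", 0)):
                hits[ip] = {"requests": len(win), "misses": misses,
                            "distinct_paths": len({r["path"] for r in win}),
                            "user_agents": len({r["ua"] for r in win})}
    return hits


# Constructed sample: one client probing 24 guessed paths in 24 seconds
# (one of which exists), plus one ordinary visitor.
BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, ts, path, status, ua):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 196 "-" "{ua}"')


SAMPLE_LOG = [
    _line("203.0.113.7", BASE + timedelta(seconds=i), f"/guess{i}.php",
          200 if i == 5 else 404, f"scanner-ua-{i % 3}")
    for i in range(24)
] + [
    _line("198.51.100.5", BASE + timedelta(seconds=10 * i), p, 200, "Mozilla/5.0")
    for i, p in enumerate(["/", "/login", "/about"])
]

if __name__ == "__main__":
    for ip, summary in find_bursts(SAMPLE_LOG).items():
        print(ip, summary)
```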
 

Recursion:
python3 dirsearch.py -e php,html,js -u https://target -r
python3 dirsearch.py -e php,html,js -u https://target -r --max-recursion-depth 3 --recursion-status 200-399
python3 dirsearch.py -e php,html,js -u https://target -r --exclude-subdirs image/,media/,css/


Threads:
python3 dirsearch.py -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20

Prefixes / Suffixes:
python3 dirsearch.py -e php -u https://target --prefixes .,admin,_

Filters:
python3 dirsearch.py -e php,html,js -u https://target --exclude-sizes 1B,243KB
python3 dirsearch.py -e php,html,js -u https://target --exclude-texts "403 Forbidden"
python3 dirsearch.py -e php,html,js -u https://target --exclude-regex "^Error$"
python3 dirsearch.py -e php,html,js -u https://target --exclude-redirect "https://(.*).okta.com/*"
python3 dirsearch.py -e php,html,js -u https://target --exclude-response /error.html

Exclude extensions:
python3 dirsearch.py -u https://target -X jsp

Scan sub-directories:
python3 dirsearch.py -e php,html,js -u https://target --subdirs /,admin/,folder/

Proxies:
Dirsearch supports SOCKS and HTTP proxies, with two options: a single proxy server or a list of proxy servers.

python3 dirsearch.py -e php,html,js -u https://target --proxy 127.0.0.1:8080
python3 dirsearch.py -e php,html,js -u https://target --proxy socks5://10.10.0.1:8080
python3 dirsearch.py -e php,html,js -u https://target --proxy-file proxyservers.txt

Reports:
python3 dirsearch.py -e php -l URLs.txt --format plain -o report.txt
python3 dirsearch.py -e php -u https://target --format html -o target.json

More example commands:
cat urls.txt | python3 dirsearch.py --stdin

python3 dirsearch.py -u https://target --max-time 360
python3 dirsearch.py -u https://target --auth admin:pass --auth-type basic
python3 dirsearch.py -u https://target --header-file rate-limit-bypasses.txt
                                                                
 
It scans onion sites too.
 