Let Python automate your work!
When fuzzing a subdomain, you may find admin panels or even sensitive files. Say you find a .git directory during directory fuzzing: you can download the application's source code with the git-dumper tool (https://github.com/arthaud/git-dumper), and that source may contain credentials. Many articles about this issue are available online.
Before starting, we need to check whether the domain is alive, because sending a large number of requests to a dead domain is just a waste of time. Let's write a script to check this.
Code:
import requests
import urllib3

# The probe uses verify=False, so silence the per-request TLS warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def isdomainlive(domain):
    """Return a list of reachable base URLs (https and/or http) for the
    domain, or False if neither scheme answers within the timeout."""
    httpsUrl = "https://" + domain
    httpUrl = "http://" + domain
    urls = []
    # /robots.txt is small, so the probe costs little bandwidth.
    try:
        requests.get(httpsUrl + "/robots.txt", timeout=5, verify=False)
        urls.append(httpsUrl)
    except requests.RequestException:
        pass
    try:
        requests.get(httpUrl + "/robots.txt", timeout=5, verify=False)
        urls.append(httpUrl)
    except requests.RequestException:
        pass
    if urls:
        return urls
    else:
        return False
Save this code as a module file; the second script imports it as checkdomains, so name it checkdomains.py. It sends a request to both port 80 and port 443 to check the domain. We only request the robots.txt endpoint because other endpoints are usually much larger. The pass keyword does nothing in Python; it just fills the except block. The isdomainlive function returns a list of the domain's live URLs with their scheme, or False if neither scheme responds.
Code:
import requests
import wfuzz
import checkdomains

# Directory wordlist from the dirsearch repository (one entry per line).
wordlist = requests.get(
    'https://raw.githubusercontent.com/maurosoria/dirsearch/master/db/dicc.txt'
).text.split("\n")
payloads = wfuzz.get_payload(wordlist)

with open("bug-bounty-domains-2.txt", "r") as domains:
    for domain in domains.readlines():
        # One "<domain>_subdomains.txt" file per domain, one subdomain per line.
        with open(domain.rstrip("\n") + "_subdomains.txt", "r") as subdomains:
            for subdomain in subdomains.readlines():
                urls = checkdomains.isdomainlive(subdomain.rstrip("\n"))
                if not urls:
                    continue  # dead domain, skip to the next subdomain
                for url in urls:
                    print("Fuzzing - " + url)
                    try:
                        # Only report paths that answer with status 200.
                        fuzzer = payloads.fuzz(url=url + "/FUZZ", sc=[200])
                        for result in fuzzer:
                            print(result)
                    except Exception:
                        pass
Here we download the directory wordlist from the dirsearch repository and check whether each subdomain is live. If it is, fuzzing starts; otherwise the script moves on to the next subdomain. The whole process takes a while because of the number of domains and subdomains. If you want to run the script in the background, you can use screen.
Happy Hunting !!