webbreacher / tilde_enum
Takes a URL and checks the system for the tilde enum vuln and then finds the files.
License: Other
Introduce a -w param that inserts a "wait" time for x msec between requests
Make this go fast using multi-threads or multi-process
Take what the https://code.google.com/p/iis-shortname-scanner-poc/ does and implement it in Python.
Can't seem to get this tool to accept the wordlist I specified.
python2 tilde_enum.py -u 'https://www.sometarget.com' -d '/root/tools/fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-small-words-lowercase.txt'
[-] Testing with dummy file request https://www.sometarget.com/whVrHG1NsM.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 725
[-] Testing with user-submitted https://www.sometarget.com
[-] URLUser -> HTTP Code: 200, Response Length: 18159
[!] [Error] Can't read the wordlist file you entered.
tilde_enum.py --no-check-certificate -u https://sometarget -d ../fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-directories.txt -w ../fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-files.txt
[-] Testing with dummy file request https://sometarget/B9s35gaJQh.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 1245
[-] Testing with user-submitted https://sometarget
[-] URLUser -> HTTP Code: 200, Response Length: 4027
[+] The server is reporting that it is IIS (Microsoft-IIS/7.0).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[-] Finished doing the 8.3 enumeration for /.
[-] Now starting the word guessing using word list calls
Traceback (most recent call last):
File "tilde_enum.py", line 669, in <module>
if __name__ == "__main__": main()
File "tilde_enum.py", line 522, in main
performLookups(findings, url_good)
File "tilde_enum.py", line 375, in performLookups
test_response_length = url_response.headers['Content-Length']
File "/usr/lib/python2.7/rfc822.py", line 393, in __getitem__
return self.dict[name.lower()]
KeyError: 'content-length'
python2.7 tilde_enum.py -u "http://iis" -d raft-small-words-lowercase.txt
[-] Testing with dummy file request http://iis/z2iTM60Jt3.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 1899
[-] Testing with user-submitted http://iis
[-] URLUser -> HTTP Code: 200, Response Length: 12128
[!] [Error] Can't read the wordlist file you entered.
Currently the script just dies on us if the server cert can't be verified. You can fix this by creating a urllib2
context:
# Ignore SSL issues context
import ssl
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
and in getWebServerResponse:
response = urllib2.urlopen(req, context=ctx)
Surprisingly, still finding this script useful from time to time, but need support for self-signed certs :)
Hi,
got 200 code back error,
Server is vulnerable and this script working well https://github.com/irsdl/IIS-ShortName-Scanner....
Server vulnerable with HTTP method OPTIONS. Is it possible to choose an HTTP method using your code, or does it need to be reprogrammed?
Thanks
Right now, if you pass http://www.example.com/testing/ to the script it'll do the test of that full URL but it'll strip off the "dir" part when finding files. Fix dat!
For all responses, display content length
Have the script descend into subdirs instead of just doing root
Currently we only work on IIS5/6 servers. IIS7, according to the paper, uses response codes inside the body of the response instead of server header response codes.
for each file found in the 8.3 format, try a ~2 and ~3 in addition to the ~1 to see if there are multiple files there with the same root.
Will need to come up with a way of presenting this. Actually, does this matter since each of them would have the same "lookup" in the word list? So if we found 'parame1.htm' and 'parame2.htm' we'd look up in the word list PARAME and so both of the files could be found.
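The discussion above is about how the scanner drives the 8.3 lookup (a short stem, a "~1"/"~2"/"~3" suffix, and a 404 as the signal). The defender's view of the same traffic, as an added example that is not part of tilde_enum or the original issue: a small IIS W3C log parser that flags requests whose URI stem looks like a short-name probe and lists clients that sent several of them. The log excerpt, the field list and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (assumed, not from the page): one client
# probing tilde short names, mixed with ordinary traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-05-01 10:00:01 GET /default.asp 10.0.0.5 200
2014-05-01 10:00:02 GET /parame~1.htm 10.0.0.9 404
2014-05-01 10:00:02 OPTIONS /ac_run~1.js 10.0.0.9 404
2014-05-01 10:00:03 GET /afrore~1/.aspx 10.0.0.9 404
2014-05-01 10:00:04 GET /parame~2.htm 10.0.0.9 404
2014-05-01 10:00:05 GET /images/logo.png 10.0.0.5 200
2014-05-01 10:00:06 GET /report~1.htm 10.0.0.7 404
"""

# An 8.3 short-name segment: at most six characters, then "~" and a digit
# (the ~1/~2/~3 forms discussed above), optionally a three-character extension.
SHORTNAME_RE = re.compile(r"/[^/]{0,6}~[1-9](?:\.[^/]{0,3})?(?=/|$)")


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive as the keys."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_shortname_probes(text, threshold=3):
    """Return (probe_rows, flagged_ips): every request whose stem matches the
    short-name pattern, and the client IPs with at least `threshold` such
    requests answered 404 (the status the scanner keys on)."""
    probes = [r for r in parse_w3c(text) if SHORTNAME_RE.search(r["cs-uri-stem"])]
    per_ip = Counter(r["c-ip"] for r in probes if r["sc-status"] == "404")
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return probes, flagged


if __name__ == "__main__":
    rows, ips = find_shortname_probes(SAMPLE_LOG)
    for r in rows:
        print("%s %s %s %s" % (r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"]))
    print("clients over threshold:", ips)
```

Real IIS logs carry more fields than this excerpt; the parser keys on the #Fields line, so extra columns are handled as long as cs-uri-stem, c-ip and sc-status are logged.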
Running the following command I get the error below. I have tried multiple wordlists and get the same results.
./tilde_enum.py -u https://iis -w /usr/share/dirb/wordlists/vulns/iis.txt
[-] Testing with dummy file request https://iis/cl3qBgsLMr.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 5199
[-] Testing with user-submitted https://iis
[-] URLUser -> HTTP Code: 200, Response Length: 0
[+] The server is reporting that it is IIS (Microsoft-IIS/7.5).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[+] Found file: ac_run . js
[+] Found a directory: afrore
[+] Found a directory: alanfl
Traceback (most recent call last):
File "./tilde_enum.py", line 672, in <module>
if __name__ == "__main__": main()
File "./tilde_enum.py", line 515, in main
findings = checkEightDotThreeEnum(url.scheme + '://' + url.netloc, check_string, url.path)
File "./tilde_enum.py", line 317, in checkEightDotThreeEnum
fileOrDir(files, url, stub)
File "./tilde_enum.py", line 252, in fileOrDir
checkForDirectory(url+stub)
File "./tilde_enum.py", line 241, in checkForDirectory
if resp.code == 404:
AttributeError: 'URLError' object has no attribute 'code'
In final output note which files/dirs were and were not expanded.
When running the script with options -v -f -w /usr/share/golismero/wordlist/fuzzdb/Discovery/PredictableRes/raft-small-directories-lowercase.txt --no-check-certificate
I get the following:
[-] URLUser -> HTTP Code: 200, Response Length: 89616
[+] HTTP Response Codes: {'user_length': 89616, 'not_there_length': 46926, 'user_code': 200, 'not_there_code': 404}
[+] Opened wordlist /usr/share/golismero/wordlist/fuzzdb/Discovery/PredictableRes/raft-small-directories-lowercase.txt successfully
[+] The server is reporting that it is IIS (Microsoft-IIS/7.5).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[+] Found file: asp . a
[+] Found file: ind . a
[+] Found file: web . a
[-] Finished doing the 8.3 enumeration for /.
Files: {'/': ['asp.a', 'ind.a', 'web.a']}
Dirs: []
[-] Now starting the word guessing using word list calls
[-] File name (asp) too short to look up in word list. We will use it to bruteforce.
Traceback (most recent call last):
File "./tilde_enum.py", line 668, in <module>
if __name__ == "__main__": main()
File "./tilde_enum.py", line 521, in main
performLookups(findings, url_good)
File "./tilde_enum.py", line 339, in performLookups
filename_matches.append(filename)
UnboundLocalError: local variable 'filename_matches' referenced before assignment
Any assistance would be helpful.
Line 47 sets the chars variable to include the space character. However, the program does not URL encode the space before making a web request. As a result, the program issues invalid HTTP requests.
The space should be URL encoded before making the web request or removed from the list of characters to test
Right now, when we find a new dir we check http://url/dirname/. If the web server is not configured to display some default page there, we'll get a 404 (dir listings forbidden), which gives us a false negative.
This enhancement is to cycle through a list of default file names (iisstart.ht, default.asp, index.htm...) when checking if the dir is there or not.
Add the ability to send requests through a proxy (like Burp Suite Pro) for logging, inspection, tunneling, etc.
The following code is a quick way to add support for this feature:
import urllib2

parser.add_argument('-p', dest='proxy', default='', help='Use a proxy host:port')

if args.proxy:
    print bcolors.PURPLE + '[-] Using proxy for requests: ' + args.proxy
    proxy = urllib2.ProxyHandler({'http': args.proxy, 'https': args.proxy})
    opener = urllib2.build_opener(proxy)
    urllib2.install_opener(opener)
Hi. I contacted you on Twitter, here are the issues I'm having with the scanner...
I ran this scan on 3 different websites and received 3 different errors, one for each scan...
(1)
File "C:\Users\Me\Desktop\Downloads\tilde_enum-master (1)\tilde_enum-master\tilde_enum.py", line 255, in checkEightDotThreeEnum
if resp1.code == 404: # Got the first valid char
AttributeError: 'int' object has no attribute 'code'
(2)
File "C:\Users\Me\Desktop\Downloads\tilde_enum-master (1)\tilde_enum-master\tilde_enum.py", line 231, in checkForDirectory
if resp.code == 404:
AttributeError: 'URLError' object has no attribute 'code'
(3)
[Error] Can't read the wordlist file you entered.
Details: The word list I am using is the one recommended in the tilde_enum instructions (the ones from fuzzdb) I downloaded fuzzdb-1.09.tgz then copied the folders PredictableRes and FileNameBruteForce and placed them into my tilde_enum master file just to keep things organized.
The wordlists I used were: raft small-words.txt and raft medium-words.txt
I also ran the scan using the small-words and medium words text found in the original PredictableRes and FileNameBruteForce folders from the fuzzdb download directory to make sure the error wasn't a result of the files being screwed or something when I copied them to my tilde_enum folder...I received the same error
My system: I am running Windows 8.1 (rolls eyes)
Thanks for your help!!
Going inside protected dirs:
/AuthNeeded::$Index_Allocation/~1/.aspx
Or
/AuthNeeded:$I30:$Index_Allocation/~1/.aspx
I have been getting this error with the last couple of sites I have tried to scan.
Traceback (most recent call last):
File "../../Tools/tilde_enum-master/tilde_enum.py", line 669, in <module>
if __name__ == "__main__": main()
File "../../Tools/tilde_enum-master/tilde_enum.py", line 512, in main
findings = checkEightDotThreeEnum(url.scheme + '://' + url.netloc, check_string, url.path)
File "../../Tools/tilde_enum-master/tilde_enum.py", line 314, in checkEightDotThreeEnum
fileOrDir(files, url, stub)
File "../../Tools/tilde_enum-master/tilde_enum.py", line 245, in fileOrDir
filename = findExtension(url, stub)
File "../../Tools/tilde_enum-master/tilde_enum.py", line 203, in findExtension
if resp1a.code == 404: # Got the first valid char
AttributeError: 'int' object has no attribute 'code'