class Controller(object): def __init__(self, script_path, arguments, output): global VERSION program_banner = (open( FileUtils.build_path(script_path, "lib", "controller", "banner.txt")).read().format(**VERSION)) self.directories = Queue() self.script_path = script_path self.exit = False self.arguments = arguments self.output = output self.done_dirs = [] if arguments.raw_file: _raw = Raw(arguments.raw_file, arguments.scheme) self.url_list = [_raw.url()] self.httpmethod = _raw.method() self.data = _raw.data() self.headers = _raw.headers() else: default_headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept-Language": "*", "Accept-Encoding": "*", "Keep-Alive": "300", "Cache-Control": "max-age=0", } self.url_list = list( filter(None, dict.fromkeys(arguments.url_list))) self.httpmethod = arguments.httpmethod.lower() self.data = arguments.data self.headers = {**default_headers, **arguments.headers} if arguments.cookie: self.headers["Cookie"] = arguments.cookie if arguments.useragent: self.headers["User-Agent"] = arguments.useragent self.recursion_depth = arguments.recursion_depth if arguments.logs_location and self.validate_path( arguments.logs_location): self.logs_path = FileUtils.build_path(arguments.logs_location) elif self.validate_path(self.script_path): self.logs_path = FileUtils.build_path(self.script_path, "logs") if not FileUtils.exists(self.logs_path): FileUtils.create_directory(self.logs_path) if arguments.output_location and self.validate_path( arguments.output_location): self.save_path = FileUtils.build_path(arguments.output_location) elif self.validate_path(self.script_path): self.save_path = FileUtils.build_path(self.script_path, "reports") if not FileUtils.exists(self.save_path): FileUtils.create_directory(self.save_path) self.blacklists = self.get_blacklists() self.include_status_codes = arguments.include_status_codes self.exclude_status_codes = arguments.exclude_status_codes self.exclude_sizes = arguments.exclude_sizes self.exclude_texts = arguments.exclude_texts self.exclude_regexps = arguments.exclude_regexps self.exclude_redirects = arguments.exclude_redirects self.recursive = arguments.recursive self.deep_recursive = arguments.deep_recursive self.force_recursive = arguments.force_recursive self.recursion_status_codes = arguments.recursion_status_codes self.minimum_response_size = arguments.minimum_response_size self.maximum_response_size = arguments.maximum_response_size self.maxtime = arguments.maxtime self.scan_subdirs = arguments.scan_subdirs self.exclude_subdirs = arguments.exclude_subdirs self.dictionary = Dictionary( paths=arguments.wordlist, extensions=arguments.extensions, suffixes=arguments.suffixes, prefixes=arguments.prefixes, lowercase=arguments.lowercase, uppercase=arguments.uppercase, capitalization=arguments.capitalization, forced_extensions=arguments.force_extensions, exclude_extensions=arguments.exclude_extensions, no_extension=arguments.no_extension, only_selected=arguments.only_selected) self.all_jobs = len(self.scan_subdirs) if self.scan_subdirs else 1 self.current_job = 0 self.start_time = time.time() self.error_log = None self.error_log_path = None self.threads_lock = Lock() self.batch = False self.batch_session = None self.output.header(program_banner) self.print_config() if arguments.use_random_agents: self.random_agents = FileUtils.get_lines( FileUtils.build_path(script_path, "db", "user-agents.txt")) self.report_manager = EmptyReportManager() self.report = EmptyReport() if arguments.autosave_report or arguments.output_file: if len(self.url_list) > 1: self.setup_batch_reports() self.setup_reports() self.setup_error_logs() self.output.error_log_file(self.error_log_path) try: for url in self.url_list: try: gc.collect() url = url if url.endswith("/") else url + "/" self.output.set_target(url, self.arguments.scheme) try: self.requester = Requester( url, max_pool=arguments.threads_count, max_retries=arguments.max_retries, timeout=arguments.timeout, ip=arguments.ip, proxy=arguments.proxy, proxylist=arguments.proxylist, redirect=arguments.redirect, request_by_hostname=arguments.request_by_hostname, httpmethod=self.httpmethod, data=self.data, scheme=arguments.scheme, ) for key, value in self.headers.items(): self.requester.set_header(key, value) if arguments.auth: self.requester.set_auth(arguments.auth_type, arguments.auth) self.requester.request("") if arguments.autosave_report or arguments.output_file: self.report = Report(self.requester.host, self.requester.port, self.requester.protocol, self.requester.base_path) except RequestException as e: self.output.error(e.args[0]["message"]) raise SkipTargetInterrupt if arguments.use_random_agents: self.requester.set_random_agents(self.random_agents) # Initialize directories Queue with start Path self.base_path = self.requester.base_path self.status_skip = None for subdir in self.scan_subdirs: self.directories.put(subdir) else: self.directories.put("") match_callbacks = [self.match_callback] not_found_callbacks = [self.not_found_callback] error_callbacks = [ self.error_callback, self.append_error_log ] self.fuzzer = Fuzzer( self.requester, self.dictionary, suffixes=arguments.suffixes, prefixes=arguments.prefixes, exclude_content=arguments.exclude_content, threads=arguments.threads_count, delay=arguments.delay, maxrate=arguments.maxrate, match_callbacks=match_callbacks, not_found_callbacks=not_found_callbacks, error_callbacks=error_callbacks, ) try: self.prepare() except RequestException as e: self.output.error(e.args[0]["message"]) raise SkipTargetInterrupt except SkipTargetInterrupt: self.report.completed = True continue except KeyboardInterrupt: self.output.error("\nCanceled by the user") exit(0) finally: if not self.error_log.closed: self.error_log.close() self.output.warning("\nTask Completed") # Print dirsearch metadata (threads, HTTP method, ...) def print_config(self): self.output.config( ', '.join(self.arguments.extensions), ', '.join(self.arguments.prefixes), ', '.join(self.arguments.suffixes), str(self.arguments.threads_count), str(len(self.dictionary)), str(self.httpmethod), ) # Check if the runtime exceeded the maximum runtime set by user def is_timed_out(self): if self.maxtime and time.time() - self.start_time > self.maxtime: return True return False # Get ignore paths for status codes # TODO: Move this to /lib/core/dictionary.py def get_blacklists(self): reext = re.compile(r'\%ext\%', re.IGNORECASE) blacklists = {} for status in [400, 403, 500]: blacklist_file_name = FileUtils.build_path(self.script_path, "db") blacklist_file_name = FileUtils.build_path( blacklist_file_name, "{}_blacklist.txt".format(status)) if not FileUtils.can_read(blacklist_file_name): # Skip if cannot read file continue blacklists[status] = [] for line in FileUtils.get_lines(blacklist_file_name): # Skip comments if line.lstrip().startswith("#"): continue if line.startswith("/"): line = line[1:] # Classic dirsearch blacklist processing (with %EXT% keyword) if "%ext%" in line.lower(): for extension in self.arguments.extensions: entry = reext.sub(extension, line) blacklists[status].append(entry) # Forced extensions is not used here because -r is only used for wordlist, # applying in blacklist may create false negatives else: blacklists[status].append(line) return blacklists # Create error log file def setup_error_logs(self): file_name = "errors-{0}.log".format(time.strftime("%y-%m-%d_%H-%M-%S")) self.error_log_path = FileUtils.build_path(self.logs_path, file_name) try: self.error_log = open(self.error_log_path, "w") except PermissionError: self.output.error( "Couldn't create the error log. Try running again with highest permission" ) sys.exit(1) # Create batch report folder def setup_batch_reports(self): self.batch = True if not self.arguments.output_file: self.batch_session = "BATCH-{0}".format( time.strftime("%y-%m-%d_%H-%M-%S")) self.batch_directory_path = FileUtils.build_path( self.save_path, self.batch_session) if not FileUtils.exists(self.batch_directory_path): FileUtils.create_directory(self.batch_directory_path) if not FileUtils.exists(self.batch_directory_path): self.output.error( "Couldn't create batch folder at {}".format( self.batch_directory_path)) sys.exit(1) # Get file extension for report format def get_output_extension(self): if self.arguments.output_format and self.arguments.output_format not in [ "plain", "simple" ]: return ".{0}".format(self.arguments.output_format) else: return ".txt" # Create report file def setup_reports(self): if self.arguments.output_file: output_file = FileUtils.get_abs_path(self.arguments.output_file) self.output.output_file(output_file) else: if self.batch: file_name = "BATCH" file_name += self.get_output_extension() directory_path = self.batch_directory_path else: local_requester = Requester(self.url_list[0]) file_name = ("{}_".format( local_requester.base_path.replace(os.path.sep, ".")[:-1])) file_name += time.strftime("%y-%m-%d_%H-%M-%S") file_name += self.get_output_extension() directory_path = FileUtils.build_path(self.save_path, local_requester.host) output_file = FileUtils.build_path(directory_path, file_name) if FileUtils.exists(output_file): i = 2 while FileUtils.exists(output_file + "_" + str(i)): i += 1 output_file += "_" + str(i) if not FileUtils.exists(directory_path): FileUtils.create_directory(directory_path) if not FileUtils.exists(directory_path): self.output.error( "Couldn't create the reports folder at {}".format( directory_path)) sys.exit(1) self.output.output_file(output_file) if self.arguments.output_file and self.arguments.output_format: self.report_manager = ReportManager(self.arguments.output_format, self.arguments.output_file) elif self.arguments.output_format: self.report_manager = ReportManager(self.arguments.output_format, output_file) else: self.report_manager = ReportManager("plain", output_file) # Check if given path is valid (can read/write) def validate_path(self, path): if not FileUtils.exists(path): self.output.error("{} does not exist".format(path)) exit(1) if FileUtils.exists(path) and not FileUtils.is_dir(path): self.output.error( "{} is a file, should be a directory".format(path)) exit(1) if not FileUtils.can_write(path): self.output.error("Directory {} is not writable".format(path)) exit(1) return True # Validate the response by different filters def valid(self, path): if not path: return False if path.status in self.exclude_status_codes: return False if self.include_status_codes and path.status not in self.include_status_codes: return False if self.blacklists.get( path.status) and path.path in self.blacklists.get(path.status): return False if self.exclude_sizes and FileUtils.size_human(len( path.response.body)).strip() in self.exclude_sizes: return False if self.minimum_response_size and self.minimum_response_size > len( path.response.body): return False if self.maximum_response_size and self.maximum_response_size < len( path.response.body): return False for exclude_text in self.exclude_texts: if exclude_text in path.response.body.decode('iso8859-1'): return False for exclude_regexp in self.exclude_regexps: if (re.search(exclude_regexp, path.response.body.decode('iso8859-1')) is not None): return False for exclude_redirect in self.exclude_redirects: if path.response.redirect and ( (re.match(exclude_redirect, path.response.redirect) is not None) or (exclude_redirect in path.response.redirect)): return False return True # Callback for found paths def match_callback(self, path): self.index += 1 for status in self.arguments.skip_on_status: if path.status == status: self.status_skip = status return if not self.valid(path): del path return added_to_queue = False if (any([self.recursive, self.deep_recursive, self.force_recursive ])) and (not self.recursion_status_codes or path.status in self.recursion_status_codes): if path.response.redirect: added_to_queue = self.add_redirect_directory(path) else: added_to_queue = self.add_directory(path.path) self.output.status_report(path.path, path.response, self.arguments.full_url, added_to_queue) if self.arguments.replay_proxy: self.requester.request(path.path, proxy=self.arguments.replay_proxy) new_path = self.current_directory + path.path self.report.add_result(new_path, path.status, path.response) self.report_manager.update_report(self.report) del path # Callback for invalid paths def not_found_callback(self, path): self.index += 1 self.output.last_path(path, self.index, len(self.dictionary), self.current_job, self.all_jobs, self.fuzzer.rate) del path # Callback for errors while fuzzing def error_callback(self, path, error_msg): if self.arguments.exit_on_error: self.exit = True self.fuzzer.stop() self.output.error("\nCanceled due to an error") exit(1) else: self.output.add_connection_error() # Write error to log file def append_error_log(self, path, error_msg): with self.threads_lock: line = time.strftime("[%y-%m-%d %H:%M:%S] - ") line += self.requester.base_url + " - " + self.base_path + self.current_directory + path + " - " + error_msg self.error_log.write(os.linesep + line) self.error_log.flush() # Handle CTRL+C def handle_pause(self, message): self.output.warning(message) self.fuzzer.pause() # If one of the tasks is broken, don't let the user wait forever for i in range(300): if self.fuzzer.stopped == len(self.fuzzer.threads): break time.sleep(0.025) self.fuzzer.stopped = 0 while True: msg = "[q]uit / [c]ontinue" if not self.directories.empty(): msg += " / [n]ext" if len(self.url_list) > 1: msg += " / [s]kip target" self.output.in_line(msg + ": ") option = input() if option.lower() == "q": self.exit = True self.fuzzer.stop() self.output.error("\nCanceled by the user") self.report_manager.update_report(self.report) exit(0) elif option.lower() == "c": self.fuzzer.resume() return elif option.lower() == "n" and not self.directories.empty(): self.fuzzer.stop() return elif option.lower() == "s" and len(self.url_list) > 1: self.output.new_line() raise SkipTargetInterrupt # Monitor the fuzzing process def process_paths(self): while True: try: while not self.fuzzer.wait(0.25): # Check if the "skip status code" was returned if self.status_skip: self.fuzzer.pause() time.sleep(1.5) self.output.error( "\nSkipped the target due to {0} status code". format(self.status_skip)) raise SkipTargetInterrupt elif self.is_timed_out(): self.output.error( "\nCanceled because the runtime exceeded the maximal set by user" ) exit(0) break except KeyboardInterrupt: self.handle_pause( "CTRL+C detected: Pausing threads, please wait...") # Preparation between subdirectory scans def prepare(self): while not self.directories.empty(): gc.collect() self.current_job += 1 self.index = 0 self.current_directory = self.directories.get() self.output.warning("[{1}] Starting: {0}".format( self.current_directory, time.strftime("%H:%M:%S"))) self.fuzzer.requester.base_path = self.output.base_path = self.base_path + self.current_directory self.fuzzer.start() self.process_paths() self.report.completed = True self.report_manager.update_report(self.report) self.report = None return # Add directory to the recursion queue def add_directory(self, path): added = False path = path.split("?")[0].split("#")[0] if any( [path.startswith(directory) for directory in self.exclude_subdirs]): return False full_path = self.current_directory + path dirs = [] if self.deep_recursive: for i in range(1, path.count("/") + 1): dir = full_path.replace(path, "") + "/".join( path.split("/")[:i]) dirs.append(dir.rstrip("/") + "/") if self.force_recursive: if not full_path.endswith("/"): full_path += "/" dirs.append(full_path) elif self.recursive and full_path.endswith("/"): dirs.append(full_path) for dir in dirs: if dir in self.scan_subdirs: continue elif dir in self.done_dirs: continue elif self.recursion_depth and dir.count( "/") > self.recursion_depth: continue self.directories.put(dir) self.done_dirs.append(dir) self.all_jobs += 1 added = True return added # Add port to the URL def add_port(self, url): chunks = url.split("/") if ":" not in chunks[2]: chunks[2] += (":80" if chunks[0] == "http:" else ":443") url = "/".join(chunks) return url # Resolve the redirect and add the path to the recursion queue # if it's a subdirectory of the current URL def add_redirect_directory(self, path): base_url = self.requester.base_url + self.base_path + self.current_directory + path.path redirect_url = urljoin(self.requester.base_url, path.response.redirect) redirect_url = self.add_port(redirect_url) if redirect_url.startswith(base_url + "/"): path = redirect_url[len(self.requester.base_url + self.base_path + self.current_directory):] return self.add_directory(path) return False