Skip to content

Instantly share code, notes, and snippets.

@jthack
Created September 22, 2022 18:11
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save jthack/ba2c5a1061a913a5c698b9e2b152a362 to your computer and use it in GitHub Desktop.
Info disclosure scanner
# Before the first run, read the comments and change the script for your company
# Before anything, install ffuf with `go install github.com/ffuf/ffuf@latest`
# Change the WEBROOT variable below to the location of the webroot
WEBROOT=/var/www/html/CHANGE/ME
# This changes to the webroot directory
cd $WEBROOT
# This makes a directory for storing the files used for this script. Change it to be whatever path you want.
PROJPATH=/home/changeme/project
mkdir -p $PROJPATH
# This finds all the files and writes their paths to the file
find . -name "*" -print | cut -d/ -f2- > $PROJPATH/all_files.txt
# Change to projpath director
cd $PROJPATH
# This fuzzes for all the files and matches 200 response code and saves output in the file. You can use ffuf's other nice outputs if desired but it will break the rest of the script.
ffuf -c -u https://example.com/FUZZ -w all_files.txt -mc 200 -ac -o output.csv
# The first run of this will put all exposed paths into the file. After that, only newly exposed files will be output.
cat output.csv | cut -d, -f2 | anew all_exposed_paths.txt
# You can now review all_exposed_pathss.txt or output.csv or to make sure nothing is exposed that shouldn't be.
# Alternatively (what I recommend) is to pipe the output of the previous command into a slack or discord hook. If you do that, comment out the last line and use this one. Here's my tool I use to send messages to slack (it's 3 lines of code): https://github.com/jthack/toslack
cat output.csv | cut -d, -f2 | anew all_exposed_paths.txt | to_slack
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment