Lesson 29: Discovering Sensitive Directories of the Target Web Application, Part 1
DIRB official site: http://dirb.sourceforge.net/

Overview (quoted from the official site):

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analizing the response.

Introduction:

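DIRB is a command-line tool that brute-forces a target's web paths and sensitive files from a wordlist. It supports a custom User-Agent, cookies, ignoring a specified response code, scanning through a proxy, a custom millisecond delay, scanning with a client certificate loaded, and more. It is an excellent all-round directory scanner. Kali also ships with dirb built in.

Attacking machine: 192.168.1.104 (Debian). Target: 192.168.1.102 (Windows 2003, IIS).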

Basic brute force:

```
[email protected]:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Feb 17 23:26:52 2019
URL_BASE: http://192.168.1.102/
WORDLIST_FILES: ./ASPX.txt

-----------------

GENERATED WORDS: 822

---- Scanning URL: http://192.168.1.102/ ----
+ http://192.168.1.102//Index.aspx (CODE:200|SIZE:2749)
+ http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203)

-----------------
END_TIME: Sun Feb 17 23:26:56 2019
DOWNLOADED: 822 - FOUND: 2
```

Loading multiple wordlists:

```
[email protected]:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt,./DIR.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Feb 17 23:31:02 2019
URL_BASE: http://192.168.1.102/
WORDLIST_FILES: ./ASPX.txt,./DIR.txt

-----------------

GENERATED WORDS: 1975

---- Scanning URL: http://192.168.1.102/ ----
+ http://192.168.1.102//Index.aspx (CODE:200|SIZE:2749)
+ http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203)
+ http://192.168.1.102//bbs (CODE:301|SIZE:148)
+ http://192.168.1.102//manage (CODE:301|SIZE:151)
+ http://192.168.1.102//manage/ (CODE:302|SIZE:203)
+ http://192.168.1.102//kindeditor/ (CODE:403|SIZE:218)
+ http://192.168.1.102//robots.txt (CODE:200|SIZE:214)
+ http://192.168.1.102//Web.config (CODE:302|SIZE:130)
+ http://192.168.1.102//files (CODE:301|SIZE:150)
+ http://192.168.1.102//install (CODE:301|SIZE:152)

(!) FATAL: Too many errors connecting to host
(Possible cause: EMPTY REPLY FROM SERVER)

-----------------
END_TIME: Sun Feb 17 23:31:06 2019
DOWNLOADED: 1495 - FOUND: 10
```

Custom User-Agent:

```
[email protected]:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt -a "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Feb 17 23:34:51 2019
URL_BASE: http://192.168.1.102/
WORDLIST_FILES: ./ASPX.txt
USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

-----------------

GENERATED WORDS: 822

---- Scanning URL: http://192.168.1.102/ ----
+ http://192.168.1.102//Index.aspx (CODE:200|SIZE:2735)
+ http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203)

-----------------
END_TIME: Sun Feb 17 23:34:54 2019
DOWNLOADED: 822 - FOUND: 2
```

Custom cookie:

```
[email protected]:~/wordlist/small# dirb http://192.168.1.102/Manage ./DIR.txt -a "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" -c "ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45"

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Feb 17 23:53:08 2019
URL_BASE: http://192.168.1.102/Manage/
WORDLIST_FILES: ./DIR.txt
USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
COOKIE: ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45

-----------------

GENERATED WORDS: 1153

---- Scanning URL: http://192.168.1.102/Manage/ ----
+ http://192.168.1.102/Manage//include/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//news/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//include (CODE:301|SIZE:159)
+ http://192.168.1.102/Manage//images/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//sys/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//images (CODE:301|SIZE:158)

(!) FATAL: Too many errors connecting to host
(Possible cause: EMPTY REPLY FROM SERVER)

-----------------
END_TIME: Sun Feb 17 23:53:10 2019
DOWNLOADED: 673 - FOUND: 6
```

Custom millisecond delay:

```
[email protected]:~/wordlist/small# dirb http://192.168.1.102/Manage ./DIR.txt -a "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" -c "ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45" -z 100

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Feb 17 23:54:29 2019
URL_BASE: http://192.168.1.102/Manage/
WORDLIST_FILES: ./DIR.txt
USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
COOKIE: ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45
SPEED_DELAY: 100 milliseconds

-----------------

GENERATED WORDS: 1153

---- Scanning URL: http://192.168.1.102/Manage/ ----
+ http://192.168.1.102/Manage//include/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//news/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//include (CODE:301|SIZE:159)
+ http://192.168.1.102/Manage//images/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//sys/ (CODE:403|SIZE:218)
+ http://192.168.1.102/Manage//images (CODE:301|SIZE:158)

(!) FATAL: Too many errors connecting to host
(Possible cause: EMPTY REPLY FROM SERVER)

-----------------
END_TIME: Sun Feb 17 23:55:50 2019
DOWNLOADED: 673 - FOUND: 6
```
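
The User-Agent and the request pacing in the runs above are both chosen by the scanning client, so on the server side this kind of enumeration is better recognised by the share of failed lookups across many distinct paths. The following is an added example, not part of the original lesson: it parses IIS W3C-style log lines and flags such clients. The field subset, thresholds, function names and the sample log (including the 192.168.1.50 client) are constructed assumptions.

```python
from collections import defaultdict

# Assumed field subset; real IIS logs declare theirs in a "#Fields:" header line.
FIELDS = "date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)".split()

def parse_w3c(lines):
    """Yield one dict per request line, honouring any #Fields: directive."""
    fields = FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def flag_enumeration(lines, min_paths=20, min_miss_ratio=0.8):
    """Return {client_ip: stats} for clients that request many distinct paths
    and get mostly 404s. User-Agent and request rate are deliberately ignored.
    """
    paths, agents = defaultdict(set), defaultdict(set)
    total, misses = defaultdict(int), defaultdict(int)
    for r in parse_w3c(lines):
        ip = r["c-ip"]
        total[ip] += 1
        misses[ip] += int(r["sc-status"] == "404")
        paths[ip].add(r["cs-uri-stem"].lower())  # IIS paths are case-insensitive
        agents[ip].add(r["cs(User-Agent)"])
    flagged = {}
    for ip in total:
        ratio = misses[ip] / total[ip]
        if len(paths[ip]) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = {"requests": total[ip], "distinct_paths": len(paths[ip]),
                           "miss_ratio": round(ratio, 2), "agents": sorted(agents[ip])}
    return flagged

def sample_log():
    """Constructed sample: a slow scanner claiming to be Googlebot, plus a normal user."""
    ua = "Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html)"
    log = ["#Fields: " + " ".join(FIELDS)]
    for i in range(60):  # one request every 2 s, too slow for a simple rate limit
        status = "200" if i % 30 == 0 else "404"
        log.append(f"2019-02-17 23:{54 + i // 30:02d}:{(i * 2) % 60:02d} 192.168.1.104 GET /word{i}.aspx {status} {ua}")
    for i in range(30):
        log.append(f"2019-02-17 23:56:{i:02d} 192.168.1.50 GET /Index.aspx 200 Mozilla/5.0+(Windows)")
    return log
```

The `agents` field is kept in the result so that a claimed crawler identity can be checked separately, for example by reverse DNS on the client address.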

More interesting features:

```
DIRB v2.22
By The Dark Raver
-----------------

dirb <url_base> [<wordlist_file(s)>] [options]

========================= NOTES =========================
<url_base> : Base URL to scan. (Use -resume for session resuming)
<wordlist_file(s)> : List of wordfiles. (wordfile1,wordfile2,wordfile3...)

======================== HOTKEYS ========================
'n'> Go to next directory.
'q'> Stop scan. (Saving state for resume)
'r'> Remaining scan stats.

======================== OPTIONS ========================
-a <agent_string> : Specify your custom USER_AGENT.
-b : Use path as is.
-c <cookie_string> : Set a cookie for the HTTP request.
-E <certificate> : path to the client certificate.
-f : Fine tunning of NOT_FOUND (404) detection.
-H <header_string> : Add a custom header to the HTTP request.
-i : Use case-insensitive search.
-l : Print "Location" header when found.
-N <nf_code>: Ignore responses with this HTTP code.
-o <output_file> : Save output to disk.
-p <proxy[:port]> : Use this proxy. (Default port is 1080)
-P <proxy_username:proxy_password> : Proxy Authentication.
-r : Don't search recursively.
-R : Interactive recursion. (Asks for each directory)
-S : Silent Mode. Don't show tested words. (For dumb terminals)
-t : Don't force an ending '/' on URLs.
-u <username:password> : HTTP Authentication.
-v : Show also NOT_FOUND pages.
-w : Don't stop on WARNING messages.
-X <extensions> / -x <exts_file> : Append each word with this extensions.
-z <millisecs> : Add a milliseconds delay to not cause excessive Flood.

======================== EXAMPLES =======================
dirb http://url/directory/ (Simple Test)
dirb http://url/ -X .html (Test files with '.html' extension)
dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test with apache.txt wordlist)
dirb https://secure_url/ (Simple Test with SSL)
```
Micropoor
Last modified 2yr ago