# 第二十九课:发现目标WEB程序敏感目录第一季 DIRB官方地址: ## 简介(摘自官方原文): > DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analizing the response. ## 介绍: DIRB是一个基于命令行的工具,依据字典来爆破目标Web路径以及敏感文件,它支持自定义UA,cookie,忽略指定响应吗,支持代理扫描,自定义毫秒延迟,证书加载扫描等。是一款非常优秀的全方位的目录扫描工具。同样Kaili内置了dirb。 **攻击机:**\ 192.168.1.104 Debian\ **靶机:**\ 192.168.1.102 Windows 2003 IIS ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJx7qRIQYrb2CJD5jI%2Fc3fcc5b823e0595a4cfc3182450ede90.jpg?generation=1551066097515042\&alt=media) ## 普通爆破: ```bash root@John:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ DIRB v2.22 By The Dark Raver ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ START_TIME: Sun Feb 17 23:26:52 2019 URL_BASE: http://192.168.1.102/ WORDLIST_FILES: ./ASPX.txt ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ GENERATED WORDS: 822 ‐‐‐‐ Scanning URL: http://192.168.1.102/ ‐‐‐‐ + http://192.168.1.102//Index.aspx (CODE:200|SIZE:2749) + http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203) ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ END_TIME: Sun Feb 17 23:26:56 2019 DOWNLOADED: 822 ‐ FOUND: 2 ``` ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJx7qY9ZGP6AmtFdu5%2Fdb482720c37469309590eccaa2eebb95.jpg?generation=1551066099543844\&alt=media) ## 多字典挂载: ```bash root@John:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt,./DIR.txt ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ DIRB v2.22 By The Dark Raver ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ START_TIME: Sun Feb 17 23:31:02 2019 URL_BASE: http://192.168.1.102/ WORDLIST_FILES: ./ASPX.txt,./DIR.txt ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ GENERATED WORDS: 1975 ‐‐‐‐ Scanning URL: http://192.168.1.102/ ‐‐‐‐ + http://192.168.1.102//Index.aspx (CODE:200|SIZE:2749) + http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203) + http://192.168.1.102//bbs (CODE:301|SIZE:148) + http://192.168.1.102//manage (CODE:301|SIZE:151) + http://192.168.1.102//manage/ (CODE:302|SIZE:203) + http://192.168.1.102//kindeditor/ (CODE:403|SIZE:218) + http://192.168.1.102//robots.txt (CODE:200|SIZE:214) + http://192.168.1.102//Web.config (CODE:302|SIZE:130) + http://192.168.1.102//files (CODE:301|SIZE:150) + http://192.168.1.102//install (CODE:301|SIZE:152) (!) FATAL: Too many errors connecting to host (Possible cause: EMPTY REPLY FROM SERVER) ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ END_TIME: Sun Feb 17 23:31:06 2019 DOWNLOADED: 1495 ‐ FOUND: 10 ``` ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJx7qccJklAx_fMrDo%2F544ad274590fbcca704dd16b8186fb39.jpg?generation=1551066073829525\&alt=media) ## 自定义UA: ```bash root@John:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt ‐a "M ozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ DIRB v2.22 By The Dark Raver ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ START_TIME: Sun Feb 17 23:34:51 2019 URL_BASE: http://192.168.1.102/ WORDLIST_FILES: ./ASPX.txt USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ GENERATED WORDS: 822 ‐‐‐‐ Scanning URL: http://192.168.1.102/ ‐‐‐‐ + http://192.168.1.102//Index.aspx (CODE:200|SIZE:2735) + http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203) ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ END_TIME: Sun Feb 17 23:34:54 2019 DOWNLOADED: 822 ‐ FOUND: 2 ``` ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJx7qgJ3rR__z-q-_U%2F3d67b8846183b7172757f29b6420349f.jpg?generation=1551066085580051\&alt=media) ## 自定义cookie: ```bash root@John:~/wordlist/small# dirb http://192.168.1.102/Manage ./DIR.txt ‐a "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.ht ml)" ‐c "ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45" ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ DIRB v2.22 By The Dark Raver ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ START_TIME: Sun Feb 17 23:53:08 2019 URL_BASE: http://192.168.1.102/Manage/ WORDLIST_FILES: ./DIR.txt USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.googl e.com/bot.html) COOKIE: ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45 ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ GENERATED WORDS: 1153 ‐‐‐‐ Scanning URL: http://192.168.1.102/Manage/ ‐‐‐‐ + http://192.168.1.102/Manage//include/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//news/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//include (CODE:301|SIZE:159) + http://192.168.1.102/Manage//images/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//sys/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//images (CODE:301|SIZE:158) (!) FATAL: Too many errors connecting to host (Possible cause: EMPTY REPLY FROM SERVER) ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ END_TIME: Sun Feb 17 23:53:10 2019 DOWNLOADED: 673 ‐ FOUND: 6 ``` ## 自定义毫秒延迟: ```bash root@John:~/wordlist/small# dirb http://192.168.1.102/Manage ./DIR.txt ‐a "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.ht ml)" ‐c "ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45" ‐z 100 ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ DIRB v2.22 By The Dark Raver ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ START_TIME: Sun Feb 17 23:54:29 2019 URL_BASE: http://192.168.1.102/Manage/ WORDLIST_FILES: ./DIR.txt USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.googl e.com/bot.html) COOKIE: ASP.NET_SessionId=jennqviqmc2vws55o4ggwu45 SPEED_DELAY: 100 milliseconds ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ GENERATED WORDS: 1153 ‐‐‐‐ Scanning URL: http://192.168.1.102/Manage/ ‐‐‐‐ + http://192.168.1.102/Manage//include/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//news/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//include (CODE:301|SIZE:159) + http://192.168.1.102/Manage//images/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//sys/ (CODE:403|SIZE:218) + http://192.168.1.102/Manage//images (CODE:301|SIZE:158) (!) FATAL: Too many errors connecting to host (Possible cause: EMPTY REPLY FROM SERVER) ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ END_TIME: Sun Feb 17 23:55:50 2019 DOWNLOADED: 673 ‐ FOUND: 6 ``` ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJx7qoMAoQegv6WKmo%2F5c184a09832f6e4b1d2df8b80c2b7c1f.jpg?generation=1551066063907786\&alt=media) ## 其他更多有趣的功能: ```bash DIRB v2.22 By The Dark Raver ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ dirb [] [options] ========================= NOTES ========================= : Base URL to scan. (Use ‐resume for session resuming) : List of wordfiles. (wordfile1,wordfile2,wordfile3...) ======================== HOTKEYS ======================== 'n' ‐> Go to next directory. 'q' ‐> Stop scan. (Saving state for resume) 'r' ‐> Remaining scan stats. ======================== OPTIONS ======================== ‐a : Specify your custom USER_AGENT. ‐b : Use path as is. ‐c : Set a cookie for the HTTP request. ‐E : path to the client certificate. ‐f : Fine tunning of NOT_FOUND (404) detection. ‐H : Add a custom header to the HTTP request. ‐i : Use case‐insensitive search. ‐l : Print "Location" header when found. ‐N : Ignore responses with this HTTP code. ‐o : Save output to disk. ‐p : Use this proxy. (Default port is 1080) ‐P : Proxy Authentication. ‐r : Don't search recursively. ‐R : Interactive recursion. (Asks for each directory) ‐S : Silent Mode. Don't show tested words. (For dumb terminals) ‐t : Don't force an ending '/' on URLs. ‐u : HTTP Authentication. ‐v : Show also NOT_FOUND pages. ‐w : Don't stop on WARNING messages. ‐X / ‐x : Append each word with this extensions. ‐z : Add a milliseconds delay to not cause excessive Flood. ======================== EXAMPLES ======================= dirb http://url/directory/ (Simple Test) dirb http://url/ ‐X .html (Test files with '.html' extension) dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test wit hapache.txt wordlist) dirb https://secure_url/ (Simple Test with SSL) ``` ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJx7qsxEs9H9s5QNgV%2F41381c9747125487e30cbbdc3acd039f.jpg?generation=1551066076961390\&alt=media) > Micropoor