pathbuster 0.4.7

A path-normalization pentesting tool.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298

use std::{error::Error, process::exit, time::Duration};

use colored::Colorize;
use differ::{Differ, Tag};
use governor::{Quota, RateLimiter};
use indicatif::ProgressBar;
use itertools::iproduct;
use reqwest::{redirect, Proxy};
use tokio::{fs::File, io::AsyncWriteExt, sync::mpsc};

use crate::utils;

// the BruteResult struct which will be used as jobs
// to save the data to a file
#[derive(Clone, Debug)]
pub struct BruteResult {
    pub data: String,
}

// the Job struct which will be used as jobs for directory bruteforcing
#[derive(Clone, Debug)]
pub struct BruteJob {
    pub url: Option<String>,
    pub word: Option<String>,
}

// this asynchronous function will send the results to another set of workers
// for each worker to perform a directory brute force operation on each url.
pub async fn send_word_to_url(
    mut tx: spmc::Sender<BruteJob>,
    urls: Vec<String>,
    wordlists: Vec<String>,
    rate: u32,
) -> Result<(), Box<dyn Error + Send + Sync + 'static>> {
    //set rate limit
    let lim = RateLimiter::direct(Quota::per_second(std::num::NonZeroU32::new(rate).unwrap()));

    // start the scan
    for (word, url) in iproduct!(wordlists, urls) {
        let url_cp = url.clone();
        let msg = BruteJob {
            url: Some(url_cp),
            word: Some(word.clone()),
        };
        if let Err(_) = tx.send(msg) {
            continue;
        }
        lim.until_ready().await;
    }
    Ok(())
}

// runs the directory bruteforcer on the job
pub async fn run_bruteforcer(
    pb: ProgressBar,
    rx: spmc::Receiver<BruteJob>,
    tx: mpsc::Sender<BruteResult>,
    timeout: usize,
    http_proxy: String,
) -> BruteResult {
    let mut headers = reqwest::header::HeaderMap::new();
    headers.insert(
        reqwest::header::USER_AGENT,
        reqwest::header::HeaderValue::from_static(
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0",
        ),
    );

    let client;
    if http_proxy.is_empty() {
        //no certs
        client = reqwest::Client::builder()
            .default_headers(headers)
            .redirect(redirect::Policy::none())
            .timeout(Duration::from_secs(timeout.try_into().unwrap()))
            .danger_accept_invalid_hostnames(true)
            .danger_accept_invalid_certs(true)
            .build()
            .unwrap();
    } else {
        let proxy = match Proxy::all(http_proxy) {
            Ok(proxy) => proxy,
            Err(e) => {
                pb.println(format!("Could not setup proxy, err: {:?}", e));
                exit(1);
            }
        };
        //no certs
        client = reqwest::Client::builder()
            .default_headers(headers)
            .redirect(redirect::Policy::none())
            .timeout(Duration::from_secs(timeout.try_into().unwrap()))
            .danger_accept_invalid_hostnames(true)
            .danger_accept_invalid_certs(true)
            .proxy(proxy)
            .build()
            .unwrap();
    }

    while let Ok(job) = rx.recv() {
        let job_url = job.url.unwrap();
        let job_word = job.word.unwrap();
        let job_url_new = job_url.clone();

        let mut web_root_url: String = String::from("");
        let mut internal_web_root_url: String = String::from(job_url);
        let url = match reqwest::Url::parse(&job_url_new) {
            Ok(url) => url,
            Err(_) => {
                continue;
            }
        };

        pb.inc(1);

        let schema = url.scheme().to_string();
        let host = match url.host_str() {
            Some(host) => host,
            None => continue,
        };

        web_root_url.push_str(&schema);
        web_root_url.push_str("://");
        web_root_url.push_str(&host);
        web_root_url.push_str("/");
        web_root_url.push_str(&job_word);

        internal_web_root_url.push_str(&job_word);
        let internal_url = internal_web_root_url.clone();
        let internal_web_url = internal_url.clone();

        if pb.eta().as_secs_f32() >= 60.0 {
            if (pb.eta().as_secs_f32() / 60.0) >= 60.0 {
                pb.set_message(format!(
                    "eta: {}h {} {}",
                    ((pb.eta().as_secs_f32() / 60.0) / 60.0).round().to_string(),
                    "directory bruteforcing ::".bold().white(),
                    internal_url.bold().blue(),
                ));
            } else {
                pb.set_message(format!(
                    "eta: {}m {} {}",
                    (pb.eta().as_secs_f32() / 60.0).round().to_string(),
                    "directory bruteforcing ::".bold().white(),
                    internal_url.bold().blue(),
                ));
            }
        } else {
            pb.set_message(format!(
                " eta: {}s {} {}",
                (pb.eta().as_secs_f32()).round().to_string(),
                "directory bruteforcing ::".bold().white(),
                internal_url.bold().blue(),
            ));
        }

        let get = client.get(internal_web_url);
        let internal_get = client.get(internal_web_root_url);
        let public_get = client.get(web_root_url);

        let public_req = match public_get.build() {
            Ok(req) => req,
            Err(_) => {
                continue;
            }
        };

        let internal_req = match internal_get.build() {
            Ok(req) => req,
            Err(_) => {
                continue;
            }
        };

        let public_resp = match client.execute(public_req).await {
            Ok(public_resp) => public_resp,
            Err(_) => {
                continue;
            }
        };

        let internal_resp = match client.execute(internal_req).await {
            Ok(internal_resp) => internal_resp,
            Err(_) => {
                continue;
            }
        };

        let public_resp_text = match public_resp.text().await {
            Ok(public_cl) => public_cl,
            Err(_) => continue,
        };

        let internal_resp_text = match internal_resp.text().await {
            Ok(internal_cl) => internal_cl,
            Err(_) => continue,
        };

        let req = match get.build() {
            Ok(req) => req,
            Err(_) => {
                continue;
            }
        };

        let resp = match client.execute(req).await {
            Ok(resp) => resp,
            Err(_) => {
                continue;
            }
        };

        let (ok, distance_between_responses) =
            utils::get_response_change(&internal_resp_text, &public_resp_text);
        if ok && resp.status().as_str() != "404" && resp.status().as_str() != "400" {
            let internal_resp_text_lines = internal_resp_text.lines().collect::<Vec<_>>();
            let public_resp_text_lines = public_resp_text.lines().collect::<Vec<_>>();
            let character_differences =
                Differ::new(&internal_resp_text_lines, &public_resp_text_lines);

            if character_differences.spans().len() > 0 {
                pb.println(format!(
                    "\n{}{}{} {}",
                    "(".bold().white(),
                    "*".bold().blue(),
                    ")".bold().white(),
                    "found some response changes:".bold().green(),
                ));
                for span in character_differences.spans() {
                    match span.tag {
                        Tag::Equal => (),  // ignore
                        Tag::Insert => (), // ignore
                        Tag::Delete => (), // ignore
                        Tag::Replace => {
                            if span.b_end < internal_resp_text_lines.len() {
                                for line in &internal_resp_text_lines[span.b_start..span.b_end] {
                                    if line.to_string() == "" {
                                        pb.println(format!("\n{}", line.bold().white(),));
                                    } else {
                                        pb.println(format!("{}", line.bold().white(),));
                                    }
                                }
                            } else {
                                for line in &internal_resp_text_lines[span.a_start..span.a_end] {
                                    if line.to_string() == "" {
                                        pb.println(format!("\n{}", line.bold().white(),));
                                    } else {
                                        pb.println(format!("{}", line.bold().white(),));
                                    }
                                }
                            }
                        }
                    }
                }
            }
            pb.println(format!("\n"));
            pb.println(format!(
                "{} {}{}{} {} {}",
                "found something interesting".bold().green(),
                "(".bold().white(),
                distance_between_responses.to_string().bold().white(),
                ")".bold().white(),
                "deviations from webroot ::".bold().white(),
                internal_url.bold().blue(),
            ));
            pb.inc_length(1);

            // send the result message through the channel to the workers.
            let result_msg = BruteResult {
                data: internal_url.to_owned(),
            };
            let result = result_msg.clone();
            if let Err(_) = tx.send(result_msg).await {
                continue;
            }

            return result;
        }
    }
    return BruteResult {
        data: "".to_string(),
    };
}

// Saves the output to a file
pub async fn save_discoveries(
    _: ProgressBar,
    mut outfile: File,
    mut brx: mpsc::Receiver<BruteResult>,
) {
    while let Some(result) = brx.recv().await {
        let mut outbuf = result.data.as_bytes().to_owned();
        outbuf.extend_from_slice(b"\n");
        if let Err(_) = outfile.write(&outbuf).await {
            continue;
        }
    }
}