本文最后更新于 420 天前,其中的信息可能已经有所发展或是发生改变。
:::info
💘渗透全流程:
信息👣收集 – 漏洞发现 – 漏洞利用 – 权限提升 – 隧道搭建 – 内网渗透 – 横向移动 – 后渗透
:::
目录扫描
思路分析:
完整的 URL,由域名、目录、文件名组成
实现步骤:
- 指定域名
- 整理目录字典,例:按照后缀名整理将字典分类。遍历目录&文件名
- 识别返回包:不要只认 200,301/302/401/403 通常也说明路径存在;同时关闭自动跟随重定向,否则目标把所有未知路径统一跳转到首页时,字典里的每一条都会变成 200 误报
V1.0
基本功能实现
#!/usr/bin/env python3
'''
1. 打开 dirpath 字典
2. 构造完整 url,发起请求
优化:多线程
'''
from multiprocessing import Queue
from collections.abc import Callable, Iterator, Mapping
import requests
import threading
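class DirScan(threading.Thread):
    """Worker thread: drain a queue of candidate URLs and report which ones exist.

    Args:
        queue: queue of fully-built URLs shared by all workers. Any object whose
            ``get_nowait()`` raises ``queue.Empty`` when drained works
            (``queue.Queue`` or ``multiprocessing.Queue``).

    Output is printed, one line per URL: ``[*]`` for 200, ``[+]`` for a status
    that usually means the path exists (redirect, auth required, forbidden),
    ``[-]`` for a miss or a request error.
    """

    # Per-request timeout in seconds. The original had none, so one
    # black-holed host would hang a worker forever.
    TIMEOUT = 5
    # Status codes that usually mean the path exists even though it is not
    # served directly: redirects and auth-protected / forbidden directories.
    INTERESTING = frozenset({301, 302, 307, 308, 401, 403})

    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue

    @classmethod
    def label(cls, status):
        """Map an HTTP status to a result marker: '*' hit, '+' likely exists, '-' miss."""
        if status == 200:
            return '*'
        return '+' if status in cls.INTERESTING else '-'

    def run(self):
        # Workers compete for one queue. get_nowait() replaces the original
        # empty()+get() pair, which let two threads see a single item and the
        # loser block on get() indefinitely.
        from queue import Empty
        while True:
            try:
                url = self.queue.get_nowait()
            except Empty:
                return
            try:
                # allow_redirects=False: sites that redirect every unknown
                # path to "/" would otherwise answer 200 for the whole wordlist.
                r = requests.get(url, timeout=self.TIMEOUT, allow_redirects=False)
            except requests.RequestException as exc:
                # Narrow catch: the original bare except also swallowed
                # KeyboardInterrupt, making the scan impossible to stop.
                print(f'[-] {url} exception: {type(exc).__name__}')
                continue
            mark = self.label(r.status_code)
            if mark == '-':
                print(f'[-] {url} not found ({r.status_code})')
            else:
                print(f'[{mark}] {url} {r.status_code}')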
# 多线程扫描。
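def start(url, ext, count):
    """Scan ``url`` with the wordlist ``./02.dirpathscaner/<ext>.txt`` using ``count`` threads.

    Args:
        url: base URL of the target, with or without a trailing slash.
        ext: wordlist name (file stem). It is interpolated into a filesystem
            path, so only pass values you control.
        count: number of worker threads (coerced with ``int``; at least 1).

    Blocks until every worker has drained the queue.
    """
    # queue.Queue, not multiprocessing.Queue: the latter feeds a pipe from a
    # background thread, so a worker can observe empty() == True before the
    # entries have been flushed and exit without scanning anything.
    from queue import Queue as ThreadQueue

    targets = ThreadQueue()
    base = url.rstrip('/')
    # 'with' closes the wordlist (the original leaked the handle). strip()
    # also drops the '\r' of CRLF wordlists, which rstrip('\n') left in the
    # URL; joining base + '/' + entry avoids the "host//admin" the original
    # produced when both sides carried a slash.
    with open(f'./02.dirpathscaner/{ext}.txt', 'r', encoding='utf-8') as wordlist:
        for line in wordlist:
            entry = line.strip()
            if not entry or entry.startswith('#'):
                continue
            targets.put(base + '/' + entry.lstrip('/'))

    workers = [DirScan(targets) for _ in range(max(1, int(count)))]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()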
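if __name__ == '__main__':
    import argparse

    # NOTE(review): only scan hosts you are authorised to test. The original
    # hard-coded a public third-party site; the defaults below merely keep the
    # old behaviour when the script is run without arguments.
    parser = argparse.ArgumentParser(description='Multi-threaded directory/file scanner')
    parser.add_argument('-u', '--url', default='https://www.baidu.com/',
                        help='base URL of the target')
    parser.add_argument('-e', '--ext', default='asp',
                        help='wordlist stem under ./02.dirpathscaner/')
    parser.add_argument('-t', '--threads', type=int, default=16,
                        help='number of worker threads')
    args = parser.parse_args()
    start(args.url, args.ext, args.threads)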
示例目录字典:
/admin/index.asp
/dede/index.asp
/edit/index.asp
/login.asp
/database/index.asp
/tmp/
/manager/
/manage/
/web/login.asp
V2.0
功能优化。
- 伪造请求头(fake_useragent 模块)通过以下两行代码获取。注意:随机 UA 只能绕过最简单的 UA 黑名单,WAF/IDS 仍会按请求速率和 404 比例识别扫描,必要时要限速;并且只对已获授权的目标进行扫描
from fake_useragent import UserAgent
UserAgent().random
#!/usr/bin/env python3
'''
1. 打开 dirpath 字典
2. 构造完整 url,发起请求
优化:多线程
优化:伪造随机请求头
'''
from multiprocessing import Queue
from collections.abc import Callable, Iterator, Mapping
import requests
import threading
from fake_useragent import UserAgent
# Single User-Agent source shared by every worker thread (third-party
# fake_useragent); each request draws ua.random from it.
ua = UserAgent()
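class DirScan(threading.Thread):
    """Worker thread: drain a queue of candidate URLs and report which ones exist.

    Each request carries a random User-Agent drawn from the module-level ``ua``.

    Args:
        queue: queue of fully-built URLs shared by all workers. Any object whose
            ``get_nowait()`` raises ``queue.Empty`` when drained works
            (``queue.Queue`` or ``multiprocessing.Queue``).

    Output is printed, one line per URL: ``[*]`` for 200, ``[+]`` for a status
    that usually means the path exists (redirect, auth required, forbidden),
    ``[-]`` for a miss or a request error.
    """

    # Per-request timeout in seconds (kept from the original).
    TIMEOUT = 2
    # Status codes that usually mean the path exists even though it is not
    # served directly: redirects and auth-protected / forbidden directories.
    INTERESTING = frozenset({301, 302, 307, 308, 401, 403})

    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue

    @classmethod
    def label(cls, status):
        """Map an HTTP status to a result marker: '*' hit, '+' likely exists, '-' miss."""
        if status == 200:
            return '*'
        return '+' if status in cls.INTERESTING else '-'

    def run(self):
        # Workers compete for one queue. get_nowait() replaces the original
        # empty()+get() pair, which let two threads see a single item and the
        # loser block on get() indefinitely.
        from queue import Empty
        while True:
            try:
                url = self.queue.get_nowait()
            except Empty:
                return
            # Draw the UA once per request. The original called ua.random a
            # second time just to print it, so the value shown was never the
            # one actually sent; the per-request print is dropped as noise.
            headers = {'User-Agent': ua.random}
            try:
                # allow_redirects=False: sites that redirect every unknown
                # path to "/" would otherwise answer 200 for the whole wordlist.
                r = requests.get(url=url, headers=headers, timeout=self.TIMEOUT,
                                 allow_redirects=False)
            except requests.RequestException as exc:
                # Narrow catch: the original bare except also swallowed
                # KeyboardInterrupt, making the scan impossible to stop.
                print(f'[-] {url} exception: {type(exc).__name__} \n')
                continue
            mark = self.label(r.status_code)
            if mark == '-':
                print(f'[-] {url} not found ({r.status_code}) \n')
            else:
                print(f'[{mark}] {url} {r.status_code} \n')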
# 多线程扫描。
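def start(url, ext, count):
    """Scan ``url`` with the wordlist ``./02.dirpathscaner/<ext>.txt`` using ``count`` threads.

    Args:
        url: base URL of the target, with or without a trailing slash.
        ext: wordlist name (file stem). It is interpolated into a filesystem
            path, so only pass values you control.
        count: number of worker threads (coerced with ``int``; at least 1).

    Blocks until every worker has drained the queue.
    """
    # queue.Queue, not multiprocessing.Queue: the latter feeds a pipe from a
    # background thread, so a worker can observe empty() == True before the
    # entries have been flushed and exit without scanning anything.
    from queue import Queue as ThreadQueue

    targets = ThreadQueue()
    base = url.rstrip('/')
    # 'with' closes the wordlist (the original leaked the handle). strip()
    # also drops the '\r' of CRLF wordlists, which rstrip('\n') left in the
    # URL; joining base + '/' + entry avoids the "host//admin" the original
    # produced when both sides carried a slash.
    with open(f'./02.dirpathscaner/{ext}.txt', 'r', encoding='utf-8') as wordlist:
        for line in wordlist:
            entry = line.strip()
            if not entry or entry.startswith('#'):
                continue
            targets.put(base + '/' + entry.lstrip('/'))

    workers = [DirScan(targets) for _ in range(max(1, int(count)))]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()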
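if __name__ == '__main__':
    import argparse

    # NOTE(review): only scan hosts you are authorised to test. The original
    # hard-coded a public third-party site; the defaults below merely keep the
    # old behaviour when the script is run without arguments.
    parser = argparse.ArgumentParser(description='Multi-threaded directory/file scanner')
    parser.add_argument('-u', '--url', default='https://www.baidu.com/',
                        help='base URL of the target')
    parser.add_argument('-e', '--ext', default='asp',
                        help='wordlist stem under ./02.dirpathscaner/')
    parser.add_argument('-t', '--threads', type=int, default=16,
                        help='number of worker threads')
    args = parser.parse_args()
    start(args.url, args.ext, args.threads)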