DiabloHorn

1. #!/usr/bin/env python
2. # mod_negotiation file bruteforce
3. #Author: DiabloHorn
4.  
5. import string
6. import sys
7. import getopt
8. import httplib
9. import re
10.  
11.  
12. def txthelp():
13.     print "[*] DiabloHorn http://diablohorn.wordpress.com"
14.     print "[*] Mod Negotiate File Brute Force"
15.     print "[*] " + sys.argv[0] + " -t <target> -d <dir list> -f <file list> [-v]"
16.     print "[*] -t target to scan"
17.     print "[*] -d directories which will be scanned"
18.     print "[*] -f files which will be scanned"
19.     print "[*] -v verbose"
20.     print "[*] -h this help"
21.  
22. #dirty regex way to parse response items in the alternates header
23. def parsehdrdata(hdr,rl):
24.     if hdr == None:
25.         return
26.    
27.     foundfiles = dict()    
28.     m = re.findall('"(.+?)"',hdr)
29.     for a in m:
30.         if a not in foundfiles:
31.             foundfiles[a] = rl
32.     if verbose:
33.         for k,v in foundfiles.iteritems():
34.             print string.join([v,k],'')        
35.     return foundfiles
36.  
37. #main :)
38. if __name__ == "__main__":
39.     if len(sys.argv) <=1:
40.         txthelp()
41.         sys.exit(0)
42.  
43.     verbose = False
44.     dirfile = None
45.     filefile = None
46.     targetscan = None
47.  
48.     try:
49.         opts, args = getopt.getopt(sys.argv[1:],"t:d:f:vh")
50.     except getopt.GetoptError, err:
51.         print str(err)
52.         sys.exit(0)
53.  
54.     for o,a in opts:
55.         if o == "-h":
56.             txthelp()
57.             sys.exit(0)            
58.         elif o == "-v":
59.             verbose = True
60.         elif o == "-t":
61.             targetscan = a
62.         elif o == "-d":
63.             dirfile = a
64.         elif o == "-f":
65.             filefile = a
66.         else:
67.             txthelp()
68.             sys.exit(0)
69.     #read all dirs into memory, yeah this will hog your computer if it's a large list.
70.     bdir = []
71.     df = open(dirfile)
72.     try:
73.         for line in df:
74.             line = line.rstrip()
75.             if line.endswith("/"):
76.                 bdir.append(line)
77.             else:
78.                 bdir.append(line + "/")
79.     finally:
80.         df.close()
81.  
82.     httpheaders = {"Host":targetscan,"Accept":"a/b","User-Agent":"Googlebot-Image/1.0"}
83.     conn = httplib.HTTPConnection(targetscan)
84.     print "[*] Target set to: " + targetscan
85.     ff = open(filefile)
86.     try:
87.         for d in bdir:
88.             print "[*] Scanning: " + d
89.             ebresults = []
90.             ff.seek(0)
91.             for line in ff:
92.                 line = line.rstrip()
93.                 reqline = d +  line
94.                 if verbose:
95.                     print "[*] Testing: " + reqline
96.                 conn.request("GET",reqline,headers=httpheaders)
97.                 r2 = conn.getresponse()
98.                 r2.read()
99.                 tempparseresult = parsehdrdata(r2.getheader("Alternates"),d)
100.                 if None != tempparseresult:
101.                     ebresults.append(tempparseresult)
102.                 r2 = None
103.             for ebresult in ebresults:
104.                 for k,v in ebresult.iteritems():
105.                     print string.join([v,k],'')
106.     finally:
107.         ff.close()      
108.         conn.close()