import subprocess
# Flat script: requests a fixed list of IIS/ASP.NET-related paths on one
# hard-coded host, prints and records the HTTP status of each, then writes a
# report to phase9-results.txt.  Review notes on the code as written (the code
# itself is left unchanged here):
#   - subprocess.TimeoutExpired raised by either subprocess.run(..., timeout=15)
#     call is not caught, so one slow response aborts the run; if it happens in
#     the first loop, the report file is never written.
#   - the report is opened without an explicit encoding, so writing response
#     bodies taken from r.stdout may raise UnicodeEncodeError on a platform whose
#     default encoding is not UTF-8.
#   - every path is fetched twice (status pass, then body pass) and the second
#     pass does not reuse the status collected in the first.

# Files and handlers that a hardened IIS/ASP.NET deployment should not serve to
# anonymous clients (configuration, build output, debugging/trace handlers, VCS
# metadata, API descriptions).  From a defender's side, a 200 on most of these
# is a finding to remediate (remove the file or deny it with IIS request
# filtering); the last few entries (robots.txt, sitemap.xml, security.txt) are
# normally public and a 200 there is expected.
paths = [
    'web.config', 'Web.config', 'Global.asax', 'elmah.axd', 'trace.axd',
    'iisstart.htm', '_vti_bin/', 'aspnet_client/', 'Telerik.Web.UI.WebResource.axd',
    'ScriptResource.axd', 'WebResource.axd', 'bin/', 'App_Data/', 'packages.config',
    'appsettings.json', 'appsettings.Development.json', 'swagger/index.html',
    'swagger/v1/swagger.json', 'api/swagger.json', '.env', '.git/config',
    '.git/HEAD', 'robots.txt', 'sitemap.xml', 'crossdomain.xml',
    'clientaccesspolicy.xml', '.well-known/security.txt', 'security.txt'
]

# One formatted report line per path, kept in list order for the file pass below.
results = []
for path in paths:
    url = f'https://www.realwave.com/{path}'
    # curl: -s silences progress output, -o /dev/null discards the body, and
    # -w '%{http_code}' prints only the numeric status, so r.stdout is the code.
    # NOTE(review): if no response is received at all (DNS/TLS failure) curl
    # prints 000 here rather than failing the call — r.returncode is never
    # checked, so such cases show up as status 000 in the report; confirm.
    r = subprocess.run(['curl', '-s', '-o', '/dev/null', '-w', '%{http_code}', url],
                       capture_output=True, text=True, timeout=15)
    code = r.stdout.strip()
    marker = ''
    if code == '200':
        marker = ' *** ACCESSIBLE ***'
    elif code == '403':
        # A 403 is treated as "exists but denied".  That is an inference: a
        # blanket request-filtering or WAF rule can answer 403 for a path that
        # does not exist on disk, so this marker should not be read as proof.
        marker = ' [forbidden but exists]'
    # '/' + path padded to 50 + one space = 52 columns, matching the
    # 'PATH' + 48 spaces header written below so STATUS lines up.
    line = f'/{path:<50} {code}{marker}'
    results.append(line)
    print(line)

# Write the status table, then a second section with a body excerpt per path.
with open('phase9-results.txt', 'w') as f:
    f.write('=== PHASE 9: IIS/ASP.NET PATH FUZZING ===\n\n')
    hdr = 'PATH' + ' ' * 48 + 'STATUS'
    f.write(hdr + '\n')
    f.write('-' * 70 + '\n')
    for r in results:
        f.write(r + '\n')

    # NOTE(review): despite the heading, this pass re-fetches *every* path, not
    # only those that returned 200 above; inclusion is decided solely by the
    # body heuristic below, so a 404 page that does not match the heuristic
    # would also be excerpted.
    f.write('\n=== Content of accessible paths ===\n')
    for path in paths:
        url = f'https://www.realwave.com/{path}'
        # Full body fetch this time (no -o /dev/null); stdout is decoded as
        # text, so a binary response may decode lossily or raise.
        r = subprocess.run(['curl', '-s', url], capture_output=True, text=True, timeout=15)
        body = r.stdout
        # Only show if it's NOT the Angular SPA and we got content.
        # The 'RealWave AI' check on the first 300 chars is a heuristic for the
        # single-page-app fallback page that this host presumably returns for
        # unknown routes — verify against an actual 404 response.  Only the
        # first 500 characters of a matching body are kept.
        if body and 'RealWave AI' not in body[:300] and len(body) > 10:
            f.write(f'\n--- /{path} (unique content) ---\n')
            f.write(body[:500] + '\n')

print("\nDone. Results saved to phase9-results.txt")