
Unable to exclude status code

Open duraki opened this issue 3 years ago • 7 comments

Hi! For some reason, I can't exclude (or, better said, include) the status code that causes the issue with wildcards.

See below for example:

# => includes only HTTP 200 OK
$ gobuster dir -u https://www.example.com/ -w ~/util/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -s 200
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://www.example.com/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ~/util/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
[+] // Missing "Status Code"
===============================================================
2021/02/05 15:35:27 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. https://www.example.com/da8306e5-10c0-416a-9c63-4f125bc96878 => 302 (Length: 26). To continue please exclude the status code, the length or use the --wildcard switch

Why does it even check for 302 if I only included 200 OK? Why is there no information about status code(s) I included in the stdout tty banner?

duraki avatar Feb 05 '21 14:02 duraki

I've submitted a pull request (Update dir.go #286) to fix this issue. You can make the changes yourself to 2 lines of code to fix this behavior.

sloftis2016 avatar Mar 02 '21 13:03 sloftis2016

This works as expected. Everything except 404 is handled as a "good hit". The pre-check tries some random URLs that do not exist, and every one of those results in a 302, so there is no real way to detect this. So you need to update the -b switch with 404,302 or exclude the length to continue.

firefart avatar Mar 02 '21 15:03 firefart
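
The pre-check described in the comment above, sketched as an added example (not gobuster's own code and not part of the original thread): a constructed handler redirects every unknown path with a 302, and the check passes only once 302 is in the blacklist. The names `constructedTarget`, `probe` and `preCheck` are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// constructedTarget stands in for a site that redirects every unknown path (constructed sample).
func constructedTarget() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/", "/admin":
			fmt.Fprint(w, "ok")
		default:
			http.Redirect(w, r, "/", http.StatusFound) // 302 for anything unknown
		}
	})
}

// probe requests a path without following redirects and returns the status code.
func probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

// preCheck requests a random path that cannot exist. If its status is not
// blacklisted, every wordlist entry would look like a hit, so scanning must not start.
func preCheck(h http.Handler, blacklist map[int]bool) (status int, wildcard bool) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	status = probe(h, "/"+hex.EncodeToString(buf))
	return status, !blacklist[status]
}

func main() {
	h := constructedTarget()
	for _, bl := range []map[int]bool{{404: true}, {404: true, 302: true}} {
		status, wildcard := preCheck(h, bl)
		fmt.Printf("blacklist=%v random path => %d, wildcard=%v\n", bl, status, wildcard)
	}
	fmt.Println("/admin =>", probe(h, "/admin"))
}
```

With only 404 blacklisted, the random path's 302 counts as a hit and the check reports a wildcard; adding 302 lets the check pass while `/admin` still returns 200.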

Will this ever be fixed? Still an issue in 3.1.0

Error: the server returns a status code that matches the provided options for non existing urls. https://acf51fdf1ef3226bc0c107b5001d0039.web-security-academy.net/5a5ad98b-471c-4dee-a868-dbf7b56088d5 => 302 (Length: 0). To continue please exclude the status code, the length or use the --wildcard switch

If it's only 2 lines of code to fix, wondering why in 8 months there hasn't been a release w/ a fix... Is this tool no longer supported or under maintenance?

What version was this bug introduced in so I can downgrade?

ZackInMA avatar Nov 18 '21 02:11 ZackInMA

> Will this ever be fixed? Still an issue in 3.1.0
>
> Error: the server returns a status code that matches the provided options for non existing urls. https://acf51fdf1ef3226bc0c107b5001d0039.web-security-academy.net/5a5ad98b-471c-4dee-a868-dbf7b56088d5 => 302 (Length: 0). To continue please exclude the status code, the length or use the --wildcard switch
>
> If it's only 2 lines of code to fix, wondering why in 8 months there hasn't been a release w/ a fix... Is this tool no longer supported or under maintenance?
>
> What version was this bug introduced in so I can downgrade?

You can simply use the -b switch to define bad codes. -b 302 does the trick.

Admonstrator avatar Jan 10 '22 22:01 Admonstrator

> > Will this ever be fixed? Still an issue in 3.1.0
> >
> > Error: the server returns a status code that matches the provided options for non existing urls. https://acf51fdf1ef3226bc0c107b5001d0039.web-security-academy.net/5a5ad98b-471c-4dee-a868-dbf7b56088d5 => 302 (Length: 0). To continue please exclude the status code, the length or use the --wildcard switch
> >
> > If it's only 2 lines of code to fix, wondering why in 8 months there hasn't been a release w/ a fix... Is this tool no longer supported or under maintenance?
> >
> > What version was this bug introduced in so I can downgrade?
>
> You can simply use the -b switch to define bad codes. -b 302 does the trick.

Looks like -b doesn't exist in 3.1.0 either.

gobuster vhost -u $dns -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -r -b 302
Error: unknown shorthand flag: 'b' in -b

AirHeadsbuirse avatar Jan 20 '22 06:01 AirHeadsbuirse

Just use the latest version:

go install github.com/OJ/gobuster/v3@latest

firefart avatar Jan 20 '22 06:01 firefart

The exclusion thing is working now, this issue needs to be closed @Admonstrator @FireFart

Rushour0 avatar Mar 21 '22 11:03 Rushour0

Thank you, works perfectly fine.

Cryptic-error avatar Mar 26 '23 15:03 Cryptic-error

> > > Will this ever be fixed? Still an issue in 3.1.0
> > >
> > > Error: the server returns a status code that matches the provided options for non existing urls. https://acf51fdf1ef3226bc0c107b5001d0039.web-security-academy.net/5a5ad98b-471c-4dee-a868-dbf7b56088d5 => 302 (Length: 0). To continue please exclude the status code, the length or use the --wildcard switch
> > >
> > > If it's only 2 lines of code to fix, wondering why in 8 months there hasn't been a release w/ a fix... Is this tool no longer supported or under maintenance?
> > >
> > > What version was this bug introduced in so I can downgrade?
> >
> > You can simply use the -b switch to define bad codes. -b 302 does the trick.
>
> Looks like -b doesn't exist in 3.1.0 either.
>
> gobuster vhost -u $dns -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -r -b 302
> Error: unknown shorthand flag: 'b' in -b

Is the flag back? 3.6 doesn't have -b either.

HuliKos avatar Sep 02 '23 15:09 HuliKos

As commented on the other thread, vhost mode does not have a b flag. Please don't spam old issues.

firefart avatar Sep 02 '23 16:09 firefart