[Feature Request] Run shortscan on multiple folders

Open nigawtester opened this issue 1 year ago • 8 comments

When I use shortscan on the webroot, I sometimes get few results and the tool cannot find certain folders, unless you know the name. For example, even though I have the folder "handlers" in my wordlist, shortscan does not find it. If I point shortscan to site/handlers though, shortscan sees the directory as vulnerable and finds files/folders.

I was wondering if it would be possible to add another flag so that shortscan goes through a wordlist of folders so that instead of me scripting it via bash, shortscan will try its magic with: site/admin site/js site/docs site/upload site/...

You could have a short check to find vulnerable folders first and then do a complete check only on those folders that are vulnerable to reduce the amount of requests.

nigawtester avatar Feb 22 '24 12:02 nigawtester

Yup "handlers" won't have an 8.3 filename created by Windows (it's too short) so it won't get picked up by shortscan. I've just added support for multiple URLs in v0.8.0 so you can pass in several paths to try at once which would work here, but I'll have a think about how best to support loading multiple paths from a file.

bitquark avatar Feb 27 '24 00:02 bitquark

How do you pass multiple URLs? What's the flag? Also, you could use the list to check which folders return 403 (it has nothing to do with shortname, I know) and the folders that return 403 can be scanned with shortscan. The list to be used could be the default rainbow table.

nigawtester avatar Feb 29 '24 09:02 nigawtester

To pass in multiple URLs just pass them in the same way as the first:

shortscan https://example.org/ https://example.com/ https://example.net/

Regarding the directory check, normal wordlist parsing skips anything that wouldn't produce a short filename so it'll need its own mechanism. For now though you can just pass in multiple paths using the above mechanism.

bitquark avatar Feb 29 '24 12:02 bitquark
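Why "handlers" gets no short name while longer names do, and why wordlist entries that already fit 8.3 are skipped, shown as an added example (not shortscan's own code and not part of the original thread). It is a simplified Go model of Windows 8.3 alias generation that can be run over the directory names on your own server to see which ones expose a tilde alias. The function names are hypothetical, names are assumed to be ASCII, and the hashed aliases Windows falls back to on collisions are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Characters allowed in long names but not in 8.3 names (space included).
const illegal83 = "+,;=[] "

// splitName splits on the last dot; a leading dot does not start an extension.
func splitName(name string) (base, ext string) {
	if i := strings.LastIndex(name, "."); i > 0 {
		return name[:i], name[i+1:]
	}
	return name, ""
}

// FitsEightDotThree reports whether name is already a legal 8.3 name,
// in which case Windows creates no separate tilde alias for it.
func FitsEightDotThree(name string) bool {
	base, ext := splitName(name)
	return len(base) >= 1 && len(base) <= 8 && len(ext) <= 3 &&
		!strings.Contains(base, ".") && !strings.ContainsAny(name, illegal83)
}

// clean uppercases s, drops spaces and dots, maps illegal characters
// to '_' and keeps at most n characters.
func clean(s string, n int) string {
	var b strings.Builder
	for _, r := range strings.ToUpper(s) {
		if r == ' ' || r == '.' || b.Len() >= n {
			continue
		}
		if strings.ContainsRune(illegal83, r) {
			r = '_'
		}
		b.WriteRune(r)
	}
	return b.String()
}

// FirstAlias returns the first (~1) alias for name, or "" if none is made.
func FirstAlias(name string) string {
	if FitsEightDotThree(name) {
		return ""
	}
	base, ext := splitName(name)
	alias := clean(base, 6) + "~1"
	if e := clean(ext, 3); e != "" {
		alias += "." + e
	}
	return alias
}

func main() {
	// Constructed sample names, not taken from any real server.
	for _, n := range []string{"handlers", "admin", "uploadhandlers", "web.config"} {
		fmt.Printf("%-16s alias=%q\n", n, FirstAlias(n))
	}
}
```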

🌀 Shortscan v0.9.0 · an IIS short filename enumeration tool by bitquark
FATAL Unable to access server error="Get "https://example/.aspx": context deadline exceeded (Client.Tim

Why do I always get this output? Do I have a problem?

fawzianaas03 avatar May 12 '24 11:05 fawzianaas03

To pass in multiple URLs just pass them in the same way as the first:

shortscan https://example.org/ https://example.com/ https://example.net/

Regarding the directory check, normal wordlist parsing skips anything that wouldn't produce a short filename so it'll need its own mechanism. For now though you can just pass in multiple paths using the above mechanism.

Wouldn't it be better if it was an argument: --list FILE, -l FILE a list of URLs?

thezakman avatar Jul 24 '24 23:07 thezakman

Better depends on what you're doing, but if you have a large number of URLs to scan it could certainly be a useful option. It's on the list!

bitquark avatar Jul 24 '24 23:07 bitquark

I tried to add it myself and pushed a pull (tested and it's all working like expected), check if you think it fits your whole code.

Thanks in advance for such a great tool!

thezakman avatar Jul 25 '24 00:07 thezakman

It would be nice if you would accept his PR, I also have the same need as him to scan a lot of URLs, so since the job is already done it would be cool :D

boringthegod avatar Sep 25 '24 12:09 boringthegod