SecLists icon indicating copy to clipboard operation
SecLists copied to clipboard

Published 20 hours ago verified publisher icon danielmiessler

Inconsistent leading slashes in Discovery/Web-Content wordlists

Open denandz opened this issue 2 years ago • 1 comments

Some wordlists in Web-Content include a leading slash, some do not. This leads to an additional step being required before using some wordlists (since some webservers treat /index.html and //index.html differently).

It would be handy if all of these wordlists could follow the same pattern, either with or without the leading slash. Happy to make these changes and send a pull request, my preference would be no leading slash.

Here are some examples:

doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head aem2.txt 
{0}.1.json
.1.json
.1.xml
.4.2.1...json
a.css
admin
adminui
aem/apps.html/content/phonegap
aem/forms.html/content/dam/formsanddocuments
aem/publications.html/content/publications
doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head AdobeCQ-AEM.txt 
/libs/granite/core/content/login.html
/libs/cq/core/content/login.html
/crx/explorer/index.jsp
/crx/packmgr/index.jsp
/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100
/.json
/.1.json
/.tidy.6.json
/.tidy.infinity.json
/bin.tidy.infinity.json
doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head quickhits.txt 
/!.gitignore
/!.htaccess
/!.htpasswd
/%3f/
/%ff/
/.7z
/.access
/.addressbook
/.adm
/.admin
doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head common.txt 
.bash_history
.bashrc
.cache
.config
.cvs
.cvsignore
.forward
.git
.git-rewrite
.git/HEAD

denandz avatar May 30 '22 06:05 denandz

Totally agree with this ! I use quickhits.txt wordlist a lot and it always makes me crazy when I forget that it has leading slashes. Can help with unification as well !

blabut avatar Jun 08 '22 15:06 blabut

Looks like the pull request got, err, unmerged... somehow...

@g0tmi1k this issue needs to be re-opened

denandz avatar Sep 19 '22 06:09 denandz

Looks like the pull request got, err, unmerged... somehow...

@g0tmi1k this issue needs to be re-opened

What makes you say that?

ItsIgnacioPortal avatar Sep 27 '22 20:09 ItsIgnacioPortal

Pull #791 was merged back in August, but if you take a look at https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/quickhits.txt it's not in the commit history and the leading slashes have returned.

Did someone maybe force-push master recently?

denandz avatar Sep 27 '22 20:09 denandz

Oh you're right, someone messed up. @g0tmi1k did you force-push?

ItsIgnacioPortal avatar Sep 27 '22 20:09 ItsIgnacioPortal

@g0tmi1k please run git reflog and share the output here so we can diagnose how this happened. I've looked everywhere else, and it just looks as if that Pull Request had never been merged, but every other change before and after that is fine. It's very strange.

ItsIgnacioPortal avatar Oct 01 '22 08:10 ItsIgnacioPortal

@g0tmi1k any updates? Looks like the PR is still missing in the current HEAD. I can re-do the pull request if that'll help?

denandz avatar Jan 09 '23 04:01 denandz

@g0tmi1k any updates? Looks like the PR is still missing in the current HEAD. I can re-do the pull request if that'll help?

g0tmik comes here once every blue moon, so don't worry, that's just his regular schedule 😂

ItsIgnacioPortal avatar Jan 13 '23 10:01 ItsIgnacioPortal

Haha, no problem. @ me if we need to do some kind of summoning ritual at some point 😹

denandz avatar Jan 13 '23 10:01 denandz