OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go
Apache License 2.0
9.98k stars 1.2k forks source link

Feature Request - taking in a file containing domains/subdomains for directory bruteforcing #93

Closed anshumanbh closed 2 years ago

anshumanbh commented 6 years ago

Hi there,

This was really weird/surprising for me to not see any Feature Requests for this but it would be awesome if we can get a way to ingest a file containing domains/subdomains instead of a single domain/subdomain.

I might as well start working on this at some point but just wanted to track it here so that if someone else is already working on it / is planning to work on it, it would be good to know beforehand.

Thanks, Anshuman

OJ commented 5 years ago

Hmm.. need to think about this a little more. My concern with this is the easy of "spray and pray". I'm obviously interested in providing a useful tool to people, but the addition of multiple domains is something I'm not sure I'm keen on.

I do get the notion, and in past engagements I can see that it would have been of value (especially when there's a webserver farm in place and you want to see if you can brute different things on each), but I don't like the idea of producing a tool that people can run across hundreds of domains and find one that contains a weakness.

Leave it with me :)

altjx commented 5 years ago

Hi @OJ,

Thanks for chiming in on this. The current help menu of gobuster says that it can take input from file. Am I missing something or is this just a typo by chance?

[root:kali:...numeration/http/gobuster/80]# gobuster -h
Usage:
  gobuster [command]

Available Commands:
  dir         Uses directory/file brutceforcing mode
  dns         Uses DNS subdomain bruteforcing mode
  help        Help about any command
  vhost       Uses VHOST bruteforcing mode

Flags:
  -h, --help              help for gobuster
  -z, --noprogress        Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist

Use "gobuster [command] --help" for more information about a command.

Is this not the case? An alternative would simply be to pipe multiple gobuster commands into parallel.

Is this feature not in the pipeline for implementation?

yunylz commented 2 years ago

Updates?

firefart commented 2 years ago

please use an external script to accomplish this or a simple loop. Currently this feature will not be implemented

ashawe commented 1 year ago

I would've loved this feature