phra / rustbuster

A Comprehensive Web Fuzzer and Content Discovery Tool
https://iwantmore.pizza
GNU General Public License v3.0

IIS short scanner module (Tilde enumeration) - multiple files with same prefix #28

Closed 0xea31 closed 5 years ago

0xea31 commented 5 years ago

There might be a problem with files with multiple dots.

For instance, web.config.old is discovered as web~1.con


iis_shortname_Scan.py finds the same file as `webcon~1.old`


Side question: is there room to spot files with multiple dots?

phra commented 5 years ago

I investigated the issue and I discovered that both Rustbuster and the python IIS short name scanner implementation are bugged when multiple files with the same prefix exist.

Given two existing files web.config and web.config.old, we will see the following results:

  1. Rustbuster will stop at the shortest match, i.e. web.config
  2. IIS short name scanner won't match on web.config and will match on the longer web.config.old

I fixed Rustbuster and I am going to release a patched version.


Thanks for the report.
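
The bug phra describes can be reproduced offline. The following is an added illustration, not rustbuster's or the Python scanner's code: it builds 8.3 short names for a constructed two-file set, stands in an in-memory `oracle()` for the server's "does a short name with this prefix exist" leak, and runs the prefix search twice, once stopping at the first complete short name (the pre-v3.0.2 behaviour) and once continuing to extend the prefix. The short-name rule is a simplification (no `~2` collision numbering, no illegal-character handling) and extension recovery is skipped, so the oracle hands back the full 8.3 name once the prefix part is complete.

```python
"""Offline simulation of IIS 8.3 short-name ("tilde") prefix enumeration.
Added as an illustration of the multiple-files-same-prefix bug; this is not
rustbuster's code.  FILES and oracle() are constructed stand-ins for a server
and nothing here touches the network."""
import string

# Constructed deployment: two files sharing the prefix "web".
FILES = ["web.config", "web.config.old"]


def short_name(filename: str) -> str:
    """Approximate Windows 8.3 generation: drop every dot but the last, keep
    the first six characters of the name, append ~1, keep the first three
    characters of the extension.  Collision numbering (~2, ~3) and
    illegal-character substitution are deliberately ignored."""
    name, dot, ext = filename.rpartition(".")
    if not dot:
        name, ext = filename, ""
    name = name.replace(".", "")[:6].upper()
    ext = ext[:3].upper()
    return f"{name}~1.{ext}" if ext else f"{name}~1"


# short name -> long name, e.g. WEB~1.CON -> web.config
SHORT = {short_name(f): f for f in FILES}


def oracle(prefix: str) -> bool:
    """Stand-in for the server's leak: does any 8.3 name start with `prefix`?"""
    return any(s.startswith(prefix) for s in SHORT)


def enumerate_names(stop_at_first: bool) -> list:
    """Extend the name prefix one character at a time while the oracle still
    reports a short name starting with it.

    stop_at_first=True  : stop extending a prefix as soon as it yields a
                          complete `<prefix>~1.` name (the behaviour described
                          for rustbuster before v3.0.2).
    stop_at_first=False : keep extending anyway, so WEB~1.CON does not hide
                          WEBCON~1.OLD."""
    found = []
    queue = [""]
    while queue:
        prefix = queue.pop()
        for ch in string.ascii_uppercase + string.digits:
            cand = prefix + ch
            if not oracle(cand):
                continue
            if oracle(cand + "~1."):
                # Prefix is a complete 8.3 name part; extension recovery is
                # skipped, the simulated server returns the full short name.
                found.extend(s for s in SHORT if s.startswith(cand + "~1."))
                if stop_at_first:
                    continue  # bug: longer prefixes such as WEBC... never tried
            queue.append(cand)
    return found


def missed_by_short_circuit() -> set:
    """Short names the early-stopping search never reaches."""
    return set(enumerate_names(False)) - set(enumerate_names(True))


if __name__ == "__main__":
    print("stop at first match :", enumerate_names(stop_at_first=True))
    print("keep extending      :", enumerate_names(stop_at_first=False))
    print("missed              :", missed_by_short_circuit())
```

Running it shows the short-circuiting search returning only `WEB~1.CON`, while the extending search also reaches `WEBCON~1.OLD`; swapping `FILES` for a listing of your own deployment is a quick way to check which entries a scanner with this defect would silently skip.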

phra commented 5 years ago

https://github.com/phra/rustbuster/releases/tag/v3.0.2 was released to address this issue.