├── README.md
└── SourceMapping.py


/README.md:
--------------------------------------------------------------------------------
 1 | # SourceMapping
 2 | Creates, validates and analyse potential list of URLS for a target based on the source code provided. This is a direct comparison based on the directory structures.
 3 | Does not take into account routing or advance MVC type applications.
 4 | 
 5 | Useful when obtaining source code from a target and you want to check of any files is accesible without auth, or during code reviews to identify potential pages which can be reviewed first. Wrote as part of prep for OSWE.
 6 | 
 7 | ### Usage
 8 | 
 9 | ```
10 |  python .\SourceMapping.py -w 'c:\source\appname' -t 'https://localhost'
11 |  -d for debug mode which will attempt to use a proxy as well
12 |  --wordlist to print only a wordlist of the files
13 |  -o for output location in csv format
14 | ```
15 | ### Configurable options in code
16 | 
17 | Some of the extensions which is configurable inside the source:
18 | 
19 | ```
20 | ['*.txt', '*.json', '*.xml', '*.sql', '*.conf', '*.zip', '*.php', '*.ini', '*.cs', '*.js', '*.aspx', '*.asp', '*.java', '*.dll', '*.dat']
21 | ```
22 | 
23 | Limited functionality available to "review" potential pages for inputs, these pages should be primary targets and can easily be modified on this function:
24 | 
25 | ```
26 | def analyseVuln(rqResponse):
27 |     if "<form action" in str(rqResponse.content):
28 |         return "InputForm"
29 |     elif "<form name" in str(rqResponse.content):
30 |         return "InputForm"
31 |     elif 'type="submit"' in str(rqResponse.content):
32 |         return "SubmitForm"
33 |     else:
34 |         return ""
35 | ```
36 | 
37 | ### Some new features:
38 | - Progress bar
39 | - Output write to file in CSV format
40 | - Threading
41 | - Debug mode, will have verbose output on each request and use proxy if one is found
42 | 
43 | ### Screenshots:
44 | In the below example, we could either have found a backup file on blackbox engagement, or we are doing an whitebox engagement with the source.
45 | We've used the ATutor example from the OSWE coursework. The script will automatically check which pages is accessible based on response, then check for potential form inputs on the pages that is accessible. This will allow us to target pages instead of sifting through large volumes.
46 | 
47 | ![image](https://user-images.githubusercontent.com/954507/136694737-74a18c1f-5e43-4c24-b78e-289be2a52b26.png)
48 | ![image](https://user-images.githubusercontent.com/954507/136694756-87b7bbeb-983b-4c8e-97d5-48a1cae1c9e1.png)
49 | 
50 | 


--------------------------------------------------------------------------------
/SourceMapping.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | 
  3 | #python3 -m pip install requests, tabulate
  4 | import argparse
  5 | import requests
  6 | import sys
  7 | import glob
  8 | import concurrent
  9 | import concurrent.futures
 10 | from tqdm import tqdm
 11 | from itertools import repeat
 12 | import csv
 13 | from tabulate import tabulate
 14 | from requests.packages.urllib3.exceptions import InsecureRequestWarning
 15 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 16 | 
 17 | # Interface class to display terminal messages
 18 | class Interface():
 19 |     def __init__(self):
 20 |         self.red = '\033[91m'
 21 |         self.green = '\033[92m'
 22 |         self.white = '\033[37m'
 23 |         self.yellow = '\033[93m'
 24 |         self.bold = '\033[1m'
 25 |         self.end = '\033[0m'
 26 | 
 27 |     def header(self):
 28 |         print(f"\n {self.bold}*************** Source Code Mapping ***************{self.end}")
 29 |         print(f"@initroot \n")
 30 | 
 31 |     def info(self, message):
 32 |         print(f"[{self.white}*{self.end}] {message}")
 33 | 
 34 |     def warning(self, message):
 35 |         print(f"[{self.yellow}!{self.end}] {message}")
 36 | 
 37 |     def error(self, message):
 38 |         print(f"[{self.red}x{self.end}] {message}")
 39 | 
 40 |     def success(self, message):
 41 |         print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")
 42 | 
 43 | 
 44 | def sendGet(url, debug):
 45 |     #debug = False;
 46 |     try:
 47 |         if debug is True:
 48 |             proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
 49 |             r = requests.get(url, proxies = proxies,verify=False)
 50 |             pot = analyseVuln(r)
 51 |             output.info([r.url, r.status_code,len(r.content),pot])
 52 |         else:
 53 |             r = requests.get(url,verify=False)
 54 |             pot = analyseVuln(r)
 55 |     except requests.exceptions.ProxyError:                 
 56 |         r = requests.get(url,verify=False)
 57 |         pot = analyseVuln(r)
 58 |         output.info([r.url, r.status_code,len(r.content),pot])
 59 |         return [r.url, r.status_code,len(r.content),pot]
 60 | 
 61 |     return [r.url, r.status_code,len(r.content),pot]
 62 | 
 63 | 
 64 | def analyseVuln(rqResponse):
 65 |     if "<form action" in str(rqResponse.content):
 66 |         return "InputForm"
 67 |     elif "<form name" in str(rqResponse.content):
 68 |         return "InputForm"
 69 |     elif 'type="submit"' in str(rqResponse.content):
 70 |         return "SubmitForm"
 71 |     else:
 72 |         return ""
 73 | 
 74 | 
 75 | def remDuplicates(x):
 76 |   return list(dict.fromkeys(x))
 77 | 
 78 | def main():
 79 |     # Parse Argumentsxs
 80 |     parser = argparse.ArgumentParser()
 81 |     parser.add_argument('-w', '--dir',	 help='Root directory holding the source code', required=True)
 82 |     parser.add_argument('-t', '--target', help='Target web application URL e.g. http://localhost', required=True)
 83 |     parser.add_argument('-d', '--debug', help='Instruct our web requests to use our defined proxy', action='store_true', required=False)
 84 |     parser.add_argument('--wordlist', help='Only creates the wordlist based on source files',action='store_true')
 85 |     parser.add_argument('-o', '--output', help='Write results to output file', required=False)
 86 |     args = parser.parse_args()
 87 | 
 88 |     # Instantiate our interface class
 89 |     global output
 90 |     output = Interface()
 91 | 
 92 |     # Banner
 93 |     output.header()
 94 | 
 95 |     # Debugging
 96 |     if args.debug:
 97 |         for k,v in sorted(vars(args).items()):
 98 |             if k == 'debug':
 99 |                 output.warning(f"Debugging Mode: {v}")
100 |             else:
101 |                 output.info(f"{k}: {v}")
102 | 
103 |     #Let's get a list of all files in the dir
104 |     exts = ['*.txt', '*.json', '*.xml', '*.config', '*.svc','*.asmx', '*.sql', '*.conf', '*.zip', '*.php', '*.ini', '*.cs', '*.js', '*.aspx', '*.asp', '*.java', '*.dll', '*.dat', '*.ascx', '*.html']
105 |     files = [f for ext in exts 
106 |          for f in glob.glob(args.dir + '/**/' + ext, recursive=True)]
107 |     output.info('List of files generated with success!')
108 |     #Lets convert it to our target
109 |     potUrls = [file.replace(args.dir,args.target) for file in files]
110 |     potUrls = [url.replace('\\','/') for url in potUrls]
111 |        
112 |     #Let's now check access
113 |     if args.wordlist:
114 |         print(*potUrls, sep="\n")
115 |         output.success('Done!')
116 |     else:
117 |         output.info('Now checking each file against ' + str(len(potUrls)) + ' targets, please wait:\n')
118 |         with concurrent.futures.ThreadPoolExecutor(10) as executor:
119 |             #accessible = executor.map(sendGet, potUrls, repeat(args.debug))
120 |             accessible = list(tqdm(executor.map(sendGet, potUrls, repeat(args.debug)), total=len(potUrls)))        
121 |             output.info(tabulate(accessible))
122 |             if args.output:
123 |                 output_file = args.output             
124 |                 with open(output_file, 'w') as file:
125 |                     write = csv.writer(file) 
126 |                     write.writerows(accessible)
127 |         output.success('Done!') 
128 |     
129 | if __name__ == '__main__':
130 |     main()
131 | 


--------------------------------------------------------------------------------