Recursive dir search

Hi folks,

I’m looking for a reliable and fast tool like ffuf but with more advanced recursive search. Example with ffuf:

ffuf -w wordlist.txt -u http://somewebsite/blah.php?file=../../../../../../FUZZ/specific-file.txt

Here I try to look for ‘specific-file.txt’ via LFI in an unknown dir. The disadvantage of ffuf here is that it requires the FUZZ keyword to be at the end of the URL, like:

http://somewebsite/FUZZ

I’m looking for a tool which will add another layer of subdir to search for.
For example, if it won’t find the desired file in any of the dir names given in the wordlist, it’ll try to search recursively.
This question is related to a specific machine on HTB which I already pwned.

Hi.
I’m not sure if I understand the problem well, but I think that dirsearch will work fine for you: GitHub - maurosoria/dirsearch: Web path scanner

I’ve tried a lot of tools to discover content, and this one is my first choice.
The param -r seems to be what u need.


 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, html | HTTP method: get | Threads: 15 | Wordlist size: 56162 | Recursion level: 1

Error Log: /home/****/code/dirsearch/logs/errors-20-01-25_20-31-59.log

Target: https://******.htb

[20:31:59] Starting: 
[20:32:03] 301 -   39B  - /v2  ->  /v2/

[20:37:39] Starting: v2/
[20:39:33] 401 -  145B  - /v2/_catalog

Task Completed

It will try every word in your list appending each one of your selected extensions:

word1.php
word1.html
word1
word2.php
word2.html
word2
...

Dirsearch will also try the word without extension (it has a param to add ‘/’ when no extension is given).

If it finds any directory with that, when it finishes checking the wordlist against the root (/) of the host, it will take any hit (without extension) and start again from there.

In the output you can see that, after trying all wordlist permutations at root level, one hit is found: v2.
As it is a folder, it will iterate again over the whole wordlist + extensions from that folder (with every folder it finds) /v2/.
Another hit found inside the folder /v2/_catalog.

Dirsearch allows you to specify how many recursion levels you want to check. In the example I only want 1 level deep, that’s why it didn’t continue after it found _catalog even if it hasn’t any extension.

Hope it helps!
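Seen from the server side, the recursion described in the post above leaves a recognisable trace: a client gets a non-404 answer for a directory name and then replays word/extension permutations underneath it. The following is an added example, not part of the thread and not dirsearch code; the simplified log format, the thresholds and the name `find_recursive_scans` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (client, time, request, status); not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 [20:31:59] "GET /admin.php" 404
10.0.0.5 [20:32:00] "GET /admin.html" 404
10.0.0.5 [20:32:01] "GET /admin" 404
10.0.0.5 [20:32:03] "GET /v2" 301
10.0.0.5 [20:37:39] "GET /v2/admin.php" 404
10.0.0.5 [20:37:40] "GET /v2/admin.html" 404
10.0.0.5 [20:37:41] "GET /v2/admin" 404
10.0.0.5 [20:39:33] "GET /v2/_catalog" 401
10.0.0.9 [20:40:02] "GET /v2/_catalog" 401
"""

LINE = re.compile(r'^(\S+) \[[^\]]+\] "GET (\S+)" (\d{3})$')

def find_recursive_scans(log, min_probes=3, min_miss_ratio=0.5):
    """Map each client to the directories it brute-forced after discovering them."""
    found = defaultdict(set)                         # client -> paths that did not 404
    probes = defaultdict(lambda: defaultdict(list))  # client -> dir -> [(name, status)]
    followed = defaultdict(set)                      # client -> dirs entered after a hit
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        client, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        parent, _, name = path.rstrip("/").rpartition("/")
        if parent and parent in found[client]:       # child of an earlier hit
            followed[client].add(parent + "/")
        probes[client][parent + "/"].append((name, status))
        if status != 404:
            found[client].add(path.rstrip("/"))
    report = {}
    for client, dirs in followed.items():
        for directory in sorted(dirs):
            seen = probes[client][directory]
            misses = sum(1 for _, s in seen if s == 404)
            # Same word requested with several extensions (word.php, word.html, word).
            stems = defaultdict(set)
            for name, _ in seen:
                stem, _, ext = name.partition(".")
                stems[stem].add(ext)
            permuted = sum(1 for exts in stems.values() if len(exts) > 1)
            if len(seen) >= min_probes and misses / len(seen) >= min_miss_ratio and permuted:
                report.setdefault(client, []).append(directory)
    return report
```

On the sample, only 10.0.0.5 is reported for /v2/; the second client requests /v2/_catalog directly, without a prior hit or permutations, and is not flagged.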

Hi @Nism0 ,

Dirsearch is a great tool, yes.

But pay attention if you specify some extensions with -e. Indeed, another important parameter is -f, it indicates to try every word of the wordlist with the extensions specified. Without it, it won’t do it.

For your needs, the parameter is -r, as indicated by @rulzgz, and you can indeed indicate the level, like this: -r 2.

Often I use lowercase too (-l) and the threads limit (-t 50).

A complete command will be:

./dirsearch.py -u http://[victim]/ -e tar,tar.gz,t.gz -t 50 -r 2 -l -f -w wordlists.txt

check out wfuzz

Thanks for the replies. Anyways, wfuzz is not able to do what I want since it requires (in recursive mode) the FUZZ keyword to be at the end of the URL. That’s not what I’m looking for.

I tried dirsearch but it also won’t help me, because of trailing /.
As @rulzgz wrote, if I’d search for dirs with wordlist recursively, dirsearch will append / to the end of path. While this is fine for dirs, it won’t work for files.
Example:

dirsearch will find recursively directories, but it won’t find a specific file in a dir.
It’ll find this: http://somesite/blah.php?file=../../../../../some/hidden/dir
but won’t find this: http://somesite/blah.php?file=../../../../../some/hidden/dir/myfile.txt
because it’ll append slash to the path like this:
http://somesite/blah.php?file=../../../../../some/hidden/dir/myfile.txt/ which will return error.

@choupit0 - thanks, but ur command didn’t work for me either :<

Maybe I’m trying to knock out open door but how else I’d find that dir in Tabby machine?
You know what dir I mean, right? Was the only way to find it an educated guess? Or was it possible with a tool? Which one?

@Nism0 said:

@choupit0 - thanks, but ur command didn’t work for me either :<

An example with all my parameters, 2 extensions and default list:

root@HTB:~/HTB/Jet# …/dirsearch/dirsearch.py -u http://www.securewebinc.jet/ -e txt,pdf -t 50 -r 2 -l -f

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: txt, pdf | HTTP method: get | Threads: 50 | Wordlist size: 14657 | Recursion level: 1

And the same without the parameter -f:

root@HTB:~/HTB/Jet# …/dirsearch/dirsearch.py -u http://www.securewebinc.jet/ -e txt,pdf -t 50 -r 2 -l

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: txt, pdf | HTTP method: get | Threads: 50 | Wordlist size: 6229 | Recursion level: 1

As you can see, the command is functioning and the word-list size is not the same ;)

Yes it works, but I meant that it didn’t find the path for me.