-
Notifications
You must be signed in to change notification settings - Fork 6
/
boxer.py
200 lines (176 loc) · 5.34 KB
/
boxer.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
#!/usr/bin/env python
"""
This is the main file for Boxer.
"""
import argparse
import classes
def main(
urls,
extension,
word_list_file,
database,
timeout,
response_codes,
urlsavailable,
server_address,
start_server,
host,
):
print(
"""
______
| ___ \
| |_/ / _____ _____ _ __
| ___ \/ _ \ \/ / _ \ '__|
| |_/ / (_) > < __/ |
\____/ \___/_/\_\___|_|
Directory Bruteforcer
Zack Pettry
"""
)
# Create Operations instance.
operations = classes.Operations()
# Ad-hoc directory bruteforce.
if urls and word_list_file and not database:
if ".txt" in urls:
with open(urls) as f:
urls = f.read().splitlines()
else:
urls = [urls]
urls_modified = []
for url in urls:
if ("http" or "https") not in url:
url_http = "http://" + url
url_https = "https://" + url
urls_modified.append(url_http)
urls_modified.append(url_https)
with open(word_list_file) as l:
word_list = l.read().splitlines()
for url in urls_modified:
operations.start_bruteforce(
url, extension, word_list, database, timeout, response_codes
)
exit()
# Directory bruteforce with database persistence.
if urls and word_list_file and database:
if ".txt" in urls:
with open(urls) as f:
urls = f.read().splitlines()
else:
urls = [urls]
urls_modified = []
for url in urls:
if ("http" or "https") not in url:
url_http = "http://" + url
url_https = "https://" + url
urls_modified.append(url_http)
urls_modified.append(url_https)
with open(word_list_file) as l:
word_list = l.read().splitlines()
all_results = []
for url in urls_modified:
results = operations.start_bruteforce(
url, extension, word_list, database, timeout, response_codes
)
for result in results:
all_results.append(result)
operations.create_database(urls, all_results, database)
exit()
# Query local database for url or get urls available to query.
if (urls or urlsavailable) and database and not server_address:
operations.query_locally(urls, database, urlsavailable)
exit()
# Query the remote server with url or get urls available to query.
if (urls or urlsavailable) and server_address and not database:
operations.query_server(urls, server_address, urlsavailable)
exit()
# Start the server to allow for querying directory database.
if start_server and database and host:
server = classes.Server()
server.start(database, host)
print("Please add an argument for parsing.")
if __name__ == "__main__":
parser = argparse.ArgumentParser(
description="Boxer. A directory bruteforce ecosystem."
)
parser.add_argument(
"-u",
dest="urls",
# nargs="+",
action="store",
required=False,
help="This is a list of URL(s).",
)
parser.add_argument(
"-e",
dest="extension",
# nargs="+",
action="store",
required=False,
help="This will add an additional query with the extension to all words in the wordlist.",
)
parser.add_argument(
"-w",
dest="word_list_file",
action="store",
required=False,
help="This is the wordslist for directory bruteforcing",
)
parser.add_argument(
"-d",
dest="database",
action="store",
required=False,
help="This is the title for the local database. Database will be stored in json automatically.",
)
parser.add_argument(
"-t",
dest="timeout",
action="store",
default=30,
type=int,
required=False,
help="This is to choose how long to wait for replies from the HTTP/S server.",
)
parser.add_argument(
"-r",
dest="response_codes",
nargs="+",
action="store",
default=[200, 204, 301, 302, 307, 403],
type=int,
required=False,
help="This can change the response codes. ex. 200 307 403 .",
)
parser.add_argument(
"-urlsavailable",
dest="urlsavailable",
action="store_true",
required=False,
help="This is to get all available urls to query for sub-directories.",
)
parser.add_argument(
"-s",
dest="server_address",
action="store",
required=False,
help="This is the server address to query for the directory database.",
)
parser.add_argument(
"-server",
dest="start_server",
action="store_true",
required=False,
help="This is for starting the web server.",
)
parser.add_argument(
"-host",
dest="host",
action="store",
default="127.0.0.1",
type=str,
required=False,
help="This is host address for the web server.",
)
args = parser.parse_args()
main(**vars(args))