Path and sensitive information discovery

Overview of path and sensitive information discovery
Generally, the front page of a website exposes relatively little. During the information-gathering stage of a penetration test we therefore use automated tools to discover other paths on the site, such as the admin backend, paths reachable without authorization, and sensitive files, and then scan those paths for sensitive data.
Path brute-forcing (directory "blasting") tools are selected and evaluated according to their characteristics; the discovered paths are then accessed in batch to find the sensitive ones, and a crawler or scanner checks those paths for sensitive files and data.
Reference tools for path brute-forcing and subdomain discovery:
dirsearch: https://github.com/maurosoria/dirsearch
OneForAll: https://github.com/shmilylty/OneForAll.git
virustotal: https://www.virustotal.com
Subdomain automated search: https://d.chinacycc.com
dnsdumpster: https://dnsdumpster.com
ESD (FeeiCN): https://github.com/FeeiCN/esd
Yujian (御剑) background scanner
DirBuster
IntelliTamper
dirmap
Tool introduction
Dirsearch: an advanced command-line tool designed to brute force directories and files on a web server.
(1) Installing dirsearch
1. git clone https://github.com/maurosoria/dirsearch.git    // run on Kali to fetch the source
2. cd dirsearch    // switch into the directory
3. python3 dirsearch.py -u <URL> -e <EXTENSION>    // -u is the target URL; -e is the site's language/extension, such as php or asp
(2) dirsearch manual:
https://blog.csdn.net/yigaoyu/article/details/108473952
The README.md in the dirsearch directory on Kali can also be used.


(3) Simulate brute-forcing sensitive paths (target: <target ip>/510cms on the target machine)
The wordlists used for brute-forcing live in the dirsearch/db directory. Add entries there to enrich and strengthen the dictionary.

(4) Next, run ./dirsearch.py -u http://10.10.10.1/510cms -e php --plain-text-report=/su.txt on Kali to
brute force the paths.
The information returned for each path is the HTTP status code of the response, the length of the response body, and the path itself.
A status code alone does not prove a hit: sites that answer 200 for every path (soft 404s) or 403 for protected directories must be compared on response length before a path is treated as real.

(5) --plain-text-report=/su.txt writes the plain-text report to the path given (here /su.txt on Kali).

(6) By default the report is written under dirsearch/reports.

OneForAll: a powerful subdomain collection tool
Automated subdomain search expands the scope of the penetration test, finds ways into the target, and maps the business boundary.
(1) Installation:
1. Download: git clone https://github.com/shmilylty/OneForAll.git
2. Install the dependencies:
3. cd OneForAll
4. pip install -r requirements.txt
5. OneForAll source code: https://github.com/shmilylty/OneForAll
6. Run it with ./oneforall.py --target xxx.com run (the target is the root domain)


(2) The scan output is stored in the OneForAll/results directory, and a table data file (.csv) is generated for viewing.

(3) The csv file can be copied to a Windows system; see the xxx.com.csv file. Its columns include the subdomain name, url, ip, response status code, title, banner, isp, etc.
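The results CSV is the hand-off between subdomain discovery and path brute-forcing. The following is an added example, not code from the original post or from OneForAll, that triages such a CSV into a list of live targets: the column names (url, ip, status, title) are an assumption based on the fields listed above, and the CSV text is constructed.

```python
# Added example (not part of the original post or of OneForAll): triage an
# OneForAll results CSV into live targets for the path brute-forcing step.
# Column names are an assumption based on the fields the text lists
# (url, ip, status, title, banner, isp); the sample CSV is constructed.
import csv
import io
from typing import Dict, List

# Assumed header names; adjust them to the header line of your own results file.
COL_URL, COL_IP, COL_STATUS, COL_TITLE = "url", "ip", "status", "title"

def parse_results(csv_text: str) -> List[Dict[str, str]]:
    """Parse the CSV text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def is_alive(row: Dict[str, str]) -> bool:
    """2xx/3xx plus 401/403 count as a responding web service; blank or odd values do not."""
    try:
        code = int(row.get(COL_STATUS, "") or 0)
    except ValueError:
        return False
    return 200 <= code < 400 or code in (401, 403)

def live_targets(rows: List[Dict[str, str]]) -> List[str]:
    """Unique alive URLs in file order; each is a separate virtual host, so each
    one gets its own path scan even when several share an IP."""
    return list(dict.fromkeys(r[COL_URL].strip() for r in rows if is_alive(r)))

def hosts_by_ip(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group alive URLs by IP to see which names sit on the same server."""
    groups: Dict[str, List[str]] = {}
    for r in rows:
        ip = r.get(COL_IP, "").strip()
        if ip and is_alive(r):
            groups.setdefault(ip, []).append(r[COL_URL].strip())
    return groups

def interesting(rows: List[Dict[str, str]],
                keywords=("admin", "login", "manage", "后台", "backup")) -> List[str]:
    """Alive URLs whose title or host name hints at a backend, worth trying first."""
    out = []
    for r in rows:
        hay = (r.get(COL_TITLE, "") + " " + r.get(COL_URL, "")).lower()
        if is_alive(r) and any(k in hay for k in keywords):
            out.append(r[COL_URL].strip())
    return out

# Constructed sample in the assumed column layout (not real scan output).
SAMPLE_CSV = """url,subdomain,ip,status,title,banner,isp
http://www.xxx.com,www.xxx.com,10.10.10.1,200,Home - 510cms,nginx,Example ISP
http://admin.xxx.com,admin.xxx.com,10.10.10.1,200,后台登录,nginx,Example ISP
http://cdn.xxx.com,cdn.xxx.com,10.10.10.2,301,,,Example ISP
http://old.xxx.com,old.xxx.com,10.10.10.3,404,,,Example ISP
http://dev.xxx.com,dev.xxx.com,,,,,
"""

if __name__ == "__main__":
    rows = parse_results(SAMPLE_CSV)
    print("targets:", live_targets(rows))
    print("backend candidates:", interesting(rows))
    print("shared hosts:", hosts_by_ip(rows))
```

Feed the list from live_targets into dirsearch (one -u per URL) or into the path enumeration script further down; the interesting list is the order in which to try them.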

Batch-access the discovered paths to find sensitive ones. Sensitive paths are backend (admin) paths and paths that return files containing important sensitive information, such as database files, code backup files, or svn/git version-control metadata.
First learn the suffixes of sensitive files, such as .mdb .zip .rar .txt .git .svn, etc.
Then construct requests of the form url + suffix to find and verify the existence of sensitive files.
(1) A simple script to enumerate sensitive paths: it requests url + path and judges whether the path exists from the returned status code.
Note: the site below is the local test site of this machine.
# -*- coding:utf-8 -*-
import requests

url = 'http://www.xxx.com/'

# web.txt holds one candidate path (or file name + suffix) per line
with open("web.txt", "r") as web:
    webs = web.readlines()

# Request url + path for each line, print the status code, and record it in write.txt
with open('write.txt', 'w+') as w:
    for web in webs:
        web = web.strip()
        if not web:
            continue
        u = url + web
        r = requests.get(u, timeout=10)
        line = "url is:" + u + " status is:%d" % r.status_code
        print(line)
        w.write(line + "\n")
The running result is as follows

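The script above reports a path as soon as the status code is 200, which is wrong on servers that answer 200 for every path. The following is an added example, not code from the original post, that builds the url + suffix candidates for backup, database and version-control files and keeps only plausible hits: it takes a "soft 404" baseline from a path that cannot exist and applies cheap content checks (zip magic bytes, the ref: line of .git/HEAD, and so on). The file names beyond those in the text, the extra suffixes, the live fetch helper and the fake server used for the offline demo are all assumptions.

```python
# Added example (not from the original post): build url + suffix candidates for
# backup, database and version-control files and report only plausible hits.
# It extends the status-code check above with a "soft 404" baseline (servers
# that answer 200 for every path) and cheap content checks. Names, suffixes
# beyond those in the text, and the fake server are constructed assumptions.
import hashlib
from typing import Callable, Dict, List, Tuple

SUFFIXES = [".zip", ".rar", ".tar.gz", ".sql", ".mdb", ".txt", ".bak", "~"]
VCS_PATHS = [".git/HEAD", ".git/config", ".svn/entries", ".svn/wc.db"]
BACKUP_NAMES = ["www", "web", "backup", "site", "510cms", "config.php", "config"]
MAGIC = {".zip": b"PK\x03\x04", ".rar": b"Rar!", ".tar.gz": b"\x1f\x8b",
         ".mdb": b"\x00\x01\x00\x00Standard Jet DB"}

Response = Tuple[int, bytes]          # (status code, first bytes of the body)
Fetch = Callable[[str], Response]

def build_candidates(base_url: str, host: str) -> List[str]:
    """url + suffix construction: <base>/<name><suffix> plus VCS metadata paths."""
    base = base_url.rstrip("/") + "/"
    names = BACKUP_NAMES + [host, host.split(".")[0]]   # e.g. www.xxx.com.zip, www.zip
    cands = [base + n + s for n in names for s in SUFFIXES]
    cands += [base + p for p in VCS_PATHS]
    return list(dict.fromkeys(cands))                   # de-duplicate, keep order

def normalized_fp(url: str, body: bytes) -> str:
    """Hash of the body with the requested URL/path removed, so a catch-all
    error page that echoes the path still fingerprints the same every time."""
    path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    for needle in (url.encode(), ("/" + path).encode(), path.encode()):
        if needle.strip(b"/"):
            body = body.replace(needle, b"")
    return hashlib.md5(body).hexdigest()

def looks_real(url: str, body: bytes) -> bool:
    """Content checks so an HTML page served as 'www.zip' is not reported."""
    if url.endswith(".git/HEAD"):
        return body.startswith(b"ref: ") or len(body.strip()) == 40
    if url.endswith(".git/config"):
        return b"[core]" in body
    if url.endswith(".svn/entries"):
        return body[:2].strip().isdigit()
    if url.endswith(".svn/wc.db"):
        return body.startswith(b"SQLite format 3")
    for ext, magic in MAGIC.items():
        if url.endswith(ext):
            return body.startswith(magic)
    # .sql, .txt, .bak, ~: anything that is plainly an HTML page is a false positive
    return not body.lstrip().lower().startswith((b"<!doctype", b"<html"))

def scan(base_url: str, host: str, fetch: Fetch) -> List[Tuple[str, int, int]]:
    """Return (url, status, body length) for candidates that look like real files."""
    probe = base_url.rstrip("/") + "/this-path-should-not-exist-7f3a.zip"
    status, body = fetch(probe)
    baseline = (status, normalized_fp(probe, body))     # what "not found" looks like here
    hits = []
    for u in build_candidates(base_url, host):
        status, body = fetch(u)
        if status != 200:                                # a 403 on .git/ still merits a manual look
            continue
        if (status, normalized_fp(u, body)) == baseline: # soft 404
            continue
        if looks_real(u, body):
            hits.append((u, status, len(body)))
    return hits

def requests_fetch(url: str, timeout: float = 5.0) -> Response:
    """Live fetch with the requests library (as in the script above); reads 4 KiB only."""
    import requests                                     # imported here so the offline demo needs no network
    r = requests.get(url, timeout=timeout, allow_redirects=False, stream=True)
    body = next(r.iter_content(4096), b"")
    r.close()
    return r.status_code, body

def fake_fetch(files: Dict[str, bytes], catch_all: bool) -> Fetch:
    """Constructed stand-in for a server; catch_all=True answers 200 for unknown paths."""
    def fetch(url: str) -> Response:
        if url in files:
            return 200, files[url]
        if catch_all:
            return 200, b"<html><title>Not Found</title><p>missing: " + url.encode() + b"</p></html>"
        return 404, b"Not Found"
    return fetch

if __name__ == "__main__":
    base = "http://10.10.10.1/510cms"                   # the lab target from the text
    demo_files = {                                      # constructed leaked files
        base + "/510cms.sql": b"-- MySQL dump\nINSERT INTO `admin` VALUES (1,'admin','21232f297a57a5a743894a0e4a801fc3');\n",
        base + "/www.zip": b"PK\x03\x04" + bytes(120),
        base + "/config.php.bak": b"<?php\n$db_pass = 'secret';\n",
        base + "/.git/HEAD": b"ref: refs/heads/master\n",
    }
    for url, status, size in scan(base, "www.xxx.com", fake_fetch(demo_files, catch_all=True)):
        print(f"{status} {size:6d} {url}")
```

Against a real target replace fake_fetch(...) with requests_fetch; because the probe path cannot exist, whatever the server returns for it is treated as "not found", so a catch-all 200 page no longer floods the results.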
(2) The Yujian (御剑) background scanner works the same way: it takes the domain name plus a path configuration file and finally checks whether the status code is 200; paths that return 200 are echoed, the others are not.
Note: the site below is the local test site of this machine.

(3) IntelliTamper path enumeration
Note: the site below is the local test site of this machine.

(4) Acquiring sensitive files
Note: the site below is the local test site of this machine. The source code backup file is stored in the web root, so any visitor can access and download the site's source code backup.

The source code backup contains a sensitive database backup file (.sql) as well as sensitive paths and configuration file information.
An attacker can further penetrate the website through methods such as code auditing.

config.php is the site's configuration file; it stores sensitive information such as the ip, user, password and database name of the database host.

510cms.sql is a backup of the database and may hold sensitive information such as the account and password of the site backend.

Usually the database stores passwords as unsalted MD5 hashes. MD5 is a fast hash, not encryption, so such a value cannot be "decrypted"; instead it is looked up on an online MD5 reverse-lookup site, which compares it against a huge precomputed table of hashed passwords.

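What such a lookup site does, and why it stops working once a site salts its hashes, is shown in the following added example. It is not code from the original post; the INSERT lines and the wordlist are constructed, and the only real values in it are the well-known MD5 digests of "admin" and "123456".

```python
# Added example (not from the original post): why an unsalted MD5 password hash
# found in a leaked .sql dump is weak, and why the same lookup fails once the
# site salts its hashes. The dump lines and the wordlist are constructed.
import hashlib
import re
from typing import Dict, Iterable, List, Optional

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def extract_md5_hashes(sql_dump: str) -> List[str]:
    """Collect 32-hex-character string literals from INSERT statements, the usual
    shape of a CMS admin table. Longer values (other hash types) are ignored and
    upper-case dumps are normalised to lower-case."""
    return [h.lower() for h in re.findall(r"'([0-9a-fA-F]{32})'", sql_dump)]

def crack_unsalted(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack: hash every candidate once, then look each target up.
    An online 'MD5 decryption' site does exactly this with a very large table."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table.get(h) for h in hashes}

def crack_salted(hashes: Iterable[str], wordlist: Iterable[str], salt: str) -> Dict[str, Optional[str]]:
    """Same attack against md5(salt + password): a precomputed table is useless
    unless the salt is known, so the table must be rebuilt per salt."""
    table = {md5_hex(salt + w): w for w in wordlist}
    return {h: table.get(h) for h in hashes}

# Constructed sample in the shape of a CMS admin table; not a real dump.
SAMPLE_DUMP = """-- constructed sample
INSERT INTO `admin` VALUES (1,'admin','21232f297a57a5a743894a0e4a801fc3');
INSERT INTO `admin` VALUES (2,'editor','E10ADC3949BA59ABBE56E057F20F883E');
INSERT INTO `admin` VALUES (3,'ops','7c222fb2927d828af22f592134e8932480637c0d');
"""
WORDLIST = ["123456", "password", "admin", "admin123", "510cms"]   # constructed

if __name__ == "__main__":
    for h, pw in crack_unsalted(extract_md5_hashes(SAMPLE_DUMP), WORDLIST).items():
        print(h, "->", pw if pw else "(not in wordlist)")
```

The third row is skipped because its value is 40 characters long and therefore not MD5; identify the hash type before choosing a lookup table or cracking mode.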
Visiting the backend path 10.10.10.1/510cms/admin shows that directory listing is enabled there (sensitive path leakage), so visitors can browse the directory contents.


Summary: in a penetration test, directory brute-forcing is an important step. The more subdomains and sensitive paths that are collected, the more useful they are for later exploitation. In practice, systems, site builders and their sensitive paths differ, so we still need to learn more about each of them.

Origin blog.csdn.net/qq_43422918/article/details/114637174