Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dirscan admin 扫描重复结果 #1700

Open
zerokeeper opened this issue Dec 17, 2022 · 3 comments
Open

dirscan admin 扫描重复结果 #1700

zerokeeper opened this issue Dec 17, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@zerokeeper
Copy link

dirscan/admin/default 扫描会出现不同后缀的结果
好像也是1.9.x新版本的问题,之前1.8.x的版本没发现这个问题

https://example.com/admin.html
https://example.com/admin.jsp
https://example.com/admin.do
https://example.com/admin.asp
https://example.com/admin
https://example.com/admin/
@zerokeeper
Copy link
Author 

https://example.com/.bashrc	dirscan/system/config	
https://example.com/.zshrc	dirscan/system/config	
https://example.com/.bash_profile	dirscan/system/config	
https://example.com/.bash_logout	dirscan/system/config	
https://example.com/code.tar.gz	dirscan/backup/code	
https://example.com/src.tar.gz	dirscan/backup/code	
https://example.com/htdocs.tar.gz	dirscan/backup/code	
https://example.com/webserver.tar.gz	dirscan/backup/code	
https://example.com/tools.tar.gz	dirscan/backup/code	
........                            dirscan/backup/code

再补充一个就是dirscan扫描会出现大量误报结果,源站实际是访问任意路径都会下载一个文件,但是文件大小都是相同的。
可否先请求一个不存在的文件验证一下文件大小,然后排除这些误报的结果。

@shmilylty
Copy link
Contributor

可以判断响应头,响应头里有响应类型,把常见的文件类型响应捋一捋,能减少误判。

@Jarcis-cy
Copy link
Collaborator

收到建议,我们后续回优化一下dirscan这个插件

@Jarcis-cy Jarcis-cy added the bug Something isn't working label Dec 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zerokeeper @shmilylty @Jarcis-cy