IIS-Scanner.py
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning, ConnectTimeoutError
# Suppress InsecureRequestWarning. check_shortname_vulnerability() calls
# requests.get(..., verify=False), so TLS certificates are not validated; this line
# only hides the warning urllib3 would otherwise emit, it does not make those
# requests any safer.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def generate_payloads(filename):
    """Return the candidate names derived from *filename* that the scanner requests.

    The list is built in three groups, in this order:

    1. ``filename~1`` through ``filename~100`` (tilde-numbered forms).
    2. ``filename`` plus each of five extensions, lower-case then upper-case.
    3. ``filename`` plus one trailing punctuation or space character.

    Args:
        filename: Base name (a string) to derive candidates from.

    Returns:
        A new list of candidate strings; nothing is URL-encoded here.
    """
    # Group 1: tilde-numbered forms, 1..100 inclusive.
    numbered = [f"{filename}~{index}" for index in range(1, 101)]

    # Group 2: each extension as written, immediately followed by its upper-case form.
    with_extensions = []
    for suffix in ('.txt', '.php', '.html', '.asp', '.aspx'):
        with_extensions += [filename + suffix, filename + suffix.upper()]

    # Group 3: one trailing character each, in the original order.
    with_trailing_char = [filename + symbol for symbol in '_-. $%&#@']

    return numbered + with_extensions + with_trailing_char
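def check_shortname_vulnerability(url, filename):
    """Request each candidate name under *url* and report whether any returns HTTP 200.

    Candidates come from generate_payloads(filename). The loop stops at the first
    200 response; if none is seen, a "not detected" line is printed.

    Args:
        url: Base URL of the target; each candidate is appended after a "/".
        filename: Base name handed to generate_payloads().

    Returns:
        None. All results are reported with print().

    Notes:
        The 200-status test is a heuristic. A server that answers 200 for unknown
        paths, or a redirect chain that ends on a 200 page (requests follows
        redirects by default), produces a false positive, so a hit should be
        confirmed by other means before it is reported as a finding.
    """
    vulnerability_detected = False

    for payload in generate_payloads(filename):
        # NOTE(review): the candidate is not URL-encoded, so for the "#" variant
        # everything from "#" on is treated as a fragment and is not sent to the server.
        target_url = f"{url}/{payload}"

        try:
            # verify=False skips certificate validation so hosts with self-signed or
            # mismatched certificates can still be tested; the peer is therefore
            # not authenticated.
            response = requests.get(target_url, verify=False, timeout=5)
        except (requests.exceptions.Timeout, ConnectTimeoutError) as e:
            # requests wraps urllib3 timeouts in requests.exceptions.Timeout
            # (ConnectTimeout / ReadTimeout). The original handler caught only the
            # raw urllib3 class, so a read timeout escaped and aborted the whole run.
            print(f"Connection timeout occurred for {target_url}: {e}")
            continue
        except requests.exceptions.RequestException as e:
            # Covers SSLError and ConnectionError as before, plus the remaining
            # request failures (e.g. a target line without a scheme), so one bad
            # target or candidate does not stop the scan of the others.
            print(f"Error testing {target_url}: {e}")
            continue

        # First 200 ends the loop; see the docstring for the limits of this signal.
        if response.status_code == 200:
            print(f"The server returned a 200 status code for the filename {payload}, indicating that shortname enumeration is possible.")
            vulnerability_detected = True
            break

    if not vulnerability_detected:
        print(f"Shortname enumeration vulnerability not detected for {url}.")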
if __name__ == "__main__":
    # Targets are read from "targets.txt" in the current working directory,
    # one base URL per line.
    with open("targets.txt", "r") as file:
        raw_lines = file.readlines()

    # Trim surrounding whitespace and drop lines that are empty after trimming.
    target_urls = []
    for line in raw_lines:
        cleaned = line.strip()
        if cleaned:
            target_urls.append(cleaned)

    # Base name from which the candidate names are derived.
    filename = "test"

    # Check the targets one after another; results are printed per target.
    for target_url in target_urls:
        print(f"Testing {target_url}")
        check_shortname_vulnerability(target_url, filename)
        print()  # blank separator line between targets