SourceLeakHacker – A Multi Threads Web Application Source Leak Scanner

SourceLeakHacker is a muilt-threads web directories scanner.

Installation

pip install -r requirements.txt

Usage 

dictionary scale –output OUTPUT output folder, default: result/YYYY-MM-DD hh:mm:ss –threads THREADS, -t THREADS threads numbers, default: 4 –timeout TIMEOUT HTTP request timeout –level {CRITICAL,ERROR,WARNING,INFO,DEBUG}, -v {CRITICAL,ERROR,WARNING,INFO,DEBUG} log level –version, -V show program’s version number and exit “>

usage: SourceLeakHacker.py [options]

optional arguments:
-h, --help show this help message and exit
--url URL url to scan, eg: 'http://127.0.0.1/'
--urls URLS file contains urls to scan, one line one url.
--scale {full,tiny} build-in dictionary scale
--output OUTPUT output folder, default: result/YYYY-MM-DD hh:mm:ss
--threads THREADS, -t THREADS
threads numbers, default: 4
--timeout TIMEOUT HTTP request timeout
--level {CRITICAL,ERROR,WARNING,INFO,DEBUG}, -v {CRITICAL,ERROR,WARNING,INFO,DEBUG}
log level
--version, -V show program's version number and exit

Example

$ python SourceLeakHacker.py --url=http://baidu.com --threads=4 --timeout=8
[302] 0 3.035766 text/html; charset=iso-8859-1 http://baidu.com/_/_index.php
[302] 0 3.038096 text/html; charset=iso-8859-1 http://baidu.com/_/__index.php.bak
...
[302] 0 0.063973 text/html; charset=iso-8859-1 http://baidu.com/_adm/_index.php
[302] 0 0.081672 text/html; charset=iso-8859-1 http://baidu.com/_adm/_index.php.bak
Result save in file: result/2020-02-27 07:07:47.csv
$ cat url.txt                 
http://baidu.com/
http://google.com/

$ python SourceLeakHacker.py --urls=url.txt --threads=4 --timeout=8
[302] 0 2.363600 text/html; charset=iso-8859-1 http://baidu.com/_/__index.php.bak
[302] 0 0.098417 text/html; charset=iso-8859-1 http://baidu.com/_adm/__index.php.bak
...
[302] 0 0.060524 text/html; charset=iso-8859-1 http://google.com/_adm/_index.php.bak
[302] 0 0.075042 text/html; charset=iso-8859-1 http://baidu.com/_adm/_index.php.back
Result save in file: result/2020-02-27 07:08:54.csv

Demo

AVvXsEhrTF16 jNo9Xpd8fvdoSzH2dvJ5fX VeHuKpgzTGp15v8SyvheK4vUxeI0Eo0s1 5bSD5 SEhct4uiRfYjxetMSsBMQXRMsYxsY2qmmK0calYLLOr oxPlxPNSitl9An7ky ZSS5 QyT47pohwFv07znx3uZnSd9WBuBUJb9H1ERMnCU0PfpB7Y ZDFA=w640 h250

AVvXsEg2ZSBj e0bT VQ2EdQl5hGNK94aT47vYz8Tvyhy2xL9GpPIZKmCyAw4Mb28h0V22uPiyb8TJ9nBT7THVO l5WeTXg56hv43ExxkmpSfJkAJWtat p 7C4LaR6LvgumpEWQv5j8Cr28dGkue9wxl a5lP1YtTAQkIHNwdv1tqtdTAsSku4OBnW2rZ5 ag=w640 h238

AVvXsEiOGCv00CrdyqNnX7VDqoyoUbGM9cCVpa4 ZnMb2opuddiHOFcmawhZuYieo 50TVvBO jyCFCPr vkwroLiFPt mBWNofx4bUIb5KQoW05yVTJRDicxKrklIbmY0H 2uUDoaUMYgQaewrOZ2LHTfrDPD8smZ bNnWOFjVGuuJL60jKl6HCu aDGJsOaQ=w640 h338

TODOs

  • Arguments parser.
  • Store scan result into csv file.
  • Support for multiple urls (from file).
  • Add help comments for every params.
  • Update Usage.
  • Adjust dictionary elements order systematically.
  • Change logger in order to suite for both windows and linux.
  • Add log level.
  • Update Screenshots.
  • Retry and avoid dead lock
  • Store scan result into sqlite database.
  • Download small url contents, then store them into sqlite database.

Known Bugs

  • CTRL C does not works on windows platform

click here to read full Article

Read More on Pentesting Tools

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: