pathbuster

A path-normalization pentesting tool using path replacements.





Todos

Installation

Install Rust

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```

Install pathbuster

```bash
cargo install pathbuster
```

Usage

```bash
pathbuster -h
```

This command will show the tool's help information and present a list of all the switches that are available.

```
USAGE:
    pathbuster [OPTIONS] --url <url> --payloads <payloads> --paths <paths> --deviation <deviation>

OPTIONS:
    -c, --concurrency <concurrency>
            The amount of concurrent requests [default: 100]

        --deviation <deviation>
            The distance between the responses [default: 3]

    -h, --help
            Print help information

        --hosts <hosts>
            the file containing the list of root domains [default: .hosts.tmp]

        --match-status <match-status>
            [default: 200]

    -o, --out <out>
            The output file

        --paths <paths>
            the file containing the list of routes (crawl the host to collect routes) [default:
            .paths.tmp]

        --payloads <payloads>
            the file containing the traversal payloads [default: ]

    -r, --rate <rate>
            Maximum in-flight requests per second [default: 1000]

        --stop-at-first-match <stop-at-first-match>
            stops execution flow on the first match [default: false]

    -u, --url <url>
            the url you would like to test

    -V, --version
            Print version information

    -w, --workers <workers>
            The amount of workers [default: 1]

        --wordlist <wordlist>
            the file containing the technology paths [default: .wordlist.tmp]
```

Examples

Fingerprinting the proxy

```bash
$ pathbuster -u "https://example.com/{paths}/{payloads}" --payloads traversals.txt --paths paths.txt --match-status 400 --deviation 2 -o output.txt
```

Discovery process for a single URL

```bash
$ pathbuster -u "https://example.com/{paths}/{payloads}/{words}" --payloads traversals.txt --paths paths.txt --wordlist raft-medium-directories.txt --match-status 200 --deviation 2 -o output.txt
```

Discovery process using host replacements

```bash
$ pathbuster -u "https://{hosts}/{paths}/{payloads}/{words}" --hosts roots.txt --payloads traversals.txt --paths paths.txt --wordlist raft-medium-directories.txt --match-status 200 --deviation 2 -o output.txt
```

Screenshot

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

License

Pathbuster is distributed under the MIT License.