利用Python对DVWA网站应用的子目录和文件进行枚举

 　　需要用到requests.Session发起请求，否则无法遍历只有登录成功以后的页面。

import requests
import optparse
import sys
import os
import threading

class DirectoryFinder:
    def __init__(self) -> None:
        self.target = self.suffix_url(self.preprocess_url(self.get_params()[0]))
        self.filename = self.get_params()[1]
        self.session = ''
        self.extension = '.php'
        self.banner()
    
    def banner(self):
        banner= """
                **************************************************

                **********Directory Finder Tool by Jason Wong*****     

                **************************************************

              
        """
        print(banner)

    def get_params(self):
        parser = optparse.OptionParser('Usage:  <Program>   -t target url -f wordlist')
        parser.add_option('-t', '--target', dest='target', type='string', help='Specify target url')
        parser.add_option('-f', '--filename', dest='filename', type='string', help='Specify wordlist')
        options, args = parser.parse_args()
        if options.target is None or options.filename is None:
            print(parser.usage)
            sys.exit()
        if not os.path.exists(options.filename):
            print('[-] The file does not exist')
            sys.exit(0)

        return options.target, options.filename
    
    def preprocess_url(self, url):    #判断用户输入的URL的前缀以及后缀，并进行处理使其格式化，方便后续的流程
        if url.startswith('http://'):
            return url
        elif url.startswith('https://'):
            return url
        else:
            return 'http://'+url
    
    def suffix_url(self,url):
        if url.endswith('/'):
            return url
        else:
            return url+'/'
    
    def check_web_status(self):    #对初始URL进行访问，看目标网站是否存在，如果否，那么表明无需继续进行后续的枚举
        try:
            response = requests.get(self.target)
            if response.status_code == 200:
                return True
            else:
                return False
        except:
            return False

    def login(self):
        try:
            login_url = self.target+'login.php'               #利用Session，一旦输入用户名与密码成功登陆，那么该Session将用来后面目录的枚举
            self.session = requests.Session()
            post_data = {
            "username": "admin",
            "password": "password",
            "Login": "Login"
            }
            response = self.session.post(url=login_url, data=post_data).text
          
            if 'You have logged' in response:
                return True
            return False
        except Exception as e:
            print(e)
            sys.exit(0)

    
    def request_verify(self,url):
        try:
            response = self.session.get(url=url)
            if response.status_code == 200:
                print(url)
        except:
            pass

    
    def run(self):
        if not self.check_web_status():
            print("No web service is running over the target: %s" % self.target)
            sys.exit()
        
        if self.login():
        
            with open(self.filename, 'r') as f:
                
                while True:
                    line = f.readline()
                    if not line:
                        break
                    if line.startswith('#'):   #有些字典文件的前面部分是文件的注释，那么需要对是否为注释进行判断
                        continue

                    if line.strip() == 'logout':   #如果是logout就不要去发起请求，否则会话结束
                        continue

                    if line.strip() == 'setup':
                        continue

                    url = self.target + line.strip() +  self.extension
                    t = threading.Thread(target=self.request_verify, args=(url, ))
                    t.start()
        else:
            print("[-] Failed to authenticate")

if __name__ == '__main__':
    directoryfinder = DirectoryFinder()
    directoryfinder.run()