@soulofzephir/pi-skill-pentesting 1.0.0 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -2
- package/skills/pentesting/SKILL.md +189 -224
- package/skills/pentesting/checklists/cors.md +183 -0
- package/skills/pentesting/checklists/exposed-files.md +311 -0
- package/skills/pentesting/checklists/graphql.md +375 -0
- package/skills/pentesting/checklists/jwt.md +225 -0
- package/skills/pentesting/tools/exposed-files-scan.ps1 +333 -0
- package/skills/pentesting/tools/exposed-files-scan.sh +291 -0
- package/skills/pentesting/tools/full-scan.ps1 +508 -0
- package/skills/pentesting/tools/full-scan.sh +454 -0
- package/skills/pentesting/tools/test-skill.ps1 +291 -0
- package/skills/pentesting/tools/test-skill.sh +345 -0
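--- a/package/skills/pentesting/tools/exposed-files-scan.ps1
+++ b/package/skills/pentesting/tools/exposed-files-scan.ps1
@@ -0,0 +1,333 @@
+# Exposed Files Scanner v1.0
+# Detects dangerous exposed files and directories
+
+param(
+[Parameter(Mandatory=$false)]
+[string]$Target = "",
+
+[Parameter(Mandatory=$false)]
+[string]$OutputDir = "site"
+)
+
+$ErrorActionPreference = "Continue"
+
+# Get current date
+$Date = Get-Date -Format "yyyy-MM-dd"
+
+# Parse target URL
+if ($Target -match "https?://") {
+$Uri = [System.Uri]$Target
+$Domain = $Uri.Host
+$Scheme = $Uri.Scheme
+} else {
+$Domain = $Target
+$Target = "https://$Target"
+}
+
+# Create output filename
+$OutputFile = "$OutputDir/$Domain-exposed-$Date.md"
+
+# ═══════════════════════════════════════════════════════════
+# COMMON EXPOSED PATHS
+# ═══════════════════════════════════════════════════════════
+
+$ExposedPaths = @(
+# Configuration Files
+@{ Path = "/.env"; Risk = "CRITICAL"; Desc = "Environment variables - may contain secrets" },
+@{ Path = "/.env.local"; Risk = "CRITICAL"; Desc = "Local environment - secrets" },
+@{ Path = "/.env.production"; Risk = "CRITICAL"; Desc = "Production environment" },
+@{ Path = "/.git/config"; Risk = "CRITICAL"; Desc = "Git repository config - may expose remote" },
+@{ Path = "/.git/HEAD"; Risk = "HIGH"; Desc = "Git branch information" },
+@{ Path = "/.git/"; Risk = "CRITICAL"; Desc = "Full .git directory exposed" },
+@{ Path = "/wp-config.php"; Risk = "CRITICAL"; Desc = "WordPress config - DB + keys" },
+@{ Path = "/config.php"; Risk = "CRITICAL"; Desc = "PHP configuration" },
+@{ Path = "/settings.py"; Risk = "CRITICAL"; Desc = "Django/Python settings" },
+@{ Path = "/config.js"; Risk = "HIGH"; Desc = "Node.js configuration" },
+@{ Path = "/application.properties"; Risk = "CRITICAL"; Desc = "Java Spring config" },
+@{ Path = "/.htaccess"; Risk = "MEDIUM"; Desc = "Apache config" },
+@{ Path = "/.htpasswd"; Risk = "CRITICAL"; Desc = "HTTP Basic Auth hashes" },
+
+# Backup Files
+@{ Path = "/backup.zip"; Risk = "CRITICAL"; Desc = "Compressed backup" },
+@{ Path = "/backups.zip"; Risk = "CRITICAL"; Desc = "Compressed backup" },
+@{ Path = "/database.zip"; Risk = "CRITICAL"; Desc = "Database backup" },
+@{ Path = "/db.zip"; Risk = "CRITICAL"; Desc = "Database backup" },
+@{ Path = "/database.sql"; Risk = "CRITICAL"; Desc = "Database dump" },
+@{ Path = "/db.sql"; Risk = "CRITICAL"; Desc = "Database dump" },
+@{ Path = "/dump.sql"; Risk = "CRITICAL"; Desc = "Database dump" },
+@{ Path = "/backup.sql"; Risk = "CRITICAL"; Desc = "Database backup" },
+@{ Path = "/site.tar.gz"; Risk = "CRITICAL"; Desc = "Full site backup" },
+@{ Path = "/backup.tar.gz"; Risk = "CRITICAL"; Desc = "Full backup archive" },
+@{ Path = "/www.zip"; Risk = "CRITICAL"; Desc = "Web root backup" },
+@{ Path = "/backup/"; Risk = "HIGH"; Desc = "Backup directory" },
+@{ Path = "/backups/"; Risk = "HIGH"; Desc = "Backups directory" },
+@{ Path = "/db/"; Risk = "HIGH"; Desc = "Database directory" },
+@{ Path = "/*.bak"; Risk = "HIGH"; Desc = "Backup files" },
+@{ Path = "/*.backup"; Risk = "HIGH"; Desc = "Backup files" },
+@{ Path = "/old/"; Risk = "MEDIUM"; Desc = "Old files directory" },
+@{ Path = "/tmp/"; Risk = "MEDIUM"; Desc = "Temporary files" },
+
+# Admin & Debug Panels
+@{ Path = "/admin/"; Risk = "HIGH"; Desc = "Admin panel" },
+@{ Path = "/wp-admin/"; Risk = "HIGH"; Desc = "WordPress admin" },
+@{ Path = "/administrator/"; Risk = "HIGH"; Desc = "Administrator panel" },
+@{ Path = "/manage/"; Risk = "MEDIUM"; Desc = "Management panel" },
+@{ Path = "/phpmyadmin/"; Risk = "CRITICAL"; Desc = "Database UI - major exposure" },
+@{ Path = "/pma/"; Risk = "CRITICAL"; Desc = "phpMyAdmin alias" },
+@{ Path = "/mysql/"; Risk = "CRITICAL"; Desc = "MySQL admin" },
+@{ Path = "/debug/"; Risk = "CRITICAL"; Desc = "Debug mode enabled" },
+@{ Path = "/api/debug/"; Risk = "CRITICAL"; Desc = "API debug endpoint" },
+@{ Path = "/console/"; Risk = "HIGH"; Desc = "Debug console" },
+@{ Path = "/debug.php"; Risk = "CRITICAL"; Desc = "Debug script" },
+@{ Path = "/test.php"; Risk = "HIGH"; Desc = "Test script" },
+@{ Path = "/info.php"; Risk = "HIGH"; Desc = "PHP info exposure" },
+@{ Path = "/phpinfo.php"; Risk = "HIGH"; Desc = "PHP info exposure" },
+
+# Spring Boot Actuator
+@{ Path = "/actuator/"; Risk = "HIGH"; Desc = "Spring Boot actuator" },
+@{ Path = "/actuator/env"; Risk = "CRITICAL"; Desc = "Environment variables" },
+@{ Path = "/actuator/heapdump"; Risk = "CRITICAL"; Desc = "Heap dump - contains secrets" },
+@{ Path = "/actuator/threaddump"; Risk = "HIGH"; Desc = "Thread information" },
+@{ Path = "/actuator/metrics"; Risk = "MEDIUM"; Desc = "Application metrics" },
+@{ Path = "/actuator/configprops"; Risk = "CRITICAL"; Desc = "Configuration properties" },
+@{ Path = "/health"; Risk = "MEDIUM"; Desc = "Health check endpoint" },
+
+# API Documentation
+@{ Path = "/swagger/"; Risk = "MEDIUM"; Desc = "Swagger UI" },
+@{ Path = "/swagger-ui/"; Risk = "MEDIUM"; Desc = "Swagger documentation" },
+@{ Path = "/swagger-ui.html"; Risk = "MEDIUM"; Desc = "Swagger HTML" },
+@{ Path = "/api-docs/"; Risk = "MEDIUM"; Desc = "API documentation" },
+@{ Path = "/v2/api-docs/"; Risk = "MEDIUM"; Desc = "OpenAPI v2" },
+@{ Path = "/v3/api-docs/"; Risk = "MEDIUM"; Desc = "OpenAPI v3" },
+@{ Path = "/graphiql/"; Risk = "HIGH"; Desc = "GraphQL IDE" },
+@{ Path = "/graphql"; Risk = "MEDIUM"; Desc = "GraphQL endpoint" },
+@{ Path = "/api/"; Risk = "LOW"; Desc = "API base path" },
+@{ Path = "/api/v1/"; Risk = "LOW"; Desc = "API v1" },
+
+# Log Files
+@{ Path = "/logs/"; Risk = "HIGH"; Desc = "Log directory" },
+@{ Path = "/error.log"; Risk = "HIGH"; Desc = "Error log" },
+@{ Path = "/access.log"; Risk = "HIGH"; Desc = "Access log" },
+@{ Path = "/debug.log"; Risk = "HIGH"; Desc = "Debug log" },
+@{ Path = "/application.log"; Risk = "HIGH"; Desc = "Application log" },
+@{ Path = "/console.log"; Risk = "MEDIUM"; Desc = "Console log" },
+
+# Information Disclosure
+@{ Path = "/robots.txt"; Risk = "LOW"; Desc = "Reveals hidden paths" },
+@{ Path = "/sitemap.xml"; Risk = "LOW"; Desc = "Site structure" },
+@{ Path = "/security.txt"; Risk = "LOW"; Desc = "Security contact" },
+@{ Path = "/humans.txt"; Risk = "LOW"; Desc = "Developer information" },
+@{ Path = "/crossdomain.xml"; Risk = "LOW"; Desc = "Flash policy" },
+@{ Path = "/.well-known/security.txt"; Risk = "LOW"; Desc = "Security policy" }
+)
+
+# ═══════════════════════════════════════════════════════════
+# SCAN FUNCTION
+# ═══════════════════════════════════════════════════════════
+
+Write-Host ""
+Write-Host "╔═══════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║ 🔍 Exposed Files Scanner v1.0 ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+Write-Host "Target: $Target" -ForegroundColor White
+Write-Host ""
+
+$FoundIssues = @()
+$Scanned = 0
+
+foreach ($item in $ExposedPaths) {
+$Scanned++
+$Progress = [math]::Round(($Scanned / $ExposedPaths.Count) * 100)
+Write-Progress -Activity "Scanning exposed files..." -Status "$Progress% complete" -PercentComplete $Progress
+
+$URL = "$Target$($item.Path)"
+
+try {
+$Response = Invoke-WebRequest -Uri $URL -Method Head -TimeoutSec 5 -ErrorAction SilentlyContinue
+
+if ($Response.StatusCode -ne 404 -and $Response.StatusCode -ne 403) {
+$ContentType = $Response.Headers["Content-Type"] -join ", "
+
+$Finding = [PSCustomObject]@{
+Path = $item.Path
+StatusCode = $Response.StatusCode
+Risk = $item.Risk
+Description = $item.Desc
+ContentType = $ContentType
+}
+$FoundIssues += $Finding
+
+$Color = switch ($item.Risk) {
+"CRITICAL" { "Red" }
+"HIGH" { "Yellow" }
+"MEDIUM" { "Cyan" }
+"LOW" { "Gray" }
+}
+
+Write-Host "⚠️ FOUND [$($item.Risk)]: $($item.Path)" -ForegroundColor $Color
+Write-Host " Status: $($Response.StatusCode) | Type: $($ContentType.Substring(0, [Math]::Min(50, $ContentType.Length)))" -ForegroundColor Gray
+}
+} catch {
+# Connection error or timeout - not found
+}
+}
+
+Write-Progress -Activity "Scanning" -Completed
+
+# ═══════════════════════════════════════════════════════════
+# SUMMARY
+# ═══════════════════════════════════════════════════════════
+
+Write-Host ""
+Write-Host "═══════════════════════════════════════════════════" -ForegroundColor Cyan
+Write-Host "📊 SCAN SUMMARY" -ForegroundColor Cyan
+Write-Host "═══════════════════════════════════════════════════" -ForegroundColor Cyan
+Write-Host ""
+
+$CriticalCount = ($FoundIssues | Where-Object { $_.Risk -eq "CRITICAL" }).Count
+$HighCount = ($FoundIssues | Where-Object { $_.Risk -eq "HIGH" }).Count
+$MediumCount = ($FoundIssues | Where-Object { $_.Risk -eq "MEDIUM" }).Count
+$LowCount = ($FoundIssues | Where-Object { $_.Risk -eq "LOW" }).Count
+
+Write-Host "Files Scanned: $Scanned" -ForegroundColor White
+Write-Host "Issues Found: $($FoundIssues.Count)" -ForegroundColor Yellow
+Write-Host ""
+Write-Host "🔴 CRITICAL: $CriticalCount" -ForegroundColor Red
+Write-Host "🟠 HIGH: $HighCount" -ForegroundColor Yellow
+Write-Host "🟡 MEDIUM: $MediumCount" -ForegroundColor Cyan
+Write-Host "🟢 LOW: $LowCount" -ForegroundColor Gray
+
+# ═══════════════════════════════════════════════════════════
+# GENERATE REPORT
+# ═══════════════════════════════════════════════════════════
+
+if (-not (Test-Path $OutputDir)) {
+New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
+}
+
+$Report = @"
+# 🔍 Exposed Files Report
+
+**Target:** $Target
+**Date:** $Date
+**Scanner:** Exposed Files Scanner v1.0
+
+---
+
+## 📋 Summary
+
+| Metric | Value |
+|--------|-------|
+| Files Scanned | $Scanned |
+| Issues Found | $($FoundIssues.Count) |
+| 🔴 CRITICAL | $CriticalCount |
+| 🟠 HIGH | $HighCount |
+| 🟡 MEDIUM | $MediumCount |
+| 🟢 LOW | $LowCount |
+
+---
+
+## 🚨 Critical Issues
+
+$(if ($CriticalCount -gt 0) {
+$FoundIssues | Where-Object { $_.Risk -eq "CRITICAL" } | ForEach-Object {
+@"
+### Found: $($_.Path)
+
+| Field | Value |
+|-------|-------|
+| Status Code | $($_.StatusCode) |
+| Risk Level | 🔴 $($_.Risk) |
+| Content Type | $($_.ContentType) |
+
+**Description:** $($_.Description)
+
+**Recommendation:** Immediate action required. Remove or restrict access.
+
+---
+"@
+}
+} else {
+"✅ No critical issues found"
+})
+
+## 🟠 High Risk Issues
+
+$(if ($HighCount -gt 0) {
+$FoundIssues | Where-Object { $_.Risk -eq "HIGH" } | ForEach-Object {
+@"
+- **$($_.Path)** - $($_.Description) (HTTP $($_.StatusCode))
+"@
+}
+} else {
+"✅ No high-risk issues found"
+})
+
+## 🟡 Medium Risk Issues
+
+$(if ($MediumCount -gt 0) {
+$FoundIssues | Where-Object { $_.Risk -eq "MEDIUM" } | ForEach-Object {
+@"
+- **$($_.Path)** - $($_.Description) (HTTP $($_.StatusCode))
+"@
+}
+} else {
+"✅ No medium-risk issues found"
+})
+
+## 🟢 Low Risk Issues
+
+$(if ($LowCount -gt 0) {
+$FoundIssues | Where-Object { $_.Risk -eq "LOW" } | ForEach-Object {
+@"
+- **$($_.Path)** - $($_.Description) (HTTP $($_.StatusCode))
+"@
+}
+} else {
+"✅ No low-risk issues found"
+})
+
+---
+
+## 📝 All Findings
+
+| Path | Status | Risk | Description |
+|------|--------|------|-------------|
+$(foreach ($issue in $FoundIssues) {
+"| $($issue.Path) | $($issue.StatusCode) | $($issue.Risk) | $($issue.Description) |"
+})
+
+---
+
+## 🛡️ Remediation Checklist
+
+- [ ] Block .env files in web server config
+- [ ] Disable .git directory listing
+- [ ] Remove backup files from web root
+- [ ] Protect admin panels with IP restriction
+- [ ] Disable debug mode in production
+- [ ] Secure Spring Boot actuator endpoints
+- [ ] Add authentication to API documentation
+- [ ] Disable directory listing
+- [ ] Remove test/debug files
+
+---
+
+**Report Generated:** $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")
+"@
+
+# Save report
+$Report | Out-File -FilePath $OutputFile -Encoding UTF8
+
+Write-Host ""
+Write-Host "═══════════════════════════════════════════════════" -ForegroundColor Cyan
+Write-Host "✅ Scan Complete!" -ForegroundColor Green
+Write-Host "═══════════════════════════════════════════════════" -ForegroundColor Cyan
+Write-Host ""
+Write-Host "📄 Report: $OutputFile" -ForegroundColor White
+Write-Host ""
+
+if ($CriticalCount -gt 0) {
+Write-Host "⚠️ IMMEDIATE ACTION REQUIRED for critical findings!" -ForegroundColor Red
+}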
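Review bot: The test `if ($Response.StatusCode -ne 404 -and $Response.StatusCode -ne 403)` counts every other outcome as a confirmed exposure at the entry's preset severity, and because `Invoke-WebRequest` follows redirects by default, a site that answers unknown paths with a redirect to `/` or a custom 200 "not found" page will light up all ~85 entries as CRITICAL/HIGH and the report will demand "Immediate action" for each. Nothing establishes a baseline for a path that cannot exist, `-MaximumRedirection 0` is not set, and HEAD is the only method tried, so a server that answers HEAD with 405 is also recorded as a finding; `/*.bak` and `/*.backup` are sent as literal URLs that no server expands, so they only ever measure that soft-404 behaviour. Note too that on Windows PowerShell a 4xx normally surfaces as a terminating error rather than a response object, so the `-ne 404` test is rarely what suppresses it; if the cmdlet instead returns `$null` (plausible with `-ErrorAction SilentlyContinue`), `$null -ne 404` is true and a finding with an empty status is recorded. The sketch below adds a baseline probe, stops following redirects, reads the status from the exception in `catch`, and only reports a 2xx that differs from the baseline (if the baseline itself is 2xx, a body-size comparison is still needed).

```powershell
# Baseline: status the server returns for a path that cannot exist. A catch-all
# redirect or a 200 "not found" page would otherwise flag every probe below.
$Base = $Target.TrimEnd('/')
$BaselineStatus = 0
try {
    $BaselineStatus = (Invoke-WebRequest -Uri "$Base/$([guid]::NewGuid().ToString('N'))" -Method Head -TimeoutSec 5 -MaximumRedirection 0).StatusCode
} catch {
    $BaselineStatus = [int]$_.Exception.Response.StatusCode   # 0 on timeout / connect failure
}

# … unchanged: banner, $FoundIssues, $Scanned …

foreach ($item in $ExposedPaths) {
    # … unchanged: progress …
    $URL = "$Base$($item.Path)"
    $Response = $null
    $Status = 0
    try {
        $Response = Invoke-WebRequest -Uri $URL -Method Head -TimeoutSec 5 -MaximumRedirection 0
        $Status = $Response.StatusCode
    } catch {
        $Response = $_.Exception.Response
        $Status = [int]$Response.StatusCode
    }
    # A readable file is a 2xx that differs from the not-found baseline;
    # redirects, 401/405 and 5xx are noise for this check.
    if ($Status -ge 200 -and $Status -lt 300 -and $Status -ne $BaselineStatus) {
        # … unchanged: $ContentType, $Finding, colour, Write-Host …
    }
}
```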
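--- a/package/skills/pentesting/tools/exposed-files-scan.sh
+++ b/package/skills/pentesting/tools/exposed-files-scan.sh
@@ -0,0 +1,291 @@
+#!/bin/bash
+# Exposed Files Scanner v1.0
+# Usage: ./exposed-files-scan.sh https://target.com
+
+TARGET=${1:-https://example.com}
+DATE=$(date +%Y-%m-%d)
+
+echo "========================================"
+echo "🔍 Exposed Files Scanner"
+echo "Target: $TARGET"
+echo "Date: $DATE"
+echo "========================================"
+echo ""
+
+# Parse domain from URL
+DOMAIN=$(echo "$TARGET" | sed -E 's|https?://||' | cut -d'/' -f1)
+
+# Output file
+OUTPUT="site/${DOMAIN}-exposed-${DATE}.md"
+mkdir -p site
+
+# Counters
+CRITICAL=0
+HIGH=0
+MEDIUM=0
+LOW=0
+FOUND_COUNT=0
+
+# Color codes
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+# ═══════════════════════════════════════════════════════════
+# EXPOSED PATHS TO CHECK
+# ═══════════════════════════════════════════════════════════
+
+check_path() {
+local PATH=$1
+local RISK=$2
+local DESC=$3
+
+STATUS=$(curl -s -o /dev/null -w "%{http_code}" "${TARGET}${PATH}" --max-time 5)
+
+if [ "$STATUS" != "404" ] && [ "$STATUS" != "000" ] && [ "$STATUS" != "403" ]; then
+FOUND_COUNT=$((FOUND_COUNT + 1))
+
+case $RISK in
+"CRITICAL")
+CRITICAL=$((CRITICAL + 1))
+echo -e "${RED}⚠️ FOUND [CRITICAL]: ${PATH}${NC}"
+echo " Status: $STATUS | $DESC"
+echo "$PATH|$STATUS|CRITICAL|$DESC" >> /tmp/found_issues.tmp
+;;
+"HIGH")
+HIGH=$((HIGH + 1))
+echo -e "${YELLOW}⚠️ FOUND [HIGH]: ${PATH}${NC}"
+echo " Status: $STATUS | $DESC"
+echo "$PATH|$STATUS|HIGH|$DESC" >> /tmp/found_issues.tmp
+;;
+"MEDIUM")
+MEDIUM=$((MEDIUM + 1))
+echo -e "${CYAN}⚠️ FOUND [MEDIUM]: ${PATH}${NC}"
+echo " Status: $STATUS | $DESC"
+echo "$PATH|$STATUS|MEDIUM|$DESC" >> /tmp/found_issues.tmp
+;;
+"LOW")
+LOW=$((LOW + 1))
+echo -e "${NC}ℹ️ FOUND [LOW]: ${PATH}"
+echo " Status: $STATUS | $DESC"
+echo "$PATH|$STATUS|LOW|$DESC" >> /tmp/found_issues.tmp
+;;
+esac
+fi
+}
+
+echo "Scanning for exposed files..."
+echo ""
+
+# Configuration Files
+check_path "/.env" "CRITICAL" "Environment variables with secrets"
+check_path "/.env.local" "CRITICAL" "Local environment variables"
+check_path "/.env.production" "CRITICAL" "Production environment"
+check_path "/.git/config" "CRITICAL" "Git repository config"
+check_path "/.git/HEAD" "HIGH" "Git branch info"
+check_path "/.git/" "CRITICAL" "Full .git directory"
+check_path "/wp-config.php" "CRITICAL" "WordPress config - DB + keys"
+check_path "/config.php" "CRITICAL" "PHP configuration"
+check_path "/settings.py" "CRITICAL" "Django/Python settings"
+check_path "/config.js" "HIGH" "Node.js configuration"
+check_path "/application.properties" "CRITICAL" "Java Spring config"
+check_path "/.htaccess" "MEDIUM" "Apache config"
+check_path "/.htpasswd" "CRITICAL" "HTTP Basic Auth hashes"
+
+# Backup Files
+check_path "/backup.zip" "CRITICAL" "Compressed backup"
+check_path "/backups.zip" "CRITICAL" "Compressed backup"
+check_path "/database.zip" "CRITICAL" "Database backup"
+check_path "/database.sql" "CRITICAL" "Database dump"
+check_path "/db.sql" "CRITICAL" "Database dump"
+check_path "/dump.sql" "CRITICAL" "Database dump"
+check_path "/site.tar.gz" "CRITICAL" "Full site backup"
+check_path "/www.zip" "CRITICAL" "Web root backup"
+check_path "/backup.tar.gz" "CRITICAL" "Backup archive"
+check_path "/backup/" "HIGH" "Backup directory"
+check_path "/backups/" "HIGH" "Backups directory"
+
+# Admin & Debug Panels
+check_path "/admin/" "HIGH" "Admin panel"
+check_path "/wp-admin/" "HIGH" "WordPress admin"
+check_path "/administrator/" "HIGH" "Administrator panel"
+check_path "/phpmyadmin/" "CRITICAL" "Database UI"
+check_path "/pma/" "CRITICAL" "phpMyAdmin alias"
+check_path "/debug/" "CRITICAL" "Debug mode enabled"
+check_path "/api/debug/" "CRITICAL" "API debug endpoint"
+check_path "/console/" "HIGH" "Debug console"
+check_path "/debug.php" "CRITICAL" "Debug script"
+check_path "/test.php" "HIGH" "Test script"
+check_path "/info.php" "HIGH" "PHP info exposure"
+check_path "/phpinfo.php" "HIGH" "PHP info exposure"
+
+# Spring Boot Actuator
+check_path "/actuator/" "HIGH" "Spring Boot actuator"
+check_path "/actuator/env" "CRITICAL" "Environment variables"
+check_path "/actuator/heapdump" "CRITICAL" "Heap dump - secrets"
+check_path "/actuator/threaddump" "HIGH" "Thread information"
+check_path "/actuator/configprops" "CRITICAL" "Configuration properties"
+check_path "/health" "MEDIUM" "Health check"
+
+# API Documentation
+check_path "/swagger/" "MEDIUM" "Swagger UI"
+check_path "/swagger-ui/" "MEDIUM" "Swagger documentation"
+check_path "/swagger-ui.html" "MEDIUM" "Swagger HTML"
+check_path "/api-docs/" "MEDIUM" "API documentation"
+check_path "/v2/api-docs/" "MEDIUM" "OpenAPI v2"
+check_path "/v3/api-docs/" "MEDIUM" "OpenAPI v3"
+check_path "/graphiql/" "HIGH" "GraphQL IDE"
+check_path "/graphql" "MEDIUM" "GraphQL endpoint"
+
+# Log Files
+check_path "/logs/" "HIGH" "Log directory"
+check_path "/error.log" "HIGH" "Error log"
+check_path "/access.log" "HIGH" "Access log"
+check_path "/debug.log" "HIGH" "Debug log"
+check_path "/application.log" "HIGH" "Application log"
+
+# Information Disclosure
+check_path "/robots.txt" "LOW" "Reveals hidden paths"
+check_path "/sitemap.xml" "LOW" "Site structure"
+check_path "/security.txt" "LOW" "Security contact"
+check_path "/humans.txt" "LOW" "Developer information"
+
+# ═══════════════════════════════════════════════════════════
+# SUMMARY
+# ═══════════════════════════════════════════════════════════
+
+echo ""
+echo "========================================"
+echo "📊 SCAN SUMMARY"
+echo "========================================"
+echo ""
+echo "Files Scanned: 50+"
+echo "Issues Found: $FOUND_COUNT"
+echo ""
+echo -e "${RED}🔴 CRITICAL: $CRITICAL${NC}"
+echo -e "${YELLOW}🟠 HIGH: $HIGH${NC}"
+echo -e "${CYAN}🟡 MEDIUM: $MEDIUM${NC}"
+echo -e "${NC}🟢 LOW: $LOW${NC}"
+
+# ═══════════════════════════════════════════════════════════
+# GENERATE REPORT
+# ═══════════════════════════════════════════════════════════
+
+cat > "$OUTPUT" << 'REPORT_EOF'
+# 🔍 Exposed Files Report
+
+**Target:** TARGET_PLACEHOLDER
+**Date:** DATE_PLACEHOLDER
+**Scanner:** Exposed Files Scanner v1.0
+
+---
+
+## 📋 Summary
+
+| Metric | Value |
+|--------|-------|
+| Files Scanned | 50+ |
+| Issues Found | FOUND_COUNT_PLACEHOLDER |
+| 🔴 CRITICAL | CRITICAL_PLACEHOLDER |
+| 🟠 HIGH | HIGH_PLACEHOLDER |
+| 🟡 MEDIUM | MEDIUM_PLACEHOLDER |
+| 🟢 LOW | LOW_PLACEHOLDER |
+
+---
+
+## 🚨 Critical Issues
+
+CRITICAL_ISSUES_PLACEHOLDER
+
+## 🟠 High Risk Issues
+
+HIGH_ISSUES_PLACEHOLDER
+
+## 🟡 Medium Risk Issues
+
+MEDIUM_ISSUES_PLACEHOLDER
+
+## 🟢 Low Risk Issues
+
+LOW_ISSUES_PLACEHOLDER
+
+---
+
+## 📝 All Findings
+
+| Path | Status | Risk | Description |
+|------|--------|------|-------------|
+ALL_FINDINGS_PLACEHOLDER
+
+---
+
+## 🛡️ Remediation Checklist
+
+- [ ] Block .env files in web server config
+- [ ] Disable .git directory listing
+- [ ] Remove backup files from web root
+- [ ] Protect admin panels with IP restriction
+- [ ] Disable debug mode in production
+- [ ] Secure Spring Boot actuator endpoints
+- [ ] Add authentication to API documentation
+- [ ] Disable directory listing
+- [ ] Remove test/debug files
+
+---
+
+**Report Generated:** TIMESTAMP_PLACEHOLDER
+REPORT_EOF
+
+# Replace placeholders
+sed -i "s|TARGET_PLACEHOLDER|$TARGET|g" "$OUTPUT"
+sed -i "s|DATE_PLACEHOLDER|$DATE|g" "$OUTPUT"
+sed -i "s|FOUND_COUNT_PLACEHOLDER|$FOUND_COUNT|g" "$OUTPUT"
+sed -i "s|CRITICAL_PLACEHOLDER|$CRITICAL|g" "$OUTPUT"
+sed -i "s|HIGH_PLACEHOLDER|$HIGH|g" "$OUTPUT"
+sed -i "s|MEDIUM_PLACEHOLDER|$MEDIUM|g" "$OUTPUT"
+sed -i "s|LOW_PLACEHOLDER|$LOW|g" "$OUTPUT"
+sed -i "s|TIMESTAMP_PLACEHOLDER|$(date '+%Y-%m-%d %H:%M:%S')|g" "$OUTPUT"
+
+# Add critical issues
+if [ $CRITICAL -gt 0 ]; then
+sed -i 's|CRITICAL_ISSUES_PLACEHOLDER||g' "$OUTPUT"
+while IFS='|' read -r path status risk desc; do
+if [ "$risk" = "CRITICAL" ]; then
+sed -i "s|CRITICAL_ISSUES_PLACEHOLDER|CRITICAL_ISSUES_PLACEHOLDER\n\n### Found: $path\n\n| Field | Value |\n|-------|-------|\n| Status Code | $status |\n| Risk Level | 🔴 CRITICAL |\n\n**Description:** $desc\n\n**Recommendation:** Immediate action required.|\n|g" "$OUTPUT"
+fi
+done < /tmp/found_issues.tmp
+sed -i 's|CRITICAL_ISSUES_PLACEHOLDER|✅ No critical issues found|g' "$OUTPUT"
+else
+sed -i 's|CRITICAL_ISSUES_PLACEHOLDER|✅ No critical issues found|g' "$OUTPUT"
+fi
+
+# Add all findings
+if [ -f /tmp/found_issues.tmp ]; then
+ALL_FINDINGS=""
+while IFS='|' read -r path status risk desc; do
+ALL_FINDINGS="$ALL_FINDINGS\n| $path | $status | $risk | $desc |"
+done < /tmp/found_issues.tmp
+sed -i "s|ALL_FINDINGS_PLACEHOLDER|$ALL_FINDINGS|g" "$OUTPUT"
+rm /tmp/found_issues.tmp
+else
+sed -i 's|ALL_FINDINGS_PLACEHOLDER||g' "$OUTPUT"
+fi
+
+# Clear remaining placeholders
+sed -i 's|HIGH_ISSUES_PLACEHOLDER|✅ No high-risk issues found|g' "$OUTPUT"
+sed -i 's|MEDIUM_ISSUES_PLACEHOLDER|✅ No medium-risk issues found|g' "$OUTPUT"
+sed -i 's|LOW_ISSUES_PLACEHOLDER|✅ No low-risk issues found|g' "$OUTPUT"
+
+echo ""
+echo "========================================"
+echo "✅ Scan Complete!"
+echo "========================================"
+echo ""
+echo "📄 Report: $OUTPUT"
+echo ""
+
+if [ $CRITICAL -gt 0 ]; then
+echo -e "${RED}⚠️ IMMEDIATE ACTION REQUIRED for critical findings!${NC}"
+fi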
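Review bot: `local PATH=$1` in `check_path` replaces the shell's command search path with the probe path, so the `curl` on the next statement cannot be found, `STATUS` comes back empty, and the empty string passes all three `!=` tests — every probed path is reported as FOUND with a blank status. Rename that variable, and move the findings scratch file off the fixed, append-only `/tmp/found_issues.tmp`: it survives between runs (findings from a previous target leak into the next report) and a predictable name in a shared /tmp is the classic symlink target; `mktemp` plus an EXIT trap fixes both. The report assembly also looks broken on inspection: `sed -i 's|CRITICAL_ISSUES_PLACEHOLDER||g'` deletes the placeholder before the loop that tries to insert after it, the long replacement in that loop ends in `|\n|g`, which leaves `\n|g` as the s-command flags, and `ALL_FINDINGS` is a markdown table whose `|` cells are the sed delimiter, so GNU sed will most likely reject both commands, while the High/Medium/Low sections are unconditionally set to "No … issues found" regardless of the counters. Writing the report with printf/heredocs from the findings file instead of sed placeholders would remove all of that (and the GNU-only `sed -i`).

```bash
# Findings go to a private temp file, removed on exit — never a fixed /tmp name.
ISSUES=$(mktemp) || exit 1
trap 'rm -f -- "$ISSUES"' EXIT

check_path() {
  local url_path=$1 risk=$2 desc=$3   # not PATH: that shadows the lookup path curl needs
  local status
  status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 -- "${TARGET}${url_path}")
  # … unchanged: status test and per-risk counters/echo, with ${PATH} → ${url_path}
  #   and /tmp/found_issues.tmp → "$ISSUES" …
}
```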