Added support for reading a list of URLs to scan from a file by using @-syntax (see docs)

bitquark · thezakman · bitquark · commit 2ba744fe4bfb · 2024-11-25T00:23:54.000Z
Co-authored-by: TheZakMan &lt;TheZakMan@ctf-br.org&gt;
diff --git a/README.md b/README.md
@@ -37,6 +37,12 @@ Shortscan is easy to use with minimal configuration. Basic usage looks like:
 $ shortscan http://example.org/
 ```
 
+You can also specify a file containing a list of URLs to be scanned:
+
+```
+$ shortscan @urls.txt
+```
+
 ### Examples
 
 This example sets multiple custom headers by using `--header`/`-H` multiple times:
@@ -54,11 +60,11 @@ shortscan --isvuln
 The following options allow further tweaks:
 
 ```
-Shortscan v0.7 · an IIS short filename enumeration tool by bitquark
-Usage: shortscan [--wordlist FILE] [--header HEADER] [--concurrency CONCURRENCY] [--timeout SECONDS] [--output type] [--verbosity VERBOSITY] [--fullurl] [--stabilise] [--patience LEVEL] [--characters CHARACTERS] [--autocomplete mode] [--isvuln] URL
+🌀 Shortscan v0.9.2 · an IIS short filename enumeration tool by bitquark
+Usage: main [--wordlist FILE] [--header HEADER] [--concurrency CONCURRENCY] [--timeout SECONDS] [--output format] [--verbosity VERBOSITY] [--fullurl] [--norecurse] [--stabilise] [--patience LEVEL] [--characters CHARACTERS] [--autocomplete mode] [--isvuln] URL [URL ...]
 
 Positional arguments:
-  URL                    url to scan
+  URL                    url to scan (multiple URLs can be provided; a file containing URLs can be specified with an «at» prefix, for example: @urls.txt)
 
 Options:
   --wordlist FILE, -w FILE
@@ -69,11 +75,12 @@ Options:
                          number of requests to make at once [default: 20]
   --timeout SECONDS, -t SECONDS
                          per-request timeout in seconds [default: 10]
-  --output type, -o type
+  --output format, -o format
                          output format (human = human readable; json = JSON) [default: human]
   --verbosity VERBOSITY, -v VERBOSITY
                          how much noise to make (0 = quiet; 1 = debug; 2 = trace) [default: 0]
   --fullurl, -F          display the full URL for confirmed files rather than just the filename [default: false]
+  --norecurse, -n        don't detect and recurse into subdirectories (disabled when autocomplete is disabled) [default: false]
   --stabilise, -s        attempt to get coherent autocomplete results from an unstable server (generates more requests) [default: false]
   --patience LEVEL, -p LEVEL
                          patience level when determining vulnerability (0 = patient; 1 = very patient) [default: 0]
diff --git a/pkg/shortscan/shortscan.go b/pkg/shortscan/shortscan.go
@@ -109,7 +109,7 @@ type statsOutput struct {
 }
 
 // Version, rainbow table magic, default character set
-const version = "0.9.1"
+const version = "0.9.2"
 const rainbowMagic = "#SHORTSCAN#"
 const alphanum = "JFKGOTMYVHSPCANDXLRWEBQUIZ8549176320"
 
@@ -138,7 +138,7 @@ var checksumRegex *regexp.Regexp
 
 // Command-line arguments and help
 type arguments struct {
-	Urls         []string `arg:"positional,required" help:"url to scan (multiple URLs can be specified)" placeholder:"URL"`
+	Urls         []string `arg:"positional,required" help:"url to scan (multiple URLs can be provided; a file containing URLs can be specified with an «at» prefix, for example: @urls.txt)" placeholder:"URL"`
 	Wordlist     string   `arg:"-w" help:"combined wordlist + rainbow table generated with shortutil" placeholder:"FILE"`
 	Headers      []string `arg:"--header,-H,separate" help:"header to send with each request (use multiple times for multiple headers)"`
 	Concurrency  int      `arg:"-c" help:"number of requests to make at once" default:"20"`
@@ -1047,6 +1047,41 @@ func Run() {
 		p.Fail("output must be one of: human, json")
 	}
 
+	// Build the list of URLs to scan
+	var urls []string
+	for _, url := range args.Urls {
+
+		// If this is a filename rather than a URL
+		if strings.HasPrefix(url, "@") {
+
+			// Open the file
+			path := strings.TrimPrefix(url, "@")
+			fh, err := os.Open(path)
+			if err != nil {
+				log.WithFields(log.Fields{"path": path, "err": err}).Fatal("Unable to open URL list file")
+			}
+			defer fh.Close()
+
+			// Add each line to the URL list
+			sc := bufio.NewScanner(fh)
+			for sc.Scan() {
+				urls = append(urls, sc.Text())
+			}
+
+			// Check for file read errors
+			if err := sc.Err(); err != nil {
+				log.WithFields(log.Fields{"path": path, "err": err}).Fatal("Error reading URL list file")
+			}
+
+		} else {
+
+			// This is a plain URL, add it to the list
+			urls = append(urls, url)
+
+		}
+
+	}
+
 	// Say hello
 	printHuman(getBanner())
 
@@ -1160,6 +1195,6 @@ func Run() {
 	}
 
 	// Let's go!
-	Scan(args.Urls, hc, st, wc, mk)
+	Scan(urls, hc, st, wc, mk)
 
 }
