Enhanced shortscan with custom features

- Fixed merge conflict between PR bitquark#23 and PR bitquark#16
- Added case-insensitive matching for bin::$INDEX_ALLOCATION
- Changed session identifier from (S(x)) to (S(d)) for WAF evasion
- Implemented -R flag for relaxed match mode (tentative matches)
  * Useful for Jakarta/CFM files loaded via 8.3 filenames
  * Tentative matches shown in yellow with [tentative] label
  * JSON output includes 'tentative' field
- Updated README with custom enhancements documentation
- Added usage examples for new features
- Code formatting improvements (gofmt)

Author: irsdl

README.md

@@ -2,6 +2,54 @@
 
 An IIS short filename enumeration tool.
 
+## 🔧 Custom Fork Information
+
+**Fork Status**: Enhanced local version with upstream PRs applied
+**Cloned Date**: October 21, 2025
+**Upstream Repository**: [bitquark/shortscan](https://github.com/bitquark/shortscan)
+**Fork Repository**: [irsdl/shortscan](https://github.com/irsdl/shortscan)
+
+### Applied Upstream Pull Requests
+
+This fork includes the following upstream PRs that have not yet been merged into the main repository:
+
+| PR # | Status | Title | Author | Description |
+|------|--------|-------|--------|-------------|
+| [#16](https://github.com/bitquark/shortscan/pull/16) | ✅ Applied | Added support for detecting Source Code Disclosure while autocomplete | ke0ge | Adds `replaceBinALLOCATION()` function to handle `bin::$INDEX_ALLOCATION` paths for downloading .DLL files. Use `--autocomplete method` to avoid timeout issues with large DLL files. |
+| [#23](https://github.com/bitquark/shortscan/pull/23) | ✅ Applied | Implemented rate limit for shortscan cmd | soerlemans | Adds `-r` flag for rate limiting (supports fractional values like `-r 0.2` for 1 request every 5 seconds). Includes `delayRequest()` function to prevent overwhelming targets during bug bounty testing. |
+| [#24](https://github.com/bitquark/shortscan/pull/24) | ✅ Applied | Updated error handling on inaccessible servers | sp0ilerr | Improves error handling to continue execution when a server is inaccessible, allowing batch scans to proceed even when encountering unreachable servers. |
+
+### Custom Enhancements
+
+Additional features implemented in this fork:
+
+| Feature | Description |
+|---------|-------------|
+| Relaxed Match Mode (`-R`) | Enables detection of tentative matches where the final status matches the negative marker. Useful for Jakarta/CFM files that can be loaded via their 8.3 short filenames. Tentative matches are marked with yellow color in human output and `"tentative": true` in JSON output. |
+| Case-insensitive `INDEX_ALLOCATION` | The `replaceBinALLOCATION()` function now uses case-insensitive matching for `bin::$INDEX_ALLOCATION` paths. |
+| WAF Evasion | Changed session identifier from `(S(x))` to `(S(d))` to avoid detection by sensitive WAFs. |
+
+### Integration Notes
+
+- All three PRs have been successfully merged on the `merge-upstream-prs` branch
+- Merge conflict between PR #23 and PR #16 in `shortscan.go` has been resolved (both `delayRequest()` and `replaceBinALLOCATION()` functions coexist)
+- The `main` branch is kept in sync with `upstream/main` for easier future updates
+
+### Future Upstream Synchronization
+
+When updating from upstream in the future:
+
+1. **If these PRs are merged upstream**: Simply fetch and merge from upstream/main - no conflicts expected
+2. **If these PRs remain unmerged**: Reapply them after syncing with upstream/main
+3. **If upstream changes conflict with these PRs**: Manual conflict resolution will be needed
+
+To check upstream PR status before syncing:
+```bash
+# Check if PRs are still open
+git fetch upstream
+# Visit https://github.com/bitquark/shortscan/pulls to verify PR status
+```
+
 ## Functionality
 
 Shortscan is designed to quickly determine which files with short filenames exist on an IIS webserver. Once a short filename has been identified the tool will try to automatically identify the full filename.
@@ -55,6 +103,23 @@ To check whether a site is vulnerable without performing file enumeration use:
 shortscan --isvuln
 ```
 
+To limit the request rate (useful for bug bounty testing to avoid overwhelming targets):
+```
+shortscan -r 2.5 http://example.org/   # 2.5 requests per second
+shortscan -r 0.2 http://example.org/   # 1 request every 5 seconds
+```
+
+To use method-based autocomplete for downloading DLL files without timeout issues:
+```
+shortscan --autocomplete method --fullurl http://example.org/
+```
+
+To enable relaxed matching for Jakarta/CFM files (reports tentative matches):
+```
+shortscan -R http://example.org/  # Enable relaxed match mode
+shortscan -R -v 1 http://example.org/  # With debug logging to see status details
+```
+
 ### Advanced features
 
 The following options allow further tweaks:

pkg/levenshtein/levenshtein.go

@@ -1,8 +1,8 @@
 package levenshtein
 
 import (
-        "unicode/utf8"
 	"github.com/bitquark/shortscan/pkg/maths"
+	"unicode/utf8"
 )
 
 // Distance returns the Levenshtein edit distance for two strings

pkg/shortscan/shortscan.go

@@ -85,6 +85,7 @@ type attackConfig struct {
 type resultOutput struct {
 	Type      string `json:"type"`
 	FullMatch bool   `json:"fullmatch"`
+	Tentative bool   `json:"tentative"`
 	BaseUrl   string `json:"baseurl"`
 	File      string `json:"shortfile"`
 	Ext       string `json:"shortext"`
@@ -156,6 +157,7 @@ type arguments struct {
 	Characters   string   `arg:"-C" help:"filename characters to enumerate" default:"JFKGOTMYVHSPCANDXLRWEBQUIZ8549176320-_()&'!#$%@^{}~"`
 	Autocomplete string   `arg:"-a" help:"autocomplete detection mode (auto = autoselect; method = HTTP method magic; status = HTTP status; distance = Levenshtein distance; none = disable)" placeholder:"mode" default:"auto"`
 	IsVuln       bool     `arg:"-V" help:"bail after determining whether the service is vulnerable" default:"false"`
+	RelaxMatch   bool     `arg:"-R" help:"relax final negative match check and report tentative matches (useful for Jakarta/CFM files)" default:"false"`
 }
 
 func (arguments) Version() string {
@@ -174,7 +176,6 @@ func pathEscape(url string) string {
 	return strings.Replace(nurl.QueryEscape(url), "+", "%20", -1)
 }
 
-<<<<<<< HEAD
 // Helper variable to the requestDelay function, keeps track of the time since the last request
 var lastRequestTime time.Time
 
@@ -188,24 +189,24 @@ func delayRequest() {
 
 	// Update last request time
 	lastRequestTime = time.Now()
-=======
-// replace bin::$INDEX_ALLOCATION to /(S(x))/b/(S(x))in/ to download .DLL
+}
+
+// replace bin::$INDEX_ALLOCATION to /(S(d))/b/(S(d))in/ to download .DLL
 func replaceBinALLOCATION(url string) string {
 	u, _ := nurl.Parse(url)
 	segments := strings.Split(strings.Trim(u.Path, "/"), "/")
 	lastSegment := segments[len(segments)-1]
 
-	if lastSegment == "bin::$INDEX_ALLOCATION" {
+	if strings.EqualFold(lastSegment, "bin::$INDEX_ALLOCATION") {
 		newPath := strings.Join(segments[:len(segments)-1], "/")
 		if newPath == "" {
-			newPath = "(S(x))/b/(S(x))in/"
+			newPath = "(S(d))/b/(S(d))in/"
 		} else {
-			newPath += "/(S(x))/b/(S(x))in/"
+			newPath += "/(S(d))/b/(S(d))in/"
 		}
 		url = u.Scheme + "://" + u.Host + "/" + newPath
 	}
 	return url
->>>>>>> pr-16
 }
 
 // fetch requests the given URL and returns an HTTP response object, handling retries gracefully
@@ -539,6 +540,7 @@ func enumerate(sem chan struct{}, wg *sync.WaitGroup, hc *http.Client, st *httpS
 							o := resultOutput{
 								Type:      "result",
 								FullMatch: fnr != "",
+								Tentative: false,
 								BaseUrl:   br.url,
 								File:      br.file,
 								Tilde:     br.tilde,
@@ -552,9 +554,52 @@ func enumerate(sem chan struct{}, wg *sync.WaitGroup, hc *http.Client, st *httpS
 
 					} else if err == nil && len(br.ext) > 0 {
 
-						// This gets hit if the full match response is the same as the negative match (may need future work)
-						log.WithFields(log.Fields{"status": res.StatusCode, "statusNeg": mk.statusNeg, "filename": br.file + br.tilde + br.ext + ac.suffix}).
-							Debug("Possible hit, but status is the same as a negative match")
+						// This gets hit if the full match response is the same as the negative match
+						if args.RelaxMatch {
+							// When RelaxMatch is enabled, treat this as a tentative match
+							log.WithFields(log.Fields{"status": res.StatusCode, "statusNeg": mk.statusNeg, "filename": br.file + br.tilde + br.ext + ac.suffix}).
+								Info("Tentative match (status matches negative)")
+
+							// Indicate which parts of the filename are uncertain
+							fn, fe := br.file, br.ext
+							if len(fn) >= 6 {
+								fn = fn + "?"
+							}
+							if len(fe) >= 4 {
+								fe = fe + "?"
+							}
+
+							// Output the tentative match
+							if args.Output == "human" {
+								var fp string
+								if len(br.file) < 6 {
+									fn = color.YellowString(fn)
+								}
+								if len(br.ext) < 4 {
+									fe = color.YellowString(fe)
+								}
+								fp = strings.Replace(fn+fe, "?", color.HiBlackString("?"), -1)
+								printHuman(fmt.Sprintf("%-20s %-28s %s", br.file+br.tilde+br.ext, fp, color.YellowString("[tentative]")))
+							} else {
+								// Output JSON result if requested
+								o := resultOutput{
+									Type:      "result",
+									FullMatch: false,
+									Tentative: true,
+									BaseUrl:   br.url,
+									File:      br.file,
+									Tilde:     br.tilde,
+									Ext:       br.ext,
+									Partname:  fn + fe,
+									Fullname:  "",
+								}
+								printJSON(o)
+							}
+						} else {
+							// Original behavior: just log as debug
+							log.WithFields(log.Fields{"status": res.StatusCode, "statusNeg": mk.statusNeg, "filename": br.file + br.tilde + br.ext + ac.suffix}).
+								Debug("Possible hit, but status is the same as a negative match")
+						}
 
 					}
 

pkg/shortutil/shortutil.go

@@ -8,19 +8,19 @@
 package shortutil
 
 import (
-	"io"
-	"os"
+	"bufio"
 	"fmt"
+	"github.com/alexflint/go-arg"
+	"github.com/bitquark/shortscan/pkg/maths"
+	"github.com/fatih/color"
+	"io"
 	"log"
 	"math"
+	"net/url"
+	"os"
 	"path"
-	"bufio"
 	"regexp"
 	"strings"
-	"net/url"
-	"github.com/fatih/color"
-	"github.com/alexflint/go-arg"
-	"github.com/bitquark/shortscan/pkg/maths"
 )
 
 type wordlistRecord struct {
@@ -82,14 +82,14 @@ func ChecksumOriginal(f string) string {
 
 	var ck uint16
 	ck = (uint16(f[0])<<8 + uint16(f[1])) & 0xffff
-	for i := 2; i < len(f); i+=2 {
-		if ck & 1 == 1 {
+	for i := 2; i < len(f); i += 2 {
+		if ck&1 == 1 {
 			ck = 0x8000 + ck>>1 + uint16(f[i])<<8
 		} else {
 			ck = ck>>1 + uint16(f[i])<<8
 		}
-		if (i+1 < len(f)) {
-		    ck += uint16(f[i+1]) & 0xffff
+		if i+1 < len(f) {
+			ck += uint16(f[i+1]) & 0xffff
 		}
 	}
 
@@ -110,7 +110,7 @@ func Gen8dot3(file string, ext string) (bool, string, string) {
 	er := shortReplacer.Replace(eu)
 
 	// Determine whether a short filename was required
-	r := len(file) > 8 || len (ext) > 3 || fu != fr || eu != er
+	r := len(file) > 8 || len(ext) > 3 || fu != fr || eu != er
 
 	// Trim and return the names
 	return r, fr[:maths.Min(len(fr), 6)], er[:maths.Min(len(er), 3)]
@@ -139,7 +139,7 @@ func ChecksumWords(fh io.Reader, paramRegex *regexp.Regexp) []wordlistRecord {
 		// Split the file and extension
 		var f, e string
 		if p := strings.LastIndex(w, "."); p > 0 && w[0] != '.' {
-			f, e = w[:p], w[p + 1:]
+			f, e = w[:p], w[p+1:]
 		} else {
 			f, e = w, ""
 		}
@@ -181,7 +181,7 @@ func Run() {
 	// Parse command-line arguments
 	p := arg.MustParse(&args)
 	if p.Subcommand() == nil {
-		fmt.Println(color.New(color.FgBlue, color.Bold).Sprint("Shortutil v" + version), "·", color.New(color.FgWhite, color.Bold).Sprint("a short filename utility by bitquark"))
+		fmt.Println(color.New(color.FgBlue, color.Bold).Sprint("Shortutil v"+version), "·", color.New(color.FgWhite, color.Bold).Sprint("a short filename utility by bitquark"))
 		p.WriteHelp(os.Stderr)
 		os.Exit(1)
 	}