bitquark / shortscan

An IIS short filename enumeration tool

License: MIT License

Go 100.00%
bugbounty security security-audit security-scanner security-tools iis iis-server pentesting pentesting-tools vulnerability-detection

shortscan's People

Contributors

bitquark, random-robbie

shortscan's Issues

Wordlist Contents?

First of all I wanted to say thank you for the great tool! I was looking into using a wordlist with your shortutil tool, but I'm unsure of what the wordlist should contain. Would it be possible to include a few samples?

I'm unsure if it can contain directories like /iishelp/iis/misc/default.asp

Or the end directory like /misc/

Or if the word list can contain actual pages like admin.aspx

results in a DoS of target

$> shortscan target.url

Access to the target via web browser and via ping indicates the server is up and running prior to the scan.

Shortscan v0.5 · an IIS short filename enumeration tool by bitquark
Target: xxxxxxxxxxxxxxxxxxxx
Running: Microsoft-IIS/7.5 (ASP.NET v4.0.30319)
Vulnerable: Yes!


Finished! Requests: 722; Retries: 0; Sent 139614 bytes; Received 274905 bytes

No shortnames are found, and after running the scan the website is now not reachable from my machine via ping or web browser.

isitdownrightnow.com also reports site as down

Header examples

Could you please add more examples to the README about adding multiple headers or how to send a request to an IP with a different HOST header?

NTLM Authentication

Is there any way to use NTLM authentication with this?

I can do this via a web proxy but the tool does not provide a way to use a web proxy either.

Results output - Feature request

Hi,
I am working on a site and using shortscan. I get a list of 40-50 possible files and folders with different extensions. Could you add a flag to output the results in an organised manner so that they can be used in Burp Intruder or FFUF?
Example output:

ACTIVi~2.ASP         ACTIVI?.ASP? 
DATAPR~2.ASP         DATAPR?.ASP? 
RISKRE~2.ASP         RISKRE?.ASP? 
RISKGR~2.ASM         RISKGR?.ASM? 
RISKIN~2.ASP         RISKIN?.ASP? 
ZENDES~1.ASH         ZENDES?.ASH?

I would like an output similar to this (sorted and unique), if possible (printed to terminal or stored in txt files):

ASP? files (might require some fuzzing as these are not complete names):
ACTIVI
DATAPR
RISKRE
RISKIN

ASH? files  (might require some fuzzing as these are not complete names):
ZENDES

Folders  (might require some fuzzing as these are not complete names):
TMP
usersd

Known files:
test.aspx
test123.aspx

Known folders:
javascript
js

This way, it is much easier to go to the next step and ffuz.

Thanks <3

Shortscan location

Hey :)
Just adding this here for next time I have the same issue!
Once I installed shortscan, I couldn't run it just by typing shortscan but I had to type:
$HOME/go/bin/shortscan

bypass 403 IIS

Is there any way to bypass 403? I have used many tools but it did not work. Any tip?

[Feature Request] Recursive

Shortscan finds folders, make it recursive so that for each found folder, you run shortscan against them.

wordlist addition

Hey dude,

Can you add WMSCalendar and manifest.json and productimg and NEW FOLDER to the wordlist as this has come up a few times for me so far.

Cheers

Idea

Hey dude,

Got an idea: can we get an option to add a prefix to the wordlist?

That way we can do something like ASP as the prefix and then bruteforce the rest of the folder.

[Feature Request] Run shortscan on multiple folders

When I use shortscan on the webroot, I sometimes get few results and the tool cannot find certain folders, unless you know the name.
For example, even though I have the folder "handlers" in my wordlist, shortscan does not find it.
If I point shortscan to site/handlers though, shortscan sees the directory as vulnerable and finds files/folders.

I was wondering if it would be possible to add another flag so that shortscan goes through a wordlist of folders so that instead of me scripting it via bash, shortscan will try its magic with:
site/admin
site/js
site/docs
site/upload
site/...

You could have a short check to find vulnerable folders first and then do a complete check only on those folders that are vulnerable to reduce the amount of requests.
