-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--discover-backup not working as advertised, looks for files even if they weren't found #298
Comments
the total requests are calculated before gobuster is run, so this shows the maximum requests that would be issued. That's a hard problem because updating the total requests during the run also comes with problems as you can't estimate anything because the number is not fixed and subject to change anytime. This problem is somehow solved with the next version as the disover-backup option checks for those files everytime and not only on a found entry |
I'm not sure I follow. Just to confirm:
Is all of this correct? |
The current version checks for backup versions of all files, not only if the original was found. That's why the calculation is now correct because the overall requests are known before running the enumeration |
Oh. So you decided to skip the "only check if the original was found" part and always look for backups of all files? Well that sucks. I guess I won't be using it then. Maybe you could add a separate option to check for backup files only if the original was found? Otherwise the scans start to take too long (7x increase in scan time) and it becomes impractical. |
I am not exactly sure what was changed, but if you pull from the version where I introduced the feature (https://github.com/IppSec/gobuster), it behaves as you expect (only downloading backups after the original file was found). |
It appears it broke back in June 20, 2020. The commit which appears to changed the logic and broke how I pulled successful pages is: aa3f514 Unfortunately, out of time to look into this issue. |
Yes we've changed the behaviour so the request calculation is correct and there are also cases where only the backup file exists without the original |
If you just want to discover if the backup exists without the original, can't you just use the pattern flag? The purpose of DiscoverBackup was to only trigger on successful find otherwise your wordlist gets enormous. #200 |
Yeah you've basically taken the best thing about the Please revert it so that it only checks for backup versions of files it has already found. |
IK will have a look at this at the |
allow for a totalrequests change from within a plugin
Thanks for having a look at it, I just wanted to create the same issue. I even went back a version to be able to use the feature again. Now I'm missing --exclude-length^^ Really looking forward to seeing it working again. |
* update to go 1.17 * more go 1.17 updates * update sponsors * update makefile * gitignore * remove todo * Fixed errors mixing with progress in stderr by removing progress string with \r * Added --retry option for dir, fuzz, s3 and vhost modes * first dev version * wording * fix retries * update help text * first work for #298 allow for a totalrequests change from within a plugin * use defer * ignore invalid control character urls * add goreleaser * gitignore * output color, better status printing * more color output * fix nil panics * Added support for Google Cloud Storage (GCS) bucket scanning. The scanning finds all public buckets listable by anonymous users * fix gcs module * update readme * go 1.18 * go mod tidy * makefile * readme * readme * better error message * use generics for set * use the new netip type * update version * colors * cspell * improve readability of GobusterVhost (#334) * improve readability of GobusterVhost * fix for the merge side effect * lint * update * update * more work * remove unused method * retries * colored output * Closes issue #349 (#356) * fix version * Closes issue #349 Co-authored-by: firefart <[email protected]> * Closes issue #315 (#359) * Closes issue #315 * Syntax fix * support mtls * readme * check for fuzz keyword * allow for http header fuzzing * better description * new option to not canonicalize header names * basic auth fuzzing * fix typo in vhost command (#361) * update * check error * error handling * dev * enable tls1.0 and 1.1 support * Bump golang.org/x/term from 0.1.0 to 0.2.0 (#369) Bumps [golang.org/x/term](https://github.com/golang/term) from 0.1.0 to 0.2.0. - [Release notes](https://github.com/golang/term/releases) - [Commits](golang/term@v0.1.0...v0.2.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/crypto from 0.1.0 to 0.2.0 (#368) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.1.0 to 0.2.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](golang/crypto@v0.1.0...v0.2.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Adds LF after the work end (#373) * typo * Reformat: Add `\n` after the end Co-authored-by: firefart <[email protected]> * Bump golang.org/x/crypto from 0.2.0 to 0.3.0 (#374) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](golang/crypto@v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#376) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](golang/crypto@v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/checkout from 3.1.0 to 3.2.0 (#377) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3.1.0...v3.2.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add tftp mode * better output on tftp mode * Bump goreleaser/goreleaser-action from 3 to 4 (#378) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 3 to 4. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@v3...v4) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * readme Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: alexmozzhakov <[email protected]> Co-authored-by: Nicolas Lykke Iversen <[email protected]> Co-authored-by: Neal Caffery <[email protected]> Co-authored-by: n30nx <[email protected]> Co-authored-by: IPv4v6 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: _Magenta_ <[email protected]>
I noticed that without the
--discover-backup
flag, I had 800k requests lined up in the progress bar, but with the--discover-backup
option, I had ~6 million. Reading the help text, it says that backup files are only enumerated if a file is found. Given that, wouldn't it make sense to display only the 800k requests in the progress bar, and update the amount of requests when files get found?I'm using Kali's version of gobuster.
I initially thought the progress bar would maybe jump to 100% when all 800k requests have been completed without a single found file.
However, after playing around with it, it seems the help text is wrong.
--discover-backup
will search for files even if they haven't been found.Proof: (look at the time stamps and how long it took to run the scans - 3 seconds vs 20 seconds)
The help entry says:
Given that not a single file was found, I would have expected the directory enumeration to take the same amount of time on both occasions.
The text was updated successfully, but these errors were encountered: