File Disclosure Browser

I was reading the blog post "DirBuster -> Burp, the Missing Link" By Tim Tomes (LaNMaSteR53) on the PaulDotCom blog. The article discusses running DirBuster through Burp to populate Burp with any content found by DirBuster. Having recently found a number of .DS_Store files on a web app test I realised that if I could parse these files and pass them through Burp as well then it would be a good way to introduce Burp to potentially a whole new set of files.

I started looking for a way to parse the .DS_Store files and it turned out to be harder than I thought. After quick a bit of asking I finally found a Perl CPAN module that parses them. I'm not a Perl programmer so, working with their example files and doing a lot of cut and pasting from code samples on the net, I managed to put together fdb, the File Disclosure Browser.

I plan to extend this to work with other disclosure files, including dwsync.xml files created by Dreamweaver and possibly some of the code repository files, cvs, svn, git etc.

To run the app you need to install the CPAN module, I did this by becoming root, entering the CPAN shell then asking it to do the install:

# perl -MCPAN -e shell
cpan[1]> install Mac::Finder::DSStore

If you've not used CPAN before you'll probably have to go through a basic setup process, I just answered with the defaults to everything and it worked OK for me.

The app takes three mandatory options and a fourth optional, for future compatibility you have to say what file type you are giving it, the only one implemented so far is .DS_Store, ds. The second is the file to parse, then the base URL to work with. What I mean here is that if you find the store file in http://digi.ninja/mac_stuff then that is what you pass as the base url and it is what the app prepends to all URLs it generates.

e.g.

./fdb.pl --type ds --filename  ./grabbed_store_file  --base_url http://digi.ninja/mac_stuff

With these parameters you'll get a list of URLs which you can manually browse:

URL: http://digi.ninja/mac_stuff/who_really_killed_jfk.doc
URL: http://digi.ninja/mac_stuff/secret_pic.jpg
URL: http://digi.ninja/mac_stuff/hidden.txt

If you want to get fdb to request all the URLs through a proxy you need to add the --proxy parameter:

./fdb.pl --type ds --filename  ./grabbed_store_file  --base_url http://digi.ninja/mac_stuff --proxy http://localhost:8080

This won't give any output by default, if you want to see what it is doing you need to add the --verbose parameter.

Before you download it I want to warn you that there is no real error checking and probably at least a handful of bugs, if you find any please let me know and I'll see what I can do.

Download fdb

Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work you can do so by using the affiliate links below where I either get account credits or cash back. Usually only pennies, but they all add up.