dirsearch

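A powerful web directory and file scanning tool

dirsearch is a feature-rich web path discovery tool that quickly scans websites for directories and files. It supports multithreading, recursive scanning, custom wordlists and other features, and can efficiently uncover hidden resources. The tool is written in Python, has good cross-platform compatibility, and is widely used in web application security assessments. dirsearch works by brute-force enumeration, which helps identify potential security risks. Security researchers and penetration testers can use it to quickly find sensitive paths and make assessments more efficient. Its flexible filtering and extensibility make it an important tool in the network security field.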

dirsearch - Web path discovery

An advanced web path brute-forcer

dirsearch is being actively developed by @maurosoria and @shelld3v

Reach out on our Discord server to communicate with the team

Installation & Usage

Requirement: Python 3.7 or higher

Choose one of these installation options:

  • Install with git: git clone https://github.com/maurosoria/dirsearch.git --depth 1 (RECOMMENDED)
  • Install with ZIP file: Download here
  • Install with Docker: docker build -t "dirsearch:v0.4.3" . (more information can be found here)
  • Install with PyPi: pip3 install dirsearch or pip install dirsearch
  • Install with Kali Linux: sudo apt-get install dirsearch (deprecated)

Wordlists (IMPORTANT)

Summary:

  • A wordlist is a text file in which each line is a path.
  • Regarding extensions: unlike other tools, dirsearch only replaces the %EXT% keyword with the extensions from the -e flag.
  • For wordlists without %EXT% (like SecLists), the -f | --force-extensions switch is required to append extensions to every word in the wordlist, as well as the /.
  • To apply your extensions to wordlist entries that already have extensions, use -O | --overwrite-extensions (Note: some extensions are excluded from being overwritten, such as .log, .json, .xml, ... or media extensions like .jpg, .png)
  • To use multiple wordlists, separate them with commas. Example: wordlist1.txt,wordlist2.txt.

Examples:

  • Normal extensions:
index.%EXT%

Passing asp and aspx as extensions will generate the following dictionary:

index
index.asp
index.aspx
  • Force extensions:
admin

Passing php and html as extensions with -f/--force-extensions flag will generate the following dictionary:

admin
admin.php
admin.html
admin/
  • Overwrite extensions:
login.html

Passing jsp and jspa as extensions with -O/--overwrite-extensions flag will generate the following dictionary:

login.html
login.jsp
login.jspa

Options

Usage: dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Mandatory:
    -u URL, --url=URL   Target URL(s), can use multiple flags
    -l PATH, --url-file=PATH
                        URL list file
    --stdin             Read URL(s) from STDIN
    --cidr=CIDR         Target CIDR
    --raw=PATH          Load raw HTTP request from file (use '--scheme' flag
                        to set the scheme)
    -s SESSION_FILE, --session=SESSION_FILE
                        Session file
    --config=PATH       Path to configuration file (Default:
                        'DIRSEARCH_CONFIG' environment variable, otherwise
                        'config.ini')

  Dictionary Settings:
    -w WORDLISTS, --wordlists=WORDLISTS
                        Customize wordlists (separated by commas)
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extension list separated by commas (e.g. php,asp)
    -f, --force-extensions
                        Add extensions to the end of every wordlist entry. By
                        default dirsearch only replaces the %EXT% keyword with
                        extensions
    -O, --overwrite-extensions
                        Overwrite other extensions in the wordlist with your
                        extensions (selected via `-e`)
    --exclude-extensions=EXTENSIONS
                        Exclude extension list separated by commas (e.g.
                        asp,jsp)
    --remove-extensions
                        Remove extensions in all paths (e.g. admin.php ->
                        admin)
    --prefixes=PREFIXES
                        Add custom prefixes to all wordlist entries (separated
                        by commas)
    --suffixes=SUFFIXES
                        Add custom suffixes to all wordlist entries, ignore
                        directories (separated by commas)
    -U, --uppercase     Uppercase wordlist
    -L, --lowercase     Lowercase wordlist
    -C, --capital       Capital wordlist

  General Settings:
    -t THREADS, --threads=THREADS
                        Number of threads
    -r, --recursive     Brute-force recursively
    --deep-recursive    Perform recursive scan on every directory depth (e.g.
                        api/users -> api/)
    --force-recursive   Do recursive brute-force for every found path, not
                        only directories
    -R DEPTH, --max-recursion-depth=DEPTH
                        Maximum recursion depth
    --recursion-status=CODES
                        Valid status codes to perform recursive scan, support
                        ranges (separated by commas)
    --subdirs=SUBDIRS   Scan sub-directories of the given URL[s] (separated by
                        commas)
    --exclude-subdirs=SUBDIRS
                        Exclude the following subdirectories during recursive
                        scan (separated by commas)
    -i CODES, --include-status=CODES
                        Include status codes, separated by commas, support
                        ranges (e.g. 200,300-399)
    -x CODES, --exclude-status=CODES
                        Exclude status codes, separated by commas, support
                        ranges (e.g. 301,500-599)
    --exclude-sizes=SIZES
                        Exclude responses by sizes, separated by commas (e.g.
                        0B,4KB)
    --exclude-text=TEXTS
                        Exclude responses by text, can use multiple flags
    --exclude-regex=REGEX
                        Exclude responses by regular expression
    --exclude-redirect=STRING
                        Exclude responses if this regex (or text) matches
                        redirect URL (e.g. '/index.html')
    --exclude-response=PATH
                        Exclude responses similar to response of this page,
                        path as input (e.g. 404.html)
    --skip-on-status=CODES
                        Skip target whenever hit one of these status codes,
                        separated by commas, support ranges
    --min-response-size=LENGTH
                        Minimum response length
    --max-response-size=LENGTH
                        Maximum response length
    --max-time=SECONDS  Maximum runtime for the scan
    --exit-on-error     Exit whenever an error occurs

  Request Settings:
    -m METHOD, --http-method=METHOD
                        HTTP method (default: GET)
    -d DATA, --data=DATA
                        HTTP request data
    --data-file=PATH    File contains HTTP request data
    -H HEADERS, --header=HEADERS
                        HTTP request header, can use multiple flags
    --header-file=PATH  File contains HTTP request headers
    -F, --follow-redirects
                        Follow HTTP redirects
    --random-agent      Choose a random User-Agent for each request
    --auth=CREDENTIAL   Authentication credential (e.g. user:password or
                        bearer token)
    --auth-type=TYPE    Authentication type (basic, digest, bearer, ntlm, jwt,
                        oauth2)
    --cert-file=PATH    File contains client-side certificate
    --key-file=PATH     File contains client-side certificate private key
                        (unencrypted)
    --user-agent=USER_AGENT
    --cookie=COOKIE

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    --delay=DELAY       Delay between requests
    --proxy=PROXY       Proxy URL (HTTP/SOCKS), can use multiple flags
    --proxy-file=PATH   File contains proxy servers
    --proxy-auth=CREDENTIAL
                        Proxy authentication credential
    --replay-proxy=PROXY
                        Proxy to replay with found paths
    --tor               Use Tor network as proxy
    --scheme=SCHEME     Scheme for raw request or if there is no scheme in the
                        URL (Default: auto-detect)
    --max-rate=RATE     Max requests per second
    --retries=RETRIES   Number of retries for failed requests
    --ip=IP             Server IP address
    --interface=NETWORK_INTERFACE
                        Network interface to use

  Advanced Settings:
    --crawl             Crawl for new paths in responses

  View Settings:
    --full-url          Full URLs in the output (enabled automatically in
                        quiet mode)
    --redirects-history
                        Show redirects history
    --no-color          No colored output
    -q, --quiet-mode    Quiet mode

  Output Settings:
    -o PATH, --output=PATH
                        Output file
    --format=FORMAT     Report format (Available: simple, plain, json, xml,
                        md, csv, html, sqlite)
    --log=PATH          Log file

Configuration

By default, config.ini inside your dirsearch directory is used as the configuration file, but you can select another file via the --config flag or the DIRSEARCH_CONFIG environment variable.

# If you want to edit dirsearch default configurations, you can
# edit values in this file. Everything after `#` is a comment
# and won't be applied

[general]
threads = 25
recursive = False
deep-recursive = False
force-recursive = False
recursion-status = 200-399,401,403
max-recursion-depth = 0
exclude-subdirs = %%ff/,.;/,..;/,;/,./,../,%%2e/,%%2e%%2e/
random-user-agents = False
max-time = 0
exit-on-error = False
# subdirs = /,api/
# include-status = 200-299,401
# exclude-status = 400,500-999
# exclude-sizes = 0b,123gb
# exclude-text = "Not found"
# exclude-regex = "^403$"
# exclude-redirect = "*/error.html"
# exclude-response = 404.html
# skip-on-status = 429,999

[dictionary]
default-extensions = php,aspx,jsp,html,js
force-extensions = False
overwrite-extensions = False
lowercase = False
uppercase = False
capitalization = False
# exclude-extensions = old,log
# prefixes = .,admin
# suffixes = ~,.bak
# wordlists = /path/to/wordlist1.txt,/path/to/wordlist2.txt

[request]
http-method = get
follow-redirects = False
# headers-file = /path/to/headers.txt
# user-agent = MyUserAgent
# cookie = SESSIONID=123

[connection]
timeout = 7.5
delay = 0
max-rate = 0
max-retries = 1
## By disabling `scheme` variable, dirsearch will automatically identify the URI scheme
# scheme = http
# proxy = localhost:8080
# proxy-file = /path/to/proxies.txt
# replay-proxy = localhost:8000

[advanced]
crawl = False

[view]
full-url = False
quiet-mode = False
color = True
show-redirects-history = False

[output]
## Support: plain, simple, json, xml, md, csv, html, sqlite
report-format = plain
autosave-report = True
autosave-report-folder = reports/
# log-file = /path/to/dirsearch.log
# log-file-size = 50000000

How to use

Some examples of how to use dirsearch. These are the most common arguments; if you need all of them, just use the -h argument.

Simple usage

python3 dirsearch.py -u https://target
python3 dirsearch.py -e php,html,js -u https://target
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist

Pausing progress

dirsearch allows you to pause the scanning progress with CTRL+C. From there, you can save the progress (and continue later), skip the current target, or skip the current sub-directory.

Recursion

  • Recursive brute-forcing means continuing to brute-force inside the directories that were found. For example, if dirsearch finds admin/, it will brute-force admin/* (* is where it brute-forces). To enable this feature, use the -r (or --recursive) flag
python3 dirsearch.py -e php,html,js -u https://target -r
  • You can set the max recursion depth with --max-recursion-depth, and status codes to recurse with --recursion-status
python3 dirsearch.py -e php,html,js -u https://target -r --max-recursion-depth 3 --recursion-status 200-399
  • There are 2 more options: --force-recursive and --deep-recursive

    • Force recursive: Brute-force recursively all found paths, not just paths ending with /
    • Deep recursive: Recursively brute-force all depths of a path (a/b/c => add a/, a/b/)
  • If there are sub-directories that you do not want to brute-force recursively, use --exclude-subdirs

python3 dirsearch.py -e php,html,js -u https://target -r --exclude-subdirs image/,media/,css/
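
The recursion options above, modelled as an added example (not dirsearch's own code) that shows which directories a scan would queue for a given found path and status. The function names are hypothetical, and it assumes paths relative to the target, depth counted in directory levels, a depth of 0 meaning no limit, and prefix matching for excluded sub-directories.

```python
# Added illustration: a model of the recursion options described above.
# Function names and matching details are assumptions, not dirsearch internals.

def parse_status_codes(spec):
    """Expand a spec such as '200-399,401' into a set of status codes."""
    codes = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        codes.update(range(int(low), int(high or low) + 1))
    return codes


def dirs_to_queue(path, status, *, recursion_status="200-399,401,403",
                  max_depth=0, exclude_subdirs=(), force=False, deep=False):
    """Directories a recursive scan would visit next after `path`
    (relative to the target URL) answered with `status`."""
    if status not in parse_status_codes(recursion_status):
        return []
    candidates = set()
    if path.endswith("/"):
        candidates.add(path)                 # -r: a directory was found
    elif force:
        candidates.add(path + "/")           # --force-recursive: any found path
    if deep:                                 # --deep-recursive: a/b/c -> a/, a/b/
        parts = path.rstrip("/").split("/")
        candidates.update("/".join(parts[:i]) + "/" for i in range(1, len(parts)))
    queued = []
    for directory in sorted(candidates, key=lambda d: d.count("/")):
        depth = directory.count("/")         # assumption: depth = directory levels
        if max_depth and depth > max_depth:  # assumption: 0 means no limit
            continue
        if any(directory.startswith(ex) for ex in exclude_subdirs):
            continue                         # --exclude-subdirs (prefix match assumed)
        queued.append(directory)
    return queued


if __name__ == "__main__":
    # Constructed sample results: (path, status)
    for found in [("admin/", 200), ("api/users", 200), ("image/", 301), ("old/", 404)]:
        print(found, dirs_to_queue(*found, deep=True, max_depth=3,
                                   exclude_subdirs=("image/", "media/", "css/")))
```

Running it over expected findings before a scan gives a quick estimate of how far recursion will spread, which helps when agreeing scope and request volume with the system owner.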

Threads

The thread number (-t | --threads) is the number of separate brute-force processes, so the higher the thread number, the faster dirsearch runs. By default, the number of threads is 25, but you can increase it if you want to speed up the scan.

Even so, the speed still depends a lot on the response time of the server. As a warning, we advise you not to set the thread number too high, because it can cause a DoS (Denial of Service).

python3 dirsearch.py -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20

Prefixes / Suffixes

  • --prefixes: Add custom prefixes to all entries
python3 dirsearch.py -e php -u https://target --prefixes .,admin,_

Wordlist:

tools

Generated with prefixes:

tools
.tools
admintools
_tools
  • --suffixes: Add custom suffixes to all entries
python3 dirsearch.py -e php -u https://target --suffixes ~

Wordlist:

index.php
internal

Generated with suffixes:

index.php
internal
index.php~
internal~

Blacklist

Inside the db/ folder, there are several "blacklist files". Paths in those files will be filtered from the scan result if they have the same status as mentioned in the filename.

Example: If you add admin.php to db/403_blacklist.txt, whenever a scan finds that admin.php returns 403, it will be filtered from the result.


Filters

Use **-i |
