GitHunt
BE

begininvoke/SensitiveFileFuzzer

A tool for fuzzing files on the website

fuzzinggitfilepenetration-testing-toolspentestingsensitiveshellfinderurlfindervulnerability-scannerswebfuzzerwebscanner

Sensitive File Finder for Websites

A security tool for discovering sensitive files on websites. Scans for multiple categories of sensitive files with customizable output formats.

Features

  • ๐Ÿ” Multiple scan categories:
    • Shell/backdoor files
    • Environment files
    • Git repository files
    • Other sensitive files
  • ๐Ÿ“Š Flexible output formats (JSON, CSV)
  • ๐Ÿ“ Output file support
  • ๐ŸŽฏ Category-based result tracking

Installation

git clone https://github.com/begininvoke/SensitiveFileFuzzer.git
cd SensitiveFileFuzzer
go build

Usage

Basic scan:

./SensitiveFileFuzzer -url https://example.com --shell

Comprehensive scan with JSON output:

./SensitiveFileFuzzer -url https://example.com --all -f json -o ./results

Options

Usage of ./SensitiveFileFuzzer:
  -url string
        Target URL (e.g., https://example.com)
  -all
        Try all file lists
  -env
        Try environment file lists
  -git
        Try git-related file lists
  -sens
        Try sensitive file lists
  -shell
        Try shell/backdoor file lists
  -f string
        Output format: json or csv
  -o string
        Output directory path
  -v    
        Show only successful results
  -config string
        Custom config JSON file path

Output Formats

JSON Output

{
  "total_count": 4,
  "categories": {
    "Git": [
      "https://example.com/.git/config",
      "https://example.com/.gitignore"
    ],
    "Environment": [
      "https://example.com/.env",
      "https://example.com/.env.local"
    ]
  },
  "summary": {
    "Git": 2,
    "Environment": 2
  }
}

CSV Output

Category,URL
Git,https://example.com/.git/config
Git,https://example.com/.gitignore
Environment,https://example.com/.env
Environment,https://example.com/.env.local

Console Output

๐ŸŽฏ Found 4 sensitive files:

๐Ÿ“ Git (2 files):
  โ””โ”€ https://example.com/.git/config
  โ””โ”€ https://example.com/.gitignore

๐Ÿ“ Environment (2 files):
  โ””โ”€ https://example.com/.env
  โ””โ”€ https://example.com/.env.local

Configuration

Customize detection rules using a JSON configuration file:

{
  "path": "/test.txt",
  "content": "#application/json#text/html",
  "length": "*"
}

Content-Type Rules

  • "*": Accept any Content-Type
  • "#application/json#text/html": Exclude specific Content-Types
  • "application/json": Match exact Content-Type

Content-Length Rules

  • "length": "10": Match responses with Content-Length >= 10
  • "length": "*": Accept any Content-Length

Contributing

Pull requests are welcome. For major changes, please open an issue first.

License

MIT

Languages

Go97.9%Shell2.1%

Contributors

BE

Latest Release

1December 8, 2025
Created May 20, 2022
Updated February 21, 2026
begininvoke/SensitiveFileFuzzer | GitHunt