{"id":13722281,"url":"https://github.com/Adversis/PandorasBox","last_synced_at":"2025-05-07T14:31:24.229Z","repository":{"id":190258556,"uuid":"174639476","full_name":"Adversis/PandorasBox","owner":"Adversis","description":"Security tool to quickly audit Public Box files and folders.","archived":false,"fork":false,"pushed_at":"2019-09-29T21:20:37.000Z","size":46,"stargazers_count":55,"open_issues_count":4,"forks_count":24,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-02-15T10:35:19.218Z","etag":null,"topics":["bugbounty","cloud-security","penetration-testing","security-tools"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Adversis.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-03-09T02:37:23.000Z","updated_at":"2023-12-06T08:25:52.000Z","dependencies_parsed_at":"2023-08-23T21:39:48.077Z","dependency_job_id":null,"html_url":"https://github.com/Adversis/PandorasBox","commit_stats":null,"previous_names":["adversis/pandorasbox"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Adversis%2FPandorasBox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Adversis%2FPandorasBox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Adversis%2FPandorasBox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Adversis%2FPandorasBox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Adversis","download_url":"https://codeload.github.com/Adversis/PandorasBox/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252895639,"owners_count":21821196,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","cloud-security","penetration-testing","security-tools"],"created_at":"2024-08-03T01:01:26.825Z","updated_at":"2025-05-07T14:31:23.844Z","avatar_url":"https://github.com/Adversis.png","language":"Python","readme":"# PandorasBox\n\n#### Pandoras Box is a tool to find Enterprise Box accounts and enumerate for shared files and folders\n\n#### Writeup can be found here: [adversis.io](https://adversis.io/research/pandorasbox)\n\n#### [@adversis_io](https://twitter.com/adversis_io)\n \n## Pre-Requisites\nNon-Standard Python Libraries:\n\n* requests\n* argparse\n* xmltodict\n\nCreated with Python 3.6\n\n### Install with virtualenv\n```virtualenv-3.6 venv\nsource venv/bin/activate\npip install -r requirements.txt\n```\n\n## General\n\nThis tool can be used to enumerate for companies that currently have a Box enterprise account, and then to brute force files and folders inside those account that are shared publicly. \n\n  `-l` : Feed a line delimited target list to check for a Box account and begin enumeration.\n  \n  `-w` : Feed a word list to brute force documents in the identified target Box account.\n\n  `-t` switch, you can set the number of threads you want to use. Be careful here, Box does enforce rate limiting and your IP may get blocked. \n\n  `-v` : Verbose logging\n  \n  `-s` : By supplying a Slack WebHook URL, you can send results to Slack.\n\n  `-c` : You can give the tool a known shared Box file. This allows the tool to verify access to Box, if access to the known Box is denied, then Box is rate limiting your requests and you will need to change you IP. The defaul Box belongs to Dell and was found by a Google Dork. If this Box file gets taken down, a new Box file will have to be supplied. A work around would be to simply put google.com here. \n\nThe example worlist is an exact copy of: https://github.com/first20hours/google-10000-english/blob/master/google-10000-english.txt\n\n## Usage:\n\n    usage: pandoras_box.py [-h] -l TARGETLIST [-w WORDLIST] [-v] [-t THREADS]\n                           [-s WEBHOOK_URL] [-c LOCKOUT_CHECK]\n\n    optional arguments:\n      -h, --help        show this help message and exit\n      -l TARGETLIST     Provide a list of targets to check Box accounts for.\n      -w WORDLIST       Provide a wordlist for the file/folder bruteforce.\n      -v                Output all webrequests to logfile. Caution size!\n      -t THREADS        Number of threads.\n      -s WEBHOOK_URL    Slack Web Hook URL\n      -c LOCKOUT_CHECK  URL of known shared Box account to verify you are not\n                        being blocked.\n                    \n  \n  \n  \n","funding_links":[],"categories":["General Post Exploitation"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAdversis%2FPandorasBox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAdversis%2FPandorasBox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAdversis%2FPandorasBox/lists"}