Google Dorks
#!/usr/bin/env python
from __future__ import print_function
try:
from urllib.request import urlopen
from urllib.parse import urlencode,urlparse
from urllib.error import HTTPError
except ImportError:
from urllib import urlencode
from urllib2 import urlopen, HTTPError
from urlparse import urlparse
import json
import sys
import time
import argparse
# Defaults for the command-line options built in main(); every one of them
# can be overridden with a flag.
# `key` and `engine` are deliberately blank: main() refuses to run until both
# are supplied on the command line, so the API credential never has to be
# committed into this script.
domain = ''
engine = ''
key = ''
max_queries = 10
sleep = 0
# Extensions typically served by server-side code. Used as the value of
# -f/--filetypes when the flag is present without an argument (its `const=`).
dynamic_filetypes = "asp,aspx,cfm,cgi,jsp,php,phtm,phtml,shtm,shtml"
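def main():
    """Run the dork-cli command-line tool.

    Parses the command line, then issues Google Custom Search JSON API
    requests until ``--max-queries`` is reached or the result set is
    exhausted, printing each unique result URL to stdout. API errors are
    reported on stderr. Exits with status 1 on a usage error or an
    unrecoverable API error, and with status 0 when the API reports no
    (further) results.
    """
    parser = argparse.ArgumentParser(description='Find dynamic pages via Google dorks.')
    parser.add_argument('-d', '--domain', default=domain,
                        help='Specific domain to search (instead of all domains defined in CSE)')
    parser.add_argument('-e', '--engine', default=engine,
                        help='Google custom search engine id (cx value)')
    parser.add_argument('-f', '--filetypes', nargs='?', default=[],
                        const=dynamic_filetypes,
                        help='File extensions to return (if present but no extensions specified, builtin dynamic list is used)')
    parser.add_argument('-k', '--key', default=key,
                        help='Google API key')
    parser.add_argument('-m', '--max-queries', type=int, default=max_queries,
                        help='Maximum number of queries to issue')
    parser.add_argument('-s', '--sleep', type=int, default=sleep,
                        help='Seconds to sleep before retry if daily API limit is reached (0=disable)')
    parser.add_argument('terms', metavar='T', nargs='*',
                        help='additional search term')
    args = parser.parse_args()
    if not args.key or not args.engine:
        print("ERROR: [key] and [engine] must be set", file=sys.stderr)
        parser.print_help()
        sys.exit(1)

    # Request parameters for the Custom Search JSON API. The API key travels
    # as a query-string parameter, so it is visible to any proxy or URL
    # logging between this host and googleapis.com.
    data = {}
    data['key'] = args.key
    data['cx'] = args.engine
    data['siteSearch'] = args.domain
    data['q'] = ' '.join(args.terms)
    if args.filetypes:
        filetypes = args.filetypes.split(',')
        data['q'] += ' filetype:' + ' OR filetype:'.join(filetypes)
    data['num'] = 10  # results per request
    data['start'] = 1

    pages = set()               # URL paths already printed (dedup across pages)
    found = 0                   # results printed so far
    query_max_reached = False   # set once the API returned 500 for the grown query
    query_count = 0
    data_saved = data['q']      # last query string the API accepted

    while query_count < args.max_queries:
        url = 'https://www.googleapis.com/customsearch/v1?' + urlencode(data)
        try:
            resp = urlopen(url)
            query_count += 1
            try:
                response_str = resp.read().decode('utf-8')
            finally:
                # urllib2 response objects are not context managers; close
                # explicitly so each iteration releases its socket.
                resp.close()
            response = json.loads(response_str)
        except HTTPError as e:
            response_str = e.read().decode('utf-8')
            response = json.loads(response_str)
            err_info = response['error']
            if "Invalid Value" in err_info['message']:
                sys.exit(0)
            elif err_info['code'] == 500:
                # Treated as "query too long" (each duplicate result appends a
                # -inurl: term): revert to the last accepted query and stop
                # extending it.
                data['q'] = data_saved
                query_max_reached = True
                continue
            print("error: " + str(err_info['code']) + " - " + str(err_info['message']), file=sys.stderr)
            for err in err_info['errors']:
                print(err['domain'] + "::" + err['reason'] + "::" + err['message'], file=sys.stderr)
            if "User Rate Limit Exceeded" in err_info['message']:
                # Per-second quota: fixed 5 s back-off, then retry the same
                # query. (Must `continue`: the error body has no 'queries'
                # key, so falling through would raise KeyError below.)
                print("sleeping 5 seconds", file=sys.stderr)
                time.sleep(5)
                continue
            elif args.sleep and "Daily Limit Exceeded" in err_info['message']:
                print("sleeping " + str(args.sleep) + " seconds", file=sys.stderr)
                time.sleep(args.sleep)
                continue
            else:
                sys.exit(1)

        # Success: remember this query as the last one the API accepted.
        data_saved = data['q']
        for request in response['queries']['request']:
            if int(request['totalResults']) == 0:
                sys.exit(0)
        items = response.get('items')
        if not items:
            # No 'items' in a successful response means this page is past the
            # end of the result set; there is nothing more to fetch.
            break
        for item in items:
            item_url = urlparse(item['link'])
            if item_url.path in pages:
                # Already printed: exclude the path from later queries so the
                # next page surfaces new results (until the query is too long).
                if not query_max_reached:
                    data['q'] += " -inurl:" + item_url.path
            else:
                pages.add(item_url.path)
                found += 1
                print(item['link'])
        if found >= data['num'] or query_max_reached:
            data['start'] += data['num']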
if __name__ == "__main__":
    # Only run when executed as a script, not when imported.
    main()

dork-cli

Command-line Google dork tool.

dork-cli performs searches against a Google custom search engine and returns a list of all the unique page results it finds, optionally filtered by a set of dynamic page extensions. Any number of additional query terms / dorks can be specified. dork-cli was designed to be piped into an external tool such as a vulnerability scanner for automated testing purposes.

Setup

In order to use this program you need to configure at a minimum two settings: a Google API key and a custom search engine id.

Custom Search Engine:

  • Create a custom search engine via https://www.google.com/cse/
  • Add your desired domain(s) under "Sites to search"
  • Click the "Search engine ID" button to reveal the id, or grab it from the "cx" URL parameter

API key:

  • Open the Google API console at https://code.google.com/apis/console
  • Enable the Custom Search API via APIs & auth > APIs
  • Create a new API key via APIs & auth > Credentials > Create new Key
  • Select "Browser key", leave HTTP Referer blank and click Create

Usage

$ ./dork-cli.py -h
usage: dork-cli.py [-h] [-e ENGINE] [-f [FILETYPES]] [-k KEY] [-m MAX_QUERIES]
                   [-s SLEEP]
                   [T [T ...]]

Find dynamic pages via Google dorks.

positional arguments:
  T                     additional search term

optional arguments:
  -h, --help            show this help message and exit
  -e ENGINE, --engine ENGINE
                        Google custom search engine id (cx value)
  -f [FILETYPES], --filetypes [FILETYPES]
                        File extensions to return (if present but no
                        extensions specified, builtin dynamic list is used)
  -k KEY, --key KEY     Google API key
  -m MAX_QUERIES, --max-queries MAX_QUERIES
                        Maximum number of queries to issue
  -s SLEEP, --sleep SLEEP
                        Seconds to sleep before retry if daily API limit is
                        reached (0=disable)

examples:

  • NOTE: including -f/--filetypes without an argument, e.g. followed by --, defaults to filtering by a builtin list of dynamic file extensions.
$ ./dork-cli.py inurl:login
https://www.example.com/usher/Login.aspx
https://www.example.com/login/
http://www.example.com/rooms/index.php?option=com_user&view=login&Itemid=8
http://www.example.com/index.php?cmd=login
[...]
$ ./dork-cli.py --filetypes -- inurl:id
http://www.example.com/its/sla/sla.php?id=1617
http://www.example.com/bbucks/index.php?site=5&scode=0&id=720
http://www.example.com/directory/details.aspx?id=33
http://www.example.com/SitePages/VOIP%20ID.aspx
http://www.example.com/personnel_ext.php?id=44
http://www.example.com/its/alerts/event.php?id=7220
[...]
$ ./dork-cli.py --filetypes=php,aspx intitle:login inurl:admin
https://www.example.com/users/lab/admin/portal.php
https://www.example.com/admin/start/login.aspx?ReturnUrl=%2Fadmin%2Fscheduling%2Faudit%2Fdefault.aspx
http://www.example.com/admin/admin.php
[...]

API Limitations

The free Google API limits you to 100 searches per day, with a maximum of 10 results per search. This means if you configure dork-cli.py to return 100 results, it will issue 10 queries (1/10th of your daily limit) each time it is run. You have the option to pay for additional searches via the Google API console. At the time of writing, signing up for billing on the Google API site gets you $300 free to spend on API calls for 60 days.

@REM Windows launcher: runs dorks.js under PhantomJS, forwarding every argument (%*).
@REM The two lines below are alternative launch commands that route traffic
@REM through a local proxy; they are commented out and not executed.
@REM @phantomjs.exe --proxy=socks5://127.0.0.1:9150 --proxy-type=socks5 dorks.js %*
@REM @phantomjs.exe --proxy=http://127.0.0.1:8080 dorks.js %*
@phantomjs.exe dorks.js %*
var fs = require('fs')
var system = require('system')
// Page objects (Google / GHDB instances) still in flight. exit() only calls
// phantom.exit() once every entry has set `done`.
var pages = []
// User-Agent strings a Google page object picks from at random when created
// and again after a captcha, so successive sessions do not share one UA.
var userAgents = [
    "Mozilla/5.0 (X11; Linux i686; rv:40.0) Gecko/20100101 Firefox/40.0",
    "Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/535.7 (KHTML, like Gecko) Comodo_Dragon/16.1.1.0 Chrome/16.0.912.63 Safari/535.7",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
]
// Headless Google search driver for one target scope.
//
// `site` scopes every query with "site:<site>" (blank = no scope). Dorks are
// queued with set_dork()/set_dorks(); attack() then opens google.com and, on
// each page load, submits the next queued dork through the search form. Dorks
// whose result page contains links mentioning `site` are appended to the
// output file. The remaining queue is checkpointed to a per-site JSON session
// file so an interrupted run resumes where it stopped.
// Construction only records state; nothing is fetched until attack().
function Google( site )
{
    var web_browser = require('webpage').create()
    var uri = 'http://www.google.com/'
    var dorks = []                      // pending dorks; consumed with pop() in attack()
    var query = ( site.trim() != '' ) ? 'site:' + site : ''
    var found_pages = 0                 // only referenced by the commented-out per-hit render below
    var timeout = 0                     // ms delay inside the page before a query is submitted
    var captcha_retry_timeout = 0       // ms before an automatic reload after a captcha; 0 = ask on stdin
    this.done = false                   // polled by exit(): PhantomJS quits once every page is done
    web_browser.viewportSize = { width: 1280, height: 800 }
    // One User-Agent per page object, drawn at random from the global list.
    web_browser.settings.userAgent = userAgents[ parseInt( Math.random() * userAgents.length ) ]
    web_browser.__this = this
    web_browser.onConsoleMessage = function(msg)
    {
        console.log(msg)
    }
    // Fluent setters; each returns `this`.
    this.set_timeout = function( ms )
    {
        timeout = ms
        return this
    }
    this.set_captcha_retry_timeout = function( ms )
    {
        captcha_retry_timeout = ms
        return this
    }
    // Append one dork (or an array of dorks) to the queue.
    this.set_dork = function( dork )
    {
        dorks = dorks.concat( dork )
        return this
    }
    // Append every non-empty line of `dorks_file` to the queue, reversed so
    // that pop() yields them in file order. A missing file contributes nothing.
    this.set_dorks = function( dorks_file )
    {
        dorks = dorks.concat( fs.isFile(dorks_file) ? fs.read(dorks_file).replace(/\r/g, '').split('\n').reverse().filter( function(a) { return a } ) : [] )
        return this
    }
    // Session checkpoint: the remaining dork queue, as JSON.
    var save_state = function( session_file, state )
    {
        fs.write( session_file, JSON.stringify( state ), 'w' )
    }
    // Returns the saved queue, or undefined when there is no session file.
    var load_state = function( session_file )
    {
        if( fs.isFile(session_file) )
        {
            console.log("resume " + session_file)
            return JSON.parse( fs.read(session_file) )
        }
    }
    // Append a raw search term (e.g. "inurl:com") to the base query.
    this.filter = function( filter )
    {
        query += ' ' + filter
        return this
    }
    // Start the run. `out_file` (optional) receives one "<query> <dork>" line
    // per dork that produced hits; a PNG render of every loaded page is written
    // next to the script regardless.
    this.attack = function( out_file )
    {
        // Session file name derives from the site so each target resumes independently.
        var session_file = ( ( site.trim() ) ? '__' + site.trim().replace(/[\.:\/]/g, '_') : '__state' ) + '.json'
        var dork, captcha = false
        dorks = load_state( session_file ) || dorks
        // Any 403 response is treated as the session having been blocked.
        web_browser.onResourceReceived = function(resp) { if(! captcha) captcha = (resp.status == 403) }
        web_browser.onLoadFinished = function(status)
        {
            web_browser.render( ( ( site.trim() ) ? site.trim().replace(/\./g, '_') : 'page' ) + '.png' )
            if(! captcha)
                captcha = web_browser.evaluate( function() { if(document.getElementById('captcha')) return true } )
            // A URL containing "q=" is the results page for the dork submitted last.
            if( /q=/.test(web_browser.url) && !captcha )
            {
                // Collect result links (anchors whose parent is an <h3>) that mention the site.
                var result = web_browser.evaluateJavaScript(
"function() {\n\
var href_results = [], a = document.getElementsByTagName('a'), match\n\
for( var i = 0; i < a.length; i++ )\n\
if( /*a[i].getAttribute('target') == '_blank' &&*/ a[i].parentNode.tagName.toLowerCase() == 'h3' && a[i].getAttribute('href').indexOf('" + ( (site.trim()) ? site.trim().replace(/'/g, '') : '') + "') != -1 )\n\
{\n\
if( 0 /*( match = a[i].getAttribute('href').match(/q=(.*)/) ) && match.length == 2 && ( uri = match[1] )*/ )\n\
{\n\
console.log( '+ ' + uri )\n\
href_results.push( uri )\n\
}\n\
else\n\
{\n\
console.log( '+ ' + a[i].getAttribute('href') )\n\
href_results.push( a[i].getAttribute('href') )\n\
}\n\
}\n\
return href_results\n\
}"
                )
                if(result.length)
                {
                    //web_browser.render( ( (site.trim()) ? site.trim().replace(/\./g, '_') : 'page' ) + '_' + (++found_pages) + '.png')
                    if( out_file )
                        fs.write( out_file, query + ' ' + dork + '\n', 'a' )
                }
            }
            save_state( session_file, dorks )
            if(captcha)
            {
                // The blocked dork is not lost: put it back at the end of the queue.
                if( dorks.indexOf(dork) == -1 )
                    dorks.splice( dorks.length, 0, dork )
                if( captcha_retry_timeout ) /* easy anti-captcha */
                {
                    // Automatic mode: wait, then reopen the start page under a new User-Agent.
                    console.log("warn: captcha, sleeping " + captcha_retry_timeout + " ms")
                    setTimeout( function() {
                        web_browser.open( uri, function(status) { console.log("reopen " + uri + " (another UserAgent)") } )
                    }, captcha_retry_timeout )
                    web_browser.settings.userAgent = userAgents[ parseInt( Math.random() * userAgents.length ) ]
                }
                else
                {
                    // Manual mode: render the page to captcha.png and poll stdin every
                    // 500 ms for the operator's answer, which is typed into the form.
                    // `captcha` is reused here to hold the answer string.
                    var intr = setInterval( function() {
                        if(! fs.isFile('captcha.png') )
                        {
                            web_browser.render('captcha.png')
                            console.log('warn: enter chars from captcha.png')
                        }
                        if( captcha = system.stdin.readLine().trim() )
                        {
                            fs.remove('captcha.png')
                            var error = web_browser.evaluateJavaScript(
"function() {\n\
var captcha = document.getElementById('captcha')\n\
if(! captcha)\n\
return 'captcha field not found'\n\
captcha.value = '" + captcha.replace(/[\r\n]/g, '') + "'\n\
node = captcha\n\
while( node = node.parentNode )\n\
if( node.tagName.toLowerCase() == 'form' || node.tagName.toLowerCase() == 'body' )\n\
break\n\
if( node.tagName.toLowerCase() != 'form')\n\
return 'captcha form not found'\n\
}"
                            )
                            web_browser.sendEvent('keypress', web_browser.event.key.Enter)
                            captcha = false
                            clearInterval(intr)
                            if(error)
                                console.log(error)
                        }
                        else
                            console.log('warn: enter chars from captcha.png')
                    }, 500 )
                }
            }
            else
            {
                // Submit the next queued dork through Google's search form.
                if( dork = dorks.pop() )
                {
                    console.log("dork: " + dork)
                    // NOTE(review): the injected function only schedules a timer, and the
                    // `return '...'` statements live inside that timer callback, so this
                    // call always yields undefined and the `if(error)` below never fires.
                    // Also, `! node.tagName.toLowerCase() == 'form'` negates before
                    // comparing and is always false, so 'search form not found' is
                    // unreachable; with no enclosing form, submit() is called on <body>.
                    var error = web_browser.evaluateJavaScript(
"function() {\n\
setTimeout( function() {\n\
var search_query, inp = document.getElementsByTagName('input')\n\
for(var i = 0; i<inp.length; i++)\n\
{\n\
if( inp[i].getAttribute('type') == 'text' || inp[i].getAttribute('type') == null )\n\
{\n\
search_query = inp[i]\n\
break\n\
}\n\
}\n\
if(! search_query)\n\
return 'search query input not found'\n\
search_query.value = '" + query.replace(/'/g, "\\'").replace(/\r/g, '') + " " + dork.replace(/'/g, "\\'").replace(/\r/g, '') + "'\n\
node = search_query\n\
while( node = node.parentNode )\n\
if( node.tagName.toLowerCase() == 'form' || node.tagName.toLowerCase() == 'body' )\n\
break\n\
if(! node.tagName.toLowerCase() == 'form')\n\
return 'search form not found'\n\
node.submit()\n\
}, " + timeout + ")\n\
}"
                    )
                    if(error)
                    {
                        dorks.splice( dorks.length, 0, dork )
                        console.log('err: ' + error)
                    }
                }
                else
                {
                    // Queue drained: drop the session file and signal completion.
                    fs.remove( session_file )
                    web_browser.__this.done = true
                    exit()
                }
            }
        }
        web_browser.open( uri, function(status) {
            if(status != 'success')
                console.log( 'warn: ' + uri + ': ' + status)
        } )
        return this
    }
}
// Scraper for the Exploit-DB Google Hacking Database listing.
//
// search(query) or category(name|id) submits the site's search form; the
// result listing is then walked via its "next" links to collect the URL of
// every dork's detail page, and each detail page is visited to extract the
// dork text. When the queue of detail pages is empty the collected dorks are
// written (one per line) to the file given to save(), and the object marks
// itself done for exit(). file() bypasses the site and loads dorks locally.
function GHDB()
{
    var web_browser = require('webpage').create()
    var uri = 'https://www.exploit-db.com/google-hacking-database/'
    var dorks = []                      // extracted dork strings
    var filename = ''                   // output path set by save(); '' = do not write
    var dork_descriptions = []          // detail-page URLs still to visit
    var need_to_extract_dorks = false   // false while paging the listing, true once visiting detail pages
    this.done = false                   // polled by exit()
    web_browser.viewportSize = { width: 1280, height: 800 }
    web_browser.__this = this
    web_browser.onConsoleMessage = function(msg)
    {
        console.log(msg)
    }
    // Record the output path; the actual write happens when extraction finishes.
    this.save = function(result_filename)
    {
        filename = result_filename
        return this
    }
    // Load dorks from a local file (one per line), write them out if save()
    // was called, and finish immediately.
    // NOTE(review): `dork` is assigned without `var` and so leaks as a global.
    this.file = function(source_filename)
    {
        if( fs.isFile( source_filename ) )
        {
            var custom_dorks = fs.read( source_filename ).split('\n')
            for( var i = 0; i < custom_dorks.length; i++ )
                if( dork = custom_dorks[i].replace(/\r/g, '') )
                    dorks.push( dork )
        }
        if( filename )
            fs.write( filename, dorks.join('\n'), 'w' )
        this.done = true
        exit()
    }
    // Build the onLoadFinished callback. `evaluate_code` is injected exactly
    // once (on the first load, while `query` is non-null) to submit the search
    // form; later loads either harvest listing links or, once
    // need_to_extract_dorks is set, extract a dork from a detail page.
    // NOTE(review): `error` is assigned without `var` and leaks as a global.
    var get_onLoadFinished_handler = function( evaluate_code, query )
    {
        return function(status)
        {
            //web_browser.render('ghdb.png')
            if(query != null)
            {
                query = null
                if( error = web_browser.evaluateJavaScript( evaluate_code ) )
                    console.log(error)
            }
            else if(need_to_extract_dorks)
            {
                // Detail page: the dork is the text of the first target="_blank"
                // link pointing at google, with HTML entities unescaped.
                var uri,
                    dork = web_browser.evaluate( function() {
                        var a = document.getElementsByTagName('a')
                        for(var i = 0; i < a.length; i++)
                            if( a[i].getAttribute('target') == '_blank' && /google/.test( a[i].getAttribute('href') ) )
                                return a[i].innerHTML.replace(/&amp;/g, '&').replace(/(&quot;|&ldquo;|&rdquo;)/g, '"')
                                    .replace(/&gt;/g, '>').replace(/&lt;/g, '<').trim()
                    } )
                console.log( dork )
                dorks.push( dork )
                if( uri = dork_descriptions.pop() )
                    web_browser.open( uri )
                else
                {
                    if( filename )
                        fs.write( filename, dorks.join('\n'), 'w' )
                    web_browser.__this.done = true
                    exit()
                }
            }
            else
            {
                // Listing page: collect /ghdb/ detail links, then follow "next"
                // or, on the last page, start visiting the detail pages.
                var result = web_browser.evaluate( function() {
                    var uri,dork_descriptions = [], a = document.getElementsByTagName('a')
                    for( var i = 0; i < a.length; i++)
                        if( /\/ghdb\//.test( uri = a[i].getAttribute('href') ) )
                            dork_descriptions.push( uri )
                    return dork_descriptions
                } )
                dork_descriptions = dork_descriptions.concat( result )
                var next_page = web_browser.evaluate( function() {
                    var href_results = [], a = document.getElementsByTagName('a')
                    for( var i = 0; i < a.length; i++)
                        if( a[i].innerHTML.toLowerCase() == 'next' )
                            return a[i].getAttribute('href')
                } )
                if( next_page )
                    web_browser.open( next_page.replace(/\t/g, '') )
                else
                {
                    need_to_extract_dorks = true
                    web_browser.open( dork_descriptions.pop() )
                }
            }
        }
    }
    // Category names as listed on the site; the array index doubles as the
    // numeric category id submitted in the form.
    this.categories = [
        'Any Category',
        'Footholds',
        'Files containing usernames',
        'Sensitive Directories',
        'Web Server Detection',
        'Vulnerable Files',
        'Vulnerable Servers',
        'Error Messages',
        'Files containing juicy info',
        'Files containing passwords',
        'Sensitive Online Shopping Info',
        'Network or vulnerability data',
        'Pages containing login portals',
        'Various Online Devices',
        'Advisories and Vulnerabilities'
    ]
    // Print "[id] 'name'" for every category (the -l option).
    this.print_categories = function()
    {
        console.log("categories:")
        this.categories.forEach( function(val,key) {
            console.log("[" + key + "] " + "'" + val + "'")
        } )
    }
    // Resolve `category` to an id (numeric string, exact name, or case-insensitive
    // match), then submit the category form and begin scraping.
    // NOTE(review): `parseInt(category) != NaN` is always true (NaN compares unequal
    // to everything), so only the length test guards the numeric branch; a
    // non-numeric name of exactly three characters yields category_id = NaN, which
    // passes the `== null` check. The fallback uses String.search(), which treats
    // the name as a regular expression, so regex metacharacters in it alter the match.
    this.category = function(category)
    {
        var category_id
        if( parseInt(category) != NaN && String( parseInt(category) ).length == category.length )
            category_id = parseInt( category )
        else
            category_id = ( this.categories.indexOf(category) != -1 ) ? this.categories.indexOf(category) : ( function(categories, category) {
                for(var i=0; i < categories.length; i++)
                    if( categories[i].toLowerCase().search( category.toLowerCase() ) != -1 )
                        return i
            } )(this.categories, category)
        if( category_id == null )
        {
            console.log('category ' + category + ' not found')
            return this
        }
        // NOTE(review): in the injected code `! node.tagName.toLowerCase() == 'form'`
        // is always false, so 'search form not found' can never be returned.
        web_browser.onLoadFinished = get_onLoadFinished_handler(
"function() {\n\
var select_element = document.getElementById('ghdb_search_cat_id')\n\
if(! select_element)\n\
return 'categories element not found'\n\
select_element.value = '" + category_id + "'\n\
node = select_element\n\
while( node = node.parentNode )\n\
if( node.tagName.toLowerCase() == 'form' || node.tagName.toLowerCase() == 'body' )\n\
break\n\
if(! node.tagName.toLowerCase() == 'form')\n\
return 'search form not found'\n\
node.submit()\n\
}", category_id
        )
        web_browser.open( uri, function(status) {
            if(status != 'success')
                console.log( 'warn: ' + uri + ': ' + status)
        } )
        return this
    }
    // Type `query` into the site's search box, submit it and begin scraping.
    // NOTE(review): `query` is spliced into the injected code without escaping
    // (Google.attack escapes single quotes); a quote in the -q value breaks the
    // injected script. The `! ... == 'form'` check has the same always-false
    // precedence issue as in category().
    this.search = function(query)
    {
        web_browser.onLoadFinished = get_onLoadFinished_handler(
"function() {\n\
var search_query, inp = document.getElementsByTagName('input')\n\
for(var i = 0; i<inp.length; i++)\n\
{\n\
if( inp[i].getAttribute('type') == 'text' || inp[i].getAttribute('type') == null )\n\
{\n\
search_query = inp[i]\n\
break\n\
}\n\
}\n\
if(! search_query)\n\
return 'search query input not found'\n\
search_query.value = '" + query + "'\n\
node = search_query\n\
while( node = node.parentNode )\n\
if( node.tagName.toLowerCase() == 'form' || node.tagName.toLowerCase() == 'body' )\n\
break\n\
if(! node.tagName.toLowerCase() == 'form')\n\
return 'search form not found'\n\
node.submit()\n\
}", query
        )
        web_browser.open( uri, function(status) {
            if(status != 'success')
                console.log( 'warn: ' + uri + ': ' + status)
        } )
        return this
    }
}
// Print the command-line usage text for dorks.js.
// `script_name` is interpolated into the USAGE line and every example; the
// output begins and ends with a newline, like the original single literal.
function print_help( script_name )
{
    var run = 'phantomjs ' + script_name + ' '
    var lines = [
        '',
        'USAGE: ',
        run + '[command] [options]',
        'commands: ghdb, google',
        'options (ghdb):',
        '-q [words] query from exploit-db GHDB',
        '-c [name or id] category from exploit-db GHDB',
        '-l list exploit-db GHDB categories',
        'options (google):',
        '-d [dork] specify google dork',
        '-D [dork_file] specify google dorks',
        '-s [site] set site name',
        '-S [sites_file] set sites filename',
        '-f [filter] set custom filter',
        '-t [msec] set timeout between query',
        '-T [msec] set captcha retry timeout',
        'options common:',
        '-o [result_file] save data in file',
        '',
        'EXAMPLES:',
        run + 'ghdb -q oracle -o oracle_dorks.txt',
        run + 'ghdb -c "vulnerable files" -o vuln_files.txt',
        run + 'ghdb -c 0 -o all_dorks.txt',
        '',
        run + 'google -D all_dorks.txt -s "somesite.com" -o result.txt',
        run + 'google -d "mysql running.on" -S "sites.txt"',
        run + 'google -D vuln_files.txt -S "sites.txt" -o result.txt',
        run + 'google -D vuln_servers.txt -f "inurl:com" -f "inurl:net"',
        ''
    ]
    console.log( lines.join('\n') )
}
// Terminate PhantomJS once every page object in the global `pages` list has
// flagged itself done. Called from each page's completion path; a no-op while
// any page is still working.
function exit()
{
    var pending = pages.some( function(page) { return ! page.done } )
    if( pending )
        return
    phantom.exit()
}
// Delete the captcha screenshot left behind by an earlier run, if present,
// so a stale image is never mistaken for the current one.
function remove_old_files()
{
    var stale = 'captcha.png'
    fs.isFile( stale ) && fs.remove( stale )
}
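// Run-time settings, filled from system.args below.
var settings = {
    'words': '',                // -q: GHDB search words
    'category': null,           // -c: GHDB category name or id
    'print_categories': false,  // -l
    'dorks': [],                // -d (repeatable)
    'dork_file': 'dorks.json',  // -D
    'sites': [],                // -s (repeatable) or -S <file>
    'filters': [],              // -f (repeatable)
    'timeout': 0,               // -t, milliseconds (kept as the raw string)
    'captcha_timeout': 0,       // -T, milliseconds (kept as the raw string)
    'output': ''                // -o
}, command
if( system.args.length > 1 )
{
    command = system.args[1].toLowerCase()
    if( command != 'ghdb' && command != 'google' )
    {
        console.log("bad command")
        exit()
    }
    // Options are "-x value" pairs; each case consumes the following argument.
    // A trailing option with no value reads past the end and stores undefined.
    for( var i = 2; i < system.args.length; i++ )
    {
        switch( system.args[i] )
        {
            case '-q':
                settings.words = system.args[++i]
                break
            case '-c':
                settings.category = system.args[++i]
                break
            case '-l':
                settings.print_categories = true
                break
            case '-f':
                settings.filters[ settings.filters.length ] = system.args[++i]
                break
            case '-d':
                settings.dorks[ settings.dorks.length ] = system.args[++i]
                break
            case '-D':
                settings.dork_file = system.args[++i]
                break
            case '-s':
                settings.sites[ settings.sites.length ] = system.args[++i]
                break
            case '-S':
                // One site per line; a missing file leaves `sites` untouched.
                var sites_file = system.args[++i]
                if( sites_file && fs.isFile(sites_file) )
                    settings.sites = fs.read(sites_file).replace(/\r/g, '').split('\n')
                break
            case '-t':
                settings.timeout = system.args[++i]
                break
            case '-T':
                settings.captcha_timeout = system.args[++i]
                break
            case '-o':
                settings.output = system.args[++i]
                break
            default:
                console.log('unknown option')
                // Pass the script name, as the no-argument branch does; without it
                // the usage text printed "phantomjs undefined ...".
                print_help( system.args[0] )
                exit()
        }
    }
    if( settings.print_categories )
    {
        new GHDB().print_categories()
        exit()
    }
    else
    {
        switch( command )
        {
            case 'ghdb':
                if( settings.category )
                    pages.push( new GHDB().category( settings.category ).save( settings.output ) )
                else
                    pages.push( new GHDB().search( settings.words ).save( settings.output ) )
                break
            case 'google':
                remove_old_files()
                // NOTE(review): settings.filters is an array and therefore always
                // truthy, so with no -s/-S a single unscoped (" ") search always
                // runs; presumably `.length` was intended — confirm before changing.
                if( settings.filters && settings.sites.length == 0 )
                    settings.sites.push(" ")
                for(var i = 0; i < settings.sites.length; i++)
                    if( settings.sites[i] )
                        pages.push(
                            new Google( settings.sites[i] )
                                .filter( settings.filters.join(' ') )
                                .set_dorks( settings.dork_file )
                                .set_dork( settings.dorks )
                                .set_timeout( settings.timeout )
                                .set_captcha_retry_timeout( settings.captcha_timeout )
                                .attack( settings.output )
                        )
                break
        }
    }
}
else
{
    print_help( system.args[0] )
    exit()
}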
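#!/bin/bash
# Launcher: run dorks.js under PhantomJS, forwarding the caller's arguments.
# Appending "." lets a phantomjs binary placed next to this script be found,
# at the cost of also resolving any other unqualified command from the
# current directory (searched last).
PATH="$PATH":.
# Alternative launch lines that route traffic through a local proxy; not used.
#phantomjs --proxy=socks5://127.0.0.1:9050 --proxy-type=socks5 dorks.js $*
#phantomjs --proxy=http://127.0.0.1:8080 dorks.js $*
# "$@" keeps every argument intact (the README examples pass -c "vulnerable files");
# the previous unquoted $* re-split such arguments on whitespace.
phantomjs dorks.js "$@"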

dorks

google hack database automation tool

USAGE:

phantomjs dorks.js [command] [options]

commands: ghdb, google

options (ghdb):

-q [words]                  query from exploit-db GHDB
-c [name or id]             category from exploit-db GHDB
-l                          list exploit-db GHDB categories

options (google):

-d [dork]                   specify google dork
-D [dork_file]              specify google dorks
-s [site]                   set site name
-S [sites_file]             set sites filename
-f [filter]                 set custom filter
-t [msec]                   set timeout between query
-T [msec]                   set captcha retry timeout

options common:

-o [result_file]            save data in file

EXAMPLES:

phantomjs dorks.js ghdb -q oracle -o oracle_dorks.txt
phantomjs dorks.js ghdb -c "vulnerable files" -o vuln_files.txt
phantomjs dorks.js ghdb -c 0 -o all_dorks.txt

phantomjs dorks.js google -D all_dorks.txt -s "somesite.com" -o result.txt
phantomjs dorks.js google -d "mysql running.on" -S "sites.txt"
phantomjs dorks.js google -D vuln_files.txt -S "sites.txt" -o result.txt
phantomjs dorks.js google -D vuln_servers.txt -f "inurl:com" -f "inurl:net"

REQUIRE: phantomjs

#!/usr/bin/env python2
# -*- coding: utf8 -*-
import sys
import time
import random
import argparse
from selenium import webdriver
from selenium.webdriver.support.ui import Select, WebDriverWait
from selenium.common.exceptions import NoSuchFrameException
from selenium.webdriver.common.keys import Keys
import os
# Disables Firefox multi-process (e10s) for the Selenium-driven browser started
# in start_browser(); presumably required by the driver version in use — TODO confirm.
os.environ['MOZ_FORCE_DISABLE_E10S'] = '1'
# If this script no longer fetches any results check the XPath
def parse_args():
    """Parse the command line.

    The only option is ``-d``/``--domain``; it is optional here and
    validated by the caller.
    """
    argp = argparse.ArgumentParser()
    argp.add_argument('-d', '--domain', help='Enter the domain')
    parsed = argp.parse_args()
    return parsed
def start_browser():
    """Launch Firefox through Selenium with a 10 s implicit element wait."""
    driver = webdriver.Firefox()
    driver.implicitly_wait(10)
    return driver
def get_ua():
    """Return one user-agent string chosen at random from a fixed list."""
    candidates = (
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0',
    )
    return random.choice(candidates)
def open_page(br, domain):
    """ Open URLs each in its own tab """
    # Every query below is appended to this Google search URL (100 results per page).
    g_search_base = 'https://www.google.com/webhp?#num=100&start=0&q='
    google_queries = ('+intitle:index.of', # Dir indexing
                      '+ext:xml+|+ext:conf+|+ext:cnf+|+ext:reg+|+ext:inf+|+ext:rdp+|+ext:cfg+|+ext:txt+|+ext:ora+|+ext:ini', # config
                      '+ext:sql+|+ext:dbf+|+ext:mdb', # db files
                      '+ext:log', # logs
                      '+ext:bkf+|+ext:bkp+|+ext:bak+|+ext:old+|+ext:backup', # backups
                      '+intext:"sql+syntax+near"+|+intext:"syntax+error+has+occurred"+|+intext:"incorrect+syntax+near"+|+intext:\
"unexpected+end+of+SQL+command"+|+intext:"Warning:+mysql_connect()"+|+intext:"Warning:+mysql_query()"+|+intext:"Warning:+pg_connect()"', # sql errors
                      '+filetype:asmx+|+inurl:jws?wsdl+|+filetype:jws+|+inurl:asmx?wsdl', # wsdls
                      '+ext:doc+|+ext:docx+|+ext:odt+|+ext:pdf+|+ext:rtf+|+ext:sxw+|+ext:psw+|+ext:ppt+|+ext:pptx+|+ext:pps+|+ext:csv') # docs
    # Make Google queries
    urls = [g_search_base+'site:'+domain+q for q in google_queries]
    # Make pastebin searches
    urls.append(g_search_base+'site:pastebin.com+'+domain)
    # Add quotes around domain for pastebin search
    urls.append(g_search_base+'site:pastebin.com+"'+domain+'"')
    # NOTE(review): `domain` is spliced into the URL without escaping; fine for the
    # bare hostname the README asks for, anything else may break the query.
    # switch_to_window / find_element_by_tag_name are the Selenium 2-era API
    # (requirements.txt pins selenium>=2.44.0).
    tabHandle = 0
    for u in urls:
        br.switch_to_window(br.window_handles[tabHandle])
        br.get(u)
        # Just grab an element that exists in all pages
        html_elem = br.find_element_by_tag_name('html')
        if u != urls[-1]:
            # Ctrl+T opens a fresh tab for the next URL; not needed after the last one.
            html_elem.send_keys(Keys.CONTROL + 't')
            tabHandle+=1
        # time.sleep(10) # Optional
    # Leave the first tab focused.
    br.switch_to_window(br.window_handles[0])
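def main():
    """Entry point: validate the -d argument, start Firefox, open the dork tabs.

    Exits with a usage message (status 1) when the domain is missing or
    carries a URL scheme; the README asks for a bare hostname.
    """
    args = parse_args()
    # Validate before launching the browser so a usage error does not leave a
    # Firefox window behind. The emptiness check must come first: with -d
    # omitted, args.domain is None and startswith() would raise AttributeError.
    if not args.domain:
        sys.exit('[!] Enter a domain to perform the recon on: ./fast-recon.py -d "danmcinerney.org"')
    if args.domain.startswith('http'):
        sys.exit('[*] Do: -d example.com Do not: -d http://example.com')
    br = start_browser()
    open_page(br, args.domain)


if __name__ == '__main__':
    # Guarded so importing the module does not launch a browser.
    main()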

A very simple script to open a bunch of google and pastebin dorks at once. Run it against a domain and it'll google dork for possibly sensitive files.

git clone https://github.com/DanMcInerney/fast-recon

pip install -r requirements.txt

python fast-recon.py -d "danmcinerney.org"

Do not include http:// or https:// in the domain name.

selenium>=2.44.0