
@chrisdlangton
Last active July 8, 2022 21:18
The real dark web - find and exploit forgotten files on servers
#!/usr/bin/env bash
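#######################################
# Abort unless an executable is on PATH.
# Arguments: $1 - command name
#            $2 - install hint appended to the error message
# Outputs:   diagnostic on stderr when the command is missing
# Returns:   exits 1 when the command is missing, otherwise 0
#######################################
require_tool() {
  # 'command -v' is a builtin: no dependency on an external 'which', and the
  # expansion is quoted so an empty result cannot collapse the test.
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s not found. try %s\n' "$1" "$2" >&2
    exit 1
  fi
}

# Hard requirements for the URL collection and scanning steps.
require_tool retire 'npm install -g retire'
require_tool parallel "'apt install -y parallel'"
require_tool waybackurls "'go get github.com/tomnomnom/waybackurls'"

# searchsploit only enables the cross-reference branch further down; without
# it the script still runs retire.js and prints its report.
if ! command -v searchsploit >/dev/null 2>&1; then
  printf 'optional: searchsploit not found\n' >&2
fi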
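# Positional arguments:
#   $1 - target domain (its emptiness is checked further down, before any
#        filesystem work happens)
#   $2 - minimum retire.js severity to report; defaults to "low"
target_host=$1
severity=${2:-low}

# The domain is spliced into every path below and those paths are later passed
# to mkdir, rm and cd, so refuse anything that could escape the per-run
# directory. A real hostname never contains a slash or whitespace.
case "${target_host}" in
  */*|*[[:space:]]*)
    printf 'invalid domain: %s\n' "${target_host}" >&2
    exit 1
    ;;
esac

# All artefacts of a run live under ./target_<domain> in the current directory.
workdir=$(pwd)
target_dir=${workdir}/target_${target_host}
exploits_dir=${target_dir}/exploits              # copies of searchsploit result paths
urls_file=${target_dir}/url_list.txt            # .js URLs that still answer HTTP 200
retirejs_file=${target_dir}/retirejs.json       # retire --outputformat json
searchsploit_file=${target_dir}/searchsploit.json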
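#######################################
# Join arguments into one string, one argument per line.
# Arguments: $1    - first line
#            $2... - further lines, each appended after a newline
# Outputs:   the joined string followed by a newline, on stdout
# Returns:   0
# Currently only referenced from the commented-out redirect handling below.
#######################################
embed_newline() {
  local joined="$1"
  local part
  shift
  for part in "$@"; do
    joined+=$'\n'"${part}"
  done
  # printf instead of echo: a first line such as "-n" or "-e" would otherwise
  # be consumed as an echo option rather than printed.
  printf '%s\n' "${joined}"
}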
# Main flow: reject a missing domain, gather historical .js URLs for it, keep
# the ones still served with HTTP 200, download those, then run retire.js (and
# searchsploit when installed) over the downloads. Every expansion in this
# block is unquoted, and ${target_host} drives the paths handed to mkdir, rm
# and cd.
# NOTE(review): because ${target_host} is unquoted, a value containing
# whitespace turns this into a multi-argument test instead of being rejected.
if [ -z ${target_host} ]; then
echo -e "pass in a domain"
exit 1
fi
# Per-run working tree; both directories derive from ${target_host}.
mkdir -p ${target_dir}
mkdir -p ${exploits_dir}
# Start from an empty URL list; a not-yet-existing file is not an error here.
rm ${urls_file} 2>/dev/null
rm ${urls_file}.tmp 2>/dev/null
# Candidate URLs: every Wayback Machine entry for the host that mentions ".js".
# NOTE(review): uniq runs before sort, so only already-adjacent duplicates are
# dropped; the list may still contain repeats.
waybackurls ${target_host} | grep "\.js" | uniq | sort >>${urls_file}.tmp
# No candidates is treated as a clean exit, not a failure.
if [ -z "$(cat ${urls_file}.tmp)" ]; then
echo "no urls found in waybackmachine for ${target_host}"
exit 0
fi
# use the output to get only urls with Status:200
# Probe 50 URLs at a time: -L follows redirects, -k disables TLS certificate
# verification, -o /dev/null discards the bodies; only the effective URL of a
# 200 response survives the two greps. Because the redirect uses >> and grep
# may match nothing, the list file can end up created but empty without the
# script noticing. NOTE(review): egrep is the deprecated spelling of grep -E.
cat ${urls_file}.tmp | \
parallel -j50 -q curl -Lw 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk | \
grep 'Status:200' | \
egrep -o 'https?://[^ ]+' >>${urls_file}
rm ${urls_file}.tmp
# TODO get list of redirects from tmp_${urls_file} and try https, add to ${urls_file}
# if [ "$rewrite_to_https" = "true" ]; then
# while read -r line; do
# url=`echo ${line/http:/https:}`
# urls="$( embed_newline ${url} ${urls} )"
# done <<< "${waybackurls}"
# else
# urls=${waybackurls}
# fi
# Download the live files into the target directory; wget's output and errors
# are discarded. NOTE(review): cd has no failure check, so if it fails wget
# writes into ${workdir} instead. wget is also given no counterpart to curl's
# -k above, so a URL accepted by the probe may presumably still fail here and
# the 2>/dev/null hides that.
cd ${target_dir}
cat ${urls_file} | xargs wget 2>/dev/null
cd ${workdir}
# Without searchsploit, print retire's coloured report and stop. Otherwise
# write JSON and cross-reference it in three passes (component names,
# "component version" pairs, CVE ids); each pass overwrites
# ${searchsploit_file} and copies the matched paths into ${exploits_dir}.
if [ -z $(which searchsploit) ]; then
retire --path ${target_dir} --severity ${severity} --colors
else
retire --path ${target_dir} --severity ${severity} --outputformat json --outputpath ${retirejs_file}
# Pass 1: component names. NOTE(review): uniq without a preceding sort only
# collapses adjacent repeats (same for the two passes below).
jq -r '.data[].results[].component' ${retirejs_file} | uniq | paste -sd ' ' \
| xargs searchsploit --json > ${searchsploit_file}
echo "Searched: $(jq -r '.SEARCH' ${searchsploit_file})"
# cp failures (e.g. a listed path that does not exist locally) are silenced.
jq -r '.RESULTS_EXPLOIT[].Path' ${searchsploit_file} | xargs cp -t ${exploits_dir} 2>/dev/null
# Pass 2: "component version" pairs. NOTE(review): two independent
# .data[].results[] iterations inside one jq expression combine as a cross
# product, so a component can be paired with another result's version;
# `.data[].results[] | .component + " " + .version` would keep each pair
# together — TODO confirm against a sample retirejs.json.
jq -r '.data[].results[].component + " " + .data[].results[].version' ${retirejs_file} | uniq | paste -sd ' ' \
| xargs searchsploit --json > ${searchsploit_file}
echo "Searched: $(jq -r '.SEARCH' ${searchsploit_file})"
jq -r '.RESULTS_EXPLOIT[].Path' ${searchsploit_file} | xargs cp -t ${exploits_dir} 2>/dev/null
# Pass 3: CVE identifiers reported by retire.js for the detected components.
jq -r '.data[].results[].vulnerabilities[].identifiers.CVE[]' ${retirejs_file} | uniq | paste -sd ' ' \
| xargs searchsploit --json > ${searchsploit_file}
echo "Searched: $(jq -r '.SEARCH' ${searchsploit_file})"
jq -r '.RESULTS_EXPLOIT[].Path' ${searchsploit_file} | xargs cp -t ${exploits_dir} 2>/dev/null
echo "Check for exploits in: ${exploits_dir}"
fi

chrisdlangton commented Nov 8, 2018

try s3.amazonaws.com to find javascript in buckets
also look at jordanpotti/CloudScraper to search live sites for current cloud hosted files
