Quick and dirty php code to enumerate subdomains using Google dorks

gistfile1.php

<?php
function docurl($url) {
        $opts = array(
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_URL => $url,
                CURLOPT_HEADER => true,
        );
 
        $ch = curl_init();
        curl_setopt_array($ch, $opts);
 
        $data = array();
 
        $res = curl_exec($ch);
 
        $data['info'] = curl_getinfo($ch);
 
        $data['header'] = substr($res, 0, $data['info']['header_size']);
        $data['body'] = substr($res, $data['info']['header_size']);
 
        $data['error'] = curl_error($ch);
        $data['errorno'] = curl_errno($ch);

        curl_close($ch);
 
        return $data;
}
 
function extractSubs($main, $ignores, $filter = '') {
        $ignores = array_map(function($v) { return "+-site:$v"; }, $ignores);
        $url = "http://www.google.com/search?q="
                ."site:$main+$filter"
                .implode('', $ignores);

        echo "Testing URL: $url\n";
 
        $res = docurl($url);
 
        $doc = new DOMDocument();
        $doc->loadHTML($res['body']);
        $xpath = new DOMXPath($doc);
        $nodes = $xpath->query("//cite");
 
        $cites = array();
        foreach ($nodes as $node) {
                $cite = $node->nodeValue;
                $cite = preg_replace('%^https?://%', '', $cite);
                $cite = preg_replace("%/.*%", '', $cite);
                if (!in_array($cite, $cites)) $cites []= $cite;
        }
 
        return $cites;
}
libxml_use_internal_errors(true);
 
$start = $argv[1];
$filter = isset($argv[2])?$argv[2]:'';
$subs = array();
 
do {
        $newSubs = extractSubs($start, $subs, $filter);
        $subs = array_merge($subs, $newSubs);
 
        sleep(1);
} while(!empty($newSubs));

echo implode("\n", $subs);