Fi8sVrs

GooDork.py as a Vulnerability Scanner


“GooDork is for the few people who enjoy being creative about hacking/information gathering!”

Some of you may have heard about Google Dorking/Hacking, and even fewer have heard about GooDork.py, a new script designed to supercharge your Google dorking. It can even be used as a front end for sqlmap (mass pwnage!) if your bash scripting is good enough!

GooDork?

Very simply put, GooDork is a Python script that allows you to perform Google Search queries from the comfort of your command line (Bleach fans, you can think of this as a Shikai). The real power of GooDork lies in its ability to let you run regular expressions on the attributes of the results of a Google Search (BANKAI!).

Let me rephrase that, you run a query, this query will return a couple of results (URLs), these results will be web pages (or rather URLs to web pages), you then have the ability to run regular expressions on these web pages and be returned a list of results containing links to only those pages that satisfied your regular expression(s).

So what's this regular expression stuff?

Before you can come to truly appreciate the power of GooDork, you need to master regular expressions!

Regular expressions can be thought of as little programs that help you specify how a string should be matched. They are expressions that detail the structure of a string. For instance, we can write a regex that will match all strings with a given range of characters in them, or one that matches strings with only a specific repetition of chars. These little buggers are incredibly powerful!

If you wanna read more about them, check out the links at the end of the post.

Vulnerability Scanning:

Okay, so how do you use GooDork to find vulnerabilities? Actually quite easily! It just takes a bit of practice. I'm actually gonna show you what I personally use GooDork for.

If we are to do vulnerability scanning with GooDork, we need to make sure we know what to look for. In this example I'll show you how to find a specific SQL injection vulnerability in a CMS. Basically what I'll be showing you is how I fingerprint CMSs (learn to recognize them), and then we will write a regex for GooDork that will make sure to find links to only the vulnerable web applications. So we're gonna look for web pages with the MediaSolusi SQLi (MediaSolusi - SQL Injection Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode). I know it's quite random, but I need to show you guys how to use GooDork properly, as an information gathering tool!

So let's get started. Our aim is to find out the few details that "tag" or mark all these vulnerable web pages. Over here half the job is done by knowing that if they are running the mentioned CMS, then there's a good chance that the web page is vulnerable, at least in the way described. The report will have you believe that the best way to find these vulnerable servers is by Dorking:

inurl:"/products/category/?id=" nm="
intext:"All rights reserved. - By Media Kreasi"

But I never settle for just a Google dork. There are details that a Google dork cannot specify, which is why I make use of regex to hunt vulnerabilities in GooDork. So let's see what we can find out. I start with this command:

[Screenshot: GooDork starting up]

./GooDork.py intext:%22All%20rights%20reserved.%20-%20By%20Media%20Kreasi%22 -a[\\w]*

I've urlencoded the " and space chars to make it appear as a single argument to Python. The first argument to the script is the dork I want to run, the one quoted above using the "intext:" directive. I chose not to use the inurl one, because:

  1. Google blows a gasket if you use it in general
  2. I'm not interested in the known vulnerabilities, I'm interested in fingerprinting the CMS

The second argument is a lil hack I came up with. -a is the argument to specify a regex to search for in the anchor tags of the pages; the regex I give it matches any alphanumeric character, which will cause GooDork to print out all the anchors on all the pages. You should spend some time checking out the anchors, you might find some interesting stuff. For instance, what I found is in the screenshot:

[Screenshot: GooDork loot]

The vulnerability report above details that we find it based on the URL value, and that the script in the category subdirectory is the vulnerable one; I bet the script in the product subdirectory is as well. So what we've also established here is that the anchors of the vulnerable CMS contain hrefs like the ones in the screenshot. Our next task will be to find all the pages with anchor tags like the ones above.

Oh wait, here's something interesting I found when I ran this dork as well:

[Screenshot]

authd?IDKEY= lols, you've gotta be insane to put that in an anchor!

Anyway, back to the hunt! We wanna find specific URLs in a page's anchor tags; one of the example URLs looks as follows:

PT. Duta Plastik Industri - Plastic Forming - Plastik Kemasan - Kemasan Plastik

We need to write a regex that matches every part of the string. Basically the string consists of a protocol spec, a domain and a query string. I skipped the "http://" part of the regex purely because I was lazy, lols! But the regex I came up with was:

“([\w]+)\.([\w]+)\.([\w]+)/([\w_-]|/)*\?([\w_-].*?)(=|%3D)([\d].*?)”

I know it looks like ASCII art that grew up next to a nuclear power plant, but if you start trying to build your own regexes you'll see how easy they are to use! I'll break down that regex; this is what everything is there for:

  • ([\w]+) — matches the first part of the domain
  • \. — matches a dot
  • ([\w]+) — matches the second part of the domain
  • \. — another dot
  • ([\w]+) — the final part of the domain
  • / — the slash demarcating the path
  • ([\w_-]|/)* — matches the first word after the path
  • \? — the query delimiter
  • ([\w_-].*?) — the keyword
  • (=|%3D) — an = sign or its urlencoding
  • ([\d].*?) — an argument for the keyword, I'm betting on only decimal data here!

Oh, I should have used numbers instead of bullets here, but just so you know (if you don't), order does matter!!

This regex is pretty generic, but I did build it straight from one of the sample URLs to make sure it works and returns exactly what I want. Here's me building the regex:

[Screenshot: Building a regex]

There is something you need to remember when running a regex, and that's escaping properly. Remember that you will be supplying your regex via the command line, so you will need to escape some things for bash and some things for the regex's sake. For instance, notice in the following screenshot how I escape the parentheses and | chars so bash doesn't interpret them. You also need to be wary of the \w special chars because of the \ in them: bash will assume you are escaping the "w" with the "\", so to make sure it doesn't escape the w we need to escape the escape character itself, like this: "\\w". The first \ protects the second \.

[Screenshot: Running the dork]

And the results? We actually get only sites vulnerable to the SQL injection.

[Screenshot: Proof's in the pudding]

GooDork:

https://github.com/k3170makan/GooDork <— Download

Keith (k3170) Makan: GooDork : Super Charging your Google Hacking

Regular expressions:

7.2. re — Regular expression operations — Python v2.7.2 documentation

Regular expression - Wikipedia, the free encyclopedia

8 Regular Expressions You Should Know | Nettuts+

Source: GooDork.py as a Vulnerability Scanner | The ProjectX Blog – Information Security Redefined

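The two mechanics the post leans on, reproduced offline as an added example (my code, not GooDork's and not the post author's): first, what a POSIX shell actually hands the script for an unquoted -a[\w]* versus the doubled -a[\\w]* the post recommends (Python's shlex implements POSIX word splitting, so it stands in for bash here); second, GooDork-style anchor filtering, pulling every <a href> out of a page and keeping only the hrefs that satisfy a regex. The author's regex is copied from the post as written; the stricter variant beside it, the hostnames and the sample HTML are my assumptions, constructed for this example.

```python
r"""Added example, not GooDork's own code or the post author's.

  1. shell_sees(): how a POSIX shell splits the GooDork command line, so you
     can see why -a[\w]* loses its backslash and -a[\\w]* keeps it.
  2. scan(): GooDork-style anchor filtering over constructed pages, with the
     author's regex from the post next to an assumed stricter one.
"""
import re
import shlex
from html.parser import HTMLParser


def shell_sees(command_line):
    """Return the argv a POSIX shell would pass on for command_line."""
    return shlex.split(command_line)


# The author's regex, copied verbatim from the post. It is applied with
# re.search, so it only has to occur somewhere inside the href, like a grep.
AUTHOR_REGEX = r"([\w]+)\.([\w]+)\.([\w]+)/([\w_-]|/)*\?([\w_-].*?)(=|%3D)([\d].*?)"

# Assumed stricter variant (mine, not from the post): the whole href must be an
# http(s) URL and the parameter value must be entirely numeric, so a value such
# as '5abc' no longer passes just because it starts with a digit.
STRICT_REGEX = r"^https?://(?:[\w-]+\.)+[\w-]+/(?:[\w_-]+/)*[\w_-]*\?[\w_-]+(?:=|%3D)\d+$"


class AnchorCollector(HTMLParser):
    """Collect the href attribute of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.hrefs


def matching_anchors(html, pattern):
    """The hrefs on one page that satisfy pattern (what -a prints per page)."""
    rx = re.compile(pattern)
    return [h for h in extract_anchors(html) if rx.search(h)]


def scan(pages, pattern):
    """Map page -> matching hrefs; pages with no hit are dropped (the 'loot')."""
    hits = {}
    for name, html in pages.items():
        found = matching_anchors(html, pattern)
        if found:
            hits[name] = found
    return hits


# Constructed sample pages standing in for fetched search results.
# Hostnames and hrefs are made up for this example.
PAGES = {
    "www.vuln.example": """<html><body>
        <a href="http://www.vuln.example/products/category/?id=12">Category</a>
        <a href="http://www.vuln.example/products/product/?id=7">Product</a>
        <a href="http://www.vuln.example/about/">About</a>
        <p>All rights reserved. - By Media Kreasi</p></body></html>""",
    "blog.other.example": """<html><body>
        <a href="http://blog.other.example/posts/?slug=hello-world">Post</a>
        <a href="http://blog.other.example/search/?q=5abc">Search</a>
        <a href="mailto:info@other.example">Mail</a></body></html>""",
}


if __name__ == "__main__":
    for cmd in (r"./GooDork.py intext:foo -a[\w]*",
                r"./GooDork.py intext:foo -a[\\w]*",
                r"./GooDork.py intext:foo -a'[\w]*'"):
        print(f"{cmd:40} -> script receives {shell_sees(cmd)[-1]}")
    for label, pattern in (("author", AUTHOR_REGEX), ("strict", STRICT_REGEX)):
        print(label, scan(PAGES, pattern))
```

The unquoted form reaches the script as -a[w]*, which is why the post doubles the backslash; single-quoting the argument is the other way to keep it intact. On the constructed pages the author's regex also keeps the search/?q=5abc link, because ([\d].*?) only requires the first character of the value to be a digit and nothing anchors the end; the stricter pattern keeps just the two numeric-id product links.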

Tpu: I'll give you an idea... go to Tpu.

backdoorhk ON: You're right: 5. Give credit and cite the original sources. If (comma, to avoid the cacophony) you copy a link or a tutorial from another forum, give credit to the original poster...

backdoorhk OFF: if I call the real creator of this tutorial over here, what will happen? (He'll get banned if he comments. We make no distinction here. We all make mistakes, we all get a warn / ban...)

BEFORE POSTING STUPIDLY, TAKE A LOOK HERE: https://rstcenter.com/forum/3968-regulile-forumului-cititi-cu-atentie.rst (backdoorhk) Don't you go threatening people around here.

PS: Yes, I know the last post is dated 29-03-2012... but I couldn't help myself...

Edited by AltraX