- This tutorial is about Search Engine Dorking. It was created by l3v1athan.
- first off, some explanation.. dark d0rk3r is a script that searches a search engine for URLs that contain a specific dork
- now what is a dork? it's the part of the URL that goes like: 'index.php?page='
- why are they interesting? well, sometimes you can force the site to return sql errors
- if a site returns those, chances are reasonable that it contains an sqli, which we can further exploit using sqlmap or so
- okay.. let's get the script from : http://packetstorm.tacticalflex.com/UNIX/scanners/darkd0rk3r-0.7.py.txt
- okay.. now let's run it. it will ask you for a target.. either balcan, all domains or TLDs
- you can run it, and give as dork index.php?page= or index.php?id=
- oh and one thing i forgot to say, i advise you to only use it over vpn or tor. it asked for the number of threads
- choose 5 or 10 pages, and let it run
- yes.. there you can enter something like 100. pages is the number of pages on the search engine it will scan for URLs
- while this runs, you probably will have noticed that the target selection is a bit wide
- when we search for dorks, we would like to have something more specific instead of 'balcan'
- what's more, this only searches for 1 dork.. now i have several dork lists that contain between 5000-10000 dorks total
- so it's imo a bit like having a Gatling gun with 1 bullet to shoot at a lot of targets
- also.. you might see it scans all the pages you specified, even when it doesn't find anything
- not really efficient
- now, when it finished searching it will ask you what to do.. it has several scan options, but for now we'll use 1 - sqli
- in this stage it will start to test all the urls it collected to see if they return sql errors (which would mean it might be sqli vuln)
- now, let's have a look at my modified version
- http://pastebin.com/LmDQfvb1
- i did several things to it, please check out the comments at the top
- to be clear, i only have changed the search phase and i am very sure there's still room for improvement but we can discuss that later
- this is a bit brute forcing to enumerate URLs. i figure, if you have a specific target or domain, you probably would like to search for a lot of dorks to optimize the chances of finding an sqli
- you can, but that'll take a long while, i suggest to try 10 for now
- you should notice that if it doesn't find anything on a page, it skips directly to the next dork. so you could specify 25 pages, but if page = 0, it skips to the next one.. so it doesn't waste a lot of time on empty search results anymore
- just that one change made it go 10 times faster at least. so i have 15 unsorted and 10 sorted URLs
- this is very much a numbers game
- find 10000 urls, maybe 2000 of them are unique, maybe 20 possible sqli's are reported, of which maybe half work.
- if we increase the number of dorks, it will take longer, but it will find more. my suggestion is to play with it some, and give it time to come up with stuff
- i do it over tor, and searching a tld with all dorks and a max of 25 pages takes literally 5 or 6 hours. so i just do them, and work with the results the day after.
- how would you use this script over tor? i do it with proxychains.
- i also would like to recommend reading the code, and modifying it to your own liking.. you will learn tons from studying and changing tools like this.
- as you will have noticed the tool can also scan for lfi/rce and xss. those are very basic, but might be improvable.
- i think this concludes the tut part, now let's discuss what else we can do with it. what if a search comes back and says "URLS unsorted and sorted: 0"? then start over.
- also i think the lfi testing can be done a lot quicker.. i think that if ../../../../etc/passwd works, ../../../../../../../../../../../etc/passwd will work too
- you can try it with some more dorks, like 100 or so. it'll take a bit.
- but with 100 i think you should be lucky enough to have a possible sqli or two.
- This concludes the tutorial. Support the Free Anons Foundation http://freeanons.org or #freeanons
- Thank you.
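What the sqli scan phase described above keys on is a database error message echoed into the HTTP response. The following is an added example, not part of l3v1athan's tutorial or of the dark d0rk3r script, written from the site owner's side: a page handler that concatenates the `page` parameter into its query and leaks the driver error (the pattern a dorking scan flags), next to a hardened handler that validates the parameter, binds it, and returns only a generic error. The in-memory sqlite database, the handler names and the `SQL_ERROR_MARKERS` list are constructed for this example; `leaks_sql_error` is a self-check a site owner can run over their own responses to catch error disclosure before a scanner does.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a site's real database (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "home"), (2, "about")])
    return conn


def page_lookup_vulnerable(conn, page_id):
    """Hypothetical 'index.php?page=' style handler: builds the query by string
    concatenation and echoes the database error text to the client."""
    try:
        row = conn.execute("SELECT title FROM pages WHERE id = " + page_id).fetchone()
        return 200, (row[0] if row else "not found")
    except sqlite3.Error as e:
        # Driver text such as 'unrecognized token' ends up in the response body;
        # this is exactly the kind of output a dork-based sqli scan looks for.
        return 500, "SQL error: " + str(e)


def page_lookup_hardened(conn, page_id):
    """Same lookup with input validation, a bound parameter and a generic error."""
    if not page_id.isdigit():
        return 400, "bad request"
    try:
        row = conn.execute("SELECT title FROM pages WHERE id = ?", (int(page_id),)).fetchone()
        return 200, (row[0] if row else "not found")
    except sqlite3.Error:
        # Log e server-side in a real app; never return it to the client.
        return 500, "internal error"


# Constructed list of substrings that indicate a leaked database error (assumption);
# extend it with the messages of whatever database engine your own site uses.
SQL_ERROR_MARKERS = ("sql error", "syntax error", "unrecognized token", "mysql_fetch")


def leaks_sql_error(body):
    """Self-check: does a response body disclose database error internals?"""
    lowered = body.lower()
    return any(marker in lowered for marker in SQL_ERROR_MARKERS)


if __name__ == "__main__":
    conn = make_db()
    for handler in (page_lookup_vulnerable, page_lookup_hardened):
        for value in ("1", "1'"):
            status, body = handler(conn, value)
            print(f"{handler.__name__}({value!r}) -> {status} {body!r} leaks={leaks_sql_error(body)}")
```

Running the block shows the vulnerable handler answering the malformed `1'` value with a 500 whose body contains the sqlite error text, while the hardened handler rejects it with a 400 and a body that `leaks_sql_error` does not flag; for a well-formed `1` both return the page title.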