Search Engine Dorking by l3v1athan

Nov 4th, 2014
This tutorial is about Search Engine Dorking. It was created by l3v1athan.
first off, some explanation. dark d0rk3r is a script that searches a search engine for urls that contain a specific dork.
now what is a dork? it's the part of the url that goes like: 'index.php?page='
why are they interesting? well, sometimes you can force the site to return sql errors.
if a site returns those, chances are reasonable that it contains an sqli, which we can further exploit using sqlmap or so.
okay.. let's get the script from: http://packetstorm.tacticalflex.com/UNIX/scanners/darkd0rk3r-0.7.py.txt
okay.. now let's run it. it will ask you for a target: either balcan, all domains or tld's.
you can run it and give as dork index.php?page= or index.php?id=
oh, and one thing i forgot to say: i advise you to only use it over vpn or tor. it also asks for the number of threads; choose 5 or 10. then it asks for pages, and let it run.
yes.. there you can enter something like 100. pages is the number of pages on the search engine it will scan for urls.
while this runs, you probably will have noticed that the target selection is a bit wide.
when we search for dorks, we would like to have something more specific instead of 'balcan'.
what's more, this only searches for 1 dork.. now i have several dork lists that contain between 5000-10000 dorks total.
so it's imo a bit like having a gatling gun with 1 bullet to shoot at a lot of targets.
also.. you might see it scans all the pages you specified, even when it doesn't find anything.
not really efficient.
now, when it has finished searching it will ask you what to do.. it has several scan options, but for now we'll use 1 - sqli.
in this stage it will start to test all the urls it collected to see if they return sql errors (which would mean it might be sqli vuln).
now, let's have a look at my modified version:
http://pastebin.com/LmDQfvb1
i did several things to it, please check out the comments at the top.
to be clear, i only changed the search phase, and i am very sure there's still room for improvement, but we can discuss that later.
this is a bit brute forcing to enumerate url's. i figure, if you have a specific target or domain, you probably would like to search for a lot of dorks to optimize chances of finding an sqli.
you can, but that'll take a long while; i suggest trying 10 for now.
you should notice that if it doesn't find anything on a page, it skips directly to the next dork. so you could specify 25 pages, but if a page returns 0 results, it skips to the next one.. so it doesn't waste a lot of time on empty search results anymore.
just that one change made it go 10 times faster at least. so i have 15 unsorted and 10 sorted URLs.
this is very much a numbers game.
find 10000 urls; maybe 2000 of them are unique, maybe 20 possible sqli's are reported, of which maybe half work.
if we increase the number of dorks, it will take longer, but it will find more. my suggestion is to play with it some, and give it time to come up with stuff.
i do it over tor, and searching a tld with all dorks and a max of 25 pages takes literally 5 or 6 hours. so i just do them, and work with the results the day after.
how would you use this script over tor? i do it with proxychains.
i also would like to recommend reading the code, and modifying it to your own liking.. you will learn tons from studying and changing tools like this.
as you will have noticed, the tool can also scan for lfi/rce and xss. those are very basic, but might be improvable.
i think this concludes the tut part, now let's discuss what else we can do with it. what if the search comes back and says..... URLS unsorted and sorted: 0? then start over.
also i think the lfi testing can be done a lot quicker.. i think that if ../../../../etc/passwd works, ../../../../../../../../../../../etc/passwd will work too.
you can try it with some more dorks, like 100 or so. it'll take a bit.
but with 100 i think you should be lucky enough to have a possible sqli or two.
This concludes the tutorial. Support the Free Anons Foundation http://freeanons.org or #freeanons
Thank you.
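To show what the scan phase described above looks like from the web server's side, here is an added example (not from the tutorial and not part of the dark d0rk3r script) that flags clients in an access log that probe many distinct dork-style pages with a SQL-quote or directory-traversal marker. The log lines are constructed, and the single-quote probe is an assumption about what such a scanner sends; the traversal string is the one the tutorial itself mentions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not taken from the page.
# 203.0.113.7 walks several distinct pages with probe markers; 198.51.100.2 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2014:10:00:01 +0000] "GET /index.php?page=1' HTTP/1.1" 500 512
203.0.113.7 - - [04/Nov/2014:10:00:02 +0000] "GET /news.php?id=3' HTTP/1.1" 500 498
203.0.113.7 - - [04/Nov/2014:10:00:03 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 404 210
203.0.113.7 - - [04/Nov/2014:10:00:04 +0000] "GET /show.php?id=7' HTTP/1.1" 200 3301
198.51.100.2 - - [04/Nov/2014:10:00:05 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4102
198.51.100.2 - - [04/Nov/2014:10:00:09 +0000] "GET /news.php?id=3 HTTP/1.1" 200 3988
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Probe markers (assumed for this example): a single quote appended to a parameter value,
# or the ../ traversal / etc/passwd string the tutorial uses for its LFI check.
SQL_PROBE_RE = re.compile(r"[?&][A-Za-z_]+=[^&]*'")
TRAVERSAL_RE = re.compile(r"(\.\./){2,}|etc/passwd")

def parse_line(line):
    """Parse one combined-format line into ip/path/status, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status = m.groups()
    return {"ip": ip, "path": path, "status": int(status)}

def find_probing_clients(log_text, min_paths=3):
    """Return {ip: {"sql": n, "traversal": n, "errors": n}} for clients that sent
    probe-marked requests to at least min_paths distinct script paths."""
    stats = defaultdict(lambda: {"sql": 0, "traversal": 0, "errors": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit_sql = bool(SQL_PROBE_RE.search(rec["path"]))
        hit_trav = bool(TRAVERSAL_RE.search(rec["path"]))
        if not (hit_sql or hit_trav):
            continue  # ordinary request, ignore
        s = stats[rec["ip"]]
        s["sql"] += int(hit_sql)
        s["traversal"] += int(hit_trav)
        s["errors"] += int(rec["status"] >= 500)  # 5xx on a probe often means a leaked SQL error
        s["paths"].add(rec["path"].split("?")[0])
    return {ip: {k: v for k, v in s.items() if k != "paths"}
            for ip, s in stats.items() if len(s["paths"]) >= min_paths}

if __name__ == "__main__":
    for ip, s in find_probing_clients(SAMPLE_LOG).items():
        print(ip, s)
```

Alerting on the errors count is the useful part: a client that gets 5xx responses on quote-marked parameters is the signal that the site is leaking SQL errors and the parameter handling needs fixing.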