0xCor3

ENV SUBDOMAINS SCANNER

Sep 26th, 2019
  1. <?php
  2. // ENV SCANNER by 0xCor3 | Security Ghost
  3. // ini_set('display_errors', 1);
  4. ini_set('default_socket_timeout', 5);
  5. error_reporting(E_ALL);
/**
 * Reads a list of URLs from a file and, for each entry, requests "<url>/.env"
 * and reports whether the response body contains one of three key names
 * (DB_CONNECTION, APP_ENV, PUSHER_APP_ID, as used in Laravel-style .env
 * files). It then posts the host name to a third-party DNS host-records form,
 * scrapes host names out of the HTML reply and repeats the check for each.
 *
 * NOTE(review), defender view:
 *  - The probes are plain GET requests whose path ends in "/.env" (base
 *    domain) or "/.env/.env" (scraped hosts, see run()); both are visible in
 *    web-server access logs.
 *  - Mitigation is on the server side: keep .env outside the document root or
 *    deny dotfile requests, and rotate any credential stored in a file that
 *    was reachable over HTTP.
 */
class env_scanner
{
    // Lines of the input file, split on "\r\n" by the constructor.
    public $list;
    // Most recent cURL handle; overwritten on every call to cURL().
    private $ch;

    /**
     * Loads the target list.
     *
     * @param string $file Path to the list file.
     *
     * Terminates the whole script with die() when the path is not a regular
     * file. is_file() already implies existence, so file_exists() is redundant.
     */
    public function __construct($file)
    {
        if(is_file($file) && file_exists($file))
        {
            // Only CRLF is treated as a line break: a file with bare "\n"
            // endings becomes a single list entry. Entries are not trimmed and
            // empty entries are not removed.
            $this->list = explode("\r\n", file_get_contents($file));
        }else
        {
            die(sprintf("file %s not found.", $file));
        }
    }

    /**
     * Iterates over the list, echoing one status line per base domain and one
     * per scraped host name. Has no return statement (callers receive null).
     */
    public function run(){
        // NOTE(review): the formatted string is neither echoed nor stored, so
        // the list total is never shown.
        sprintf("[#] List Total : %s", count($this->list));
        foreach($this->list as $url)
        {
            $url = $this->domain_parser($url);
            // check_env() appends "/.env" itself, so this requests
            // "<scheme>//<host>/.env".
            echo sprintf("[>] Scanning based domain of %s status %s", $url['domain'], $this->check_env($url['domain_protocol']) == true ? "[OK]" : "[NF]").PHP_EOL;
            echo sprintf("[*] Getting Subdomains and Reversing IP of %s", $url['domain_protocol']).PHP_EOL;
            $leecher = $this->subdomain_leecher($url['domain']);
            // NOTE(review): subdomain_leecher() returns an array on success but
            // a message string on failure. On a string, isset($leecher[1])
            // tests for a second character and is true, so the failure message
            // enters this branch: count() of a string warns on PHP 7.2+ and
            // throws TypeError on PHP 8, and foreach over a string warns.
            // On an array, the test requires at least two entries; a single
            // result falls through to the else branch.
            if(isset($leecher[1])){
                // NOTE(review): this repeats the remote lookup only to count
                // the results; subdomain_leecher() strips the scheme, so the
                // query is the same as the one already held in $leecher.
                echo sprintf("[*] Total Subdomain of %s is %d", $url['domain'], count($this->subdomain_leecher($url['domain_protocol']))).PHP_EOL;
                foreach($leecher as $result){
                    // NOTE(review): "/.env" is added here and again inside
                    // check_env(), so the path actually requested is
                    // "/.env/.env". Always plain http, regardless of the
                    // scheme of the list entry.
                    echo sprintf("\t[/] Subdomains %s status %s",$result, $this->check_env("http://".$result."/.env") == true ? "[OK]" : "[NF]").PHP_EOL;
                }
            }else{
                echo "\t[!] Domain doesn't have subdomains.".PHP_EOL;
            }
        }
    }

    /**
     * Splits a URL on "/" and returns the host and the "scheme//host" prefix.
     *
     * @param string $url Expected form "scheme://host[/path]" (index 0 is
     *                    "scheme:", index 1 is empty, index 2 is the host).
     * @return array Keys "domain" (host) and "domain_protocol" (scheme//host).
     *
     * NOTE(review): an entry without "scheme://" has no index 2, which raises
     * an undefined-offset warning. The str_replace() is a no-op because a
     * segment produced by splitting on "/" cannot contain "//".
     */
    private function domain_parser($url){
        $domain = explode("/", $url);
        return array(
            "domain" => str_replace(array("http://", "https://"), array("", ""), $domain[2]),
            "domain_protocol" => $domain[0]."//".$domain[2]
        );
    }

    /**
     * Fetches $env_url."/.env" and tests the body for three key names,
     * case-insensitively.
     *
     * @param string $env_url URL prefix; "/.env" is appended here.
     * @return bool True when any of the names occurs in the response body.
     *
     * A true result only means one of the strings appears somewhere in the
     * body; the HTTP status and content type are not inspected, so any page
     * that mentions e.g. "APP_ENV" matches. A failed transfer is reported the
     * same as a non-match.
     */
    private function check_env($env_url)
    {
        return preg_match("/DB_CONNECTION|APP_ENV|PUSHER_APP_ID/i", $this->cURL($env_url."/.env")) ? true : false;
    }

    /**
     * Posts a host name to hackertarget.com's "find-dns-host-records" web form
     * and extracts the first comma-separated field of every line in the
     * <pre id="formResponse"> element of the reply.
     *
     * @param string $domain Host name, optionally with scheme and "www.".
     * @return array|string Array of first fields on success; a message string
     *                      when the reply contains the site's error text.
     */
    private function subdomain_leecher($domain)
    {
        // str_replace() removes every occurrence, not only a leading prefix.
        $domain = str_replace(array("www.", "https://", "http://"), "", $domain);
        // Browser-like header set that mimics an XHR from the site's own page.
        // NOTE(review): the Cookie values are hard-coded in the source.
        $headers = array();
        $headers[] = 'Sec-Fetch-Mode: cors';
        $headers[] = 'Origin: https://hackertarget.com';
        $headers[] = 'Accept-Language: en-US,en;q=0.9,id;q=0.8';
        $headers[] = 'X-Requested-With: XMLHttpRequest';
        $headers[] = 'Cookie: _ga=GA1.2.1946554911.1569521943; _gid=GA1.2.958707370.1569521943; _gat=1';
        $headers[] = 'Pragma: no-cache';
        $headers[] = 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36';
        $headers[] = 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8';
        $headers[] = 'Accept: text/html, */*; q=0.01';
        $headers[] = 'Cache-Control: no-cache';
        $headers[] = 'Authority: hackertarget.com';
        $headers[] = 'Referer: https://hackertarget.com/find-dns-host-records/';
        $headers[] = 'Sec-Fetch-Site: same-origin';
        // NOTE(review): the form nonce is a fixed literal (presumably captured
        // from one page load and no longer valid; confirm), and $domain is
        // concatenated into the form body without urlencode(), so "&" or "="
        // in a list entry changes the submitted fields.
        $post = $this->cURL("https://hackertarget.com/find-dns-host-records/", $headers, "theinput=".trim($domain)."&thetest=hostsearch&name_of_nonce_field=d385c70e4e&_wp_http_referer=%2Ffind-dns-host-records%2F");
        // NOTE(review): when the element is absent (or the transfer failed),
        // $hasil has no index 1 and the next line reads an undefined offset.
        preg_match('#<pre id="formResponse">(.*?)<\/pre>#si', $post, $hasil);
        if(!preg_match('/error check your search parameter/i', $hasil[1])){
            foreach(explode("\n", $hasil[1]) as $res){
                // Presumably "host,ip" pairs; only the part before the first
                // comma is kept.
                $explode = explode(",", $res);
                // Loose comparison: skips lines whose first field is empty.
                if($explode[0] != NULL){
                    $hasilz[] = $explode[0];
                }
            }
            // NOTE(review): $hasilz is never initialised, so with no usable
            // lines this returns an undefined variable (null plus a warning).
            return $hasilz;
        }else{
            return "[!] Domain doesn't have subdomains.".PHP_EOL;
        }
    }

    /**
     * Performs one HTTP request with a fresh cURL handle.
     *
     * @param string     $url     Request URL.
     * @param array|null $headers Extra request headers; none when null.
     * @param string|int $post    Form body; a truthy value turns the request
     *                            into a POST, the default 0 leaves it a GET.
     * @return string|bool Response body, or false when curl_exec() fails.
     *
     * NOTE(review): "array $headers = NULL" relies on implicit nullability,
     * which is deprecated as of PHP 8.4.
     */
    private function cURL($url, array $headers = NULL, $post = 0)
    {
        $this->ch = curl_init();
        $curl_options = array(
            CURLOPT_URL => $url,
            CURLOPT_RETURNTRANSFER  => true,
            // NOTE(review): certificate and host-name verification are both
            // off, so https responses (including the third-party lookup
            // result) are not authenticated and can be altered in transit.
            CURLOPT_SSL_VERIFYPEER  => false,
            CURLOPT_SSL_VERIFYHOST  => false,
            // 7 seconds for the whole transfer and 7 for the connect phase.
            CURLOPT_TIMEOUT         => 7,
            CURLOPT_CONNECTTIMEOUT  => 7,
        );
        if ($headers != NULL){ $curl_options[CURLOPT_HTTPHEADER] = $headers; }
        if ($post){ $curl_options[CURLOPT_POST] = true; $curl_options[CURLOPT_POSTFIELDS] = $post; }
        curl_setopt_array($this->ch, $curl_options);
        return curl_exec($this->ch);
        // NOTE(review): unreachable after the return above; handles are never
        // closed explicitly and a new one is created on every call.
        curl_close($this->ch);
    }
}
  98.  
  99. echo ">> Lists file : "; $file = trim(fgets(STDIN));
  100. $hyper_env = new env_scanner($file);
  101. print_r($hyper_env->run());
  102. ?>