GooglyHacks (GHDB)

I noticed that the GHDB plugin from w3af was a bit deprecated and not quite flexible enough for my purposes, so I wrote a little tool that uses the GHDB database to find vulnerabilities for a site. Google has deprecated the old SOAP API in favour of a new Ajax API, which was really nice to work with.

To use the tool, you do this:

python googlyhack.py -domain foobar.com

And then it goes through the entire GHDB (which is an XML file; just drop in a new replacement if you find a newer one. Please also send it to me!). One feature which I missed in w3af and therefore implemented was that if Google blocks you, GooglyHack pauses until you tell it to continue:

Aborted after 1200 requests
Stopped after 1200 requests (of 1466). Press any key to continue, or ctrl-c to quit

If you choose to abort, you can start it later (or on another computer) to continue again where it left off:
python googlyhack.py -domain foobar.com -i 1200

Here is a snippet of an example run against the domain microsoft.com:
List loaded, length 1466
Starting at index 0
0:0 hits
1:0 hits
2:0 hits
3:0 hits
4:0 hits
5:0 hits
6:0 hits
7:2 hits
Example urls:
-Title: http://social.msdn.microsoft.com/Forums/en-US/sqlexpress/thread/30d3b3c9-9bf8-4265-82bb-d192f232cf24
-Url: Need to convert the following mysql to sql server
-Title: http://social.msdn.microsoft.com/forums/pt-BR/520/thread/0e964ff4-0b2e-4a1b-80f6-1151e05aabb5/
-Url: SQL Server Management Studio Express - Exportar com dados?
Query used : site:microsoft.com "# Dumping data for table"
GHDB Description: SQL database dumps. LOTS of data in these. So much data, infact, I'm pressed to think of what else an ev1l hax0r would like to know about a target database.. What's that? Usernames and passwords you say? Patience, grasshopper.....

I thought that Google blocking would be an issue, but using the Ajax API I had no such problems. So no additional steps are taken to bypass blocking, such as using alternating user agents or randomizing the GHDB list. Apparently the Ajax API is pretty nice against robotic behaviour.

Complete source can be found at http://martin.swende.se/hgwebdir.cgi/GooglyHack/
Get it either by:
hg clone http://martin.swende.se/hgwebdir.cgi/GooglyHack/

-OR-
wget http://martin.swende.se/hgwebdir.cgi/GooglyHack/raw-file/tip/src/googlyhack.py
wget http://martin.swende.se/hgwebdir.cgi/GooglyHack/raw-file/tip/src/GHDB.xml

Enjoy! (and remember: don’t be evil!)