
Anyone starting out in hacking and/or pentesting has heard of so-called "search-engine hacking": terms such as Google hacking, Bing hacking and so on.

Over the years there have been various tools for this kind of work. Google hacking is not only about finding vulnerable sites; it can just as well be used, for example, to find open FTP servers with MP3s available for download. 😀 The other angle we can take advantage of is using these dorks to find servers or web pages that are presumably vulnerable.

Surely more than one of you remembers some of the tools I list below.

One of the first tools I personally came across for doing Google hacking from Windows was this one:

Does it bring back good memories for anyone?

Then we have projects such as those from Stach&Liu.

Today's article is not about that project, though, but about GooDork, which lets us do Google hacking from the command line!

To use the tool, clone it from GitHub.

darkmac:~ marc$ git clone https://github.com/k3170makan/GooDork.git
Cloning into 'GooDork'...
remote: Counting objects: 103, done.
remote: Compressing objects: 100% (52/52), done.
remote: Total 103 (delta 53), reused 95 (delta 46)
Receiving objects: 100% (103/103), 32.96 KiB, done.
Resolving deltas: 100% (53/53), done.

To run it you have to install its dependencies; in my case only BeautifulSoup4 was missing. It can be installed via pip or easy_install.

Let's run a search.

darkmac:GooDork marc$ python GooDork.py inurl:/products/category/?id=
     _/_/_/                   _/_/_/                     _/
  _/         _/_/     _/_/   _/    _/   _/_/   _/  _/_/ _/  _/
 _/  _/_/ _/    _/ _/    _/ _/    _/ _/    _/ _/_/     _/_/
_/    _/ _/    _/ _/    _/ _/    _/ _/    _/ _/       _/  _/
 _/_/_/   _/_/     _/_/   _/_/_/     _/_/   _/       _/    _/
by k3170
[]
Searching >>inurl:/products/category/?id=<<
200
 OK
Date: Thu, 11 Jul 2013 21:52:45 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie:PREF=ID=0cd70a2461167b31:FF=0:TM=1373579565:LM=1373579565:S=P7g9NPNmp3pg3t2c;expires=Sat, 11-Jul-2015 21:52:45 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=dSh-AyrbkHxbIDdf0eDO2GhBFE8KF1MIDzrERJQANpsFJTA4hJXYtNdwAW-7h6IDgE7jCBFfRSri7Hgg0gXabq5oebaEqnMMHGcBhhPDXfkJ9KY36rMhK99GgIECk4ma; expires=Fri,10-Jan-2014 21:52:45 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

That is the response from the server: GooDork dumps the raw HTTP headers of Google's result page (Server: gws) before printing anything else, which also shows that it scrapes the normal HTML results rather than using an API, so on larger runs expect Google to throttle the requests or answer with a CAPTCHA. Now let's see what it found.

['http://www.irnashop2.com/backup/hamkar/theTba-Contents/Components/Operator/Templates/Products/Category.ascx',
 'http://www.jotform.com/help/tag/products%2520category',
 'http://stores.ebay.com/Periscope-Military-Products/Category-1-/_i.html%3F_fsub%3D2',
 'http://stores.ebay.com/NATURAL-GREEN-MOSS-PRODUCTS/Category-1-/_i.html%3F_fsub%3D2',
 'http://demo2.zylone.com/zylone_basic_v2_untested/products/category/number-charms',
 'http://godynamic.eon.ph/our-products/category%2520b.html',
 'http://www.geelongmedical.com.au/products/category/XPTBWJOR',
 'http://www.freelancer.co.uk/job-search/magento-products-category-tree/',
 'http://gdrectifiers.co.uk/products/category/power_assemblies/rotating_diode_assemblies/',
 'http://stores.ebay.ca/Periscope-Military-Products/Category-1-/_i.html%3F_fsub%3D2',
 'http://www.red-dot-21.com/products/category/kitchen',
 'http://www.trustradius.com/products%3Fcategory%3Dweb-analytics-visitor-id%26like%3Dapptegic',
 'http://www.venditacoltelli.com/web/portale.php/products/category/cat/221',
 'http://www.aliexpress.com/item/Materials-knitted-products-category-scarf-applicable-sex-female-age-range-method-of-weaving-warp-processing-Zharan/518862084.html',
 'http://www.freelancer.com.jm/job-search/list-products-category-page-zencart/',
 'http://ixld.com/products/category%3Fid%3D6609',
 'http://nanotechelectronics.com/index.php/products/category/8-gsm-pay-phones',
 'http://www.capitalcardsystems.com/products/category-details/-in-department/departments/id-products-systems',
 'http://www.freelancer.ph/job-search/cre-loaded-show-products-category-subcategories-v20/',
 'http://www.freelancer.co.za/job-search/virtuemart-products-category-view/',
 'http://www.gearsource.com/catalog/browse/brand/lex-products/category/dimming/page/1/priceend/2500/pricestart/1001/rows/10/shoppingstyle/listings/sortby/lastmodified%257Cdesc',
 'http://www.indeed.com/forum/cmp/Oldcastle-Location%253A-Corona-Posted-On%253A-August-17,-2010-Share-This-Job-On-Facebook-Job-Description%253A-Human-Resources-Generalist-Product-Group%253Aoldcastle-Distribution-Job-Id%253A13223company%253Aallied-Building-Products-Category%253Ahuman-Resources.html',
 'http://www.secure.namify.com/products/category.aspx%3Fcategid%3Dtablecovers',
 'http://aetheriusdesign.com/aetheriusdesign.com/%3Faction%3Dproducts%26category%3Dlogo%26page%3D2',
 'http://www.peterschem.com/products/category/14%3Fprint%3D1',
 'http://www.districtsystems.com/sandbox/index.php/products/category/id-card-makers',
 'http://www.mavercarp.co.uk/index.php%3Foption%3Dproducts%26category%3D1%26id%3D6',
 'http://www.openpr.com/news/155974/Ducon-Technologies-I-Pvt-Ltd-Announced-IndiaMART-Leader-of-Tomorrow-Engineering-Products-Category.html%3FSID%3D41ab5ae360b1033d0b6136c67e0a1206',
 'http://deiramarket.com/dubai/wholesaler/product-P1013536-selling-offer-from-Strollers-Walkers–Carriers-group-in-Baby-Products-category-Stokke-2011-Xplory-Stroller',
 'http://zanzo.oakdene-services.com/products/category/view/senator-super-hit–ballpen–01607p',
 'http://www.freelancer.com.bd/job-search/list-products-category-page-zencart/',
 'http://www.freelancer.hk/job-search/virtuemart-products-category-view/',
 'http://www.polyg.com.tw/products-category.php%3Fid%3D4',
 'http://www.freelancer.sg/work/cre-loaded-show-products-category-subcategories-v20/',
 'http://www.mubrno.com/e_shop/products/category%3Fp%3D2%26s%3Did%26c%3DKRTEK',
 'http://www.freelancer.co.id/job-search/list-products-category-page-zencart/',
 'http://www.freelancer.pk/work/magento-ramdom-products-category/',
 'http://www.riscogroup.com/products/category/wireless%2520systems%252Blightsys',
 'http://preprod.daitem.fr/products/category/slugUniverse:pour-mon-entreprise/slugRange:proteger/lang:fr',
 'http://furtherfasterforever.com/blog/store/products/category/bicycling-shorts/',
 'http://www.mavermatch.co.uk/index.php%3Foption%3Dproducts%26category%3D63%26id%3D265',
 'http://www.fancy.com/things/257925959309597777/Boast-USA-:-Products-:-Category',
 'http://pastamamas.gourmet-basket.com/products/category/vegetables-and-potatoes%3Fsort%3Dname%26direction%3Dasc',
 'http://re-downloads.info/Wallpapers-Popular-Products-Category.html',
 'http://www.trekhaak-trekhaken.be/en/products/category/espace-iv-mpv-1102',
 'http://www.tiffanysealing.com/products/category/%3Fid%3D2',
 'http://www.tiffanysealing.com/products/category/%3Fid%3D14',
 'http://www.peterschem.ru/products/category/14%3Fprint%3D1',
 'http://www.esd.bg/index.php/en/products/category/list/product/biometric-ID-Board-G83-14400',
 'http://www.saauto.com.au/products/category/EBMEPAMB',
 'http://www.qsptips.com/products/category.aspx%3Fid%3D15',
 'http://www.muovitech.com/%3Fpage%3Dproducts%26category%3DPE-pipes%2520and%2520PE-fittings%26id%3D423',
 'http://www.petrocanada-kpi.com/products/category/%3Fid%3D1',
 'http://www.seema.de/en/products/category/63-Packing—Depacking%3Fdir_new%3Ddesc%26dir_old%3Dasc%26order_new%3Dmachines.id.new%26order_old%3Dmachines.manufacturer.old',
 'http://www.crehelp.com/show-all-products-category-amp-subcategories-v10-id-4209.html',
 'http://www.desalination.biz/products/category.asp%3Fid%3D301%26title%3DWater%2BStorage%2BTanks%26channel%3D0',
 'http://ping.sg/read/www-gate-barrier-com-products-category-id-9-penyedia-no1-aut',
 'http://community.emerson.com/networkpower/support/avocent/desktop/longview/w/wiki/1432.longview-products-category-5-cable-568b.aspx',
 'http://itstore.prapey.com/store/products/category/id-card-printing/',
 'http://rapbank.com/products/category/self-help/',
 'http://rapbank.com/products/category/free/',
 'http://www.toysopt.com.ua/products/category/id/2629/',
 'http://bytes.com/topic/coldfusion/answers/932182-how-show-category-then-all-products-category-each-category',
 'http://ac.runcode.us/q/access-products-category-attribute-info-from-php-with-magento-api',
 'http://www.computeruser.com/pressreleases/more-than-6300-uk-suppliers-in-home-products-category-at-wholesalepagescouk.html',
 'http://efreedom.com/Question/1-4356019/Magento-Get-Products-Category-Order-Rand',
 'http://business.highbeam.com/437399/article-1G1-180696438/products-category',
 'http://go4answers.webhost4life.com/SearchResult.aspx%3Fq%3Dtechnical%2Breason%2B10%2B000%2Bproducts%2Bcategory%2Bsql%2Bprespective',
 'http://www.ariscomandiri.com/products-category/50/156/oem_products',
 'http://www.megaiklan.com/kategori.php%3Fgratis%3D323259%26view%3Dwww.gate-barrier.com/products/category/%3Fid%3D1pusat',
 'http://occforeclosure.net/archive-for-the-hot-new-products-category/jayclarkent.com*jcemain*wp-content*uploads*2011*01*jay032.jpg/',
 'http://id.scribd.com/doc/139943470/Products-Category',
 'http://www.inlazy.com/png/png.aspx%3Fid%3D53554_Digital%2Baudio%2Band%2Bvideo%2Bproducts%2Bcategory%2Bvector%2Bicon',
 'http://www.picstopin.com/600/products-category-palace-figure/http:%257C%257Cwww*fly-artxm*com%257CPic_Produets%257C20122212030440*jpg/',
 'http://www.tradeeasy.com/search/manufacturers-products/category%25206.html',
 'http://www.usbmax.com/Products/category.cfm%3Fid%3D177',
 'http://www.sitefile.org/seo/tripodturnstilegate.com~~products~~category~~%2560%2560id%253D5.htm',
 'http://www.sitefile.org/seo/tripodturnstilegate.com~~products~~category~~%2560%2560id%253D11.htm',
 'http://www.sitefile.org/seo/tripodturnstilegate.com~~products~~category~~%2560%2560id%253D4.htm',
 'http://www.workmob.com/products/http-wwwmarblepluscomau-products-category-XDUKNHUI/21025']
step: 301 ,results: 80

We can narrow the search further. Two things worth knowing first: the URLs come back percent-encoded (%3F for "?", %3D for "=", %26 for "&"), so anything that filters on "?id=" has to decode them; and the -u option is a regular expression applied to the URLs Google returned, so it only trims what the dork already fetched. Because it is a regex, "." matches any character and "?" makes the preceding "p" optional, so the pattern in the command below does not match a URL that literally contains article.php?id=; use 'article\.php\?id=' for a literal match, and put inurl:article.php?id= in the dork itself if you want Google to do the narrowing.

darkmac:GooDork marc$ python GooDork.py site:.com  -u 'article.php?id='

The tool is very simple to use:

darkmac:GooDork marc$ python GooDork.py
     _/_/_/                   _/_/_/                     _/
  _/         _/_/     _/_/   _/    _/   _/_/   _/  _/_/ _/  _/
 _/  _/_/ _/    _/ _/    _/ _/    _/ _/    _/ _/_/     _/_/
_/    _/ _/    _/ _/    _/ _/    _/ _/    _/ _/       _/  _/
 _/_/_/   _/_/     _/_/   _/_/_/     _/_/   _/       _/    _/
by k3170
version 2.2.1
Usage: ./GooDork [dork] {options}
dork                    — google search query
pattern                 — a regular expression to search for
OPTIONS
-b 'pattern'    — search the displayable text of the dork results for 'pattern'
-t 'pattern'    — search the titles of the dork results for 'pattern'
-u 'pattern'    — search the urls of the dork results for 'pattern'
-a 'pattern'    — search in the anchors of the dork results for 'pattern'
-s 'pattern'    — search in the script tags of the dork results for 'pattern'
-o 'filename'   — ouput the results
-L  amount              — Limit the amount of restults processed to the first L results
-U 'user-agent'– Custom User-agent
e.g ./GooDork site:.edu -bStudents #returns urls to all pages in the .edu domain displaying 'Students'
e.g ./GooDork site:.edu -o universities.txt #returns urls to all pages in the .edu 'universities.txt'
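To make the -u/-t/-b/-a/-s semantics concrete, here is an added example of my own (it is not GooDork's code, which uses BeautifulSoup; this uses only the standard library) that applies the same five regex filters to a constructed set of (url, html) results. The three result pages and their hostnames are invented for the example. It also shows the regex pitfall from the site:.com example above: the unescaped pattern 'article.php?id=' misses the URL that literally contains article.php?id= and instead matches a URL it was never meant to.

```python
import re
from html.parser import HTMLParser


class PageParts(HTMLParser):
    """Collect the pieces GooDork's filters look at: <title>, anchors, <script> bodies and visible text."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.anchors = []        # (href, link text) for every <a>
        self.scripts = []        # raw contents of each <script> element
        self.text = []           # displayable text fragments (outside title/script)
        self._in_title = False
        self._in_script = False
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False
        elif tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts.append(data)
        else:
            self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)


def matches(url, html, url_pat=None, title_pat=None, body_pat=None,
            anchor_pat=None, script_pat=None):
    """Mirror of -u/-t/-b/-a/-s: every pattern given is a regex that must hit its haystack."""
    parts = PageParts()
    parts.feed(html)
    checks = [
        (url_pat, [url]),
        (title_pat, [parts.title]),
        (body_pat, ["".join(parts.text)]),
        (anchor_pat, [h for h, _ in parts.anchors] + [t for _, t in parts.anchors]),
        (script_pat, parts.scripts),
    ]
    for pat, haystacks in checks:
        if pat is None:
            continue
        rx = re.compile(pat, re.IGNORECASE)
        if not any(rx.search(h) for h in haystacks):
            return False
    return True


def filter_results(results, **patterns):
    """results: iterable of (url, html). Returns the URLs that pass every supplied filter."""
    return [url for url, html in results if matches(url, html, **patterns)]


# Constructed sample "search results" (url, fetched HTML). The hosts do not exist.
SAMPLE_RESULTS = [
    ("http://shop.example/article.php?id=12",
     "<html><head><title>Shop - Article 12</title></head><body><h1>Widgets</h1>"
     "<a href='/cart.php?item=12'>Add to cart</a>"
     "<script>var ga_id='UA-0000';</script></body></html>"),
    ("http://blog.example/article_phid=7",
     "<html><head><title>Blog</title></head><body>Students welcome"
     "<a href='/about'>About</a></body></html>"),
    ("http://edu.example/students/",
     "<html><head><title>Students</title></head><body><p>Students portal</p>"
     "<script>login()</script></body></html>"),
]


if __name__ == "__main__":
    # -u 'article.php?id=' read as a regex: '.' is any character and '?' makes the 'p'
    # optional, so it matches the odd blog URL and misses the real article.php?id= one.
    print(filter_results(SAMPLE_RESULTS, url_pat="article.php?id="))
    # Escaping the metacharacters gives the literal match that was intended.
    print(filter_results(SAMPLE_RESULTS, url_pat=re.escape("article.php?id=")))
    # Equivalent of the help text's "site:.edu -bStudents".
    print(filter_results(SAMPLE_RESULTS, body_pat="Students"))
```

When you run a real dork, pass the pattern through re.escape (or escape it by hand) unless you actually want regex behaviour, and remember that -b, -t and -s can only be evaluated after each result page has been fetched, which is what makes those options slow on large result sets.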

If we don't have much idea of how to choose the right dorks, we can visit sites as well known as:

It goes without saying that one could write a module for sqlmap that searched for dorks like the ones below (in fact sqlmap's own -g option already takes a Google dork and uses the results as targets):

inurl:/general.php?*id=*
inurl:/careers-detail.asp?id=
inurl:/WhatNew.asp?page=&id=
inurl:/gallery.asp?cid=
inurl:/publications.asp?type=
inurl:/mpfn=pdview&id=
inurl:/reservations.php?id=
inurl:/list_blogs.php?sort_mode=
inurl:/eventdetails.php?*=
inurl:/commodities.php?*id=
inurl:/recipe-view.php?id=
inurl:product.php?mid=
inurl:view_ad.php?id=
inurl:/imprimir.php?id=
inurl:/prodotti.php?id=
inurl:index.cgi?aktion=shopview
inurl:/default.php?id=
inurl:/default.php?portalID=
inurl:/*.php?id=
inurl:/articles.php?id=
inurl:/os_view_full.php?
inurl:/Content.asp?id=
inurl:/CollectionContent.asp?id=
inurl:/Details.asp?id=
intext:"Powered By : SE Software Technologies" filetype:php
inurl:/index.php?pgId=
inurl:/index.php?PID= "Powered By Dew-NewPHPLinks v.2.1b"
inurl:/dosearch.asp?
inurl:/details.php?linkid=
inurl:/viewfaqs.php?cat=
inurl:/calendar.php?token=
Source: http://rendys-xp.blogspot.com/2013/01/google-dork-sql-injection.html

and then launched sqlmap directly, but we won't give any more bad ideas. 😛 Whatever tooling you use, keep the dork scoped with site: to the domains you are authorised to test: pointing sqlmap at whatever Google returns is an attack on third parties, not a pentest.
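As a complement to the dork list above, here is an added example of my own (not part of the original article, of GooDork or of sqlmap) that turns a GooDork-style result list into a target file for sqlmap -m. It decodes the percent-encoded URLs that Google hands back, keeps only URLs that actually carry a parameter matching the dork's intent (a name ending in "id" by default), drops hosts outside an authorised scope, and probes each endpoint/parameter set once instead of once per id value. The URLs, hostnames and the in-scope set are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Constructed sample modelled on the shape of GooDork's output (not the article's real results).
RAW_RESULTS = [
    "http://www.shop.example/products/category/%3Fid%3D2",
    "http://www.shop.example/products/category/%3Fid%3D14",          # same endpoint, other id
    "http://www.shop.example/products/category/",                    # no query string at all
    "http://other.example/products-category.php%3Fid%3D4",           # out of scope
    "http://jobs.example/job-search/magento-products-category-tree/",  # search-engine noise
    "http://cms.example/index.php%3Foption%3Dproducts%26category%3D1%26id%3D6",
    "http://www.shop.example/products/category.aspx%3Fcategid%3Dtablecovers",
]

# Hypothetical list of hosts the engagement actually authorises.
IN_SCOPE = {"www.shop.example", "cms.example"}


def normalise(url):
    """Google result URLs arrive percent-encoded ('%3F' for '?', '%3D' for '='); decode once."""
    return unquote(url)


def injectable_candidates(urls, param_re=r"id$", scope=IN_SCOPE):
    """Return decoded URLs with a query parameter matching param_re, in scope, one per endpoint."""
    rx = re.compile(param_re, re.IGNORECASE)
    seen = set()
    out = []
    for raw in urls:
        url = normalise(raw)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if scope is not None and host not in scope:
            continue
        names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if not any(rx.search(name) for name in names):
            continue
        # One probe per (host, path, parameter set): sqlmap tests the parameter, not the value.
        key = (host, parts.path, tuple(sorted(names)))
        if key in seen:
            continue
        seen.add(key)
        out.append(url)
    return out


def sqlmap_bulk_file(urls):
    """Contents of a file usable with: sqlmap -m targets.txt"""
    return "\n".join(urls) + "\n"


if __name__ == "__main__":
    targets = injectable_candidates(RAW_RESULTS)
    with open("targets.txt", "w") as fh:
        fh.write(sqlmap_bulk_file(targets))
    print(f"{len(targets)} in-scope candidates written to targets.txt")
```

sqlmap's -g option does the dork-to-targets step itself; the reason to do it by hand is precisely the filtering above, so that the bulk file only contains endpoints you are allowed to touch and each of them only once.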

[+] Project GitHub: https://github.com/k3170makan/GooDork
[+] Author's write-up: http://blog.k3170makan.com/2012/03/goodork-super-charging-your-google.html
[+] Site with many Google dorks: http://www.exploit-db.com/google-dorks/

Article courtesy of Marc Rivero López

Source: securitybydefault.com
