diff --git a/modules/auxiliary/gather/searchengine_subdomains_collector.rb b/modules/auxiliary/gather/searchengine_subdomains_collector.rb index 41b0cb2a50..b6a1d5264d 100644 --- a/modules/auxiliary/gather/searchengine_subdomains_collector.rb +++ b/modules/auxiliary/gather/searchengine_subdomains_collector.rb @@ -46,14 +46,18 @@ class MetasploitModule < Msf::Auxiliary 80 end - def valid?(ip, domain) + def valid_result?(target, subdomain) + data = Rex::Socket.is_ipv4?(target) ? domain2ip(subdomain) : subdomain + data && data.include?(target) ? true : false + end + + def domain2ip(domain) + ips = [] begin ips = Rex::Socket.getaddresses(domain) - true if ips.include?(ip) rescue SocketError - ensure - false end + ips end def uri2domain(uri) @@ -74,9 +78,16 @@ class MetasploitModule < Msf::Auxiliary end def bing_search(dork) +<<<<<<< HEAD begin print_status("Searching Bing for subdomains from #{dork}") results = [] +======= + print_status("Searching Bing for subdomains from #{dork}") + results = [] + + begin +>>>>>>> searchengine_subdomains_collector searches = ['1', '51', '101', '151', '201', '251', '301', '351', '401', '451'] searches.each do |num| resp = send_request_cgi!( @@ -101,6 +112,7 @@ class MetasploitModule < Msf::Auxiliary next unless result result.to_s.downcase! results << result +<<<<<<< HEAD vprint_good(result) end end @@ -108,10 +120,17 @@ class MetasploitModule < Msf::Auxiliary print_error("#{e.message}") ensure return results +======= + end + end + rescue ::Exception => e + print_error("#{dork} - #{e.message}") +>>>>>>> searchengine_subdomains_collector end end def yahoo_search(dork) +<<<<<<< HEAD begin print_status("Searching Yahoo for subdomains from #{dork}") results = [] @@ -164,46 +183,47 @@ class MetasploitModule < Msf::Auxiliary print_good("#{dork} subdomain: #{subdomain} - #{ip}") next if subdomain_ips.include?(ip) subdomain_ips << ip if Rex::Socket.is_ipv4?(ip) +======= + print_status("Searching Yahoo for subdomains from #{dork}") + results = [] + + begin + searches = ["1", "101", "201", "301", "401", "501"] + searches.each do |num| + resp = send_request_cgi!( + 'rhost' => rhost_yahoo, + 'rport' => rport_yahoo, + 'vhost' => rhost_yahoo, + 'method' => 'GET', + 'uri' => '/search', + 'vars_get' => { + 'pz' => 100, + 'p' => dork, + 'b' => num + }) + + next unless resp && resp.code == 200 + html = resp.get_html_document + matches = html.search('span[@class=" fz-15px fw-m fc-12th wr-bw lh-15"]') + matches.each do |match| + result = match.text + result = result.split('/')[0] + result = result.split(':')[0] + next unless result + result.to_s.downcase! + results << result + end +>>>>>>> searchengine_subdomains_collector end - domains[subdomain] = ips + rescue ::Exception => e + print_error("#{dork} - #{e.message}") end - - subdomain_ips.each do |ip| - bing_search_ip(ip) if datastore['IP_SEARCH'] - end - - return if domains.empty? - report_note( - host: domain, - type: 'Bing Search Subdomains', - update: :unique_data, - data: domains) - domains + results end - def bing_search_ip(ip) - dork = "ip:#{ip}" - domains = {} - - results = bing_search(dork) - results.each do |subdomain| - next if domains.include?(subdomain) - next unless valid?(ip, subdomain) - report_host(host: ip, name: subdomain) - print_good("#{dork} suddomain: #{subdomain}") - domains[subdomain] = ip - end - return if domains.empty? - report_note( - host: ip, - type: 'Bing Search Subdomains', - update: :unique_data, - data: domains) - domains - end - - def yahoo_search_domain(domain) + def search_subdomains(target) domains = {} +<<<<<<< HEAD subdomain_ips = [] dork = "domain:#{domain}" results = yahoo_search(dork) @@ -223,45 +243,34 @@ class MetasploitModule < Msf::Auxiliary subdomain_ips.each do |ip| yahoo_search_ip(ip) if datastore['IP_SEARCH'] end +======= + ipv4 = Rex::Socket.is_ipv4?(target) + dork = ipv4 ? "ip:#{target}" : "domain:#{target}" +>>>>>>> searchengine_subdomains_collector - return if domains.empty? - report_note( - host: domain, - type: 'Yahoo Search Subdomains', - update: :unique_data, - data: domains) - domains - end + results = [] # merge results to reduce query times + results |= bing_search(dork) if datastore['ENUM_BING'] + results |= yahoo_search(dork) if datastore['ENUM_YAHOO'] - def yahoo_search_ip(ip) - dork = "ip:#{ip}" - domains = {} - - results = yahoo_search(dork) + return domains if results.nil? || results.empty? results.each do |subdomain| next if domains.include?(subdomain) - next unless valid?(ip, subdomain) - report_host(host: ip, name: subdomain) + next unless valid_result?(target, subdomain) print_good("#{dork} subdomain: #{subdomain}") - domains[subdomain] = ip + if ipv4 + domains[subdomain] = [target] + else + ips = domain2ip(subdomain) + next if ips.empty? + domains[subdomain] = ips + ips.each { |ip| search_subdomains(ip) } if !ips.empty? && datastore['IP_SEARCH'] + end end return if domains.empty? - report_note( - host: ip, - type: 'Yahoo Search Subdomains', - update: :unique_data, - data: domains) - domains + report_note(host: target, type: 'Subdomains', update: :unique_data, data: domains) end def run - target = datastore['TARGET'] - if Rex::Socket.is_ipv4?(target) - bing_search_ip(target) if datastore['ENUM_BING'] - yahoo_search_ip(target) if datastore['ENUM_YAHOO'] - else - bing_search_domain(target) if datastore['ENUM_BING'] - yahoo_search_domain(target) if datastore['ENUM_YAHOO'] - end + search_subdomains(datastore['TARGET']) end end