Commit d64dfd65 authored by dmknght's avatar dmknght

Import Upstream version 0.82

parents
Pipeline #166 failed with stages
in 41 seconds
*.py[cod]
# C extensions
*.so
# Packages
*.egg
*.egg-info
dist
build
eggs
parts
bin
var
sdist
develop-eggs
.installed.cfg
lib
lib64
__pycache__
# Installer logs
pip-log.txt
# Unit test / coverage reports
.coverage
.tox
nosetests.xml
# Translations
*.mo
# Mr Developer
.mr.developer.cfg
.project
.pydevproject
debian/patches
LICENSE.txt
MANIFEST.in
README.md
setup.py
parsero.egg-info/PKG-INFO
parsero.egg-info/SOURCES.txt
parsero.egg-info/dependency_links.txt
parsero.egg-info/entry_points.txt
parsero.egg-info/requires.txt
parsero.egg-info/top_level.txt
\ No newline at end of file
0.82-parrot1
v0.82-parrot2
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
__license__ = """
Parsero is a free script which read the Robots.txt file of a web server and
look at the Disallow entries. Then it visits these entries and prints the
status code in order to show you which of them are available and which not.
Author:
Javier Nieto | javier.nieto@behindthefirewalls.com
Twitter: @behindfirewalls
Web: www.behindthefirewalls.com
Parsero project site: https://github.com/behindthefirewalls/Parsero
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
The authors disclaims all responsibility in the use of this tool.
"""
class bcolors:
OKGREEN = '\033[92m'
FAIL = '\033[91m'
ENDC = '\033[0m'
YELLOW = '\033[33m'
def disable(self):
self.OKGREEN = ''
self.FAIL = ''
self.ENDC = ''
import sys
if sys.version_info < (3, 0, 0):
print("\n" + bcolors.FAIL + \
"You need Python3 or later to run this script." + \
bcolors.ENDC + "\n")
exit(1)
import urllib.request
import argparse
import time
try:
import urllib3
except ImportError:
print("\n" + bcolors.FAIL + \
'You need to install urllib3. "sudo pip-3.3 install urllib3"' + \
bcolors.ENDC + "\n")
exit(1)
def logo():
hello = """
____
| _ \ __ _ _ __ ___ ___ _ __ ___
| |_) / _` | '__/ __|/ _ \ '__/ _ \
| __/ (_| | | \__ \ __/ | | (_) |
|_| \__,_|_| |___/\___|_| \___/
"""
print(bcolors.YELLOW + hello + bcolors.ENDC)
now = time.strftime("%c")
def conn_check(url, only200):
global pathlist
pathlist = []
salida = 1
try:
# for line in urllib.request.urlopen("http://" + url + "/robots.txt"):
for line in urllib.request.urlopen("%srobots.txt" %(url) if "robots.txt" not in url else url): # BUG, check line 113
lineStr = str(line, encoding='utf8')
path = lineStr.split(': /')
if "Disallow" == path[0]:
pathlist.append(path[1].replace("\n", "").replace("\r", ""))
pathlist = list(set(pathlist))
try:
inx = pathlist.index("/")
del pathlist[inx]
except:
pass
except urllib.error.HTTPError:
print("\n" + bcolors.FAIL + "[x] Error: No robots.txt file has been found." + bcolors.ENDC)
salida = 0
except KeyboardInterrupt:
print("\n" + bcolors.FAIL + "[x] Interrupted by user." + bcolors.ENDC)
salida = 0
except Exception as error:
print("\n" + bcolors.FAIL + "[x] Error: %s" %(error) + bcolors.ENDC)
salida = 0
http = urllib3.PoolManager()
count = 0
count_ok = 0
for p in pathlist:
disurl = url.replace("robots.txt", "") if "robots.txt" in url else url + p
# disurl = url + ('/' + p if url[-1] is not "/" else p) if "robots.txt" not in url else url.replace("/robots.txt", "") + '/' + p
r1 = http.request('GET', disurl, redirect=False, retries=5)
if r1.status == 200:
print(bcolors.OKGREEN + disurl + ' ' + str(r1.status) + ' ' + str(r1.reason) + bcolors.ENDC)
count_ok = count_ok + 1
elif only200 == False:
print(bcolors.FAIL + disurl + ' ' + str(r1.status) + ' ' + str(r1.reason) + bcolors.ENDC)
count = count + 1
count_int = int(count)
count_ok_int = int(count_ok)
if salida == 1:
if count_ok_int != 0 and only200 == True:
print('\n[+] %i links have been analyzed and %i of them are available!!!' % (count_int, count_ok_int))
elif count_ok_int != 0:
print('\n[+] %i links have been analyzed and %i of them are available!!!' % (count_int, count_ok_int))
elif count_ok_int == 0 and only200 == True:
print('\n' + bcolors.FAIL + '[+] %i links have been analyzed but any them are available...' % count_int + bcolors.ENDC)
else:
print('\n' + bcolors.FAIL + '[+] %i links have been analyzed but any them are available...' % count_int + bcolors.ENDC)
def search_bing(url, searchbing, only200):
try:
print("\n[-] Searching the Disallows entries in Bing...\n")
from bs4 import BeautifulSoup
count = 0
for p in pathlist:
# disurl = "http://" + url + '/' + p
disurl = url + '/' + p
opener = urllib.request.build_opener()
opener.addheaders = [('User-agent', 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0')]
url2 = "http://www.bing.com/search?q=site:" + disurl
print(url2)
page = opener.open(url2)
soup = BeautifulSoup(page)
http = urllib3.PoolManager()
for cite in soup.findAll('cite'):
try:
if url in cite.text:
count = count + 1
r2 = http.request('GET', cite.text, redirect=False, retries=5)
if r2.status == 200:
print(bcolors.OKGREEN + ' - ' + cite.text + ' ' + str(r2.status) + ' ' + str(r2.reason) + bcolors.ENDC)
elif only200 == False:
print(bcolors.FAIL + ' - ' + cite.text + ' ' + str(r2.status) + ' ' + str(r2.reason) + bcolors.ENDC)
except UnicodeEncodeError:
pass
if count == 0:
print("\n" + bcolors.FAIL + '[+] No Dissallows have been indexed in Bing' + bcolors.ENDC)
except ImportError:
print(bcolors.FAIL + 'You need to install Beautifulsoup. "sudo pip-3.3 install beautifulsoup4"' + bcolors.ENDC)
def date(url):
print("Starting Parsero v0.82 Parrot Security OS edition at " + time.strftime("%x") + " " + time.strftime("%X"))
print("Parsero scan report for " + url)
def main():
parse = argparse.ArgumentParser()
parse.add_argument('-u', action='store', dest='url', help='Type the URL which will be analyzed')
parse.add_argument('-o', action='store_true', dest='only200', help='Show only the "HTTP 200" status code')
parse.add_argument('-sb', action='store_true', dest='searchbing', help='Search in Bing indexed Disallows')
parse.add_argument('-f', action='store', dest='file', help='Scan a list of domains from a list')
args = parse.parse_args()
if args.file == None and args.url == None:
logo()
parse.print_help()
print("\n")
exit(1)
urls = []
if args.file != None:
try:
hostFile = open(args.file, 'r')
except IOError:
logo()
print(bcolors.FAIL + "[-] The file '"'%s'"' doesn't exist." % (args.file) + "\n" + bcolors.ENDC)
exit(1)
for line in hostFile.readlines():
line = line.split("\n")
urls.append(str(line[0]))
if args.url != None:
urls.append(str(args.url))
urls = filter(None, urls)
urls = list(set(urls))
logo()
# Fix cert error for urllib3 https://stackoverflow.com/a/49174340
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
for url in urls:
# if url.find("http://") == 0:
# url = url.replace("http://", "")
if not url.startswith(("http://", "https://")):
url = "http://%s" %(url)
url = "%s/" %(url) if (url[-1] is not "/" and "robots.txt" not in url) else url
start_time = time.time()
only200 = args.only200
searchbing = args.searchbing
date(url)
conn_check(url, only200)
if searchbing == True:
search_bing(url, searchbing, only200)
print("\n[*] Finished in %0.2f seconds.\n" % (time.time() - start_time))
if __name__ == "__main__":
main()
This diff is collapsed.
include README.md LICENSE.txt
What's Parsero?
===============
Parsero is a free script written in Python which reads the Robots.txt
file of a web server and looks at the Disallow entries. The Disallow
entries tell the search engines what directories or files hosted on a
web server mustn't be indexed. For example, "Disallow: /portal/login"
means that the content on www.example.com/portal/login it's not allowed
to be indexed by crawlers like Google, Bing, Yahoo... This is the way
the administrator have to not share sensitive or private information
with the search engines.
But sometimes these paths typed in the Disallows entries are directly
accessible by the users without using a search engine, just visiting
the URL and the Path, and sometimes they are not available to be visited
by anybody. Because it is really common that the administrators write
a lot of Disallows and some of them are available and some of them are
not, you can use Parsero in order to check the HTTP status code of each
Disallow entry in order to check automatically if these directories are
available or not.
Also, the fact the administrator write a robots.txt, it doesn't mean
that the files or directories typed in the Dissallow entries will not
be indexed by Bing, Google, Yahoo, etc. For this reason, Parsero is
capable of searching in Bing to locate content indexed without the web
administrator authorization. Parsero will check the HTTP status code in
the same way for each Bing result.
When you execute Parsero, you can see the HTTP status codes. For example,
the codes bellow:
200 OK The request has succeeded.
403 Forbidden The server understood the request, but is refusing to fulfill it.
404 Not Found The server hasn't found anything matching the Request-URI.
302 Found The requested resource resides temporarily under a different URI.
...
You can get all the latest info about Parsero from
http://www.behindthefirewalls.com/search/?q=parsero
Installing
==========
There are three ways to install Parsero easily.
By using setup.py script
sudo setup.py install
By using pip3
sudo apt-get install python3-pip
sudo pip3 install parsero
In Kali Linux
sudo apt-get update
sudo apt-get install parsero
Usage
=====
$ parsero -h
usage: parsero.py [-h] [-u URL] [-o] [-sb]
optional arguments:
-h, --help show this help message and exit
-u URL Type the URL which will be analyzed
-o Show only the "HTTP 200" status code
-sb Search in Bing indexed Disallows
-f FILE Scan a list of domains from a list
Parsero now use any url instead of domain name
Example
=======
root@kali:~# parsero -u www.example.com -sb
____
| _ \ __ _ _ __ ___ ___ _ __ ___
| |_) / _` | '__/ __|/ _ \ '__/ _ \
| __/ (_| | | \__ \ __/ | | (_) |
|_| \__,_|_| |___/\___|_| \___/
Starting Parsero v0.75 (https://github.com/behindthefirewalls/Parsero) at 05/22/14 11:12:55
Parsero scan report for example.com
http://example.com/download.php 302 Moved Temporarily
http://example.com/raw.php 302 Moved Temporarily
http://example.com/embed_js.php 200 OK
http://example.com/embed.php 200 OK
http://example.com/print.php 302 Moved Temporarily
http://example.com/diff.php 302 Moved Temporarily
http://example.com/share.php 404 Not Found
http://example.com/report.php 302 Moved Temporarily
http://example.com/embed_iframe.php 200 OK
[+] 9 links have been analyzed and 3 of them are available!!!
Searching the Disallows entries in Bing
http://www.bing.com/search?q=site:http://example.com/download.php
http://www.bing.com/search?q=site:http://example.com/raw.php
- example.com/raw.php/contact?i=KR9c2erd 200 OK
- example.com/raw.php/legal.aspx 302 Moved Temporarily
- example.com/raw.php/points?i=KR9c2erd 200 OK
- example.com/raw.php/image/sqrn11sp3C/zayn-tshirt-one-direction?i=... 302 Moved Temporarily
http://www.bing.com/search?q=site:http://example.com/embed_js.php
http://www.bing.com/search?q=site:http://example.com/embed.php
http://www.bing.com/search?q=site:http://example.com/print.php
http://www.bing.com/search?q=site:http://example.com/diff.php
http://www.bing.com/search?q=site:http://example.com/share.php
http://www.bing.com/search?q=site:http://example.com/report.php
http://www.bing.com/search?q=site:http://example.com/embed_iframe.php
Finished in 7.290362596511841 seconds
Disclaimer
==========
The use of this tool is your responsability. Use parsero to audit your
own servers or servers you are allowed to scan. I hereby disclaim any
responsibility for actions taken with this tool.
Author
======
* Javier Nieto <javier.nieto at behindthefirewalls.com>
* Twitter: @behindfirewalls
* Web: http://www.behindthefirewalls.com
Credits
=======
I'd like thank to @cor3dump3d from http://www.devconsole.info for his support
and help.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
__license__ = """
Parsero is a free script which read the Robots.txt file of a web server and
look at the Disallow entries. Then it visits these entries and prints the
status code in order to show you which of them are available and which not.
Author:
Javier Nieto | javier.nieto@behindthefirewalls.com
Twitter: @behindfirewalls
Web: www.behindthefirewalls.com
Parsero project site: https://github.com/behindthefirewalls/Parsero
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
The authors disclaims all responsibility in the use of this tool.
"""
class bcolors:
OKGREEN = '\033[92m'
FAIL = '\033[91m'
ENDC = '\033[0m'
YELLOW = '\033[33m'
def disable(self):
self.OKGREEN = ''
self.FAIL = ''
self.ENDC = ''
import sys
if sys.version_info < (3, 0, 0):
print("\n" + bcolors.FAIL + \
"You need Python3 or later to run this script." + \
bcolors.ENDC + "\n")
exit(1)
import urllib.request
import argparse
import time
try:
import urllib3
except ImportError:
print("\n" + bcolors.FAIL + \
'You need to install urllib3. "sudo pip-3.3 install urllib3"' + \
bcolors.ENDC + "\n")
exit(1)
def logo():
hello = """
____
| _ \ __ _ _ __ ___ ___ _ __ ___
| |_) / _` | '__/ __|/ _ \ '__/ _ \
| __/ (_| | | \__ \ __/ | | (_) |
|_| \__,_|_| |___/\___|_| \___/
"""
print(bcolors.YELLOW + hello + bcolors.ENDC)
now = time.strftime("%c")
def conn_check(url, only200):
global pathlist
pathlist = []
salida = 1
try:
# for line in urllib.request.urlopen("http://" + url + "/robots.txt"):
for line in urllib.request.urlopen("%srobots.txt" %(url) if "robots.txt" not in url else url): # BUG, check line 113
lineStr = str(line, encoding='utf8')
path = lineStr.split(': /')
if "Disallow" == path[0]:
pathlist.append(path[1].replace("\n", "").replace("\r", ""))
pathlist = list(set(pathlist))
try:
inx = pathlist.index("/")
del pathlist[inx]
except:
pass
except urllib.error.HTTPError:
print("\n" + bcolors.FAIL + "[x] Error: No robots.txt file has been found." + bcolors.ENDC)
salida = 0
except KeyboardInterrupt:
print("\n" + bcolors.FAIL + "[x] Interrupted by user." + bcolors.ENDC)
salida = 0
except Exception as error:
print("\n" + bcolors.FAIL + "[x] Error: %s" %(error) + bcolors.ENDC)
salida = 0
http = urllib3.PoolManager()
count = 0
count_ok = 0
url = url.replace("robots.txt", "") if "robots.txt" in url else url
for p in pathlist:
disurl = url + p
# disurl = url + ('/' + p if url[-1] is not "/" else p) if "robots.txt" not in url else url.replace("/robots.txt", "") + '/' + p
r1 = http.request('GET', disurl, redirect=False, retries=5)
if r1.status == 200:
print(bcolors.OKGREEN + disurl + ' ' + str(r1.status) + ' ' + str(r1.reason) + bcolors.ENDC)
count_ok = count_ok + 1
elif only200 == False:
print(bcolors.FAIL + disurl + ' ' + str(r1.status) + ' ' + str(r1.reason) + bcolors.ENDC)
count = count + 1
count_int = int(count)
count_ok_int = int(count_ok)
if salida == 1:
if count_ok_int != 0 and only200 == True:
print('\n[+] %i links have been analyzed and %i of them are available!!!' % (count_int, count_ok_int))
elif count_ok_int != 0:
print('\n[+] %i links have been analyzed and %i of them are available!!!' % (count_int, count_ok_int))
elif count_ok_int == 0 and only200 == True:
print('\n' + bcolors.FAIL + '[+] %i links have been analyzed but any them are available...' % count_int + bcolors.ENDC)
else:
print('\n' + bcolors.FAIL + '[+] %i links have been analyzed but any them are available...' % count_int + bcolors.ENDC)
def search_bing(url, searchbing, only200):
try:
print("\n[-] Searching the Disallows entries in Bing...\n")
from bs4 import BeautifulSoup
count = 0
for p in pathlist:
# disurl = "http://" + url + '/' + p
disurl = url + '/' + p
opener = urllib.request.build_opener()
opener.addheaders = [('User-agent', 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0')]
url2 = "http://www.bing.com/search?q=site:" + disurl
print(url2)
page = opener.open(url2)
soup = BeautifulSoup(page)
http = urllib3.PoolManager()
for cite in soup.findAll('cite'):
try:
if url in cite.text:
count = count + 1
r2 = http.request('GET', cite.text, redirect=False, retries=5)
if r2.status == 200:
print(bcolors.OKGREEN + ' - ' + cite.text + ' ' + str(r2.status) + ' ' + str(r2.reason) + bcolors.ENDC)
elif only200 == False:
print(bcolors.FAIL + ' - ' + cite.text + ' ' + str(r2.status) + ' ' + str(r2.reason) + bcolors.ENDC)
except UnicodeEncodeError:
pass
if count == 0:
print("\n" + bcolors.FAIL + '[+] No Dissallows have been indexed in Bing' + bcolors.ENDC)
except ImportError:
print(bcolors.FAIL + 'You need to install Beautifulsoup. "sudo pip-3.3 install beautifulsoup4"' + bcolors.ENDC)
def date(url):
print("Starting Parsero v0.82 Parrot Security OS edition at " + time.strftime("%x") + " " + time.strftime("%X"))
print("Parsero scan report for " + url)
def main():
parse = argparse.ArgumentParser()
parse.add_argument('-u', action='store', dest='url', help='Type the URL which will be analyzed')
parse.add_argument('-o', action='store_true', dest='only200', help='Show only the "HTTP 200" status code')
parse.add_argument('-sb', action='store_true', dest='searchbing', help='Search in Bing indexed Disallows')
parse.add_argument('-f', action='store', dest='file', help='Scan a list of domains from a list')
args = parse.parse_args()
if args.file == None and args.url == None:
logo()
parse.print_help()
print("\n")
exit(1)
urls = []
if args.file != None:
try:
hostFile = open(args.file, 'r')
except IOError:
logo()