├── .github
│   ├── FUNDING.yml
│   ├── PULL_REQUEST_TEMPLATE.md
│   └── workflows
│       └── docker-build.yml
├── Dockerfile
├── LICENSE
├── README.md
├── github-dork.py
├── github-dorks-test.txt
├── github-dorks.txt
├── requirements.txt
├── setup.cfg
└── setup.py

/.github/FUNDING.yml:

```yaml
github: techgaun
```

/.github/PULL_REQUEST_TEMPLATE.md:

```markdown
### Please include all of the following fields when adding dorks/patterns
- Search URL: https://github.com/search?q=
- Number of search results at time of PR:
- Impact of data disclosed (see table below):
- Description of data disclosed:

| Icon/Name    | Description                                                                                             | Examples                                                        |
|--------------|---------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
| ❓ Unknown    | The impact of this data is highly variable or unknown                                                   | N/A                                                             |
| ➖ Low        | This data will provide minimal access or mostly public information                                      | Non-stored XSS, Limited scope + read-only API access            |
| ➕ Moderate   | This data will provide some access or information                                                       | Stored XSS in some cases, read-only or limited write API access |
| ⚠️ High       | This data will provide single-user access or secret information                                         | Usernames/passwords, OAuth tokens                               |
| ❗️ Critical   | This data will provide complete control, access to several users, or confidential/personal information | Credential database dumps, AWS keys                             |
```

/.github/workflows/docker-build.yml:

```yaml
name: Docker Build & Test

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: github-dorks:test
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Test Docker image
        run: |
          # Smoke test: the image must start and print its version
          docker run github-dorks:test -v

      - name: Verify image size
        run: docker image ls github-dorks:test
```

/Dockerfile:

```dockerfile
# Use Python 3.8 as base - this version has good compatibility with older packages
FROM python:3.8-slim

# Set working directory
WORKDIR /app

# Install git (needed for pip install from git repos)
RUN apt-get update && \
    apt-get install -y git && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Copy only the necessary files
COPY github-dork.py /app/
COPY github-dorks.txt /app/
COPY setup.py /app/
COPY README.md /app/
COPY requirements.txt /app/

# Install dependencies
# Using the specific version of github3.py that's known to work
RUN pip install --no-cache-dir github3.py==1.0.0a2 feedparser==6.0.2

# Set environment variables
ENV PYTHONUNBUFFERED=1
ENV PYTHONIOENCODING=UTF-8

# Create volume for potential output files
VOLUME ["/app/output"]

ENTRYPOINT ["python", "github-dork.py"]
```

/LICENSE:

```text
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "{}"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright {yyyy} {name of copyright owner}

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
```

/README.md:

[![Docker Build & Test](https://github.com/techgaun/github-dorks/actions/workflows/docker-build.yml/badge.svg)](https://github.com/techgaun/github-dorks/actions/workflows/docker-build.yml)

# Github Dorks

[Github Search](https://github.com/search) is a powerful feature that can be used to search for sensitive data in repositories. A collection of Github dorks can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc. This list is intended to be useful for assessing security and performing pen-testing of systems.

## GitHub Dork Search Tool

[github-dork.py](github-dork.py) is a simple Python tool that can search through your repository or your organization/user repositories. It is not a perfect tool at the moment, but it provides basic functionality to automate the search of your repositories against the dorks specified in the text file.
### Installation

This tool uses [github3.py](https://github.com/sigmavirus24/github3.py) to talk to the GitHub Search API.

Clone this repository and run:

```shell
pip install .
```

### Docker Installation

You can also run github-dorks using Docker for a consistent environment:

```shell
# Build the Docker image
docker build -t github-dorks .

# Run with a GitHub token (recommended)
docker run -e GH_TOKEN=your_github_token github-dorks -u someuser

# Run with username/password
docker run -e GH_USER=your_username -e GH_PWD=your_password github-dorks -u someuser

# Save results to a CSV file
docker run -v $(pwd)/output:/app/output -e GH_TOKEN=your_github_token github-dorks -u someuser -o /app/output/results.csv
```

### Usage

```
GH_USER  - Environment variable to specify Github user
GH_PWD   - Environment variable to specify a password
GH_TOKEN - Environment variable to specify Github token
GH_URL   - Environment variable to specify GitHub Enterprise base URL
```

Some example usages are listed below:

```shell
github-dork.py -r techgaun/github-dorks                  # search a single repo

github-dork.py -u techgaun                               # search all repos of a user

github-dork.py -u dev-nepal                              # search all repos of an organization

GH_USER=techgaun GH_PWD= github-dork.py -u dev-nepal     # search as authenticated user

GH_TOKEN= github-dork.py -u dev-nepal                    # search using auth token

GH_URL=https://github.example.com github-dork.py -u dev-nepal  # search a GitHub Enterprise instance
```

### Limitations

- Authenticated requests get a higher rate limit, but since this tool waits for the API rate limit to reset (usually less than a minute), it can be slightly slow.
- Output formatting is not great. PR welcome
- ~~Handle rate limit and retry. PR welcome~~

### Contribution

Please consider contributing dorks that can reveal potentially sensitive information on Github.

### List of Dorks

I am not categorizing the dorks at the moment; instead, each dork is simply listed with a description. Many of the dorks can be modified to make the search more specific or generic. You can see more options [here](https://github.com/search#search_cheatsheet_pane).

Dork | Description
------------------------------------------------|--------------------------------------------------------------------------
filename:.npmrc _auth | npm registry authentication data
filename:.dockercfg auth | docker registry authentication data
extension:pem private | private keys
extension:ppk private | puttygen private keys
filename:id_rsa or filename:id_dsa | private ssh keys
extension:sql mysql dump | mysql dump
extension:sql mysql dump password | mysql dump, look for password; you can try varieties
filename:credentials aws_access_key_id | might return false negatives with dummy values
filename:.s3cfg | might return false negatives with dummy values
filename:wp-config.php | wordpress config files
filename:.htpasswd | htpasswd files
filename:.env DB_USERNAME NOT homestead | laravel .env (CI, various ruby based frameworks too)
filename:.env MAIL_HOST=smtp.gmail.com | gmail smtp configuration (try different smtp services too)
filename:.git-credentials | git credentials store, add NOT username for more valid results
PT_TOKEN language:bash | pivotaltracker tokens
filename:.bashrc password | search for passwords, etc. in .bashrc (try with .bash_profile too)
filename:.bashrc mailchimp | variation of above (try more variations)
filename:.bash_profile aws | aws access and secret keys
rds.amazonaws.com password | Amazon RDS possible credentials
extension:json api.forecast.io | try variations, find api keys/secrets
extension:json mongolab.com | mongolab credentials in json configs
extension:yaml mongolab.com | mongolab credentials in yaml configs (try with yml)
jsforce extension:js conn.login | possible salesforce credentials in nodejs projects
SF_USERNAME salesforce | possible salesforce credentials
filename:.tugboat NOT _tugboat | Digital Ocean tugboat config
HEROKU_API_KEY language:shell | Heroku api keys
HEROKU_API_KEY language:json | Heroku api keys in json files
filename:.netrc password | netrc that possibly holds sensitive credentials
filename:_netrc password | netrc that possibly holds sensitive credentials
filename:hub oauth_token | hub config that stores github tokens
filename:robomongo.json | mongodb credentials file used by robomongo
filename:filezilla.xml Pass | filezilla config file with possible user/pass to ftp
filename:recentservers.xml Pass | filezilla config file with possible user/pass to ftp
filename:config.json auths | docker registry authentication data
filename:idea14.key | IntelliJ Idea 14 key, try variations for other versions
filename:config irc_pass | possible IRC config
filename:connections.xml | possible db connections configuration, try variations to be specific
filename:express.conf path:.openshift | openshift config, only email and server though
filename:.pgpass | PostgreSQL file which can contain passwords
filename:proftpdpasswd | Usernames and passwords of proftpd created by cpanel
filename:ventrilo_srv.ini | Ventrilo configuration
[WFClient] Password= extension:ica | WinFrame-Client info needed by users to connect to Citrix Application Servers
filename:server.cfg rcon password | Counter Strike RCON Passwords
JEKYLL_GITHUB_TOKEN | Github tokens used for jekyll
filename:.bash_history | Bash history file
filename:.cshrc | RC file for csh shell
filename:.history | history file (often used by many tools)
filename:.sh_history | korn shell history
filename:sshd_config | OpenSSH server config
filename:dhcpd.conf | DHCP service config
filename:prod.exs NOT prod.secret.exs | Phoenix prod configuration file
filename:prod.secret.exs | Phoenix prod secret
filename:configuration.php JConfig password | Joomla configuration file
filename:config.php dbpasswd | PHP application database password (e.g., phpBB forum software)
path:sites databases password | Drupal website database credentials
shodan_api_key language:python | Shodan API keys (try other languages too)
filename:shadow path:etc | Contains encrypted passwords and account information of new unix systems
filename:passwd path:etc | Contains user account information including encrypted passwords of traditional unix systems
extension:avastlic "support.avast.com" | Contains license keys for Avast! Antivirus
filename:dbeaver-data-sources.xml | DBeaver config containing MySQL Credentials
filename:.esmtprc password | esmtp configuration
extension:json googleusercontent client_secret | OAuth credentials for accessing Google APIs
HOMEBREW_GITHUB_API_TOKEN language:shell | Github token usually set by homebrew users
xoxp OR xoxb | Slack bot and private tokens
.mlab.com password | MLAB Hosted MongoDB Credentials
filename:logins.json | Firefox saved password collection (key3.db usually in same repo)
filename:CCCam.cfg | CCCam Server config file
msg nickserv identify filename:config | Possible IRC login passwords
filename:settings.py SECRET_KEY | Django secret keys (usually allows for session hijacking, RCE, etc)
filename:secrets.yml password | Usernames/passwords, Rails applications
filename:master.key path:config | Rails master key (used for decrypting `credentials.yml.enc` for Rails 5.2+)
filename:deployment-config.json | Created by sftp-deployment for Atom, contains server details and credentials
filename:.ftpconfig | Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials
filename:.remote-sync.json | Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials
filename:sftp.json path:.vscode | Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials
filename:sftp-config.json | Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials
filename:WebServers.xml | Created by Jetbrains IDEs, contains webserver credentials with encoded passwords ([not encrypted!](https://intellij-support.jetbrains.com/hc/en-us/community/posts/207074025/comments/207034775))
"api_hash" "api_id" | Telegram API token
"https://hooks.slack.com/services/" | Slack service URLs often have a secret API token as a suffix
filename:github-recovery-codes.txt | GitHub recovery key
filename:gitlab-recovery-codes.txt | GitLab recovery key
filename:discord_backup_codes.txt | Discord recovery key
extension:yaml cloud.redislabs.com | Redis credentials provided by Redis Labs found in a YAML file
extension:json cloud.redislabs.com | Redis credentials provided by Redis Labs found in a JSON file

/github-dork.py:

```python
#!/usr/bin/env python
# -*- encoding: utf-8 -*-

import github3 as github
import os
import argparse
import csv
import time
import feedparser
from copy import copy
from sys import stderr, prefix

gh_user = os.getenv('GH_USER', None)
gh_pass = os.getenv('GH_PWD', None)
gh_token = os.getenv('GH_TOKEN', None)
gh_url = os.getenv('GH_URL', None)

if gh_url is None:
    gh = github.GitHub(username=gh_user, password=gh_pass, token=gh_token)
else:
    gh = github.GitHubEnterprise(
        url=gh_url, username=gh_user, password=gh_pass, token=gh_token)


def search_wrapper(gen):
    """Iterate over a github3 search iterator, pausing on rate limits.

    When the Search API answers with 403 (rate limit exceeded), ask the
    API for the reset time of the search bucket, sleep until then and
    resume from a copy of the iterator taken before the failed request.
    """
    while True:
        gen_back = copy(gen)
        try:
            yield next(gen)
        except StopIteration:
            return
        except github.exceptions.ForbiddenError:
            search_rate_limit = gh.rate_limit()['resources']['search']
            # limit_remaining = search_rate_limit['remaining']
            reset_time = search_rate_limit['reset']
            current_time = int(time.time())
            # Clamp to at least 1s: a negative value would make time.sleep raise
            sleep_time = max(reset_time - current_time + 1, 1)
            stderr.write(
                'GitHub Search API rate limit reached. Sleeping for %d seconds.\n\n'
                % (sleep_time))
            time.sleep(sleep_time)
            yield next(gen_back)


def metasearch(repo_to_search=None,
               user_to_search=None,
               gh_dorks_file=None,
               active_monit=None,
               output_filename=None,
               refresh_time=60):
    if active_monit is None:
        search(repo_to_search, user_to_search, gh_dorks_file, active_monit, output_filename)
    else:
        monit(gh_dorks_file, active_monit, refresh_time)


def monit(gh_dorks_file=None, active_monit=None, refresh_time=60):
    if gh_user is None:
        raise Exception('Error, env Github user variable needed')
    print(
        'Monitoring user private feed searching new code to be dorked. ' +
        'Every new merged pull request triggers a user scan.'
    )
    print('-----')
    items_history = list()
    gh_private_feed = "https://github.com/{}.private.atom?token={}".format(
        gh_user, active_monit)
    while True:
        feed = feedparser.parse(gh_private_feed)
        for i in feed['items']:
            if 'merged pull' in i['title']:
                if i['title'] not in items_history:
                    search(
                        user_to_search=i['author_detail']['name'],
                        gh_dorks_file=gh_dorks_file)
                    items_history.append(i['title'])
        print('Waiting for new items...')
        time.sleep(refresh_time)


def search(repo_to_search=None,
           user_to_search=None,
           gh_dorks_file=None,
           active_monit=None,
           output_filename=None):

    if gh_dorks_file is None:
        # Look for the bundled dorks file next to the script first, then in
        # the install prefix that setup.py copies it to.
        for path_prefix in ['.', os.path.join(prefix, 'github-dorks/')]:
            filename = os.path.join(path_prefix, 'github-dorks.txt')
            if os.path.isfile(filename):
                gh_dorks_file = filename
                break

    # os.path.isfile(None) raises TypeError, so check for None explicitly
    if gh_dorks_file is None or not os.path.isfile(gh_dorks_file):
        raise Exception('Error, the dorks file path is not valid')
    if user_to_search:
        print("Scanning User: ", user_to_search)
    if repo_to_search:
        print("Scanning Repo: ", repo_to_search)
    found = False
    addendum = ''

    outputFile = None
    csv_writer = None
    if output_filename:
        outputFile = open(output_filename, 'w', newline='')
        # csv.writer quotes fields, so commas inside text matches or paths
        # cannot shift the columns of the CSV.
        csv_writer = csv.writer(outputFile)
        csv_writer.writerow(['Issue Type (Dork)', 'Text Matches', 'File Path',
                             'Score/Relevance', 'URL of File'])

    try:
        with open(gh_dorks_file, 'r') as dork_file:
            for dork in dork_file:
                dork = dork.strip()
                # Skip blank lines and '#'/';' comments in the dorks file
                if not dork or dork[0] in '#;':
                    continue
                addendum = ''
                if repo_to_search:
                    addendum = ' repo:' + repo_to_search
                elif user_to_search:
                    addendum = ' user:' + user_to_search

                dork = dork + addendum
                search_results = search_wrapper(gh.search_code(dork))
                try:
                    for search_result in search_results:
                        found = True
                        fmt_args = {
                            'dork': dork,
                            'text_matches': search_result.text_matches,
                            'path': search_result.path,
                            'score': search_result.score,
                            'url': search_result.html_url
                        }

                        # Either write to file or print output
                        if csv_writer:
                            csv_writer.writerow([
                                fmt_args['dork'], fmt_args['text_matches'],
                                fmt_args['path'], fmt_args['score'], fmt_args['url']])
                        else:
                            result = '\n'.join([
                                'Found result for {dork}',
                                'Text matches: {text_matches}', 'File path: {path}',
                                'Score/Relevance: {score}', 'URL of File: {url}', ''
                            ]).format(**fmt_args)
                            print(result)

                except github.exceptions.GitHubError as e:
                    print('GitHubError encountered on search of dork: ' + dork)
                    print(e)
                    return
                except Exception as e:
                    print(e)
                    print('Error encountered on search of dork: ' + dork)
    finally:
        if outputFile:
            outputFile.close()

    if not found:
        print('No results for your dork search' + addendum + '. Hurray!')


def main():
    parser = argparse.ArgumentParser(
        description='Search github for github dorks',
        epilog='Use responsibly, Enjoy pentesting')

    parser.add_argument(
        '-v', '--version', action='version', version='%(prog)s 0.1.1')

    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument(
        '-u',
        '--user',
        dest='user_to_search',
        action='store',
        help='Github user/org to search within. Eg: techgaun')

    group.add_argument(
        '-r',
        '--repo',
        dest='repo_to_search',
        action='store',
        help='Github repo to search within. Eg: techgaun/github-dorks')

    parser.add_argument(
        '-d',
        '--dork',
        dest='gh_dorks_file',
        action='store',
        help='Github dorks file. Eg: github-dorks.txt')

    group.add_argument(
        '-m',
        '--monit',
        dest='active_monit',
        action='store',
        help='Monitors Github user private feed with feed token'
    )

    parser.add_argument(
        '-o',
        '--outputFile',
        dest='output_filename',
        action='store',
        help='CSV File to write results to. This overwrites the file provided! Eg: out.csv'
    )

    args = parser.parse_args()
    metasearch(
        repo_to_search=args.repo_to_search,
        user_to_search=args.user_to_search,
        gh_dorks_file=args.gh_dorks_file,
        active_monit=args.active_monit,
        output_filename=args.output_filename)


if __name__ == '__main__':
    main()
```

/github-dorks-test.txt:

```text
filename:.npmrc _auth
filename:.dockercfg auth
extension:md
```

/github-dorks.txt:

```text
filename:.npmrc _auth
filename:.dockercfg auth
extension:pem private
extension:ppk private
filename:id_rsa or filename:id_dsa
extension:sql mysql dump
extension:sql mysql dump password
filename:credentials aws_access_key_id
filename:.s3cfg
filename:wp-config.php
filename:.htpasswd
filename:.env DB_USERNAME NOT homestead
filename:.env MAIL_HOST=smtp.gmail.com
filename:.git-credentials
PT_TOKEN language:bash
filename:.bashrc password
filename:.bashrc mailchimp
filename:.bash_profile aws
rds.amazonaws.com password
extension:json api.forecast.io
extension:json mongolab.com
extension:yaml mongolab.com
jsforce extension:js conn.login
SF_USERNAME salesforce
filename:.tugboat NOT _tugboat
HEROKU_API_KEY language:shell
HEROKU_API_KEY language:json
filename:.netrc password
filename:_netrc password
filename:hub oauth_token
filename:robomongo.json
filename:filezilla.xml Pass
filename:recentservers.xml Pass
filename:config.json auths
filename:idea14.key
filename:config irc_pass
filename:connections.xml
filename:express.conf
```
path:.openshift 39 | filename:.pgpass 40 | filename:proftpdpasswd 41 | filename:ventrilo_srv.ini 42 | [WFClient] Password= extension:ica 43 | filename:server.cfg rcon password 44 | JEKYLL_GITHUB_TOKEN 45 | filename:.bash_history 46 | filename:.cshrc 47 | filename:.history 48 | filename:.sh_history 49 | filename:sshd_config 50 | filename:dhcpd.conf 51 | filename:prod.exs NOT prod.secret.exs 52 | filename:prod.secret.exs 53 | filename:configuration.php JConfig password 54 | filename:config.php dbpasswd 55 | filename:config.php pass 56 | path:sites databases password 57 | shodan_api_key language:python 58 | shodan_api_key language:shell 59 | shodan_api_key language:json 60 | shodan_api_key language:ruby 61 | filename:shadow path:etc 62 | filename:passwd path:etc 63 | extension:avastlic "support.avast.com" 64 | filename:dbeaver-data-sources.xml 65 | filename:sftp-config.json 66 | filename:.esmtprc password 67 | extension:json googleusercontent client_secret 68 | HOMEBREW_GITHUB_API_TOKEN language:shell 69 | xoxp OR xoxb 70 | .mlab.com password 71 | filename:logins.json 72 | filename:CCCam.cfg 73 | msg nickserv identify filename:config 74 | filename:settings.py SECRET_KEY 75 | filename:secrets.yml password 76 | filename:master.key path:config 77 | filename:deployment-config.json 78 | filename:.ftpconfig 79 | filename:.remote-sync.json 80 | filename:sftp.json path:.vscode 81 | filename:WebServers.xml 82 | filename:jupyter_notebook_config.json 83 | "api_hash" "api_id" 84 | "https://hooks.slack.com/services/" 85 | filename:github-recovery-codes.txt 86 | filename:gitlab-recovery-codes.txt 87 | filename:discord_backup_codes.txt 88 | extension:yaml cloud.redislabs.com 89 | extension:json cloud.redislabs.com 90 | DATADOG_API_KEY language:shell 91 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | github3.py==1.0.0a2 2 | feedparser==6.0.2 3 | 
-------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | [flake8] 2 | max-line-length = 120 3 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup 2 | 3 | with open('README.md', 'r') as f: 4 | long_description = f.read() 5 | 6 | setup( 7 | name='github-dorks', 8 | version='0.1', 9 | description='Find leaked secrets via github search.', 10 | license='Apache License 2.0', 11 | long_description=long_description, 12 | author='Samar Dhwoj Acharya (@techgaun)', 13 | long_description_content_type='text/markdown', 14 | scripts=['github-dork.py'], 15 | data_files=[('github-dorks', ['github-dorks.txt'])], 16 | install_requires=[ 17 | 'github3.py==4.0.1', 18 | 'feedparser==6.0.2', 19 | ], 20 | ) 21 | --------------------------------------------------------------------------------
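Added example, not code from github-dork.py: it isolates the per-dork query construction that metasearch performs (skip blank and `#`/`;` lines, append the `repo:` or `user:` scope you are auditing) and replaces the script's format-string CSV write, which breaks columns as soon as a text match contains a comma, with a quoted writer that round-trips. The org name, path and URL are constructed placeholders.

```python
import csv
import io
from typing import Dict, Iterable, List, Optional


def build_queries(dork_lines: Iterable[str], user: Optional[str] = None,
                  repo: Optional[str] = None) -> List[str]:
    """Turn the lines of a dorks file into scoped GitHub code-search queries.

    Same rules as the loop in metasearch: blank lines and lines starting with
    '#' or ';' are skipped, and ' repo:<repo>' or ' user:<user>' is appended so
    the audit stays inside the scope you own (repo takes precedence).
    """
    scope = ''
    if repo:
        scope = ' repo:' + repo
    elif user:
        scope = ' user:' + user
    return [line.strip() + scope for line in dork_lines
            if line.strip() and line.strip()[0] not in '#;']


def results_to_csv(results: Iterable[Dict[str, object]]) -> str:
    """Render findings as quoted CSV with the script's five columns.

    github-dork.py formats text_matches (a list of dicts, full of commas and
    quotes) into the row with a plain format string, so a single match
    containing a comma shifts every later column; csv.writer quotes it.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator='\n')
    writer.writerow(['Issue Type (Dork)', 'Text Matches', 'File Path', 'Score/Relevance', 'URL of File'])
    for r in results:
        writer.writerow([r['dork'], repr(r['text_matches']), r['path'],
                         r['score'], r['url']])
    return buf.getvalue()


def read_results_csv(text: str) -> List[List[str]]:
    """Parse CSV produced by results_to_csv back into rows, header first."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == '__main__':
    # Constructed sample: a two-line dorks file and one made-up finding.
    queries = build_queries(['# comment', 'filename:.npmrc _auth'], user='example-org')
    finding = {'dork': queries[0], 'text_matches': [{'fragment': '_auth = a,b'}],
               'path': 'ci/.npmrc', 'score': 1.0, 'url': 'https://example.invalid/blob'}
    print(results_to_csv([finding]))
```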