UT-Dorkbot

Bot User-Agent: ut-dorkbot

⚠️ Overview

UT-Dorkbot is a Perl-based automated vulnerability scanner that leverages Google dork queries to identify websites susceptible to SQL injection and cross-site scripting (XSS) attacks. Originally released on GitHub by the pseudonymous developer "uT" in March 2017, the tool has been widely distributed on underground forums and remains unmaintained but still actively used by malicious actors for reconnaissance.

🔧 Technical Capabilities

UT-Dorkbot first loads a configurable list of Google dork queries, either from an internal database or from an external file. The bundled queries concentrate on common CMS platforms such as WordPress, Joomla and Drupal, looking for URL parameters that are typically injection-prone. It submits each query to Google's search engine, parses the URLs in the results and issues HTTP GET requests against those targets. For each URL parameter it injects standard SQL injection payloads: a single quote ('), a double quote ("), boolean-based blind conditions such as ' AND 1=1, and, when error-based responses are suppressed, time-based blind payloads built around SLEEP() that confirm a finding by the delay in the response. It also checks for reflected XSS by inserting a test payload into each parameter, and runs a limited set of local file inclusion (LFI) tests.

Scanning is multi-threaded with a configurable thread count, and results are written as plain text with detected vulnerabilities highlighted. The only evasion built in is a rotating User-Agent drawn from a predefined list plus random delays between requests, intended to stay under Google's rate limiting; there is no CAPTCHA solving and no proxy rotation, so a busy scan still originates from a single IP address.

📜 History & Notable Incidents

UT-Dorkbot first appeared on GitHub in March 2017 under the repository "UT-Dorkbot" by user "uT", accumulating over 100 stars before being removed by GitHub due to policy violations in early 2018. It has been cited in multiple security advisories, including reports from the SANS Internet Storm Center, as a common tool used by low-sophistication attackers for website defacement and credential theft. While no specific CVE is associated with the tool itself, it has been observed in campaigns targeting educational and government websites running outdated software, such as those using unpatched versions of Joomla or vulnerable PHP scripts.

🔍 Detection Indicators

The default User-Agent string is "UT-Dorkbot/1.0", but the tool frequently spoofs "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" or "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". Because those spoofed values are ordinary browser identifiers, matching on the User-Agent alone only catches operators who left the default in place; the behavioral pattern is the more reliable signal. Behavioral indicators include rapid sequential requests to numerous unrelated domains from a single IP address, with repeated identical SQL injection or XSS payloads, such as ?id=1' or ?q=
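As an added example (not part of the original page and not code from the tool's author), the following Python script turns the payload families described under Technical Capabilities and the User-Agent and behavioral indicators listed above into a check over web server access logs. It tags each request with the probe families it matches (quote, boolean, SLEEP() and traversal), then profiles each source IP by distinct virtual hosts hit, probe count and request burst rate. The log layout (a virtual-host field followed by the Apache combined format), the IP addresses, hostnames, timestamps and the ../ traversal string used for the LFI check are all constructed for this illustration; the page does not state the tool's exact LFI payload.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Assumed log layout: Apache combined format with the virtual host logged
# as the first field (the "numerous unrelated domains" indicator needs it).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe families named on this page, matched against the URL-decoded query.
# The traversal pattern for the LFI check is an assumption; the page only
# says the tool runs "limited" LFI tests.
PROBES = {
    "sqli_quote":   re.compile(r"""=[^&]*['"]"""),                       # id=1' or id=1"
    "sqli_boolean": re.compile(r"""['"]?\s*(?:AND|OR)\s+\d+\s*=\s*\d+""", re.I),
    "sqli_time":    re.compile(r"""\bSLEEP\s*\(\s*\d+\s*\)""", re.I),
    "lfi":          re.compile(r"""(?:\.\./){2,}"""),
}

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)   # payloads arrive URL-encoded
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Tag a parsed request with every probe family it matches."""
    tags = [name for name, rx in PROBES.items() if rx.search(rec["query"])]
    if "ut-dorkbot" in rec["ua"].lower():   # default UA; spoofed UAs give no signal
        tags.append("ua_default")
    return tags

def profile_sources(lines, burst_window=10, burst_min=4, min_hosts=3, min_probes=3):
    """Aggregate per source IP and decide whether it looks like a dork scanner.

    A source is flagged when it announces the default User-Agent, or when it
    hits at least min_hosts distinct virtual hosts with at least min_probes
    injection probes and at least burst_min requests inside burst_window seconds.
    """
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = per_ip.setdefault(rec["ip"], {"hosts": set(), "times": [], "tags": Counter()})
        p["hosts"].add(rec["host"])
        p["times"].append(rec["time"])
        p["tags"].update(classify(rec))

    verdicts = {}
    for ip, p in per_ip.items():
        times = sorted(p["times"])
        burst, j = 0, 0                     # max requests in any sliding window
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > burst_window:
                j += 1
            burst = max(burst, i - j + 1)
        probes = sum(n for tag, n in p["tags"].items() if tag != "ua_default")
        reasons = []
        if p["tags"]["ua_default"]:
            reasons.append("default_ua")
        if len(p["hosts"]) >= min_hosts and probes >= min_probes and burst >= burst_min:
            reasons.append("multi_host_probe_burst")
        verdicts[ip] = {"hosts": len(p["hosts"]), "probes": probes, "burst": burst,
                        "tags": dict(p["tags"]), "reasons": reasons, "flagged": bool(reasons)}
    return verdicts

# Constructed sample: one scanning source (203.0.113.7) sweeping three
# unrelated virtual hosts, and one ordinary visitor whose search term
# happens to contain an apostrophe.
SAMPLE_LOG = """\
www.example-edu.org 203.0.113.7 - - [12/Mar/2024:09:14:01 +0000] "GET /index.php?id=1' HTTP/1.1" 500 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
www.example-edu.org 203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "GET /index.php?id=1'%20AND%201=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
shop.example.net 203.0.113.7 - - [12/Mar/2024:09:14:03 +0000] "GET /product.php?id=42' HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
shop.example.net 203.0.113.7 - - [12/Mar/2024:09:14:04 +0000] "GET /product.php?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
portal.example-gov.test 203.0.113.7 - - [12/Mar/2024:09:14:05 +0000] "GET /view.php?page=../../etc/passwd HTTP/1.1" 404 310 "-" "UT-Dorkbot/1.0"
www.example.com 198.51.100.20 - - [12/Mar/2024:09:14:06 +0000] "GET /search?q=O'Reilly HTTP/1.1" 200 8192 "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
"""

if __name__ == "__main__":
    for ip, v in profile_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, "FLAGGED" if v["flagged"] else "ok", v["reasons"], v["tags"])
```

The single-quote rule on its own is noisy (the benign visitor's O'Reilly search trips it), which is why the verdict requires a combination of distinct hosts, probe count and burst rate rather than any one payload match; the thresholds are starting points to tune against your own traffic. The default-UA check stays in because it is free, but on a host that only ever sees the spoofed browser strings it will never fire.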