ozguralp / gmapsapiscanner
License: MIT License
Hi,
Running this on a MacBook Pro M2 in Docker and using the python3 maps_api_scanner_python3.py
line. All goes through fine until the end where I get
Reason: Verbose responses are not enabled for this API, cannot determine the reason.
API key is not vulnerable for Playable Locations API.
Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 971, in json
    return complexjson.loads(self.text, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 254, in <module>
    scan_gmaps(apikey)
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 203, in scan_gmaps
    print("Reason: "+ response.json()["error"]["message"])
                      ^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 975, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
It worked before so I'm not sure what has changed before. It displayed a table before but no longer.
Thank you
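An added example, not code from the gmapsapiscanner project: one way to avoid the crash in the traceback above is to read the error body defensively instead of calling response.json()["error"]["message"] directly. The function name and the sample bodies are assumptions made for illustration; the function would be called with response.text.

```python
import json

# Fallback text the scanner already prints when no reason is available
# (taken from the output quoted in the issue).
NO_REASON = "Verbose responses are not enabled for this API, cannot determine the reason."


def error_reason(body, max_len=120):
    """Return a printable reason from an API error body without raising.

    Handles {"error": {"message": ...}}, {"error_message": ...}, an "error"
    that is a plain string, and bodies that are empty or not JSON at all
    (for example an HTML error page).
    """
    text = (body or "").strip()
    if not text:
        return NO_REASON
    try:
        data = json.loads(text)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        # Not JSON: return a short single-line excerpt instead of crashing.
        excerpt = " ".join(text.split())[:max_len]
        return "Non-JSON response: " + excerpt
    if isinstance(data, dict):
        err = data.get("error")
        if isinstance(err, dict) and isinstance(err.get("message"), str):
            return err["message"]
        if isinstance(err, str):
            return err
        if isinstance(data.get("error_message"), str):
            return data["error_message"]
    return NO_REASON


# Constructed sample bodies (not captured from a real API).
SAMPLES = {
    "json_error": '{"error": {"code": 403, "message": "API key not valid."}}',
    "legacy": '{"status": "REQUEST_DENIED", "error_message": "This API project is not authorized."}',
    "html": "<html><body>\n<h1>404 Not Found</h1></body></html>",
    "empty": "",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", error_reason(body))
```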
Currently it's asking for input. It's useful to have an option such as running python3 maps_api_scanner_python3.py --apikey "API_KEY_HERE"; it's useful for container usage, see issue #9.
A Google API key is public information, why could it be vulnerable? How to protect it? Does it need to be encrypted?
python3 maps_api_scanner.py -help
File "maps_api_scanner.py", line 11
print "API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:")?
Explain properly how to use.
Issue 6 refers to Embed Advanced being paid, however now all Embed API usage is unlimited with no charge, compare Google docs below:
Old Embed API pricing:
https://web.archive.org/web/20200616082619/https://developers.google.com/maps/documentation/embed/usage-and-billing#embed-advanced
Current Embed API pricing:
https://developers.google.com/maps/documentation/embed/usage-and-billing
You can check if an API key works for FCM by using the curl below:
api_key=YOUR_SERVER_KEY
curl --header "Authorization: key=$api_key" \
     --header "Content-Type: application/json" \
     https://fcm.googleapis.com/fcm/send \
     -d "{\"registration_ids\":[\"ABC\"]}"
Source: https://abss.me/posts/fcm-takeover/
Would be cool if this would be integrated in the script. I will be trying to integrate this myself sometime soon, so I might come back later with a pull request.
The script can do:
Hi there, the Google Maps endpoint for the "Custom Search API" requires a valid referer header before processing the request. If you add the correct referer (in most cases the website that is leaking the API token) it goes through. Atm I launched the script with the private API key, and it fails to detect this endpoint even though it's vulnerable. I manually added the referer and it works.
Could you add a script parameter that asks for the referer header on script launch and subsequently adds it to the sent request?
Hello @ozguralp
Thanks for the tool.
Btw I have a doubt. What about this type of Google map? Nowadays so many sites are using a map in an iframe.
How to know the API key? Is there a method?
Can you help on this?
<iframe title="Google Maps" src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d2460i768!4f13.1!3m3!1m2!1s0x47c4348fb3c0de4d%3A0x3eb9473d3aaf9db6!2s!5e0!3m2!1sen!2snl!4v1494572044200" frameborder="0" allowfullscreen></iframe>
When I try to open this iframe link I get this type of response in the source code:
<script src="https://maps.googleapis.com/maps/api/js?client=google-maps-embed&paint_origin=&libraries=geometry,search&v=3.exp&language=en_US&region=no&callback=onApiLoad" nonce="JLOyqV1ANgEX13u4e9g==" async defer></script>
The endpoint used in https://github.com/ozguralp/gmapsapiscanner/blob/master/maps_api_scanner.py#L28 will always work on valid API keys, even if the key is restricted. Here is why:
If the embed maps are using the basic embed requests, Google will not check restrictions, as the usage of that API is free.
https://www.google.com/maps/embed/v1/place?q=Seattle&key=KEY
But if the advanced map modes are used, then the restrictions apply.
https://www.google.com/maps/embed/v1/search?q=record+stores+in+Seattle&key=KEY
Example:
.dockerignore file content:
Containerfile
LICENSE
README.md
maps_api_scanner.py
Here is what I use on the latest Fedora (after git clone --depth 1 this repo):
Build by: podman build --rm -t gmapsapiscanner .
Run by: podman run --name gmapsapiscanner -ti --entrypoint /bin/sh --rm gmapsapiscanner
then python3 maps_api_scanner_python3.py
and enter the key.
Containerfile content:
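FROM python:alpine
# Update base packages and create an unprivileged user
RUN set -ex; \
    apk update; \
    apk upgrade; \
    adduser -D appuser
# Run everything below as the unprivileged user, not root
USER appuser
WORKDIR /home/appuser/gmapsapiscanner/
COPY . /home/appuser/gmapsapiscanner/
# The scanner's only third-party dependency
RUN set -ex; \
    pip3 install requests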
It will be possible to use it from the command line without entering the container if the API key can be set by an argument (issue #8); then the Containerfile can add at the bottom:
ENTRYPOINT ["python3", "maps_api_scanner_python3.py", "--apikey"]
and be run like:
podman run --name gmapsapiscanner --rm gmapsapiscanner API_KEY_HERE
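An added example, not code from the gmapsapiscanner project: a sketch of the non-interactive key input requested above for container use. It accepts --apikey, falls back to an environment variable (so the key need not appear in shell history or process listings), and only then prompts. The function name, the GMAPS_API_KEY variable and the key-format pattern are assumptions.

```python
import argparse
import getpass
import re

# Assumption: Google API keys are "AIza" followed by 35 URL-safe characters.
KEY_RE = re.compile(r"^AIza[0-9A-Za-z_-]{35}$")
ENV_VAR = "GMAPS_API_KEY"  # hypothetical variable name


def resolve_api_key(argv, environ, prompt=getpass.getpass):
    """Pick the key from --apikey, then the environment, then a hidden prompt."""
    parser = argparse.ArgumentParser(description="Google Maps API key scanner")
    # A key passed as an argument is visible in process listings and shell history.
    parser.add_argument("--apikey", "-a", help="API key to test")
    args = parser.parse_args(argv)
    key = args.apikey or environ.get(ENV_VAR) or prompt("API key: ")
    key = key.strip()
    # Reject obviously malformed input before any request is sent.
    if not KEY_RE.match(key):
        raise ValueError("value does not look like a Google API key")
    return key


if __name__ == "__main__":
    import os
    import sys

    apikey = resolve_api_key(sys.argv[1:], os.environ)
    # Print only a short prefix so the full key does not end up in logs.
    print("Using key starting with", apikey[:8])
```

With a change like this, the ENTRYPOINT line above works as proposed, and the key can alternatively be passed to the container through the environment.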
I used the latest version (pulled the code one hour ago)
Try this key AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio.
Then if you try the generated iframe code:
<iframe width="600" height="450" frameborder="0" style="border:0" src="https://www.google.com/maps/embed/v1/place?q=Seattle&key=AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio" allowfullscreen></iframe>
You will get this: