Exploiting Misconfigured Webservers To Find Credentials/Configs (Pt 2).

Uncovering data leaks with a Custom Python Tool
In cybersecurity, misconfigured devices with weak security are prime targets for attackers. Part 1 of this series explored using Shodan to find exposed devices with open ports or outdated firmware. Now, in Part 2, I (Charlie Avery) introduce “Valhalla,” a refined Python tool inspired by dk0m’s Haku Scan. It automates scanning Shodan for exposed SQL database dumps in open directories, streamlining breach detection for ethical hackers. Use this tool legally and ethically.
Setup and Architecture
Valhalla is written in Python and uses the os, time, requests, toml, shodan, rich, and beautifulsoup4 libraries. To set it up:
Install the dependencies: pip install shodan toml rich beautifulsoup4 (requests, which the script also imports, is not part of the standard library, so install it too if it is missing).
Create a config.toml containing your Shodan API key and your search query, e.g., http.title:"Index of" ".sql".
Replace the Discord webhook URL in script.py with your own.
Run: python script.py.
The core valhalla class uses a modular scan() method, easily extensible for other search engines like Censys.
Key Features
Config Loading: Reads settings from config.toml, so the API key stays out of the script and the configuration is portable. Errors are reported clearly via rich.console.
Shodan Integration: Queries Shodan with paginated results to avoid API limits, ideal for large scans.
Host Parsing: Extracts IP, port, and hostname, organizing outputs into unique folders (e.g., urls/unknown_{ip}).
HTML Scraping: Uses BeautifulSoup to parse and save HTML from Shodan’s HTTP data for offline analysis.
File Detection: Identifies .sql or .sqlite files, parsing filename, size, and date, filtering invalid entries.
Output Management: Saves results to urls.txt and per-host info.txt, with robust folder creation and error handling.
Discord Notifications: Sends real-time alerts via webhooks with host details, file info, and direct links.
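The file-detection step described above, as an added example that is not Valhalla's own code: it parses a constructed Apache-style "Index of" listing with the standard-library html.parser (used here instead of BeautifulSoup so the snippet has no third-party dependency), keeps only .sql/.sqlite rows that carry a valid date and size, and drops sort links, the parent-directory link and sub-folders. The same function can be pointed at your own servers' directory listings to confirm that no dump is indexable.

```python
import re
from datetime import datetime
from html.parser import HTMLParser

DUMP_EXTENSIONS = (".sql", ".sqlite")
ROW_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)")  # "<date> <time> <size>"
SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# Constructed sample of Apache mod_autoindex output; not captured from any real host.
SAMPLE_LISTING = """<html><head><title>Index of /backups</title></head><body>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="/">Parent Directory</a>                           -
<a href="customer_db_2025-08-18.sql">customer_db_2025-08-18.sql</a> 2025-08-18 03:12  5.1M
<a href="app.sqlite">app.sqlite</a>                     2025-08-17 22:05  312K
<a href="notes.txt">notes.txt</a>                       2025-08-10 10:00  1.2K
<hr></pre></body></html>"""

class _IndexParser(HTMLParser):
    """Pairs each <a href> inside <pre> with the text that follows it (date and size)."""
    def __init__(self):
        super().__init__()
        self.in_pre, self.rows = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            self.in_pre = True
        elif tag == "a" and self.in_pre:
            self.rows.append([dict(attrs).get("href", ""), ""])
    def handle_endtag(self, tag):
        self.in_pre = self.in_pre and tag != "pre"
    def handle_data(self, data):
        if self.in_pre and self.rows:
            self.rows[-1][1] += data

def size_to_bytes(text):
    """Convert an autoindex size such as '5.1M' to bytes; '-' (a directory) gives None."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)]) if m else None

def find_dump_files(html):
    """Return .sql/.sqlite rows as dicts; sort links, parent dir and sub-folders are dropped."""
    parser = _IndexParser()
    parser.feed(html)
    hits = []
    for href, trailing in parser.rows:
        m = ROW_RE.search(trailing)
        if not m or href.startswith(("?", "/")) or href.endswith("/"):
            continue  # no date/size, or not a plain file entry
        if href.lower().endswith(DUMP_EXTENSIONS):
            hits.append({"name": href, "modified": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                         "size_bytes": size_to_bytes(m.group(2))})
    return hits
```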
Why It’s Valuable
Saves Time: Automates tedious Shodan searches, parsing hundreds of results quickly.
Actionable Insights: Finds recently modified SQL dumps, with their metadata, that may expose credentials or configuration files on IoT devices.
Customizable: Adjust the query for specific device classes, such as the common IoT web ports (80/8080).
Risk Assessment: Alerts organizations to exposed data, preventing breaches.
Protecting Businesses
Valhalla detects exposed SQL files, such as customer records on misconfigured IoT servers, so companies can fix the underlying issue (e.g., disable directory indexing) before an attacker finds them. For example, an e-commerce firm’s exposed customer_db_2025-08-18.sql on a camera’s web server is found, reported via a Discord alert, and secured within hours, averting fines and lawsuits.
If you find leaks, contact the company via email or support, detailing the attack vector, leak contents, severity, and reproduction steps. Use bug bounty programs if available.
Real-World Example
While you are pentesting a smart home company, Valhalla finds a users_2025-08-18.sql file (5MB) in an IoT camera’s open directory. You report the unhashed passwords it contains, preventing a major breach.
Conclusion
Valhalla transforms reconnaissance, automating data breach discovery. Part 3 will cover analyzing dumps and chaining exploits. Hack responsibly.
Written by Charlie Avery
I am a 19-year-old, self-taught computer programmer and aspiring malware analyst. I have also taught myself penetration testing via TryHackMe and HTB. I hope to one day work in a security operations centre, protecting companies worldwide from threats.