Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62200612536
HistoryOct 27, 2006 - 12:00 a.m.

Google advanced techniques—GooGle Hack-vulnerability warning-the black bar safety net

2006-10-2700:00:00
佚名
www.myhack58.com
165
JSON

google hacking is actually not anything new,at the time did not pay attention to this technology,think of webshell or something,and without too much practical use. google hacking is not so simple…

Commonly used google keyword:
foo1 foo2 (which is associated, such as search xx company xx beauty)
operator:foo
filetype:1 2 3 Type
site:foo.com relatively straightforward to see the website more interesting, you can get many unexpected information
intext:foo
intitle: fooltitle title Oh
allinurl:foo search xx website all the relevant connections. (Pedal point necessary)
links:foo don’t say you know is it related links
allintilte:foo.com

We can assist"-" "+"to adjust the search to the precise degree

Direct search password: (quotation marks are represented as exact search)
Of course we can then extend the above results to the second search
“index of” htpasswd / passwd
filetype:xls username password email
“ws_ftp. log”
“config.php”
allinurl:admin mdb
service filetype:pwd… Or some such as pcanywhere the password suffix cif, etc.

More and more interesting, then a little more sensitive information
“robots.txt” “Disallow:” filetype:txt
inurl:_vti_cnf (FrontPage key index. the scanner of CGI libraries in General)
allinurl: /msadc/Samples/selector/showcode. asp
/…/…/…/passwd
/examples/jsp/snp/snoop. jsp
phpsysinfo
intitle:index of /admin
intitle:“documetation”
inurl: 5 8 0 0(vnc port)or desktop port such as multiple keyword search
webmin port 1 0 0 0 0
inurl:/admin/login. asp
intext:Powered by GBook365
intitle:“php shell*” “Enable stderr” filetype:php direct the search to phpwebshell

foo.org filetype:inc

ipsec filetype:conf
intilte:“error occurred” ODBC request where (select|insert) plainly means, you can directly try to check the database to retrieve, for the current popular sql injection, will be developed Oh
“Dumping data for table” username password
intitle:“Error using Hypernews”
“Server Software”
intitle:“HTTP_USER_AGENT=Googlebot”
“HTTP_USER_ANGET=Googlebot” THS ADMIN
filetype:.doc site:. mil classified direct search military-related word

Check multiple keywords:
intitle:config confixx login password

mydomain.com” nessus report
“report generated by”
“ipconfig”
“winipconfig”

google cache use hoho, the most influential of the things recommended everyone to search when"search all sites"
Particularly recommended: administrator, users and other related things, such as your name, birthday, etc… The most miserable it can also be used as a dictionary.

Some tips collection:

  1. index. of. password
  2. filetype:blt “buddylist”
  3. “access denied for user” “using password”
  4. intitle:“index of” inurl:ftp (pub | incoming)
  5. http://*:*@www” domainname
  6. filetype:cnf inurl:_vti_pvt access. cnf
  7. auth_user_file.txt
  8. allinurl:“//_vti_pvt/" | allinurl:"//_vti_cnf/”
  9. The Master List
  10. inurl:“install/install.php”
  11. allinurl: admin mdb
  12. intitle:“welcome. to. squeezebox”
  13. passlist.txt (a better way)
  14. intext:““BiTBOARD v2. 0” BiTSHiFTERS Bulletin Board”
  15. “A syntax error has occurred” filetype:ihtml
  16. intitle:Login intext:“RT is ? Copyright”
  17. “# -FrontPage-” inurl:service. pwd
  18. ext:php program_listing intitle:MythWeb. Program. Listing
    1 0) ORA-0 0 9 2 1: unexpected end of SQL command
    1 0) intitle:index. of abyss. conf

NO2:
--------------------------------------------------------------------------------

google hacking simple implementation
Using google some of the syntax can provide us more information(of course also offered to those who are accustomed to attack the people more of what they want.), The following is to introduce some of the commonly used syntax.
intext:
This is the page in the body content of a character as a search condition. For example, in google, enter:intext:Action Network. Will return all in the body of the page section contains the"Action Network"page. allintext:use and intext similar.

intitle:
And above that intext almost,search the page title if there we’re looking for characters. For example search:intitle:Safety Angel. Will return all pages with titles containing"Safety Angel"network

Page. Similarly allintitle:also with the intitle is similar.

cache:
Search google on some of the content of the cache,sometimes may be able to find some good things Oh.

define:
Search for a word definition,search:define:hacker,will return about the hacker definition.

filetype:
This I want to focus recommend something,whether it is Net-working attack or are we back to say the specific goals for information collection need to be used to this. Searches for the specified type of file. For example, the input

:filetype:doc. Will return all to the doc at the end of the file URL. Of course, if you’re looking for. bak,. mdb or. inc is also possible,the information obtained may be richer:)

inf
Find the specified site of some of the basic information.

inurl:
Search our specified character exists in the URL. For example, enter:inurl:admin,will return N similar to such a connection http://www. xxx. com/xxx/admin,used to find the administrator den

Land of the URL of the good. allinurl also with inurl similar,you can specify multiple characters.

link:
For example search:inurl:www. 4ngel. net can return all the and www. 4ngel. net to do a link URL.

site:
This is also very useful,for example:site:www. 4ngel. net. Will return all and 4ngel. net this station for the URL.

Oh, and some of the*operators is also very useful:
+ Put google may ignore the word column as the query range
The - a word ignored
~ Consent of the word
. A single wildcard
The * wildcard can represent multiple letters
“” Precise query

The following began to talk about the practical application

The following are on google search,for an ulterior motive of the attacker,maybe he’s most interested in is the password file. And google because of its powerful search capabilities will tend to

Put some sensitive information disclosed to them. With a google search for the following content:
intitle:“index of” etc
intitle:“Index of” . sh_history
intitle:“Index of” . bash_history
intitle:“index of” passwd
intitle:“index of” people. lst
intitle:“index of” pwd. db
intitle:“index of” etc/shadow
intitle:“index of” spwd
intitle:“index of” master. passwd
intitle:“index of” htpasswd
“# -FrontPage-” inurl:service. pwd
Sometimes because of various reasons some important password file is unprotected exposure on the network,if be people with ulterior motives to get,Then the harm is very large

Can also use google to search for some with the vulnerability of the program,such as ZeroBoard some time ago found a file code disclosure vulnerability,you can use google to find online the use of this program site:
intext:ZeroBoard filetype:php
Or use:
inurl:outlogin. php? _zb_path= site:. jp
To find our desired page. phpmyadmin is a powerful databasemade software,some sites due to configuration errors,cause we can not use the password directly to phpmyadmin. We can use google search the existence of such a vulnerability program URL:
intitle:phpmyadmin intext:Create new database

Also http://www. xxx. com/_vti_bin/…%5C…%5C…%5C…%5C…%5C…/winnt/system32/cmd. exe? dir? With google look for, you may also find many of the antique machines. Similarly, we can use this look for other cgi vulnerabilities page.
allinurl: winnt system32

The front has simple said You can use google to search for the database file,with some syntax to precisely find to be able to get more things(access database,mssql, mysql connection files, etc.). For example an example about it:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:“index of” data //in some incorrectly configured apache+win32 Server often this occurs,and above the same principle,we can also use google to find the background.

Use google is entirely possible for one site for information gathering and infiltration, here we use google to specific sites to conduct a test.
First with google look at this site some of the basic situation(some of the details of the part omitted):
site:xxxx.com
From the information returned, find a few of the schools in the several Department of the Court of the domain name:
http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
By the way the ping a bit, should be on a different server. The school will generally have a lot better information, take a look at what good things didn’t

site:xxxx.com filetype:doc
Give N a good doc.

The first look of the website management background address:
site:xxxx.com intext:management
site:xxxx.com inurl:login
site:xxxx.com intitle:management
Over get 2 a management background address:
http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_admin/login_in.asp

Also good to see on the server running what is the procedure:
site:a2.xxxx.com filetype:asp
site:a2.xxxx.com filetype:php
site:a2.xxxx.com filetype:aspx
site:a3.xxxx.com filetype:asp
site:…

a2 server should be IIS, the above is the asp of the entire Station program, there is a php Forum
a3 server is IIS, aspx+asp. web applications should be developed. There are forums that see if you can meet what the public FTP account or something: the
site:a2.xxxx.com intext:ftp://:
Didn’t find anything worthwhile. Look again there is no upload for a class of vulnerabilities:
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
In a2 is found on a file upload page:
http://a2.xxxx.com/sys/uploadfile.asp
Use IE to see it, no permission to access. Try injection,
site:a2.xxxx.com filetype:asp
Get N asp page address, the physical work will allow the software to do it, this program is clearly not for injection do what the guard, dbowner permissions, although not high, but has enough, back a shell not too Hi

Welcome, and look the database of the head is not small, directly to the web Administrator’s password storm out and besides, MD5 encryption. General school site passwords are more regular, are usually the domain name+

Telephone type of deformation, use google to get it.
site:xxxx.com //obtain the N second-level domain
site:xxxx.com intext:*@xxxx.com //get N E-mail address, and the mailbox owner’s name or something.
site:xxxx.com intext:phone //N Telephone
Put what information do dictionary right, hang on slowly run. Over a period of time ran out of the 4 accounts, 2 are students, 1 administrator, and one may be the teacher’s account. Landing up to:
name: website administrator
pass: the a2xxxx7619 //say it, is the domain name+4 numbers
You cannot provide rights that do not belong to this article discusses access to, Oh, stop here.

This time in some foreign google hack research site looked at, in fact also are the same are some of the basic syntax of flexibility in the use of, or with a scripting vulnerabilities, mainly rely on

Personal and flexible thinking. Abroad for google hack aspect of prevention is also is not a lot, so we still point to far, don’t go to destroy La, huh. For some in the win on the run
apache the network management should pay more attention to this aspect, a intitle:index of almost all out:)

  1. Lookup using a php webshell

intitle:“php shell*” “Enable stderr” filetype:php

(Note: intitle—the title of the webpage Enable stderr—UNIX standard output, and standard error of the abbreviation of the filetype—the file type). Search results, you can find a lot of directly on the machine execution.

The line command in the web shell. If found the PHPSHELL do not use if you are not familiar with UNIX, you can directly look at the LIST, here it is not described in detail, there is more use value. To illustrate

Is, we are here to search out some foreign PHPSHELL are to be used UNIX commands, system calls out of the function(in fact, with Baidu and other search engines are available, just fill

Write the search content is different). This PHPWEBSHELL is a direct Echo(Unix commonly used commands). A word on the home page get:

echo “summon” > index. jsp

Now look at home, have been we changed to: “summon”.

We can also use WGET to upload a file on the go(for example you want to replace the leaf bars). Then execute the Command input cat file > index.html or echo “” > file

echo “test” >> file

Such a break out, the site home page will successfully be replaced. The same can also be

uname-a;cat /etc/passwd

But a bit to note that some of the WEBSHELL program has a problem, the Executive will not,

  1. Search INC sensitive information

In the google search box fill in:

Code:

. org filetype:inc

JSON