Google advanced techniques—GooGle Hack-vulnerability warning-the black bar safety net

2006-10-27T00:00:00
ID MYHACK58:62200612536
Type myhack58
Reporter Anonymous
Modified 2006-10-27T00:00:00

Description

Google hacking is actually nothing new. At the time I did not pay much attention to the technique, thinking it was only good for finding webshells and the like and had little practical use. Google hacking is not that simple...

Commonly used Google keywords:
foo1 foo2 (the two terms are ANDed, e.g. searching for xx company together with xx beauty)
operator:foo
filetype:xxx (a file type)
site:foo.com (the most straightforward way to see what is interesting on a site; it can turn up a lot of unexpected information)
intext:foo
intitle:foo (the page title)
allinurl:foo (searches for all related links on the xx site; a necessary stepping stone)
link:foo (related links, as the name says)
allintitle:foo.com

The "-" and "+" operators can be used to fine-tune how precise the search is.

Searching directly for passwords (quotation marks mean an exact-phrase search); each of these results can of course be refined with a second search:
"index of" htpasswd / passwd
filetype:xls username password email
"ws_ftp.log"
"config.php"
allinurl:admin mdb
service filetype:pwd
.... or password-file extensions such as pcAnywhere's .cif

More interesting still, some more sensitive information:
"robots.txt" "Disallow:" filetype:txt
inurl:_vti_cnf (FrontPage's key index directory; CGI scanners generally include it in their libraries)
allinurl:/msadc/Samples/selector/showcode.asp
/../../../passwd
/examples/jsp/snp/snoop.jsp
phpsysinfo
intitle:index of /admin
intitle:"documetation"
inurl:5800 (the VNC port), or other remote-desktop ports; combine several keywords, e.g. webmin port 10000
inurl:/admin/login.asp
intext:Powered by GBook365
intitle:"php shell*" "Enable stderr" filetype:php (searches directly for PHP web shells)

foo.org filetype:inc

ipsec filetype:conf
intitle:"error occurred" ODBC request where (select|insert) (the error text plainly shows the query, so you can try the database directly; this will be developed further for today's popular SQL injection)
"Dumping data for table" username password
intitle:"Error using Hypernews" "Server Software"
intitle:"HTTP_USER_AGENT=Googlebot" or "HTTP_USER_ANGET=Googlebot"
THS ADMIN
filetype:.doc site:.mil classified (searching directly for military-related words)

Checking several keywords at once: intitle:config confixx login password

"mydomain.com" nessus report
"report generated by"
"ipconfig" "winipconfig"

Google's cache is also useful. The most productive thing, which I recommend to everyone, is to search all sites for things related to the administrator or users, such as their names, birthdays and so on... At the very least the results can serve as a dictionary.

......

A collection of tips:

1) index.of.password
2) "access denied for user" "using password"
3) "http://:@www" domainname
4) auth_user_file.txt
5) The Master List
6) allinurl: admin mdb
7) passlist.txt (a better way)
8) "A syntax error has occurred" filetype:ihtml
9) "# -FrontPage-" inurl:service.pwd
10) ORA-00921: unexpected end of SQL command

1) filetype:blt "buddylist"
2) intitle:"index of" inurl:ftp (pub | incoming)
3) filetype:cnf inurl:_vti_pvt access.cnf
4) allinurl:"//_vti_pvt/" | allinurl:"//_vti_cnf/"
5) inurl:"install/install.php"
6) intitle:"welcome.to.squeezebox"
7) intext:""BiTBOARD v2.0" BiTSHiFTERS Bulletin Board"
8) intitle:Login intext:"RT is ? Copyright"
9) ext:php program_listing intitle:MythWeb.Program.Listing
10) intitle:index.of abyss.conf

NO2: --------------------------------------------------------------------------------

A simple implementation of Google hacking. Some of Google's syntax can give us more information (and of course also gives people who are used to attacking more of what they want). The following introduces some commonly used syntax.

intext: uses a string in the page body as the search condition. For example, entering intext:Action Network in Google returns every page whose body contains "Action Network". allintext: is used in the same way as intext:.

intitle: is much like intext: above, but searches page titles for the string we are looking for. For example, searching intitle:Safety Angel returns all web pages whose title contains "Safety Angel". Likewise allintitle: is similar to intitle:.

cache: searches Google's cached copy of content; sometimes you can find good things there.

define: searches for a word's definition; searching define:hacker returns definitions of hacker.

filetype: is the one I particularly want to recommend; whether for a network attack or for the information gathering on a specific target that we come back to later, this is the one you need. It searches for files of the specified type. For example, entering filetype:doc returns the URLs of all files ending in .doc. Of course you can also search for .bak, .mdb or .inc, and the information obtained may be richer :)

info: finds some basic information about the specified site.

inurl: searches for the specified string in the URL. For example, entering inurl:admin returns N links of the form http://www.xxx.com/xxx/admin, which is good for finding the administrator's login URL. allinurl: is similar to inurl:, but you can specify several strings.

link: for example, searching link:www.4ngel.net returns all URLs that link to www.4ngel.net.

site: is also very useful; for example, site:www.4ngel.net returns all URLs on the 4ngel.net site.

Some other operators are also very useful:
+ includes in the query a word Google might otherwise ignore
- excludes a word
~ also matches synonyms of the word
. a single-character wildcard
* a wildcard that can stand for several letters
"" an exact-phrase query

Now for the practical application.

On Google, what an attacker with ulterior motives is probably most interested in is password files, and Google, because of its powerful search capability, tends to expose such sensitive information to them. Search Google for the following:
intitle:"index of" etc
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
Sometimes, for various reasons, an important password file is left exposed on the network without protection; if someone with bad intentions gets hold of it, the harm is very great.

Google can also be used to search for programs with known vulnerabilities. For example, a file source-code disclosure vulnerability was found in ZeroBoard some time ago; Google can find sites running that program: intext:ZeroBoard filetype:php or inurl:outlogin.php?_zb_path= site:.jp. phpMyAdmin is a powerful database management tool; on some sites a configuration error lets phpMyAdmin be used without a password. Google can search for URLs with this vulnerability: intitle:phpmyadmin intext:Create new database

Likewise, searching Google for http://www.xxx.com/_vti_bin/..%5C..%5C..%5C..%5C..%5C../winnt/system32/cmd.exe?dir may still turn up many antique machines. In the same way other CGI vulnerability pages can be looked for: allinurl: winnt system32
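From the defender's side, the first sign that someone is working through lists like these against your site is a burst of requests for exactly these paths in the web server's access log. The script below is an added example, not code from the original article: it scans Common Log Format lines for the probe targets named above (the FrontPage _vti_pvt and _vti_cnf directories, showcode.asp, snoop.jsp, the cmd.exe traversal) and for files with database or password extensions. The log lines, IP addresses and paths it contains are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); hosts and addresses are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2006:10:01:12 +0800] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [27/Oct/2006:10:01:15 +0800] "GET /_vti_pvt/service.pwd HTTP/1.1" 404 210
203.0.113.9 - - [27/Oct/2006:10:01:16 +0800] "GET /_vti_bin/..%5C..%5C..%5C..%5C..%5C../winnt/system32/cmd.exe?dir HTTP/1.1" 404 210
203.0.113.9 - - [27/Oct/2006:10:01:17 +0800] "GET /msadc/Samples/selector/showcode.asp?source=/../../../boot.ini HTTP/1.1" 404 210
198.51.100.2 - - [27/Oct/2006:10:02:01 +0800] "GET /examples/jsp/snp/snoop.jsp HTTP/1.0" 200 1400
198.51.100.2 - - [27/Oct/2006:10:02:03 +0800] "GET /bbs/data/forum.mdb HTTP/1.0" 200 884736
192.0.2.7 - - [27/Oct/2006:10:03:00 +0800] "GET /images/logo.gif HTTP/1.1" 200 3011
"""

# host ident user [time] "method url protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths from the article's lists; compared case-insensitively against the decoded path.
PROBE_PATHS = (
    "/_vti_pvt/",
    "/_vti_cnf/",
    "/msadc/samples/selector/showcode.asp",
    "/examples/jsp/snp/snoop.jsp",
    "/winnt/system32/cmd.exe",
)
SENSITIVE_EXT = (".mdb", ".inc", ".pwd", ".cnf", ".bak")
SENSITIVE_NAMES = ("htpasswd", "passwd", "shadow", "ws_ftp.log", ".bash_history", ".sh_history")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" after percent-decoding


def classify(url):
    """Return the reasons a request URL looks like a Google-hacking style probe."""
    decoded = unquote(url)                 # %5C becomes a backslash, etc.
    path = decoded.split("?", 1)[0].lower()
    basename = path.rsplit("/", 1)[-1]
    reasons = []
    if TRAVERSAL_RE.search(decoded):       # check the query string as well as the path
        reasons.append("directory traversal")
    if any(p in path for p in PROBE_PATHS):
        reasons.append("known probe path")
    if basename.endswith(SENSITIVE_EXT):
        reasons.append("sensitive file extension")
    if basename in SENSITIVE_NAMES:
        reasons.append("sensitive file name")
    return reasons


def scan_log(text):
    """Parse CLF lines and keep those whose URL triggers at least one reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed line: skip, never crash the scan
        reasons = classify(m.group("url"))
        if reasons:
            findings.append({"ip": m.group("ip"), "url": m.group("url"),
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


def hits_per_ip(findings):
    """Count suspicious requests per source address."""
    return Counter(f["ip"] for f in findings)


def served_ok(findings):
    """Probes the server answered with 200: these actually disclosed something."""
    return [f for f in findings if f["status"] == 200]
```

Requests answered with 200 (here snoop.jsp and forum.mdb) are the ones that leaked something and deserve attention first; the 404s still identify the scanning source, which is what the per-address count is for.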

As mentioned earlier, Google can search for database files; with some syntax you can pinpoint things that yield more (Access databases, MSSQL and MySQL connection files, etc.). For example: allinurl:bbs data filetype:mdb, inurl:database filetype:inc conn, inurl:data filetype:mdb, intitle:"index of" data // this often occurs on misconfigured Apache+Win32 servers. On the same principle, Google can also be used to find the admin backend.
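The operator syntax explained above and the password, database and "index of" dorks collected on this page read just as well as an inventory of what a defender must keep out of the web root. The script below is an added example, not code from the original article: it parses dorks in the syntax described above into local file-system rules and reports which files under a web root each dork would surface. filetype:/ext: become extension checks, inurl:/allinurl: path checks, a bare word a file-name check, a quoted phrase or intext: a file-content check, and "index of" a directory-listing check; site:, link:, cache: and define: have no meaning on disk and are dropped. It assumes the worst case, that directory listing is enabled, so a listing check is satisfied by any directory without an index page. The sample web root, its file names and contents are constructed for the example.

```python
import os
import re
import tempfile

# One token: optional "-", optional operator:, then a "quoted phrase" or a bare word.
TOKEN_RE = re.compile(r'(?P<neg>-?)(?:(?P<op>[a-z]+):)?(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.asp", "default.aspx"}
# Operators with a meaning on the local disk; site:, link:, cache: and define: have none.
LOCAL_OPS = {"filetype": "ext", "ext": "ext", "inurl": "path", "allinurl": "path",
             "intext": "content", "allintext": "content"}

def parse_dork(query):
    """Translate one dork (no '|') into (kind, value, negated) rules."""
    query = re.sub(r":\s+", ":", query.strip())  # accept "allinurl: admin"
    rules = []
    for m in TOKEN_RE.finditer(query):
        quoted = m.group("quoted") is not None
        value = (m.group("quoted") if quoted else m.group("bare")).lower().lstrip("/")
        if not value or value == "of":  # "of" only appears in an unquoted "index of"
            continue
        neg, op = bool(m.group("neg")), m.group("op")
        if op in (None, "intitle", "allintitle") and value.replace(".", " ") == "index of":
            rules.append(("listing", "", neg))  # the dork targets a directory listing
        elif op in LOCAL_OPS:
            rules.append((LOCAL_OPS[op], value, neg))
        elif op is None:  # plain word -> file name; quoted phrase -> file content
            rules.append(("content" if quoted else "name", value, neg))
    return rules

def _rule_hits(rule, relpath, read_content, listable):
    """True when one rule matches the file at relpath ('/'-separated, relative to root)."""
    kind, value, _neg = rule
    name = relpath.rsplit("/", 1)[-1].lower()
    if kind == "listing":
        return listable
    if kind == "ext":
        return name.endswith("." + value.lstrip("."))
    if kind == "path":
        return value in relpath.lower()
    if kind == "name":
        return value in name
    return value in read_content()  # kind == "content"

def audit_webroot(root, dorks):
    """Sorted (relative path, dork) pairs for each file one of the dorks would surface.

    Worst case is assumed: directory listing is on, so a listing rule holds for any
    directory that has no index file.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        listable = not any(f.lower() in INDEX_FILES for f in files)
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            cache = {}

            def read_content(full=full, cache=cache):  # read at most 64 KiB, once per file
                if "text" not in cache:
                    with open(full, "rb") as fh:
                        cache["text"] = fh.read(65536).decode("latin-1").lower()
                return cache["text"]

            for dork in dorks:
                for alt in dork.split("|"):  # "a | b": either side may match
                    rules = parse_dork(alt)
                    # a rule passes when it hits and is positive, or misses and is negated
                    if rules and all(_rule_hits(r, rel, read_content, listable) != r[2] for r in rules):
                        findings.append((rel, dork))
                        break
    return sorted(findings)

def build_sample_webroot():
    """Write a constructed web root into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    sample = {  # placeholder contents, constructed for this example
        "index.html": "<html>home</html>",
        "admin/db/data.mdb": "Standard Jet DB",
        "include/conn.inc": "<?php $dsn = 'mysql:host=localhost'; ?>",
        "_vti_pvt/service.pwd": "# -FrontPage-\nadmin:x",
        "private/htpasswd": "admin:x",
        "docs/index.html": "<html>docs</html>",
        "docs/htpasswd": "admin:x",  # same file, but its directory has an index page
    }
    for rel, text in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

# Dorks taken from this article's own lists.
PAGE_DORKS = [
    'intitle:"index of" htpasswd',
    "inurl:data filetype:mdb",
    "filetype:inc conn",
    '"# -FrontPage-" inurl:service.pwd',
    'allinurl:"//_vti_pvt/" | allinurl:"//_vti_cnf/"',
]
```

audit_webroot(build_sample_webroot(), PAGE_DORKS) reports service.pwd (twice, once per matching dork), data.mdb, conn.inc and private/htpasswd, but not docs/htpasswd, whose directory has an index page and so would never show up in a listing. Pointed at a real document root it gives the list of files to move out of the web tree or deny in the server configuration; turning listing off on the server (Options -Indexes on Apache) closes the second half of the exposure.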

Google can be used for information gathering and penetration of a single site, so here we use it to test a specific site. First look at the site's basic situation with Google (some details omitted): site:xxxx.com. From the information returned, find the domain names of several of the school's departments: http://a1.xxxx.com http://a2.xxxx.com http://a3.xxxx.com http://a4.xxxx.com. Ping them and they appear to be on different servers. A school generally has a lot of good information; take a look at what is there

site:xxxx.com filetype:doc gives N useful .doc files.

First look for the site's management backend address: site:xxxx.com intext:management, site:xxxx.com inurl:login, site:xxxx.com intitle:management. That gives two management backend addresses: http://a2.xxxx.com/sys/admin_login.asp http://a3.xxxx.com:88/_admin/login_in.asp

It is also good to see what programs run on the servers: site:a2.xxxx.com filetype:asp, site:a2.xxxx.com filetype:php, site:a2.xxxx.com filetype:aspx, site:a3.xxxx.com filetype:asp, site:....... The a2 server should be IIS; the above is a site-wide ASP program, plus a PHP forum. The a3 server is IIS with aspx+asp web applications. Since there are forums, see whether a public FTP account or the like turns up: site:a2.xxxx.com intext:ftp://: Nothing worthwhile. Look again for upload-type vulnerabilities: site:a2.xxxx.com inurl:file, site:a3.xxxx.com inurl:load. On a2 a file upload page is found: http://a2.xxxx.com/sys/uploadfile.asp; viewed in IE, no permission to access. Try injection: site:a2.xxxx.com filetype:asp gives N ASP page addresses, and the manual labour is left to the tools. This program clearly has no defence against injection; dbowner permissions are not high but are sufficient, though getting a shell back is not very exciting, and the database is not small. The web administrator's password is dumped directly; it is MD5-encrypted. School site passwords are generally regular, usually a variation of the domain name plus a telephone number, so use Google to get them: site:xxxx.com // gives N second-level domains; site:xxxx.com intext:*@xxxx.com // gives N e-mail addresses and the mailbox owners' names; site:xxxx.com intext:phone // N telephone numbers. Make that information into a dictionary and let it run slowly. After a while it had cracked 4 accounts: 2 students, 1 administrator and one that may be a teacher's. Log in: name: website administrator, pass: a2xxxx7619 // as said, the domain name + 4 digits. Privilege escalation is not within the scope of this article, so stop here.

I recently looked at some foreign Google hacking research sites; it is all the same: flexible use of the basic syntax, or combining it with scripting vulnerabilities, relying mainly on personal, flexible thinking. Abroad there is also not much defence against Google hacking, so we are still a long way off; don't go and destroy things, huh. Administrators running Apache on Windows should pay particular attention to this: an intitle:index of search exposes almost everything :)

1. Looking for a PHP webshell

intitle:"php shell*" "Enable stderr" filetype:php

(Note: intitle is the page title; Enable stderr is the abbreviation for UNIX standard output and standard error; filetype is the file type.) In the search results you can find many web shells that execute command-line commands directly on the machine. If you find a PHPSHELL and are not familiar with UNIX, you can look directly at the LIST; it is not described in detail here, since it has more use value. Note that the foreign PHPSHELLs we find here use UNIX commands and system calls (in fact Baidu and other search engines work too; only the search content differs). This PHP webshell is a direct echo (a commonly used Unix command). One line gets the home page:

echo "summon" > index. jsp

Now look at the home page: it has been changed by us to "summon".

We can also use wget to upload a file (for example, if you want to replace a page). Then run cat file > index.html or echo "" > file

echo "test" >> file

Once that runs, the site's home page is successfully replaced. The same goes for

uname -a;cat /etc/passwd

But note that some WEBSHELL programs have problems and will not execute,

2. Searching for sensitive information in INC files

Enter in the Google search box:

Code:

.org filetype:inc