Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62200714342
HistoryMar 03, 2007 - 12:00 a.m.

Use google to carry out penetration testing-vulnerability warning-the black bar safety net

2007-03-0300:00:00
佚名
www.myhack58.com
11
JSON

Today we are penetration testers in the implementation of the attack before, often the first information-gathering, which is the vulnerability is confirmed and the final exploits, expanding the war fruit. Here we are now going to talk about is:

One, use google to find is people who installed a php webshell back door of the host, and test the ability to use;
Second, use google to find exposed INC sensitive information.
OK, now we start:

  1. Lookup using a php webshell

We in the google search box fill in:

Code:
intitle:“php shell*” “Enable stderr” filetype:php

(Note: intitle—the title of the webpage Enable stderr—UNIX standard output, and standard error of the abbreviation of the filetype—the file type). Search results, you can find a lot of directly on the machine executing the command in the web shell. If found the PHPSHELL will not use,if you are not familiar with UNIX,you can directly look at the LIST,here it is not described in detail,there is more use value. To be clear,we are here to search out some foreign PHPSHELL are to be used UNIX commands,system calls out of the function(in fact,with Baidu and other search engines are available, just fill out the search of the content is different). Through my testing,this PHPWEBSHELL is a direct Echo(Unix commonly used commands). A word on the home page get:

Code:
echo “summon” > index. jsp

In the resulting

Code:
echo

Then write on the:“call”

Now look at home,have been we changed to: “summon” .

We can also use WGET to upload a file on the go(for example you want to replace the leaf bars). Then execute the Command input cat file > index.html or echo “” > file

echo “test” >> file

Such a bar fight it out,the site home page will successfully be replaced. The same can also be

Code:
uname-a;cat /etc/passwd

But a little note,some of the WEBSHELL program has a problem, the Executive will not, for example:
http://www.al3toof.com/card/smal … c_html&command=
http://ramsgaard.net/upload/shell.php

These stations of the php global register off

Solutions:
We can use the correlation tool in the Internet to search, if the information is abused, 到http://www.google.com/remove.html the submission you wish to delete the information,
Control search engine robots of the query.

  1. Search INC sensitive information

We in the google search box fill in:

Code:
. org filetype:inc

We now search the is org domain name of the site of the INC’s information(since google shut off the search"COM"information,we can also search other gov,cn,info,tw,jp,edu, etc. and the like)

PS:I see many PHP programmers in the programming time, like put some regular writing of code or configuration information, written in a. inc file, as shared. inc, The global. inc., conn. inc and so on, of course, this is a good habit to include PHP official website is so, but somehow you have not noticed it containing a safety hazard issues.

Once I write a PHP code that inadvertently write the wrong word when I in a browser to view this PHP file, I found the screen detail shows me the error in the PHP file path and code line. (PHP Error display configuration is open. This function in PHP where is the default!), the This means that when we inadvertently write the wrong code(the same. inc files as well) or the PHP code parsing when things go wrong, and the PHP Error display is open,the client user will see the specific url address. inc files.

And. url of the file as txt text,as when in the browser when browsing,without any reservations, shows its contents, and many sites in. inc file for write the important information such as the user password and the like! Including the famous Haier company and Ka bell Moto company,the reason I’m published is because I personally tested,http://www.haier.com/su ***/inc/conn. inc storm out of the database ID password with the client connection does not go up,the site closed 1 2 1 5,and the firewall is also filtered out.

Good,INC-the knowledge that after,we continue to also search to the lot,find the one that exposes the MYSQL password
We can use the client login up to modify the data. Here relates to the database of knowledge,we do not talk too much,about the"INC exposed sensitive information"on to the end here.

Of course we can by some way fix:
1,You can specialize on. inc files for configuration, to avoid the user direct access to the source file.
2,of course the better method is 加上 并且 改 文件 扩展 名为 .php(PHP can parse the extension,so that the client does not access the source file.

Here,I will FreeMind to paint the picture with the text shows.
About Google Hack of detailed information,to help us analyze step on the point
Connection identifier:

Code:
+ - : . * |

Operator:

Code:
“foo1 foo2”
filetype:1 2 3
site:foo.com
intext:foo
intitle:footitle
allinurl:foo

Password-related

Code:
to: “index of”
htpasswd / passwd
filetype:xls username password email
“ws_ftp. log”
“config.php”
allinurl:admin mdb
service filetype:pwd (frontpage)

Sensitive information:

Code:
“robots. tx”
“disallow:”
filetype:txt
inurl:_vti_cnf (frontpage files)
allinurl:/msadc/samples/selector/showcode. asp
allinurl:/examples/jsp/snp/snoop. jsp
allinurl:phpsysinfo
ipsec filetype:conf
intitle:“error occurred” odbc request where (select|insert)
mydomain.com” nessus report
“report generated by”

End:

If you want to get the ROOT permissions necessary to specific issues specific analysis,but with SHELL access it is good to mention,there are many online according to a WEBSHELL to elevate privileges article we can refer to it.

JSON