Use google to conduct“penetration testing”-vulnerability warning-the black bar safety net

ID MYHACK58:62200924636
Type myhack58
Reporter 佚名
Modified 2009-09-13T00:00:00


The dark visitor

Today we are penetration testers in the implementation of the attack before, often the first information-gathering, which is the vulnerability is confirmed and the final exploits, expanding the war fruit. Here we are now going to talk about is:

One, use google to find is people who installed a php webshell back door of the host, and test the ability to use;

Second, use google to find exposed INC sensitive information.

OK, now we start:

  1. Lookup using a php webshell

We in the google search box fill in:

Code: intitle:"php shell*" "Enable stderr" filetype:php

(Note: intitle—the title of the webpage Enable stderr—UNIX standard output, and standard error of the abbreviation of the filetype—the file type). Search results, you can find a lot of directly on the machine executing the command in the web shell. If found the PHPSHELL do not use if you are not familiar with UNIX, you can directly look at the LIST, here it is not described in detail, there is more use value. To be clear, we are here to search out some foreign PHPSHELL are to be used UNIX commands, system calls out of the function(in fact, with Baidu and other search engines are available, just fill out the search of the content is different). Through my testing, this PHPWEBSHELL is a direct Echo(Unix commonly used commands). A word on the home page get:

Code: echo "summon" > index. jsp

In the resulting

Code: echo \

Then write on the:"call"

Now look at home, have been we changed to: "summon".

We can also use WGET to upload a file on the go(for example you want to replace the leaf bars). Then execute the Command input cat file > index.html or echo "" > file

echo "test" >> file

Such a break out, the site home page will successfully be replaced. The same can also be

Code: uname-a;cat /etc/passwd

But a bit to note that some of the WEBSHELL program has a problem, the Executive will not, for example: ... c_html&command=

These stations of the php global register off solutions:

We can use the correlation tool in the Internet to search, if there is information to be abused, to the http://*** want to delete the information, the control search engine robot queries.

  1. Search INC sensitive information

We in the google search box fill in:

Code: . org filetype:inc

We now search the is org domain name of the site of the INC's information(since google shut off the search"COM"information, we can also search other gov, cn, info, tw, jp, edu, etc. and the like)

PS:I see many PHP programmers in the programming time, like put some regular writing of code or configuration information, written in a. inc file, as shared. inc, The global. inc., conn. inc and so on, of course, this is a good habit to include PHP official website is so, but somehow you have not noticed it containing a safety hazard issues. Once I write a PHP code that inadvertently write the wrong word when I in a browser to view this PHP file, I found the screen detail shows me the error in the PHP file path and code line. (PHP Error display configuration is open. This function in PHP where is the default!), the This means that when we inadvertently write the wrong code(the same. inc files as well) or the PHP code parsing when things go wrong, and the PHP Error display is open, the client user will see the specific url address. inc file and. url of the file as txt text, as when in the browser when browsing, without any reservations, shows its contents, and many sites in. inc file for write the important information such as the user password and the like! Including the famous Haier company and Ka bell Moto company, the reason I'm published is because I personally tested, /inc/conn. inc storm out of the database ID password with the client connection does not go up, the site closed 1 2 1 5, and the firewall is also filtered out.

INC the knowledge that after that we continued and searched a lot, find one that exposes the MYSQL password, we can use the client login up to modify the data. Here relates to the database of knowledge, we do not talk too much about the"INC exposed sensitive information"just to here the end of IT; of course we can by some way fix:

1, You can specialize on. inc files for configuration, to avoid the user direct access to the source file.

2, of course, the better approach is, 加上并且改文件扩展名为.php(PHP can parse the extension so that client will not access the source file.

Here, I will FreeMind drawn pictures with a text representation. About Google Hack of detailed information, to help us analyze step on the point Connection identifier:

Code: + - : . * │


Code: "foo1 foo2" filetype:1 2 3 intext:foo intitle:footitle allinurl:foo


Code: to: “index of” htpasswd / passwd filetype:xls username password email "ws_ftp. log" "config.php" allinurl:admin mdb service filetype:pwd (frontpage)

Sensitive information:

Code: "robots. tx" "disallow:" filetype:txt inurl:_vti_cnf (frontpage files) allinurl:/msadc/samples/selector/showcode. asp allinurl:/examples/jsp/snp/snoop. jsp allinurl:phpsysinfo ipsec filetype:conf intitle:"error occurred" odbc request where (select│insert) "" nessus report "report generated by"


If you want to get the ROOT permissions necessary to specific issues specific analysis, but with SHELL access it is good to mention, there are many online according to a WEBSHELL to elevate privileges article we can refer to it.

Through google we can search many useful things, but are details, through the information collection slowly analysis, expansion and intrusion. These I'm not specific analysis. To give everyone an idea, we slowly research well to get here, this article is coming to an end, write the purpose of this article is to arouse concern and attention, to understand the new HACK instruments, learn about the new protection method, everything has two sides, in today's Google is the prevailing age, in full use of google at the same time. Should also look much more comprehensive.