Google Hacking is actually nothing new. A few years ago I saw introductions to it on some foreign sites, but since I paid no attention to the technique at the time, I only used it to look for default database files that nobody had renamed, or for WebShells left behind by others, which was of little practical use. Recently, however, I suddenly realized that Google Hacking is not so simple...
Basic use of Google Hacking
I remember reading an article that used www.google.com to search for DVBBS6.mdb or conn.inc in order to obtain sensitive information about some sites. In fact, some of Google's search syntax can give us much more information than that (and of course the people most interested in it are attackers). Here I will introduce some common syntax.
intext:
Uses a string in the body text of web pages as the search condition. For example, entering intext:"mobile network" returns all pages whose body text contains "mobile network". allintext: is used in the same way as intext:.
intitle:
Like intext: above, but the string is searched for in the page title. For example, intitle:"Security Angel" returns all pages with "Security Angel" in the title. allintitle: works like intitle:.
cache:
Searches Google's cache of a page; sometimes you can find good things there.
define:
Searches for the definition of a word. For example, define:hacker returns the definition of "hacker".
filetype:
This one I particularly recommend, whether for a broad sweep across the net or for a specific target. It searches for files of the specified type. For example, entering filetype:doc returns the URLs of all files ending in .doc. Of course you can also look for .bak, .mdb or .inc, and the information you get may be richer still :)
info:
Finds some basic information about the specified site.
inurl:
Searches for the specified string in the URL. For example, inurl:admin returns N links like http://www.xxx.com/xxx/admin, which is useful for finding the administrator login URL. allinurl: is similar to inurl: but matches several strings.
link:
For example, searching link:www.4ngel.net returns all URLs that link to www.4ngel.net.
site:
Also useful. For example, site:www.4ngel.net returns all URLs belonging to the 4ngel.net site.
Some other operators are also useful:
+  include a word in the query that Google might otherwise ignore
-  exclude a word
~  synonyms of a word
.  single-character wildcard
*  wildcard that can stand for several letters
"" exact phrase
Now for practical application (I am personally more used to google.com, and the searches below were run there). An attacker is probably most interested in password files, and Google's powerful search ability tends to reveal exactly this kind of sensitive information. Searching Google for:
intitle:"index of" etc
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
Sometimes important password files are left exposed on the network without any protection, and if they are found by the wrong person the harm is great. Below is a passwd file I found on a FreeBSD system (I have sanitized it): (Figure 1)
You can also use Google to find programs with known vulnerabilities. For example, ZeroBoard was found to have a vulnerability that leaks file source code, and we can use Google to find sites running it:
intext:ZeroBoard filetype:php
or:
inurl:outlogin.php?_zb_path= site:.jp
to find the pages we need. phpMyAdmin is a powerful database administration package, and some sites let it be used directly without a password. We can search for this with Google:
intitle:phpMyAdmin intext:"Create new database"
(Figure 2)
Still remember
http://www.xxx.com/_vti_bin/..\..\..\..\..\../winnt/system32/cmd.exe?dir ?
Searching with Google you may find that plenty of such antique machines still exist, and the same approach can be used to find pages with other CGI vulnerabilities:
allinurl:winnt system32
(Figure 3)
As mentioned above, you can search for database files with Google, and with some syntax you can pinpoint them and get even more (Access databases, MSSQL and MySQL connection files, and so on). For example:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data   // this often turns up on misconfigured Apache Win32 servers
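As an added defensive example (not part of the original article), the following Python script turns the searches above around: it examines pages of your own site the way a search engine would see them, and flags auto-generated "Index of" directory listings and links to the kinds of files the article lists (passwd, .bash_history, htpasswd, .mdb, .inc and so on). The file-name patterns, the host www.example.test and the sample pages are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File-name patterns drawn from the search strings in the article above.
# These are a starting point for auditing your own site, not a complete list.
SENSITIVE_NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|\.)passwd$", r"shadow$", r"pwd\.db$", r"spwd\.db$", r"\.(sh|bash)_history$",
    r"htpasswd$", r"people\.lst$", r"service\.pwd$", r"\.(mdb|inc|bak)$", r"^conn\.",
)]


class _PageParser(HTMLParser):
    """Collects the <title> text and every <a href> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _basename(url_or_href):
    """Last path segment of a URL or href, ignoring any query string."""
    return urlsplit(url_or_href).path.rstrip("/").rsplit("/", 1)[-1]


def is_sensitive_name(name):
    return any(p.search(name) for p in SENSITIVE_NAME_PATTERNS)


def audit_page(url, html):
    """Classify one page of your own site as a crawler would see it.

    Returns a dict with:
      listing  - True when the <title> is an auto-generated 'Index of ...' page
      exposed  - sensitive file names reachable from the page (or the URL itself)
    """
    parser = _PageParser()
    parser.feed(html)
    listing = parser.title.strip().lower().startswith("index of")
    exposed = []
    own_name = _basename(url)
    if is_sensitive_name(own_name):
        exposed.append(own_name)
    for href in parser.links:
        name = _basename(href)
        if name and is_sensitive_name(name) and name not in exposed:
            exposed.append(name)
    return {"url": url, "listing": listing, "exposed": exposed}


# Constructed sample pages (not captured from any real server).
LISTING_HTML = """<html><head><title>Index of /data</title></head><body>
<h1>Index of /data</h1><pre>
<a href="/">Parent Directory</a>
<a href="dvbbs6.mdb">dvbbs6.mdb</a>
<a href="conn.inc">conn.inc</a>
<a href="readme.txt">readme.txt</a>
</pre></body></html>"""

NORMAL_HTML = """<html><head><title>Campus News</title></head>
<body><a href="/news/1.asp">Today</a> <a href="/about.asp">About</a></body></html>"""


def run_audit():
    """Audit the constructed sample pages and return one result per page."""
    pages = [
        ("http://www.example.test/data/", LISTING_HTML),
        ("http://www.example.test/index.asp", NORMAL_HTML),
        ("http://www.example.test/_vti_pvt/service.pwd", "<html><title>x</title></html>"),
    ]
    return [audit_page(url, html) for url, html in pages]


if __name__ == "__main__":
    for result in run_audit():
        tag = "LISTING " if result["listing"] else ""
        print(f"{tag}{result['url']} exposed={result['exposed']}")
```

The listing check keys on the page title because that is exactly what the intitle:"index of" searches match; if this script flags a page on your own server, turning off automatic directory indexing and moving the database and include files out of the web root removes the exposure before a search engine records it.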
By the same principle we can also use Google to find admin backends; the method is similar, so I will not go through it again. After all, I wrote this article so that everyone knows about Google Hacking, not so that you go off and misuse Google. Security is a double-edged sword; the key is how you use it.
Implementation and application of Google Hacking (Part 2)
Author: sniper
Source: www.4ngel.net
Date: 05/01/26
This article is for technical discussion only; do not use it for any other purpose.
Part 1 of this article can be found at 4ngel.net.
Using Google alone it is entirely possible to do information gathering on a site and penetrate it. Let's run a test against a specific site with Google.
www.xxxx.com is a well-known university in the country; by chance I decided to run a test against its site (the school's information has been sanitized, so please don't try to guess which one it is :).
First use Google to get some basic information about the site (a few details):
site:xxxx.com
From the returned information I found the domain names of several departments of the school:
http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
It looks like they are on different servers (thinking of my own poor web server; universities are rich, sigh). Schools generally have plenty of good documents, so first let's see whether anything good is there:
site:xxxx.com filetype:doc
Got N nice DOC files. Next, find the management backend address of the website:
site:xxxx.com intext:management
site:xxxx.com inurl:login
site:xxxx.com intitle:management
Got more than two management backend addresses:
http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_Admin/login_in.asp
Not bad. Now let's see what programs run on the servers:
site:a2.xxxx.com filetype:asp
site:a2.xxxx.com filetype:php
site:a2.xxxx.com filetype:aspx
site:a3.xxxx.com filetype:asp
site:.......
......
The a2 server should be IIS; the whole site uses ASP, and there is also a PHP forum.
The a3 server is also IIS, running ASPX and ASP; the web programs seem to be developed in-house. Since there is a forum, let's see whether any public FTP accounts turn up:
site:a2.xxxx.com intext:ftp://*:*
Nothing worthwhile found. Let's look for upload vulnerabilities:
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
Found an upload page on a2:
http://a2.xxxx.com/sys/uploadfile.asp
Opening it in IE: no permission to access it. Try injection instead:
site:a2.xxxx.com filetype:asp
Got the addresses of N ASP pages and fed them to an injection tool. This program clearly does nothing to protect against injection; the database user has dbowner permission, not high but enough. I don't like going the long way round to a shell, and the database looked quite large, so I pulled the web administrator's password directly; as expected, it is MD5-hashed. Passwords on school sites are usually fairly regular, typically the domain name, a phone number, or a variant of them, so let's get those with Google:
site:xxxx.com   // get N sub-domains
site:xxxx.com intext:*@xxxx.com   // get N email addresses, and the names of their owners
site:xxxx.com intext:phone   // N phone numbers
Turn whatever information we have into a dictionary and let it run slowly. After a while 4 accounts were cracked: 2 student union accounts, 1 administrator, and one that may be a teacher's account. Log in:
Name: Website Administrator
Pass: A2xxxx7619   // as I said, the domain name plus 4 digits
That is as far as the discussion needs to go for this article, heh.
Prevention of Google Hacking:
Earlier we published Fengle's article, whose principle was to create a robots.txt in the site's root directory so that web robots stay away from sensitive information. For details see the original article:
http://www.4ngel.net/Article/26.htm.
But I personally don't recommend this method; it has a bit of the flavour of "no silver buried here", since the robots.txt itself tells anyone who reads it which paths you are trying to hide. A simpler method is to delete the sensitive information from your site and then visit this Google URL to have it removed from the index:
http://www.google.com/remove.html
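The following Python script is an added example (not from the article or from 4ngel.net) that shows both sides of the robots.txt argument above: it uses the standard-library robots.txt parser to confirm that a crawler such as Googlebot is actually barred from the paths you care about, and it also lists the Disallow entries, which is exactly the information the file hands to any human reader. The robots.txt text, the host www.example.test and the checked paths are constructed for the example.

```python
from urllib.robotparser import RobotFileParser

BASE_URL = "http://www.example.test"   # placeholder site, not a real host

# Constructed robots.txt of the kind the prevention section describes: keep
# crawlers out of the directories holding database files and the admin backend.
ROBOTS_TXT = """User-agent: *
Disallow: /data/
Disallow: /sys/
Disallow: /_vti_bin/
"""


def load_rules(robots_text, base_url=BASE_URL):
    """Parse robots.txt text (no network access) with the standard-library parser."""
    rp = RobotFileParser()
    rp.set_url(base_url + "/robots.txt")
    rp.parse(robots_text.splitlines())
    return rp


def crawlable(robots_text, paths, agent="Googlebot", base_url=BASE_URL):
    """Map each path to True if the named crawler is allowed to fetch it."""
    rp = load_rules(robots_text, base_url)
    return {p: bool(rp.can_fetch(agent, base_url + p)) for p in paths}


def disclosed_paths(robots_text):
    """Return the Disallow entries: the paths robots.txt reveals to a human reader.

    This is the author's objection to the method: the file that keeps robots
    away from the sensitive directories is itself public and names them.
    """
    paths = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    checks = crawlable(ROBOTS_TXT, ["/data/dvbbs6.mdb", "/sys/admin_login.asp", "/index.asp"])
    for path, allowed in checks.items():
        print(f"{path}: {'crawlable' if allowed else 'blocked'}")
    print("paths disclosed by robots.txt:", disclosed_paths(ROBOTS_TXT))
```

Run against your own robots.txt before relying on it: an empty Disallow line allows everything, and a well-behaved crawler is the only kind that obeys the file at all, which is why the article prefers removing the material and then asking Google to drop it from the index.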
I also saw some people discussing a programmatic way to fool the robot, which I think is worth trying. The code is as follows:
PHP:
<?php
// Redirect Google's crawler away so that this page is never indexed.
// The User-Agent header is supplied by the client, so this only keeps out
// crawlers that identify themselves honestly.
if (strstr($_SERVER['HTTP_USER_AGENT'], 'Googlebot')) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: http://www.google.com');
    exit;
}
?>
ASP:
<%
' Same idea in ASP: send Googlebot elsewhere instead of serving the page.
If InStr(Request.ServerVariables("HTTP_USER_AGENT"), "Googlebot") > 0 Then
    Response.Redirect("http://www.google.com")
End If
%>
Postscript
Over this period I looked at some Google Hacking research sites abroad; it is almost all flexible use of the basic syntax, sometimes combined with a script vulnerability, and relies mainly on flexible personal thinking. Abroad there is not much on preventing Google Hacking either, so everyone, please don't go breaking things, heh. Administrators running Apache on Windows should pay special attention to this: a single intitle:"index of" almost brings everything out :)