Foreword

Google Hacking is actually nothing new. A few years ago I saw it introduced on some foreign sites, but since I paid no attention to the technique at the time, I thought it was only good for finding an unprotected MDB file or a WebShell someone else had left behind, with no great practical value. Recently, though, I suddenly realised that Google Hacking is not that simple ...

Basic Google Hacking
I recall writing in an earlier article about simply searching Google for dvbbs6.mdb or conn.inc. In fact, some of Google's query syntax can give us much more information (some people are of course already in the habit of using it). Let me introduce the common operators.

intext: uses a string in the body text of a page as the search criterion. For example, searching Google for intext:"mobile network" returns every page whose body text contains "mobile network". allintext: is similar to intext:, but every term must appear in the body text.

intitle: is like intext:, except that the string must appear in the page title. For example, intitle:"Security Angel" returns every page whose title contains "Security Angel". allintitle: is similar to intitle:, with every term required in the title.

cache: searches Google's cached copy of a page; sometimes you can find good things there that are no longer on the live site.

define: returns the definition of a word, e.g. define:hacker returns definitions of "hacker".

filetype: I have to recommend this one. Whether the goal is an attack or simply collecting information on a particular target, it searches for files of a specified type. For example, filetype:doc returns the URLs of every file ending in .doc. Of course .bak, .mdb or .inc also work, and the information they yield may be richer :)

info: returns some basic information about the specified site.

inurl: searches for the specified string in the URL. For example, inurl:admin returns N links of the form http://www.xxx.com/xxx/admin, which is good for finding the administrator login URL. allinurl: is similar to inurl:, but every term must appear in the URL.

link: for example, link:www.4ngel.net returns every URL that links to www.4ngel.net.

site: is also very useful; for example, site:www.4ngel.net returns every URL under 4ngel.net.

Some other operators are also useful:
+   force a word that Google would otherwise ignore (such as a stop word) into the query
-   exclude pages containing a word
~   also match synonyms of a word
.   single-character wildcard
*   wildcard standing for a whole word of any length
""  exact-phrase match
Now for actual use (I personally prefer Google.com, and the searches below were done there). What an attacker is probably most interested in is password files, and Google's powerful search ability tends to reveal exactly that sort of sensitive information. Search Google for:

intitle:"index of" etc
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
Important password files are sometimes exposed on the network with no protection at all, and if the wrong person finds them the damage can be serious. Below is a passwd file I found on a FreeBSD system (the image has been edited):

Figure 1: a passwd file exposed through a directory listing
You can also use Google to find programs with known vulnerabilities. For example, Zeroboard was found some time ago to have a file-disclosure vulnerability; we can use Google to find sites running it:

intext:zeroboard filetype:php

or:

inurl:outlogin.php?_zb_path= site:.jp

to find the pages we need. phpMyAdmin is a powerful database administration tool, and some sites are misconfigured so that we can operate the database directly without any password. We can search for such sites with:

intitle:phpmyadmin intext:"Create new database"
Figure 2: a phpMyAdmin instance reachable without a password
Remember http://www.xxx.com/_vti_bin/..\..\....M32/cmd.exe?dir? Search for it with Google and you may still find plenty of antique machines. In the same way we can find pages with other CGI vulnerabilities:

allinurl:winnt system32
Figure 3:
As mentioned above, Google can find database files, and with a little syntax you can search precisely and get much more (Access databases, MSSQL and MySQL connection files, and so on). For example:

allinurl:bbs data
filetype:mdb inurl:database
intitle:"index of" data    // this often turns up on misconfigured Apache on Win32
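The operator list above and the dork lists that follow it are easy to get subtly wrong (a missing quote, an operator name mistyped, an all* operator that silently swallows the rest of the query). The following parser, an added example that is not part of the original article, tokenises a query into (operator, value, negated) terms using only the operators described above, rejects unknown operator prefixes while still accepting URL schemes such as ftp:// as plain terms, and turns a validated query into a Google search URL. The sample queries are the ones from this article.

```python
"""Added example: a small parser/validator for the Google query syntax described
above, plus a helper that turns a query into a search URL.  The operator set is
the one listed in this article; nothing here talks to Google."""
import re
import urllib.parse
from typing import List, Optional, Tuple

OPERATORS = {"intext", "allintext", "intitle", "allintitle", "cache", "define",
             "filetype", "info", "inurl", "allinurl", "link", "site"}
ALL_OPERATORS = {"allintext", "allintitle", "allinurl"}  # consume every following bare term

# one term: optional '-', optional operator prefix, then a quoted phrase or a bare word
TOKEN = re.compile(r'-?(?:[A-Za-z]+:)?(?:"[^"]*"|\S+)')
PREFIX = re.compile(r'([A-Za-z]+):(.*)$', re.S)

Term = Tuple[Optional[str], str, bool]  # (operator or None, value, negated)


def parse_dork(query: str) -> List[Term]:
    """Split a query into terms; raise ValueError on a malformed one."""
    terms: List[Term] = []
    for tok in TOKEN.findall(query):
        negated = tok.startswith("-")
        if negated:
            tok = tok[1:]
        op: Optional[str] = None
        m = PREFIX.match(tok)
        if m and m.group(1).lower() in OPERATORS:
            op, tok = m.group(1).lower(), m.group(2)
        elif m and not m.group(2).startswith("//"):
            # 'filety:mdb' is a typo, but 'ftp://*:*' is a plain term (URL scheme)
            raise ValueError(f"unknown operator {m.group(1)!r} in {query!r}")
        value = tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok
        if not value:
            raise ValueError(f"empty term in {query!r}")
        # allinurl:winnt system32 means allinurl:"winnt system32"
        if op is None and not negated and terms and terms[-1][0] in ALL_OPERATORS:
            prev_op, prev_val, prev_neg = terms[-1]
            terms[-1] = (prev_op, prev_val + " " + value, prev_neg)
            continue
        terms.append((op, value, negated))
    return terms


def is_valid_dork(query: str) -> bool:
    """True when the query parses into at least one term."""
    try:
        return bool(parse_dork(query))
    except ValueError:
        return False


def search_url(query: str) -> str:
    """Build the Google search URL for a query, refusing malformed ones."""
    parse_dork(query)
    return "https://www.google.com/search?" + urllib.parse.urlencode({"q": query})


if __name__ == "__main__":
    for q in ['intitle:"index of" etc/shadow',
              '"# -FrontPage-" inurl:service.pwd',
              'allinurl:winnt system32',
              'filety:mdb inurl:database']:      # the typo from a hand-written dork list
        print(q, "->", parse_dork(q) if is_valid_dork(q) else "INVALID")
```

The unknown-operator check is the part worth keeping: a dork list copied by hand usually contains a few terms like filety: that Google would quietly treat as a literal word, returning nothing useful and wasting the query.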
On the same principle we can use Google to find admin backends; the method is much the same, so I will skip it. After all, I wrote this article so that everyone understands Google Hacking, not to send you off attacking sites with Google. Security is a double-edged sword; the key is how you use it.
Using Google for information gathering and penetration of a site

Let's run a test against a specific site with Google. www.xxxx.com is a well-known domestic university, and by chance I decided to test its site (the school's details have been sanitised, so please don't try to guess it). First, use Google to get a general picture of the site (some details omitted):

site:xxxx.com

From the results I found several of the school's hostnames:

http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
By the look of it they are on different servers (thinking of that poor web server... universities are rich, sweat). Schools usually have plenty of good material, so first see what is lying around:

site:xxxx.com filetype:doc

That yields N nice DOCs. Next, find the site's admin backend:

site:xxxx.com intext:管理    (管理 = "admin")
site:xxxx.com inurl:login
site:xxxx.com intitle:管理

Two admin backend addresses turned up:

http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_admin/login_in.asp
Not bad. Now see what programs run on the servers:

site:a2.xxxx.com filetype:asp
site:a2.xxxx.com filetype:php
site:a2.xxxx.com filetype:aspx
site:a3.xxxx.com filetype:asp
...

a2 should be IIS, running an ASP application plus a PHP forum; a3 is also IIS, with both ASPX and ASP. The web applications look home-grown. Since there is a forum, check whether anyone has posted FTP credentials:

site:a2.xxxx.com intext:ftp://*:*

Nothing of value. Next, look for upload holes:

site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load

That turned up an upload page on a2: http://a2.xxxx.com/sys/uploadfile.asp

Opening it in IE gives "no permission to access". So try injection instead:

site:a2.xxxx.com filetype:asp
That gives the URLs of N ASP pages; I fed them to an injection tool, and the application clearly has no protection against injection at all. The database account has db_owner rights: not high, but enough. I don't like leaving a shell behind, and the database looked fairly large, so I pulled the web administrator's password directly. It is MD5-hashed. Passwords on school sites tend to follow a pattern, usually the domain name, a phone number, or a variation of one, so collect the raw material with Google:

site:xxxx.com                  // get N subdomains
site:xxxx.com @xxxx.com        // get N email addresses, together with the names of their owners
site:xxxx.com intext:电话      // N phone numbers (电话 = "phone")

Turn the collected information into a dictionary and let the cracker run. After a while, 4 accounts fell: 2 student union accounts, 1 administrator, and one that is probably a teacher's. Log in:

user: Website Administrator    pass: A2xxxx7619    // as I said: the hostname plus 4 digits
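The dictionary step above is the part a practitioner actually has to build. The script below is an added example, not the author's tool: it takes the kind of artifacts the site:/intext: queries return (hostnames, phone numbers, names), generates candidates following the pattern the author observed (hostname without its TLD, optionally followed by four digits), and checks them against an unsalted MD5 hash. The hostname a2.example.edu, the phone number and the target hash are all constructed for the example; nothing here is the sanitised school's data.

```python
"""Added example: turn artifacts gathered with site:/intext: queries (hostnames,
phone numbers, names) into a password dictionary following the pattern the
article observed (hostname without the TLD, plus four digits), then check it
against an unsalted MD5 hash.  All sample data below is constructed."""
import hashlib
import re
from typing import Iterable, Iterator, Optional, Set


def host_base(hostname: str) -> str:
    """'a2.example.edu' -> 'a2example': every label except the last, joined.
    Assumption: a one-label public suffix; for .edu.cn-style suffixes drop two."""
    labels = hostname.strip().lower().split(".")
    return "".join(labels[:-1]) if len(labels) > 1 else labels[0]


def digit_windows(phones: Iterable[str], width: int = 4) -> Set[str]:
    """Every `width`-digit substring of the collected phone numbers
    (the last four digits of a phone number are the usual choice)."""
    windows: Set[str] = set()
    for phone in phones:
        digits = re.sub(r"\D", "", phone)
        for i in range(len(digits) - width + 1):
            windows.add(digits[i:i + width])
    return windows


def build_wordlist(hostnames: Iterable[str], phones: Iterable[str],
                   names: Iterable[str] = (), exhaustive: bool = False) -> Iterator[str]:
    """Yield candidates: base, Base, BASE, each alone and with a 4-digit suffix.
    exhaustive=True appends all of 0000-9999 instead of only digits seen in phones."""
    bases = {host_base(h) for h in hostnames} | {n.strip().lower() for n in names if n.strip()}
    suffixes = {f"{i:04d}" for i in range(10000)} if exhaustive else digit_windows(phones)
    seen: Set[str] = set()
    for base in sorted(bases):
        for variant in (base, base.capitalize(), base.upper()):
            for candidate in [variant] + [variant + s for s in sorted(suffixes)]:
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals the (unsalted) hex digest, else None."""
    target = target_hex.strip().lower()
    for candidate in candidates:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a hostname and phone number "found" via site:/intext:
    # queries, and the MD5 of a password following the hostname + 4 digits pattern.
    target = hashlib.md5(b"a2example7619").hexdigest()
    found = crack_md5(target, build_wordlist(["a2.example.edu"], ["010-12347619"]))
    print("cracked:", found)
```

With only the digits harvested from phone numbers the list stays tiny (a few dozen candidates per hostname); exhaustive=True raises it to 30,000 per hostname, which is still instant for MD5 and is what "domain name plus 4 digits" really costs an attacker.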
That is as far as this article's discussion goes, heh.

Defending against Google Hacking
Earlier, Xiafeng, the Dam and Dead Moon wrote an article on avoiding Google; the principle is to create a robots.txt in the site root so that web robots stay away from sensitive information. See the original article for details: http://www.ttian.net/Article/show.php?id=154

Personally I don't recommend this method; it has a whiff of "no silver buried here" about it, since anyone can fetch robots.txt and read exactly which paths you wanted hidden. A simpler approach is to have Google remove the information about your site from its index: http://www.google.com/remove.html

A few days ago I saw someone discussing a way to fool the robot in the application code itself, which I think is worth trying. The idea is to redirect any request whose User-Agent identifies it as Googlebot. Note that the User-Agent header is supplied by the client, so this only affects crawlers that announce themselves. The code is as follows (the original used strstr(), which is case-sensitive and would miss the real "Googlebot" string; stristr() fixes that):

```php
<?php
// Send anything that identifies itself as Googlebot away from this page
// before any content is emitted.
if (isset($_SERVER['HTTP_USER_AGENT'])
    && stristr($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: http://www.google.com');
    exit;
}
?>
```
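To make the two objections above concrete, here is an added example (not from the original article or from the cited one): a parser that extracts everything a robots.txt asks crawlers to avoid, which is precisely the list an attacker gets for free, and the crawler check from the PHP snippet reimplemented case-insensitively so that the real Googlebot User-Agent string matches. The robots.txt body is constructed for the example.

```python
"""Added example: what a reader of robots.txt learns, and the crawler check from
the PHP snippet above done case-insensitively.  The robots.txt is constructed."""
from typing import Dict, List


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each user-agent to its Disallow paths.  Consecutive User-agent lines
    form one group; the Disallow lines that follow apply to all of them."""
    rules: Dict[str, List[str]] = {}
    group: List[str] = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                           # a Disallow already seen: new group
                group, in_rules = [], False
            agent = value.lower()
            group.append(agent)
            rules.setdefault(agent, [])
        elif field == "disallow":
            in_rules = True
            if value:                              # a bare 'Disallow:' allows everything
                for agent in group:
                    rules[agent].append(value)
    return rules


def leaked_paths(text: str) -> List[str]:
    """Every path the file asks crawlers to avoid: a ready-made list of
    interesting directories for anyone who fetches /robots.txt."""
    return sorted({p for paths in parse_robots(text).values() for p in paths})


def is_googlebot(user_agent: str) -> bool:
    """The PHP snippet's test, case-insensitive.  Googlebot sends
    'Mozilla/5.0 (compatible; Googlebot/2.1; ...)', which a case-sensitive
    strstr() on 'googlebot' would miss.  The header is client-supplied, so
    this only affects crawlers that announce themselves."""
    return "googlebot" in user_agent.lower()


SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /sys/
Disallow: /data/

User-agent: Baiduspider
Disallow: /
"""

if __name__ == "__main__":
    print("paths advertised by robots.txt:", leaked_paths(SAMPLE_ROBOTS))
    print("redirect Googlebot?", is_googlebot(
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"))
```

Running it against the sample prints ['/', '/data/', '/sys/']: the file meant to hide /sys/ and /data/ is the first place a visitor would look for them.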
Postscript