Google's search engine can be used to hack into remote servers or to gather confidential or sensitive information that is not visible through common searches. Google is the world's most popular and powerful search engine. It has the ability to accept pre-defined commands as inputs, which then produce unbelievable results.
Google's Advanced Search Query Syntax
Discussed below are Google's various special commands. I shall explain each command in brief and show how it can be used for getting confidential data.
[ intitle: ]
The “intitle:” syntax helps Google restrict the search results to pages containing that word in the title.
intitle: login password
will return links to those pages that have the word "login" in their title and the word "password" anywhere in the page.
Similarly, if one has to query for more than one word in the page title, “allintitle:” can be used instead of “intitle:” to get the list of pages containing all those words in their title.
intitle: login intitle: password
is the same as
allintitle: login password
[ inurl: ]
The “inurl:” syntax restricts the search results to those URLs containing the search keyword. For example, “inurl: passwd” (without quotes) will return only links to those pages that have "passwd" in the URL.
Similarly, if one has to query for more than one word in a URL, “allinurl:” can be used instead of “inurl:” to get the list of URLs containing all those search keywords.
allinurl: etc/passwd
will look for the URLs containing “etc” and “passwd”. The slash (“/”) between the words will be ignored by Google.
[ site: ]
The “site:” syntax restricts Google to query for certain keywords in a particular site or domain.
exploits site:hackingspirits.com
will look for the keyword “exploits” in the pages present in all the links of the domain “hackingspirits.com”. There should not be any space between “site:” and the domain name.
[ filetype: ]
The “filetype:” syntax restricts the Google search to files on the internet with particular extensions (i.e. doc, pdf, ppt etc.).
filetype:doc site:gov confidential
will look for files with the “.doc” extension in all government domains with the “.gov” extension, containing the word “confidential” either in the pages or in the “.doc” file, i.e. the result will contain links to all Word document files on government sites that contain the word "confidential".
[ link: ]
The “link:” syntax will list webpages that have links to the specified webpage.
link:www.expertsforge.com
will list webpages that have links pointing to that homepage. Note there can be no space between "link:" and the web page URL.
[ related: ]
The “related:” syntax will list web pages that are "similar" to a specified web page.
related:www.expertsforge.com
will list web pages that are similar to that homepage. Note there can be no space between "related:" and the web page URL.
[ cache: ]
The query “cache:” will show the version of the web page that Google has in its cache.
cache:www.hackingspirits.com
will show Google's cached copy of that homepage. Note there can be no space between "cache:" and the web page URL.
If you include other words in the query, Google will highlight those words within the cached document.
cache:www.hackingspirits.com guest
will show the cached content with the word "guest" highlighted.
[ intext: ]
The “intext:” syntax searches for words in the body of a page. It ignores links, URLs and page titles.
intext:exploits
will return only links to those web pages that have the search keyword "exploits" in their page text.
[ phonebook: ]
“phonebook:” searches for U.S. street address and phone number information.
phonebook:Lisa+CA
will list all persons having “Lisa” in their names and located in “California (CA)”. This can be a great tool for hackers in case someone wants to dig up personal information for social engineering.
Google Hacks
Well, the Google query syntaxes discussed above can really help people make their search precise and get exactly what they are looking for.
Now, Google being such an intelligent search engine, hackers don't mind exploiting its ability to dig up confidential and secret information from the net which they are not supposed to know. I shall now discuss in detail the techniques hackers use to dig information from the net using Google, and how that information can be used to break into remote servers.
Index Of
Using the “Index of” syntax to find sites with index browsing enabled
A webserver with index browsing enabled means anyone can browse the webserver directories like ordinary local directories. The use of the “index of” syntax to get a list of links to webservers which have directory browsing enabled is discussed below. This becomes an easy source of information gathering for a hacker. Imagine if they get hold of password files or other sensitive files which are not normally visible on the internet. Given below are a few examples using which one can get access to much sensitive information quite easily.
Index of /admin
Index of /passwd
Index of /password
Index of /mail
"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess
"Index of /secret"
"Index of /confidential"
"Index of /root"
"Index of /cgi-bin"
"Index of /credit-card"
"Index of /logs"
"Index of /config"
Looking for vulnerable sites or servers using “inurl:” or “allinurl:”
a. Using “allinurl:winnt/system32/” (without quotes) will list all the links to servers which give access to restricted directories like “system32” through the web. If you are lucky enough, you might get access to cmd.exe in the “system32” directory. Once you have access to “cmd.exe” and are able to execute it.
b. Using “allinurl:wwwboard/passwd.txt” (without quotes) in the Google search will list all the links to servers which are vulnerable to the “WWWBoard Password vulnerability”. To know more about this vulnerability, have a look at the following link:
http://www.securiteam.com/exploits/2BUQ4S0SAW.html
c. Using “inurl:.bash_history” (without quotes) will list all the links to servers which give access to the “.bash_history” file through the web. This is a command history file. It includes the list of commands executed by the administrator, and sometimes includes sensitive information such as passwords typed in by the administrator. If this file is compromised and contains an encrypted Unix (or *nix) password, the password can be easily cracked using “John The Ripper”.
d. Using “inurl:config.txt” (without quotes) will list all the links to servers which give access to the “config.txt” file through the web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials. For example: Ingenium Learning Management System is a web-based application for Windows-based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 store sensitive information insecurely in the config.txt file. For more information refer to the following link:
http://www.securiteam.com/securitynews/6M00H2K5PG.html
Other similar searches using “inurl:” or “allinurl:” combined with other syntax
inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:"wwwroot/*."
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php
inurl:gov filetype:xls "restricted"
index of ftp +.mdb allinurl:/cgi-bin/ +mailto
Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
a. Using [allintitle: "index of /root"] (without brackets) will list the links to web servers which give access to restricted directories like “root” through the web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
b. Using [allintitle: "index of /admin"] (without brackets) will list the links to websites which have index browsing enabled for restricted directories like “admin” through the web. Many web applications use names like “admin” for the directory in which they store admin credentials. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
Other similar searches using “intitle:” or “allintitle:” combined with other syntax
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
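From the defender's side, the queries above are only useful to an attacker if the files they name are actually reachable on a web server. The following is an added example, not part of the original article: it scans web server access log lines (Combined Log Format) for requests to the sensitive file names listed above, marks which of them were served with a 200 (a real exposure), and recovers the search query from a Google Referer where one is present, so an administrator can see that a host was found through one of these operators. The log lines are constructed for this example; the regular expressions and the list of file names are assumptions drawn from the article's query lists.

```python
import re
from urllib.parse import urlparse, parse_qs

# File names the article's "Index of" and inurl: queries target (assumption:
# trimmed to the names that appear on the page). Matched against the URL path.
SENSITIVE_PATH = re.compile(
    r"(^|/)(\.htaccess|\.bash_history|\.sh_history|passwd|password\.txt|"
    r"config\.txt|auth_user_file\.txt|adpassword\.txt|shadow|master\.passwd|"
    r"htpasswd|pwd\.db)$", re.IGNORECASE)

# Combined Log Format: host ident user [time] "method target proto" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "[^"]*"')

SEARCH_HOSTS = ("google.", "bing.", "yahoo.")  # referers worth decoding


def search_query_from_referer(referer):
    """Return the q= parameter of a search engine Referer, or "" if none."""
    parsed = urlparse(referer)
    host = parsed.hostname or ""
    if not any(part in host for part in SEARCH_HOSTS):
        return ""
    return parse_qs(parsed.query).get("q", [""])[0]


def analyse(log_lines):
    """Flag every request for a sensitive file name; keep status and the search
    query that led the client here (if the Referer was a search engine)."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        ip, _ts, _method, target, status, referer = m.groups()
        path = urlparse(target).path  # drop ?query so /etc/passwd?x=1 still matches
        if not SENSITIVE_PATH.search(path):
            continue
        findings.append({"ip": ip, "path": path, "status": int(status),
                         "query": search_query_from_referer(referer)})
    return findings


def exposed(findings):
    """Paths that were actually served (200): these need to be removed or denied."""
    return sorted({f["path"] for f in findings if f["status"] == 200})


SAMPLE_LOG = [  # constructed log lines for this example
    '203.0.113.5 - - [10/Oct/2004:13:55:36 +0000] "GET /.bash_history HTTP/1.1" 200 512 "http://www.google.com/search?q=inurl%3A.bash_history" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Oct/2004:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2004:14:01:02 +0000] "GET /admin/config.txt HTTP/1.1" 404 220 "-" "curl/7.0"',
    '192.0.2.9 - - [10/Oct/2004:14:05:00 +0000] "GET /etc/passwd?x=1 HTTP/1.1" 403 150 "http://www.google.com/search?q=allinurl%3Aetc%2Fpasswd" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
    print("exposed:", exposed(SAMPLE_LOG and analyse(SAMPLE_LOG)))
```

A 200 on a flagged path is the thing to fix (disable directory indexing and deny those files at the web server); a 403 or 404 with a search engine query in the Referer still tells you the host is being looked at through these operators.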
Other interesting search queries
· To search for sites vulnerable to Cross-Site Scripting (XSS) attacks:
allinurl:/scripts/cart32.exe
allinurl:/CuteNews/show_archives.php
allinurl:/phpinfo.php
· To search for sites vulnerable to SQL Injection attacks:
allinurl:/privmsg.php