Google search skills that threaten privacy (Google hacking)

Source: Internet
Author: User
Tags gpg

Google Hacking originally referred to the technique (and practice) of using the Google search engine to find information useful for intrusion; today it refers to doing the same with any search engine. Google Hacking is actually nothing new: I saw some introductions on foreign sites years ago, but at the time I paid no attention to the technique, thinking it was at most useful for finding un-renamed MDB database files or webshells left behind by others, with little practical value. Some time ago, after carefully reading some material, I suddenly realized that Google Hacking is not that simple. Nobody had posted about Google hacking on the forum, so let me do it. I personally like Google. I don't know whether this is the full version, and I did not translate it, only edited it by hand to make it more intuitive; the editing is a bit messy.

Basic operators
inurl: (allinurl:)
intext: (allintext:)
intitle: (allintitle:)
site:
ext:, filetype:
Symbols: - . * |
Boolean: AND, OR, NOT
Others: lang:, define: (e.g. define:"C++")

Privacy information
1. Usernames and passwords

"create table" "insert into" "pass|passwd|password" (ext:sql | ext:dump | ext:txt)
"your password * is" (ext:csv | ext:doc | ext:txt)

2. Keys

"index of" slave_datatrans OR from_master

3. Private keys

"BEGIN (DSA|RSA)" ext:key
"index of" "secring.gpg"

4. Encrypted messages

-"public|pubring|pubkey|signature|pgp|and|or|release" ext:gpg
-intext:"and" (ext:enc | ext:axx)
"ciphervalue" ext:xml

Confidential information
Data that is expected to stay confidential against unauthorized access

1. Chat logs

"session start" "session ident" Thomas ext:txt

2. Private mail

"index of" inbox.dbx
"to parent directory" inurl:"identities"

3. Confidential directories and files

"index of" (private | secure | geheim | gizli)
"robots.txt" "user-agent" ext:txt
"this document is private|confidential|secret" ext:doc | ext:pdf | ext:xls
intitle:"index of" "jpg|png|bmp" inurl:personal | inurl:private

(geheim and gizli are "secret" in German and Turkish.)

4. Online webcams

intitle:"Live View / - AXIS" | inurl:view/view.shtml
inurl:"ViewerFrame?Mode="
inurl:"MultiCameraFrame?Mode="
inurl:"axis-cgi/mjpg"
intext:"MOBOTIX M1"
intext:"Open Menu"
inurl:"view/index.shtml"

Identifying information
1. Personal details
Name, address, phone number, extension

    1. allintext:name email phone address intext:"Thomas Fischer" ext:pdf
    2. TWiki inurl:"view/Main" "Thomas Fischer"

(Thomas Fischer is a placeholder name; substitute the person you are looking for.)

Resumes

    1. intitle:CV OR intitle:lebenslauf "Thomas Fischer"
    2. intitle:CV OR intitle:lebenslauf ext:pdf OR ext:doc

(lebenslauf is German for CV.)

2. Usernames

    1. intitle:"usage statistics for" intext:"total unique usernames"

(These are Webalizer web-statistics reports, which list the usernames seen in the server logs.)

 

Examples of Google Hacking 1
Insecure programs disclosing information

    1. "PHP Version" intitle:phpinfo inurl:info.php

Programs with known SQL injection vulnerabilities; swap the path for that of whatever vulnerable script you are looking for

    1. "Advanced Guestbook * powered" inurl:addentry.php
    2. intitle:"View Img" inurl:viewimg.php

Security scan reports

    1. "Assessment Report" "Nessus" filetype:pdf

Database administration tools and error messages

    1. "Welcome to phpMyAdmin ***" "running on * as root@*" intitle:phpMyAdmin
    2. "MySQL error with query"

 

====================================================================================================
Countermeasures  // the original author left this part untranslated; my translation follows
Use automated tools to check your own systems (e.g. gooscan, SiteDigger, Goolink).
Install and maintain a Google Hack Honeypot.

SiteDigger  // web mining
Free from Foundstone.  // I did not understand the rest even after several readings
Supports both the GHDB and Foundstone's own database of signatures.
For a given host, every entry in the database is queried.

========================================================================
References

Google Hacking Database
http://johnny.ihackstuff.com

Google Hack Honeypot project
http://ghh.sourceforge.net

Goolink - Google scanner
http://www.ghacks.net/2005/11/23/goolink-scanner-beta-preview/

SiteDigger 2.0 - information gathering tool
http://www.foundstone.com

FileSearching
http://www.filesearching.com

Gooscan - Google scanner
http://johnny.ihackstuff.com
============================================================================
Please do not use this information for any other purpose.
Online cameras

    1. inurl:"ViewerFrame?Mode=Motion" (requires ActiveX)
    2. intitle:"snc-rz30 home" (requires ActiveX)
    3. intitle:"WJ-NT104 Main"
    4. inurl:LvAppl intitle:liveapplet (great pan and zoom)
    5. intitle:"Live View / - AXIS"
    6. inurl:indexFrame.shtml "Axis Video Server"

 

Finding pages a site hid from Google
Idea: a site's robots.txt lists exactly what the owner did not want indexed, so read it

    1. "robots.txt" "disallow:" filetype:txt
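Added example (not from the article): a small parser that, given the text of a robots.txt, returns the paths each user agent was told to avoid and flags the ones that look like administrative or sensitive areas. The robots.txt below is constructed sample data, not a real site. The point is the one the dork above makes: Disallow entries are a map of what the owner considers sensitive, so anything listed there must be protected by authentication, not by the hope that crawlers obey.

```python
"""Parse robots.txt and list what each crawler was asked not to fetch."""

# Constructed sample robots.txt (example.edu is not a real target).
SAMPLE_ROBOTS = """\
# Keep search engines out of the back office
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
User-agent: Baiduspider
Disallow: /_vti_pvt/
Disallow: /phpmyadmin/   # trailing comments are permitted
Sitemap: http://www.example.edu/sitemap.xml
"""

# Path fragments that usually mean "this should have been access-controlled"
SENSITIVE_HINTS = ("admin", "backup", "private", "pwd", "_vti_",
                   "phpmyadmin", "sql", "secret")


def disallowed_paths(text):
    """Return {user_agent: [disallowed paths]} following the grouping rules
    of robots.txt: one or more User-agent lines open a group, and the
    Allow/Disallow lines that follow apply to every agent in that group."""
    rules, group, in_header = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_header:                          # a new group starts here
                group, in_header = [], True
            group.append(value)
            rules.setdefault(value, [])
        elif field in ("disallow", "allow"):
            in_header = False
            if field == "disallow" and value:          # an empty Disallow allows all
                for agent in group:
                    rules[agent].append(value)
        # Sitemap:, Crawl-delay: and unknown fields are ignored here
    return rules


def interesting_paths(rules):
    """Sorted, de-duplicated Disallow entries whose name hints at something
    an attacker would try first."""
    hits = {p for paths in rules.values() for p in paths
            if any(h in p.lower() for h in SENSITIVE_HINTS)}
    return sorted(hits)


if __name__ == "__main__":
    rules = disallowed_paths(SAMPLE_ROBOTS)
    for agent, paths in rules.items():
        print(f"{agent}: {paths}")
    print("worth checking for missing authentication:", interesting_paths(rules))
```

Run it against your own robots.txt and then request each flagged path without credentials; if it answers with content rather than a 401 or 403, robots.txt was the only thing protecting it.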

 

FrontPage user logins
This search finds FrontPage's service.pwd files, which list accounts in clear text next to their password hashes; the hashes use the old crypt(3) scheme and are quickly cracked offline.

    1. inurl:_vti_pvt "service.pwd"

 

PHP photo albums
This search finds the upload page of PHPhotoalbum installations. You can browse the photos users uploaded and, where the upload form is unprotected, upload your own files to it.

    1. inurl:"phphotoalbum/upload"

 

VNC servers
These are VNC servers exposing their built-in Java viewer on port 5800. Login requires only the VNC password, so a weak password brute-forced with a VNC cracker gives a desktop on someone else's computer.

    1. "VNC Desktop" inurl:5800

 

Network printers
Internet-exposed shared printers: you can view their status and settings, and some of them will let you print your own documents.

    1. inurl:"port_255" -htm

 

phpMyAdmin access
phpMyAdmin is the web front end through which site owners manage their database. On poorly secured sites it can be reached without a password, and whoever controls the database usually controls the site.

    1. intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"

 

In addition, I am attaching an earlier article on Google hacking and Google search skills by a well-known xfocus member.

Simple implementation of Google Hacking
I remember an article from some time ago that simply used www.google.com to search for dvbbs6.mdb or conn.inc. In fact, some Google syntax can give us much more information (and of course it gives the same information to those who attack). The following describes some common syntax.
intext:
Searches for a string in the body of the page. For example, entering intext:动网 in Google returns all pages whose body contains 动网 (the name of the DvBBS forum vendor). allintext: is similar to intext:.

intitle:
Like intext: above, but searches the page title. For example, intitle:安全天使 returns all pages whose title contains 安全天使 (Security Angel). Likewise, allintitle: is similar to intitle:.

cache:
Returns Google's cached copy of a page; sometimes you find good things in a cache that have since been removed from the live site.

define:
Returns definitions of a word. define:hacker returns the definition of hacker.

filetype:
I strongly recommend this one for collecting information about a specific target, whether for a web attack or for what is discussed later. It restricts results to files of the given type; for example filetype:doc returns the URLs of all files ending in .doc. Of course you can also look for .bak, .mdb or .inc, which may yield even more :)

info:
Returns basic information about a site.

inurl:
Searches for a string in the URL. For example, inurl:admin returns many URLs that contain admin.

link:
Returns pages linking to a URL. For example, link:www.4ngel.net returns all pages that link to www.4ngel.net.

site:
Also very useful. For example, site:www.4ngel.net returns all indexed URLs under 4ngel.net.

Some operators are also useful:
+ force a word Google would normally ignore to be included in the query
- exclude a word
~ include synonyms of the word
. single-character wildcard
* wildcard standing for one or more words
"" exact phrase

Next, practical applications (I personally prefer Google.com for the searches below). An attacker eager to try things out is probably most interested in password files, and Google's powerful search often hands them sensitive information. Search Google for:
intitle:"index of" etc
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
For various reasons, important password files sometimes end up on the web without protection, and the harm is great if someone with bad intentions gets hold of them. Below is a FreeBSD passwd file I found this way (redacted):
Figure 1
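Added example (not part of either article): the operator syntax explained above is a small grammar, and the countermeasure recommended earlier on this page, running the dorks against your own systems, does not need Google at all if you have a crawl of your own site. The Python below implements the operators (intitle:, intext:, inurl:, site:, filetype:/ext:, quoted phrases, the - prefix, OR and |, the * wildcard) and evaluates dorks such as the password-file list above against a local inventory of pages. The inventory and its hostnames are constructed sample data, not real sites; in practice fill it from your own crawl or the server's access logs.

```python
"""Evaluate Google-style dorks against a local inventory of pages."""
import re
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

OPERATORS = {"intitle", "allintitle", "intext", "allintext",
             "inurl", "allinurl", "site", "filetype", "ext"}


@dataclass
class Page:
    url: str
    title: str
    body: str


# Constructed sample inventory (example.edu is not a real target).
INVENTORY = [
    Page("http://www.example.edu/news/index.php", "Example University News",
         "Welcome to the campus news site."),
    Page("http://a2.example.edu/sys/uploadfile.asp", "Upload file",
         "Choose a file to upload."),
    Page("http://a2.example.edu/data/", "Index of /data",
         "Parent Directory  forum.mdb  conn.inc"),
    Page("http://a3.example.edu/pma/index.php", "phpMyAdmin 2.6.0",
         "Welcome to phpMyAdmin 2.6.0 running on a3.example.edu as root@localhost"),
    Page("http://a3.example.edu/_vti_pvt/service.pwd", "service.pwd",
         "# -FrontPage-\nadmin:Xy7Qp3rZ9kLmN"),   # constructed crypt-style hash
]


def _wildcard_regex(value):
    # '*' in a phrase matches anything; everything else is literal, case-insensitive
    return re.compile(".*?".join(re.escape(p) for p in value.split("*")), re.I)


def parse_dork(dork):
    """Split a dork into AND-ed groups of OR-ed terms.
    A term is (negated, operator, [alternatives]). Quoted phrases stay whole,
    'OR' or a bare '|' joins the neighbouring terms into one group, and a '|'
    inside a value ("pass|passwd|password") also lists alternatives."""
    groups, join_next = [], False
    for tok in shlex.split(dork):
        if tok.upper() in ("OR", "|"):
            join_next = True
            continue
        tok = tok.strip("()")
        negated = tok.startswith("-")
        if negated:
            tok = tok[1:]
        op, sep, val = tok.partition(":")
        if not sep or op.lower() not in OPERATORS:
            op, val = "any", tok            # a plain word or phrase searches everything
        term = (negated, op.lower(), [v for v in val.split("|") if v])
        if join_next and groups:
            groups[-1].append(term)
            join_next = False
        else:
            groups.append([term])
    return groups


def _operator_hits(op, value, page):
    parsed = urlparse(page.url)
    host = (parsed.hostname or "").lower()
    rx = _wildcard_regex(value)
    if op in ("intitle", "allintitle"):
        return bool(rx.search(page.title))
    if op in ("intext", "allintext"):
        return bool(rx.search(page.body))
    if op in ("inurl", "allinurl"):
        return bool(rx.search(page.url))
    if op == "site":
        v = value.lower().lstrip(".")
        return host == v or host.endswith("." + v)
    if op in ("filetype", "ext"):
        return parsed.path.lower().endswith("." + value.lower())
    return any(rx.search(field) for field in (page.title, page.body, page.url))


def _term_matches(term, page):
    negated, op, alts = term
    found = any(_operator_hits(op, v, page) for v in alts)
    return found != negated                 # '-' inverts the whole term


def matches(dork, page):
    """True when every group has at least one matching term."""
    return all(any(_term_matches(t, page) for t in group) for group in parse_dork(dork))


def find(dork, pages):
    """URLs from the inventory that the dork would surface."""
    return [p.url for p in pages if matches(dork, p)]


if __name__ == "__main__":
    for dork in ('intitle:"index of" data', '"# -FrontPage-" inurl:service.pwd',
                 'intitle:phpMyAdmin "running on * as root@*"', 'site:example.edu -ext:php'):
        print(f"{dork:45} -> {find(dork, INVENTORY)}")
```

Because the matcher sees the page body and not Google's index, it also finds things Google has not crawled yet, which is exactly when you want to fix them.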

You can also use Google to find programs with vulnerabilities. For example, after the source code of zeroboard was found to be vulnerable some time ago, we could use Google to find sites running it:
intext:zeroboard filetype:php
or:
inurl:outlogin.php?_zb_path= site:.jp
to find the pages we need. phpMyAdmin is a powerful database administration tool. Because of misconfiguration on some sites, phpMyAdmin can be operated directly without a password; Google finds such installations with:
intitle:phpMyAdmin intext:"Create new database"
Figure 2

Remember http://www.xxx.com/_vti_bin/..%5C..%5C..%5C..%5C..%5C../winnt/system32/cmd.exe?dir? With Google you can still find plenty of antique machines vulnerable to it, and the same approach finds pages with other CGI vulnerabilities:
allinurl:winnt system32
Figure 3

As mentioned earlier, Google can also find database files, and some syntax lets you search more precisely (Access databases, MSSQL and MySQL connection files, and so on). For example:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data   // common on misconfigured Apache+Win32 servers
By the same principle, Google can also find admin back ends; the method is the same few operators. After all, the purpose of this article is to make everyone aware of Google Hacking, not to get you to use Google for destruction. Security is a double-edged sword; the key is how you use it.

Implementation and Application of Google Hacking (II)

Author: sniper
Site: www.4ngel.net
Date: 05/01/26
This article is for technical discussion and research only; do not use it for any other purpose.
Part I of this article can be found at 4ngel.net.

Google can be used to gather information about a site and to penetrate it. Next we use Google to test a specific site: www.xxxx.com is a well-known university in China, and I decided on a whim to test its website (all information about the school in this article has been redacted; please do not try to work out which one it is :).
First, use Google to look at some basic information about the site (some details omitted):
site:xxxx.com
The results reveal the domain names of several departments:
http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
Pinging them shows they are on different servers (compared with our school's poor web server, this university is rich). Schools generally hold plenty of good documents, so let's see:
site:xxxx.com filetype:doc
That gives n useful doc files. Next, look for the admin back ends:
site:xxxx.com intext:管理
site:xxxx.com inurl:login
site:xxxx.com intitle:管理
(管理 means management/admin.) Two admin back ends, among others:
http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_admin/login_in.asp
Pretty good. Let's see which technologies the servers run:
site:a2.xxxx.com filetype:asp
site:a2.xxxx.com filetype:php
site:a2.xxxx.com filetype:aspx
site:a3.xxxx.com filetype:asp
site: .......
......
a2 runs IIS with ASP and also a PHP forum.
a3 is also IIS, with ASPX and ASP; the web applications appear to be developed in-house. Since there is a forum, check whether anyone posted a public FTP account or similar:
site:a2.xxxx.com intext:ftp://*:*
Nothing of value. Check for upload pages next:
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
A file upload page turns up on a2:
http://a2.xxxx.com/sys/uploadfile.asp
Opening it in IE gave no access permission. Try injection instead:
site:a2.xxxx.com filetype:asp
That gives the addresses of n ASP pages; let the tool do the grunt work. The program clearly does nothing to prevent injection. The db_owner privilege is not high, but it is enough; I got a shell I don't much like, and the database turned out not to be small. The web administrator's password was exposed directly, but as an MD5 hash. Passwords on school sites are usually fairly regular, typically a variation of the domain name plus a phone number, so Google helps again:
site:xxxx.com   // obtain n second-level domain names
site:xxxx.com intext:*@xxxx.com   // obtain n email addresses and their owners' names
site:xxxx.com intext:电话   // n phone numbers (电话 = telephone)
Build a dictionary from that information and run it slowly. After a while four accounts came out: two from the student union, one administrator and one that is probably a teacher's. Log in:
Name: website administrator
Pass: a2xxxx7619   // as predicted, domain name + 4 digits
How to escalate privileges is outside the scope of this article.
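Added example (not the author's tool): the dictionary step above, written out. Given the domain labels and phone numbers harvested with site:, intext:*@domain and the phone search, it generates the "domain name + digits" candidates the author describes, tries the OSINT-derived suffixes first and the full four-digit space second, and compares MD5 hashes until one matches. The labels, phone number and target hash below are constructed sample data. The demonstration is also the argument against the scheme: the whole candidate space is a few tens of thousands of unsalted MD5 hashes, which is milliseconds of work.

```python
"""Targeted 'domain + digits' dictionary against an unsalted MD5 hash."""
import hashlib


def md5_hex(text):
    """Unsalted MD5 as the web application in the article stored it."""
    return hashlib.md5(text.encode()).hexdigest()


def candidates(labels, phones, digits=4):
    """Yield guesses in order of cost.
    labels: domain labels found via site: (e.g. 'a2example', 'example')
    phones: phone numbers found via intext: searches, any formatting"""
    fragments = []
    for phone in phones:
        d = "".join(ch for ch in phone if ch.isdigit())
        for frag in (d, d[-4:], d[-6:], d[:4]):          # whole number and its ends
            if frag and frag not in fragments:
                fragments.append(frag)
    for label in labels:
        for frag in fragments:                          # OSINT suffixes: tiny, high yield
            yield label + frag
            yield frag + label
        for n in range(10 ** digits):                   # then exhaust 'label + 4 digits'
            yield f"{label}{n:0{digits}d}"


def crack(target_hex, labels, phones, digits=4):
    """Return the candidate whose MD5 equals target_hex, or None."""
    target = target_hex.lower()
    for guess in candidates(labels, phones, digits):
        if md5_hex(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: labels and phone as an attacker would harvest them,
    # and a hash of a password built the way the article describes.
    labels = ["a2example", "example"]
    phones = ["010-1234-7619"]
    target = md5_hex("a2example7619")
    print("recovered:", crack(target, labels, phones))
```

The same generator, with a proper password policy in place, should find nothing; if it recovers an administrator's password from public material alone, the password policy is the finding.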

Prevention of Google Hacking:
See the earlier article: http://www.4ngel.net/article/26.htm.
However, I personally don't recommend that method; it is a bit like the proverbial sign "no three hundred taels of silver buried here", advertising exactly what you are hiding. The simple way is to have Google remove information about your site through this URL:
http://www.google.com/remove.html
A few days ago I saw a discussion of using a script to fool the crawler, and I think it is worth a try. Note that the check relies on the User-Agent header alone, so anyone can bypass it by changing their own User-Agent, and serving Googlebot different content from ordinary visitors (cloaking) violates Google's webmaster guidelines.
The code is as follows:
PHP:
<?php
// Googlebot's User-Agent contains the string "Googlebot" with a capital G;
// stripos() is used because strstr() is case-sensitive and would miss it.
if (isset($_SERVER['HTTP_USER_AGENT'])
    && stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: http://www.google.com');
    exit; // stop before any page content is sent
}
?>

ASP:
<%
' vbTextCompare makes the match case-insensitive
If InStr(1, Request.ServerVariables("HTTP_USER_AGENT"), "googlebot", vbTextCompare) > 0 Then
    Response.Redirect("http://www.google.com")
End If
%>

Postscript
I looked at some foreign Google hacking research sites this time. In fact, almost all of it comes down to flexible use of the basic syntax, or to combining a search with some script vulnerability; it mainly depends on flexible thinking. Defensive measures against Google hacking are not plentiful abroad either, so there is no ready-made fix to wait for. Administrators running Apache on Windows should pay particular attention to this: an intitle:"index of" brings almost all of them out :)
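Added example (not from the article): the directory listings that intitle:"index of" finds and the .bak/.inc/.mdb files that filetype: finds are both web-server configuration problems, so the durable countermeasure lives in the server rather than in User-Agent tricks or Google's removal form. The Apache 2.4 fragment below turns off automatic indexes, refuses to serve backup, include, database and password files wherever they were left, hides dotfiles such as .bash_history and .htpasswd, and puts the phpMyAdmin path behind authentication. Paths, the realm name and the /phpmyadmin location are placeholders; the directives are the same on Windows and Linux.

```apache
# Added example (not from the article). Apache 2.4 syntax; paths are placeholders.

<Directory "/var/www/html">
    # No automatic "Index of /..." listings anywhere under the document root
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Backups, include files, Access/MySQL dumps and FrontPage password files
# must never be served, whatever directory they were left in
<FilesMatch "\.(bak|old|orig|inc|mdb|sql|dump|pwd|log)$">
    Require all denied
</FilesMatch>

# Dotfiles: .bash_history, .sh_history, .htpasswd, .htaccess
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Version-control metadata that often ships with a deployment
<DirectoryMatch "/\.(git|svn)">
    Require all denied
</DirectoryMatch>

# Administrative tools get authentication, not obscurity.
# Keep the password file outside the document root.
<Location "/phpmyadmin">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/.htpasswd-pma"
    Require valid-user
</Location>
```

After reloading, confirm with a browser that a directory without an index file returns 403 rather than a listing, and that a request for an existing .bak or .inc file is refused; those two checks cover most of the dorks quoted on this page. Remove phpinfo pages outright rather than hiding them.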

Reprinted Please note: Ox x ADMA» http://www.nxadmin.com/web/120.html
