Google Hacking is actually not a new thing. At that time, I did not pay attention to this technique and thought that webshells and the like were not of much practical use. Google Hacking is actually not so simple...
Frequently used Google keywords:
foo1 foo2 (that is, association, such as searching for "XX Company XX beauty")
operator:foo
filetype:123 (the file type)
site: (more interesting than viewing the website directly; it can turn up a lot of unexpected information)
intext:foo
intitle:fooltitle (the title)
allinurl:foo (searches for all related links of the XX website; required)
links:foo (as the name says, its related links)

We can use "-" and "+" to adjust the search accuracy.
Search directly for passwords (quotation marks mean an exact search):
Of course, we can run a secondary search on the above results.
"index of" htpasswd / passwd
filetype:xls username password email
"config.php"
allinurl:admin mdb
service filetype:pwd ... or, for example, the password file suffix of pcAnywhere, cif, etc.
It gets more and more interesting, with more and more sensitive information:
"robots.txt" "disallow:" filetype:txt
inurl:_vti_cnf (the key index of FrontPage; a scanner's CGI library generally includes this location)
allinurl:/msadc/samples/selector/showcode.asp
/examples/jsp/snp/snoop.jsp
intitle:index of /admin
intitle:"documentation"
inurl:5800 (VNC port), or the desktop port, in a multiple-keyword search
Webmin port 10000
inurl:/admin/login.asp
intext:powered by gbook365
intitle:"php shell *" "enable stderr" filetype:php (directly searches for PHP webshells)
filetype:inc

ipsec filetype:conf
intitle:"error occurred" ODBC request where
"Dumping data for table" username password
intitle:"Error Using hypernews"
"Server software"
intitle:"http_user_agent = googlebot"
"http_user_agent = googlebot" ths Admin
filetype:.doc site:.mil classified
Searching with multiple keywords:
intitle:config confixx login password
"" Nessus report
"Report generated"
Google cache exploitation (hoho, the most influential thing): it is recommended that you search across multiple websites.
Special recommendation: administrator, users and other related things, such as names and birthdays ... these can also be used as a dictionary.


A collection of tips:
1) index.of.password
2) "Access denied for user" "Using password"
3) "http://*:*@www" domainname
4) auth_user_file.txt
5) the master list
6) allinurl:admin mdb
7) passlist.txt (a better way)
8) "A syntax error has occurred" filetype:ihtml
9) "#-FrontPage-" inurl:service.pwd
10) ORA-00921: unexpected end of SQL command

1) filetype:blt "buddylist"
2) intitle:"index of" inurl:ftp (pub | incoming)
3) filetype:cnf inurl:_vti_pvt access.cnf
4) allinurl:"/*/_vti_pvt/" | allinurl:"/*/_vti_cnf/"
5) inurl:"install/install.php"
6) intitle:"Welcome.to.squeezebox"
7) intext:""bitboard v2.0" bitshifters bulletin board"
8) intitle:login intext:"RT is ? Copyright"
9) ext:php program_listing intitle:mythweb.program.listing
10) intitle:index.of abyss.conf
Simple implementation of Google Hacking
Some Google syntaxes can provide us with a lot of additional information (of course, they can equally provide those inclined to attack with much of what they want). The following describes some frequently used syntaxes.
intext: uses text in the body of the webpage as the search condition. For example, entering "intext:Net" in Google returns all the web pages that contain "Net" in the page body. allintext: is used in a similar way to intext.
intitle: similar to intext above, but searches for page titles that contain the characters we are looking for. For example, searching intitle:Security Angel returns all the web pages whose titles contain "Security Angel". Similarly, allintitle: is similar to intitle.
cache: searches Google's cache of some content; this may sometimes turn up some good stuff.
define: searches for the definition of a word. Searching define:hacker returns the definition of hacker.
filetype: I would particularly recommend this one, whether for a web attack or for the information collection on specific targets that we will talk about later. It searches for files of a specified type. For example, entering filetype:doc returns all file URLs ending with doc. Of course, if you look for .bak, .mdb or .inc, the information you get may be richer :)
info: queries the basic information of a specified website.
inurl: searches for the specified characters in the URL. For example, if you enter inurl:admin, N links similar to this are returned:
The URL is good. allinurl is similar to inurl, and multiple characters can be specified.
link: for example, search: inurl: can return all URLs connected to
site: this is also very practical. For example, site: will return all URLs related to this site of

Some other operators are also very practical:
+ Includes words that Google might otherwise ignore in the query
- Ignores a word
~ Synonyms
. Single-character wildcard
* Wildcard, which can represent multiple letters
"" Exact query
Let's start with the actual application
The following content is searched on Google. For a malicious attacker, the password file is probably what interests him most, and because of its powerful search capabilities, Google often exposes such sensitive information to them. Use Google to search for the following content:
intitle:"index of" etc
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"#-FrontPage-" inurl:service.pwd
Sometimes, for various reasons, important password files are exposed to the network without protection. If they are obtained by someone with ill intent, the harm is very high.

Google can also be used to search for programs with vulnerabilities. For example, a file code disclosure vulnerability was found in zeroboard some time ago, and Google can be used to find websites that run this program:
intext:zeroboard filetype:php
Or use:
inurl:outlogin.php?_zb_path= site:.jp
to find the pages we need. phpMyAdmin is a powerful database operation program. Because some websites are misconfigured, phpMyAdmin can be operated directly without a password. We can use Google to search for program URLs with such vulnerabilities:
intitle:phpMyAdmin intext:Create new database
Http:// Dir? Search with Google, and you may find many antique machines. We can also use this to find pages with other CGI vulnerabilities.
allinurl:winnt system32
As mentioned above, Google can be used to search for database files, and some syntax can be used to precisely search for many other things (Access databases, MSSQL and MySQL connection files, etc.). Examples:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data // This often occurs on Apache + Win32 servers with incorrect configuration.
By the same principle, we can also use Google to find the admin back end.
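One way to check your own document root for what the password-file and database-file queries above look for, as an added example (not code from the original article). The pattern list is taken from the queries on this page; the index file names, the function names and the sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# File-name patterns taken from the search queries listed on this page
# (password files, shell histories, Access databases, include/backup files).
SENSITIVE_PATTERNS = [
    ".bash_history", ".sh_history", "passwd", "master.passwd", "shadow",
    "spwd*", "pwd.db", "people.lst", "*htpasswd", "auth_user_file.txt",
    "passlist.txt", "access.cnf", "*.pwd", "*.mdb", "*.inc", "*.bak",
    "*.conf", "*.cif",
]
# FrontPage metadata directories named in the queries.
SENSITIVE_DIRS = {"_vti_cnf", "_vti_pvt"}
# Assumption: the index file names your server serves by default; adjust to
# match your own DirectoryIndex / default-document setting.
INDEX_FILES = {"index.html", "index.htm", "index.php", "index.jsp",
               "default.asp", "default.aspx"}


def rel_path(path, root):
    """Path relative to the document root, with forward slashes on every OS."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def audit_docroot(root):
    """Return (sensitive_files, sensitive_dirs, listable_dirs) found under root.

    listable_dirs are directories without an index file: if automatic
    directory listing is enabled, each one is served as an "Index of" page.
    """
    files, dirs, listable = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            if any(fnmatch.fnmatchcase(name.lower(), pat)
                   for pat in SENSITIVE_PATTERNS):
                files.append(rel_path(os.path.join(dirpath, name), root))
        for name in dirnames:
            if name.lower() in SENSITIVE_DIRS:
                dirs.append(rel_path(os.path.join(dirpath, name), root))
        if not INDEX_FILES.intersection(n.lower() for n in filenames):
            listable.append(rel_path(dirpath, root))
    return sorted(files), sorted(dirs), sorted(listable)


def build_sample_docroot(root):
    """Create a small constructed document root (sample data, not a real site)."""
    sample = [
        "index.html", ".bash_history", "admin/login.asp", "data/bbs.mdb",
        "include/conn.inc", "_vti_pvt/service.pwd",
        "backup/index.html", "backup/site.bak",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


def demo():
    """Audit the constructed sample tree and return the three result lists."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return audit_docroot(root)


if __name__ == "__main__":
    found_files, found_dirs, listable_dirs = demo()
    for label, items in (("sensitive file", found_files),
                         ("FrontPage metadata dir", found_dirs),
                         ("no index file (listable if autoindex is on)",
                          listable_dirs)):
        for item in items:
            print(f"{label}: {item}")
```

Anything reported as a sensitive file should be moved out of the document root or denied by the server configuration, and directory listing should be switched off for the directories reported as listable.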

Google can fully serve for information collection and penetration against a website. Below we will use Google to run a trial against a specific website.
First, use Google to check some basic information about the website (some details are omitted):
Find the domain names of several school departments from the returned information:
By the way, I pinged them; they should be on different servers. Schools generally have a lot of good information. Let's see if there are any good things.
Site: filetype: Doc
Get n good doc files.
First look for the website management background address:
Site: intext: Management
Site: inurl: Login
Site: intitle: Management
More than 2 Admin backend addresses:
Http:// 88/_ admin/login_in.asp
Pretty good. Let's see what programs are running on the server:
Site: filetype: ASP
Site: filetype: PHP
Site: filetype: aspx
Site: filetype: ASP
Site :.......
The a2 server should be running IIS; the whole site is an ASP program, plus a PHP forum.
The a3 server is also IIS, aspx + ASP. The web programs should all be developed in-house. Since there is a forum, let's see whether any public FTP account or the like turns up:
Site: intext: ftp ://*:*
No value found. Let's see if there are any upload vulnerabilities:
Site: inurl: File
Site: inurl: Load
A file upload page is found on A2:
I checked it with IE and did not have permission to access it. Try injection:
Site: filetype: ASP
Get the addresses of n ASP pages, and let the software do the manual labor. This program obviously does not prevent injection; the dbowner permission is not high, but it is enough, and the back a shell is not very nice.
And it seems that the database is not small, and the password of the web administrator is directly exposed, although it is MD5-encrypted. In general, the passwords of school websites are fairly regular, usually a variation of the domain name + telephone number, so this should be done with Google.
Site: // obtain N second-level domain names
Site: intext: * @ // get n email addresses and the name of the email owner.
Site: intext: Phone Number // n
Create a dictionary from the information and then run it slowly. After a while, the run produced four accounts, two of which were from the student union, one an administrator, and the other possibly a teacher's account. Login:
Name: website administrator
Pass: a2xxxx7619 // Let's talk about it, that is, the domain name + 4 digits
The question of how to escalate privileges is outside the topic of this article.

During this time, I looked at some Google hack research sites outside China. In fact, they are much the same: flexible use of some basic syntaxes, or combination with a script vulnerability, relying mainly on flexible personal thinking. There are not many defense measures against Google hack abroad either, so let's leave it at that, and don't try to carry out attacks. Network administrators running Apache on Windows should pay more attention to this aspect; an intitle:index of search finds almost all of them :)
1. Searching for PHP webshells
intitle:"php shell *" "enable stderr" filetype:php
(Note: intitle is the webpage title; enable stderr is the UNIX standard output and standard error; filetype is the file type.) In the search results you can find many web shells that run commands directly on the machine. If you do not know how to use a phpshell you find and are not familiar with Unix, you can simply look at the list; we will not discuss it in detail here, although it has a lot of value. Note that some of the foreign phpshells found this way use Unix commands, all of which are run through the system call function. (In fact, Baidu and other search engines can do this too; only the search content you fill in is different.) This PHP webshell can run echo directly (a command often used in UNIX). One line:

echo "summon" > index.jsp

Now we have changed the homepage to "summon".
We can also use wget to upload a file (for example, the page you want to replace it with). In Execute Command, enter cat File > index.html or echo "" > File
echo "test" > File
In this way, the homepage is replaced successfully. The same

uname -a; cat /etc/passwd
It is just worth noting that some webshell programs have problems and cannot run,
2. Search for Inc sensitive information
In the Google search box, enter:
.org filetype:inc


To ...........
info: returns some basic information.
site: returns all related URLs.
link: returns all the sites that link to the site.

site: filetype:txt searches for TXT files; other file types follow by analogy

Search for the background
Site: intext: Management
Site: inurl: Login
Site: intitle: Background

View the programs used by the server
Site: filetype: ASP
Site: filetype: PHP
Site: filetype: JSP
Site: filetype: aspx

View upload vulnerabilities:
Site: inurl: File
Site: inurl: Load

Search for injection points:
Site: filetype: ASP

========================

1. Google Introduction

Google is a search engine developed in September 1998 by two Stanford University doctoral students, Larry Page and Sergey Brin. Google Inc. was founded in 1999. In July 2000, Google replaced Inktomi as Yahoo's search engine. In September of the same year, Google became the search engine of Netease in China. Since 1998, Google has won more than 30 industry awards.

2. Google features

Google supports up to 132 languages, including simplified Chinese and Traditional Chinese;

Google sites only provide search engine functions, so they do not have to worry about anything;

Google is extremely fast. It is said that there are more than 8000 servers and more than 200 T3-level broadband;

Google's patented webpage-level technology PageRank can provide search results with a high hit rate;

Google's search results extract the detailed content of a Web page, not just a brief introduction to the site;

Google's smart "good luck" function provides websites that may best meet the requirements;

Google's "Web page snapshot" function can directly retrieve cached web pages from Google's servers.

3. Basic Search: +, -, OR

Google does not need an explicit "+" to represent the logical "AND" operation; a space is enough.

Demo: search for a Chinese webpage that includes keywords "yijinjing" and "Suck stars **

Search: "Easy to suck stars **"

Result: You have searched for the Chinese (simplified) webpage about Yi Jinjing's sucking stars. There are about 726 query results, which are 1-10. The search time is 0.13 seconds.

Note: The quote outside the search syntax in the article can only be referenced and cannot be included in the search bar.

Google uses the minus sign "-" to indicate the logical "NOT" operation.

Demo: Search for Chinese webpages that contain "yijinjing" but not "Xingxing **

Search: "yijinjing-attracting stars **"

Result: You have searched for a Chinese (simplified) webpage about yijinjing-Xingxing. There are about 5,440 query results, which are 1-10. The search time is 0.13 seconds.

Note: "+" and "-" are English characters, rather than Chinese characters "+" and "-". In addition, there must be no space between the operator and the keyword. For example, "Yi Jinjing-sucking stars **", the search engine will be treated as a logical "and" operation, and the "-" in the middle will be ignored.

Google uses uppercase "OR" to indicate the logical "or" operation. However, OR queries with Chinese keywords are buggy, and the correct query result cannot be obtained.

Demo: search for Chinese webpages that include either "Britney" or "Beatles".

Search: "Britney OR Beatles"

Result: You have searched for Chinese (simplified) web pages about Britney OR Beatles. There are about 14,600 query results, which are 1-10. The search time is 0.08 seconds.

Search: "branny or the Beatle"

Result: The webpage that matches your query-branny or Beatle-is not found.

Note: The lower-case "or" will be ignored during the query. In this way, the above operation is actually a "and" query.

"+" And "-" play the same role sometimes, to narrow down the search results and increase the query result hit rate.

For example, refer to the details of tianlong Babu.

Analysis: If "tianlong Babu" is used as the keyword, there are 26,500 search results, and the top priority is mainly related to Jin Yong's novel "tianlong Babu". It is very difficult to find the required information. Two methods can be used to reduce irrelevant results.

1. Suppose you know one of the eight parts, such as Asura, add? There are only 995 items in the search results for "axura" keyword. You can directly find all eight parts, "axura, tianlong Babu ".

2. If you do not know any of the eight parts, but you know that it is related to Buddhism, You can exclude the records related to Jin Yong's novels. The query result is 1,010 items, can quickly find the required information, "Arn, Arn, And Arn Buddhism-Jin Yong ".

4. Secondary search: wildcard characters, uppercase and lowercase letters, sentences, ignore characters, and forced search

Google does not support wildcards such as "*" and "?". It can only perform exact queries; a "*" or "?" after a keyword is ignored.

Google is not sensitive to uppercase and lowercase English characters. The search results for "GOD" and "god" are the same.

Google's keyword can be a phrase (without spaces in the middle) or a sentence (with spaces in the middle). However, when using a sentence for keyword, you must add an English quote.

Example: search for a page containing the "Long, long ago" string.

Search: "Long, long ago ""

Result: about 28,300 query results have been searched for "Long, long ago". This is item 1-10. The search time is 0.28 seconds.

Note: Unlike searching for English keyword strings, Google does not properly process Chinese strings. For example, if you search for "Ah, my sun", we hope the result contains this sentence. This is not the case. There are a lot of query results. Words like "ah", "my", and "sun" are completely separated, but they are not like "Ah my sun. Obviously, Google still lacks support for Chinese characters.

Google ignores frequently used words (mainly English words) such as "I" and "com", and some symbols such as "*" and ".". If the user requires the keywords to include these frequently used words, the forcing syntax "+" must be used.

Demo: search for pages containing "Who am I ?". If we use "who am I ?" as the keywords, "who", "I" and "?" will be omitted and the search will only use "am" as the keyword, so forced search should be used.

Search: "+who +am +I"

Result: A total of 362,000 query results have been found on the Internet for "+who +am +I". This is item 1-10. The search time is 0.30 seconds.

Note: English symbols (such as question marks, periods, and commas) cannot be used as search keywords, even with forcing.

5. Advanced Search: site, Link, inurl, allinurl, intitle, allintitle

"Site" indicates that the search results are limited to a specific site or site channel, such as "", "", or a domain name such as "" or "com. If you want to exclude a website or a page within the domain name range, you only need "-site/domain name ".

Demo: Search for Chinese education and scientific research sites ( on all pages including "Jin Yong.

Search: "Jin Yong site:"

Result: The Chinese (simplified) webpage related to Jin Yong site: has been searched. There are about 2,680 query results, which are 1-10. The search time is 0.31 seconds.

Demo: Search for Chinese Sina site pages that contain "Jin Yong" and "Gu Long,

Search: "Jin Yong Gulong"

Result: The Chinese (simplified) webpage about Jin Yong Gulong has been searched in There are about 869 query results, which are 1-10. The search time is 0.34 seconds.

Note: The colon after the site is an English character and cannot contain spaces after the colon. Otherwise, "site:" is used as a search keyword. In addition, the website domain name cannot have a prefix of "HTTP" and "www", or a folder Suffix of "/". The website channel is only limited to "channel name. domain Name, rather than domain name/channel name. For example, the syntax "Jin Yong site:" is incorrect.

The "Link" syntax returns all webpages that are linked to a specific URL.

Demo: search for all webpages directed to in the Software Park of the Chinese army.

Search: "link:"

Result: a webpage with a link to is searched. There are about 695 query results, which are 1-10. The search time is 0.23 seconds.

Note: "Link" cannot be mixed with other syntaxes, so "link:" will be ignored by Google even if there are spaces behind it.

The webpage link returned by inurl syntax includes the first keyword, and the subsequent keyword is displayed in the link or webpage document. There are many sites that display a type of resource names with the same attributes in the folder name or webpage name, such as "MP3" and "gallary". Therefore, you can use the inurl syntax to find the relevant resource links, and then use the second keyword to determine whether a specific detailed information exists. The biggest difference between inurl syntax and Basic Search syntax is that the former can usually provide very accurate topic information.

Demo example: Find the Midi Music "a smile in the sea ".

Search: "inurl: MIDI"

Result: You have searched the Chinese (simplified) webpage for inurl: Midi. There are about 14 query results, which are 1-10. The search time is 0.01 seconds.

Demo: find information about Windows security on the Microsoft Site.

Search: "inurl:security Windows2000 site:"

Result: The Web page about inurl:security Windows2000 has been searched in There are about 198 query results, which are 1-10. The search time is 0.37 seconds.

Note: "inurl:" cannot be followed by spaces. Google does not handle URL symbols correctly; for example, Google treats "/" in "cgi-bin/phf" as a space.

The link to the webpage returned by the allinurl syntax includes all query keyword. The query object is only a link string of the webpage.

Demo: search for websites that may have phf security vulnerabilities. The cgi-bin folder of these sites typically contains the phf script program (which is insecure), which shows up in links as "domain name/cgi-bin/phf".

Search: "allinurl:"cgi-bin" phf +com"

Result: You have searched allinurl:"cgi-bin" phf +com. For about 40 query results, this is item 1-10. The search time is 0.06 seconds.

The usage of allintitle and intitle is similar to the preceding allinurl and inurl. Only the latter queries the URL, while the former queries the title bar of the webpage. The webpage title is a part of the HTML markup language title. One principle of web page design is to express the key content of the home page in a concise language in the webpage title. Therefore, you can only query the title bar to find a topic page with a high correlation rate.

Demo: search for a collection of photos about banned political posts, such as Teng Yuanji.

Search: "intitle: tengyuan jixiang photo"

Result: You have searched for a Chinese (simplified) webpage on intitle: tengyuan jixiang. There are about 284 query results, which are 1-10. The search time is 0.03 seconds.

Google's Advanced Search Syntax: related, cache, Info

Related is used to search for webpages with similar structure content. For example, search for all pages similar to the Chinese Sina homepage (such as Netease homepage, Sohu homepage, and chinacnet homepage) and "related: ".

The cache is used to search for the cached copy of a page on Google's servers. This function is the same as "Web page snapshot" and is often used to find deleted dead-link webpages; it is equivalent to using the "Web snapshot" function on the general search result page.

Info is used to display a series of searches related to a link. It provides the cache, Link, related, and webpage functions that fully include the link.

Demo: search for information related to the Sina homepage.

Search: ""

Result: The webpage information about is displayed.

Sina Homepage

Beijing Station Shanghai Station Guangdong station... game world, |, audio and video entertainment, |, club, |, male

People and women, |, forum chat, |, fashion trend, |, culture, education, parenting, |, driving world, |,

Software Download ....

Google provides the following URL Information:

View the archives of in a Google Snapshot

Search for webpages similar to

Search for webpages with links to

Search for webpages including 'www'

Vi. Other important functions

Folder Service

If you do not want to search for a webpage, but want to find some special sites, you can ask Google's category folder "Category /". Google's folders are provided by volunteers, while Google's domestic names are relatively small. Therefore, there are very few Websites under Chinese folders.

Tool bar

To facilitate searchers, Google provides a toolbar that is integrated into a browser. You can enter keyword in the toolbar without opening the Google homepage. In addition, the toolbar provides many other functions, such as displaying pages with PageRank. The most convenient thing is that you can quickly switch between the Google homepage, folder service, newsgroup search, advanced search, and search settings. If you want to install Google's Toolbar, you can ask ", and press the page prompt to download and install the toolbar.

Usenet search

Newsgroups contain a large amount of valuable information. Deja has always been one of the top newsgroup search engines. In February 2001, Google acquired Deja and provided all Deja functions. Today, in addition to searching, Google also supports the Web browsing and posting functions of newsgroups.

Enter "" to enter the Google newsgroups. Unfortunately, there is no Chinese interface yet. Because there are so many posts in the newsgroups, I click "Advanced Groups Search" to go to the advanced search page. The advanced newsgroup search interface provides conditional searches by keyword, newsgroup, topic, author, post number, language, and publication date. The author item refers to the unique identifier, the email address, that the author uses to post. For example, if you want to search for posts by the famous online writer Tuya in alt.chinese.text, you can use the following search syntax: "group:alt.chinese.text author:[email protected]". In general, we recommend that you use the graphical search interface for convenient and intuitive searching.

Search Result Translation

Have you ever worried about pages in French and Spanish that you cannot understand? Today, Google supports a search result translation function, which can translate non-English search results into English!! Although only a limited set of languages (Latin, French, Spanish, German and Portuguese) is supported, I have to admit that this is a great improvement.

However, Google can only provide this function in English. Go to the Google settings page, find the option "beta: enable translation of search results into your interface language.", and select it.

Search Result Filtering

The adult content on the Internet is vast, and many sites have spoofing or other bad intentions. Visitors can very easily fall into the trap. To this end, Google has set up a new adult content filtering feature. For details, see the Google settings page, where the SafeSearch filtering option is available at the bottom. However, Google does not yet have this function in Chinese.

PDF Document Search

One thing I particularly appreciate for Google is that it provides retrieval of internal documents in PDF files. Currently, Google searches about 25 million PDF documents. This is amazing. PDF is an electronic document format developed by Adobe and has become an electronic publishing standard for the Internet. PDF documents are generally comprehensive documents with images and texts. The information provided is generally more comprehensive than the summary.

Demo: Search for PDF documents about e-commerce.

Search: "inurl:pdf eCommerce"

Result: about 19,200 query results have been searched for inurl:pdf eCommerce on the Internet. This is item 1-10. The search time is 0.11 seconds.

The following is a search result:


Outsourcing Electronic Commerce Business Case White Paper by: John P. Sahlin, product

Marketing implements sonial (PMP) Implementation manager, web engineering...

General text files-similar web pages

As you can see, Google added the [PDF] Mark before the PDF file. In addition, Google converted the PDF file into a text file and clicked "general text file ", you can roughly view the general content of this PDF document. Of course, the original PDF images and formats are gone.

Image Document Search

Google provides an Internet image file search function!! This function is currently in the beta testing phase, but it is very useful. The address to visit is "". You can enter keywords describing the image content in the keyword field, for example, "Britney Spears". You can also enter keywords describing the image quality or other attributes, such as "high quality".

The search results provided by Google have an intuitive Thumbnail (thumbnail) and a simple description of the thumbnail, such as the file name and size. Click the thumbnail. The page is divided into two tabs. The upper part is the thumbnail of the image and the page Link. The lower part is the page where the image is located. There is a "Remove frame" button in the upper-right corner of the screen, which can quickly switch the frame page to the result page of a single frame, which is very convenient. Google also provides adult content image restrictions to protect searchers from unnecessary harassment.

However, the image search function does not support Chinese characters.

