Google Hacking (Google hack)

Goole Hacker (Google hack) Google Hacker-IntroductionGoogle Hacker (Google hacker) uses Google's search capabilities to find information that hackers want to find. The general is to find the site backstage, network management of personal information, can also be used to find someone on the network activities.

Google Hacker is generally done as a means of hacking at the time of the invasion. In the intrusion process sometimes need to find the background of the landing port needs to use Google HACKER. Sometimes Google also provides an effective platform for finding administrator information when it comes to solving passwords.

Google Hacker Intrusion Method (from the network):
Route print view native Settings network

Intext:
This is one of the characters in the body content of the Web page as a search condition. For example, in Google: intext: NET. All Web pages that contain "moving nets" are returned in the body part of the Web page. Allintext: Use the same method as Intext.

intitle:
Similar to the one above intext, search the page title for the character we are looking for. For example, search: intitle: Security Angel. The page that contains the "Security Angel" in all page headings is returned. Similarly allintitle: similar to intitle.

Cache:
Search Google for some content cache, sometimes you may find some good things oh.

define:
Search for the definition of a word, search: Define:hacker, will return the definition of hacker.

filetype:
I'd like to focus on this, whether it's a cast-in-the-net attack or what we're going to say later. Searches for files of the specified type. For example, enter: Filetype:doc. All file URLs ending in Doc are returned. Of course, if you look for. Bak,. MDB or. Inc is also available, and the information may be richer:)

Info:
Finds some basic information for a specified site.

inurl:
Searches for the characters that we specify are present in the URL. For example, input: Inurl:admin, will return n a connection similar to this: Http://www.xxx.com/xxx/admin, The URL used to find the administrator login is good. Allinurl is similar to inurl and can specify multiple characters.

Link:

For example, search: Inurl:www.4ngel.net can return all and www.4ngel.net URLs that have been linked.

site:
This is also useful, for example: Site:www.4ngel.net. will return all URLs associated with 4ngel.net this station.
Yes, there are also some operators that are useful:
+ Google may ignore the list of words such as query scope
-Ignore a word
~ Word of consent
. A single wildcard character
* wildcard character, which can represent multiple letters
"" Exact query

Let's start with the actual application (I am more accustomed to using Google.com, the following are searched on Google), for a malicious attacker, Perhaps he is most interested in the password file. Google, for its powerful search power, often reveals sensitive information to them. Search for the following with Google:

intitle: "IndexOf" etc
intitle: "Indexof". Sh_history
intitle: "Indexof". Bash_history
intitle: "IndexOf" passwd
intitle: "IndexOf" People.lst
intitle: "IndexOf" pwd.db
intitle: "IndexOf" Etc/shadow
intitle: "IndexOf" spwd
intitle: "IndexOf" master.passwd
intitle: "IndexOf" htpasswd
"#-frontpage-" inurl:service.pwd

Sometimes, for a variety of reasons, some important password files are exposed to the network unprotected, and if it is obtained by someone with ulterior motives, then the harm is great. Here is the passwd file of a FreeBSD system I have found (which I have handled):

You can also use Google to search for some vulnerable programs, such as Zeroboard discovered a file code disclosure vulnerability in the previous period, we can use Google to find the Web site to use the program:
intext:ZeroBoardfiletype:php

or use:
inurl:outlogin.php?_zb_path=site:.jp

To find the pages we need. phpMyAdmin is a powerful database operating software, some sites due to misconfiguration, we can not use the password directly to the phpMyAdmin operation. We can use Google to search for a program URL that has such a vulnerability:
Intitle:phpmyadminintext:Createnewdatabase

Remember Http://www.xxx.com/_vti_bin/..%5C..%5C....m32/cmd.exe?dir? Looking for Google, you may also find a lot of antique-grade machines. We can also use this to find pages with other CGI vulnerabilities.
Allinurl:winntsystem32
Might

We have simply said that we can use Google to search the database files, with some syntax to find more accurate to get more things (Access database, MSSQL, MySQL connection files, etc.). For example:

Allinurl:bbsdata
Filetype:mdbinurl:database
Filetype:incconn
Inurl:datafiletype:mdb
intitle: "indexof" data//often occurs on servers that are incorrectly configured APACHE+WIN32

And the above principle, we can also use Google to find backstage, the method is slightly, extrapolate can, after all, I write this article is to let everyone understand googlehacking, and not let you use Google to destroy. Security is a double-edged sword, the key is how you use it.

Using Google is completely able to collect and penetrate a site, we use Google to test a specific site. Www.xxxx.com is one of the national famous universities, a chance I decided to test its site (the information involved in the school has been processed, please do not seat:).
First use Google first look at this site some basic situation (some details are omitted):
Site:xxxx.com

From the returned information, find the domain names of several of the schools ' faculties:

Http://a1.xxxx.com
Http://a2.xxxx.com
Http://a3.xxxx.com
Http://a4.xxxx.com
By the way ping a bit, should be on a different server. (Think of our school on that poor Web server, the university is rich, sweat one). Schools will generally have a lot of good information, first see what good things do not:
Site:xxxx.comfiletype:doc

Get n a nice doc. First look for the site's management background address:
Site:xxxx.comintext: Management
Site:xxxx.cominurl:login
Site:xxxx.comintitle: Management

Get over 2 admin backend addresses:
Http://a2.xxxx.com/sys/admin_login.asp
Http://a3.xxxx.com:88/_admin/login_in.asp
It's pretty good to see what's running on the server:
Site:a2.xxxx.comfiletype:asp
site:a2.xxxx.comfiletype:php
Site:a2.xxxx.comfiletype:aspx
Site:a3.xxxx.comfiletype:asp
Site: .....
......

A2 server should be IIS, the above with the ASP's entire station program, there is a PHP forum
The A3 server is also iis,aspx+asp. Web programs should be developed on their own. There is a forum to see if you can meet any public FTP account or something:
site:a2.xxxx.comintext:ftp://*:*

There was nothing of value in finding anything. And then see if there is a bug that uploads a category:
Site:a2.xxxx.cominurl:file
Site:a3.xxxx.cominurl:load

Find a page to upload files on A2:
Http://a2.xxxx.com/sys/uploadfile.asp
Use IE to see a bit, do not have permission to access. Try the injections,
Site:a2.xxxx.comfiletype:asp

Get n ASP page address, physical activity let software do it, this program obviously did not do what to prevent injection, dbowner permission, although not high but enough, backashell I do not like, and look at the database size is not small, directly to the Web administrator's password burst out again, MD5 has been encrypted. General School site Password are more regular, usually is the domain name + phone A class of deformation, with Google to do it.

site:xxxx.com//get n two level domain names
site:xxxx.comintext:* @xxxx. com//get n e-mail address, and the name of the owner of the mailbox or something.
Site:xxxx.comintext: Telephone//n a telephone

Make a dictionary of what information, hang it up and run slowly. After a period of time to run out of 4 accounts, 2 are student union, 1 administrators, there is a possible teacher's account. Log in:
Name: Site administrator
Pass:a2xxxx7619//said, is the domain name + 4 numbers

How to mention the power that does not belong to this article to discuss the visit, oh, so far.

On the precaution of googlehacking

Before we stood Xiaofeng waning Moon wrote an article to evade Google, the principle is through the site root to establish a robots.txt to avoid the network robot to obtain some sensitive information, the specific people see the original article:
Http://www.4ngel.net/article/26.htm
But this method I personally do not recommend, a bit here taste. The simple way to do this is to Google to remove some of its own site information, access to this URL:
Http://www.google.com/remove.html
A few days ago saw another discussion with the program to deceive robot method, I think you can try, the code is as follows:

if (Strstr ($_server "' Http_user_agent '", "Googlebot"))
{
Header ("http/1.1301");
Header ("location:http://www.google.com");
}
?>

Postscript

This period of time in some foreign googlehack research site looked at, in fact, are almost some of the basic grammar of the flexible use, or with a script loophole, mainly rely on personal flexible thinking. Foreign to googlehack aspects of the prevention is not a lot, so we still donuts, do not go to sabotage pull, hehe. For some to run on win
Apache network management should pay more attention to this aspect, a intitle:indexof almost all come out:)