Google is the world’s most popular and powerful search engine. It has the ability
to accept pre-defined commands as inputs which then produces unbelievableresults.
Google’s Advanced Search Query Syntax
Discussed below are various Google’s special commands and I shall be explaining
each command in brief and will show how it can be used for getting confidentialdata.
each command in brief and will show how it can be used for getting confidentialdata.
[ intitle: ]
The “intitle:” syntax helps Google restrict the search results to pages containingthat word in the title.
The “intitle:” syntax helps Google restrict the search results to pages containingthat word in the title.
intitle: login password
will return links to those pages that has the word “login” in their title, and theword “password” anywhere in the page.
Similarly, if one has to query for more than one word in the page title then in that
case “allintitle:” can be used instead of “intitle” to get the list of pages containing
all those words in its title.
intitle: login intitle: password
is same as
allintitle: login password
[ inurl: ]
The “inurl:” syntax restricts the search results to those URLs containing the search
keyword. For example: “inurl: passwd” (without quotes) will return only links tothose pages that have “passwd” in the URL.
The “inurl:” syntax restricts the search results to those URLs containing the search
keyword. For example: “inurl: passwd” (without quotes) will return only links tothose pages that have “passwd” in the URL.
Similarly, if one has to query for more than one word in an URL then in that case
“allinurl:” can be used instead of “inurl” to get the list of URLs containing all those
search keywords in it.
allinurl: etc/passwd
will look for the URLs containing “etc” and “passwd”. The slash (“/”) between the
words will be ignored by Google.
[ site: ]
The “site:” syntax restricts Google to query for certain keywords in a particular
site or domain.
will look for the URLs containing “etc” and “passwd”. The slash (“/”) between the
words will be ignored by Google.
[ site: ]
The “site:” syntax restricts Google to query for certain keywords in a particular
site or domain.
exploits site:hackingspirits.com
will look for the keyword “exploits” in those pages present in all the links of thedomain “hackingspirits.com”. There should not be any space between “site:” andthe “domain name”.
[ filetype: ]
This “filetype:” syntax restricts Google search for files on internet with particular
extensions (i.e. doc, pdf or ppt etc).
will look for the keyword “exploits” in those pages present in all the links of thedomain “hackingspirits.com”. There should not be any space between “site:” andthe “domain name”.
[ filetype: ]
This “filetype:” syntax restricts Google search for files on internet with particular
extensions (i.e. doc, pdf or ppt etc).
filetype:doc site:gov confidential
will look for files with “.doc” extension in all government domains with “.gov”extension and containing the word “confidential” either in the pages or in the“.doc” file. i.e. the result will contain the links to all confidential word document files on the government sites.
[ link: ]
“link:” syntax will list down webpages that have links to the specified webpage.
link:www.expertsforge.com
[ link: ]
“link:” syntax will list down webpages that have links to the specified webpage.
link:www.expertsforge.com
will list webpages that have links pointing to the SecurityFocus homepage. Note
there can be no space between the “link:” and the web page url.
[ related: ]
The “related:” will list web pages that are “similar” to a specified
web page.related:www.expertsforge.comwill list web pages that are similar to the Securityfocus homepage. Note there can be no space between the “related:” and the web page url.
[ cache: ]
The query “cache:” will show the version of the web page that Google has in its cache.
there can be no space between the “link:” and the web page url.
[ related: ]
The “related:” will list web pages that are “similar” to a specified
web page.related:www.expertsforge.comwill list web pages that are similar to the Securityfocus homepage. Note there can be no space between the “related:” and the web page url.
[ cache: ]
The query “cache:” will show the version of the web page that Google has in its cache.
cache:www.hackingspirits.com
will show Google’s cache of the Google homepage. Note there can be no space between the “cache:” and the web page url.
If you include other words in the query, Google will highlight those words withinthe cached document.
cache:www.hackingspirits.com guest
will show the cached content with the word “guest” highlighted.
[ intext: ]
The “intext:” syntax searches for words in a particular website. It ignores links or URLs and page titles.
intext:exploits
will return only links to those web pages that has the search keyword “exploits” in its webpage.
[ phonebook: ]
“phonebook” searches for U.S. street address and phone number information.
phonebook:Lisa+CA
will list down all names of person having “Lisa” in their names and located in“California (CA)”. This can be used as a great tool for hackers incase someone want to do dig personal information for social engineering.
Google Hacks
Well, the Google’s query syntaxes discussed above can really help people to precise their search and get what they are exactly looking for.
Now Google being so intelligent search engine, hackers don’t mind exploiting its ability to dig much confidential and secret information from the net which theyare not supposed to know. Now I shall discuss those techniques in details howhackers dig information from the net using Google and how that information canbe used to break into remote servers.
Index Of
Using “Index of ” syntax to find sites enabled with Index browsing
A webserver with Index browsing enabled means anyone can browse thewebserver directories like ordinary local directories. The use of “index of” syntax to get a list links to webserver which has got directory browsing enabled will bediscussd below. This becomes an easy source for information gathering for ahacker. Imagine if the get hold of password files or others sensitive files which arenot normally visible to the internet. Below given are few examples using whichone can get access to many sensitive information much easily.
Index of /admin
Index of /passwd
Index of /password
Index of /mail
“Index of /” +passwd
“Index of /” +password.txt
“Index of /” +.htaccess
“Index of /secret”
“Index of /confidential”
“Index of /root”
“Index of /cgi-bin”
“Index of /credit-card”
“Index of /logs”
“Index of /config”
Looking for vulnerable sites or servers using “inurl:” or “allinurl:”
a. Using “allinurl:winnt/system32/” (without quotes) will list down all the links tothe server which gives access to restricted directories like “system32” through web. If you are lucky enough then you might get access to the cmd.exe in the “system32” directory. Once you have the access to “cmd.exe” and is able to execute it.
b. Using “allinurl:wwwboard/passwd.txt”(without quotes) in the Google searchwill list down all the links to the server which are vulnerable to “WWWBoardPassword vulnerability”. To know more about this vulnerability you can have alook at the following
link:
http://www.securiteam.com/exploits/2BUQ4S0SAW.html
c. Using “inurl:.bash_history” (without quotes) will list down all the links to theserver which gives access to “.bash_history” file through web. This is a commandhistory file. This file includes the list of command executed by the administrator,and sometimes includes sensitive information such as password typed in by theadministrator. If this file is compromised and if contains the encrypted unix (or*nix) password then it can be easily cracked using “John The Ripper”.
d. Using “inurl:config.txt” (without quotes) will list down all the links to theservers which gives access to “config.txt” file through web. This file contains sensitive information, including the hash value of the administrative passwordand database authentication credentials.
For Example: Ingenium Learning Management System is a Web-based applicationfor Windows based systems developed by Click2learn, Inc. Ingenium LearningManagement System versions 5.1 and 6.1 stores sensitive information insecurelyin the config.txt file. For more information refer the followinglinks:
http://www.securiteam.com/securitynews/6M00H2K5PG.html
Other similar search using “inurl:” or “allinurl:” combined with other syntax
inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:”wwwroot/*.”
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php
inurl:gov filetype:xls “restricted”
index of ftp +.mdb allinurl:/cgi-bin/ +mailto
Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
a. Using [allintitle: "index of /root”+ (without brackets) will list down the links tothe web server which gives access to restricted directories like “root” through web. This directory sometimes contains sensitive information which can be easilyretrieved through simple web requests.
b. Using *allintitle: "index of /admin”+ (without brackets) will list down the links to the websites which has got index browsing enabled for restricted directories like “admin” through web. Most of the web application sometimes uses names like“admin” to store admin credentials in it. This directory sometimes containssensitive information which can be easily retrieved through simple web requests.
Other similar search using “intitle:” or “allintitle:” combined with other syntax
intitle:”Index of” .sh_history
intitle:”Index of” .bash_history
intitle:”index of” passwd
intitle:”index of” people.lst
intitle:”index of” pwd.db
intitle:”index of” etc/shadow
intitle:”index of” spwd
intitle:”index of” master.passwd
intitle:”index of” htpasswd
intitle:”index of” members OR accounts
intitle:”index of” user_carts OR user_cart
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
Other interesting Search Queries
• To search for sites vulnerable to Cross-Sites Scripting (XSS) attacks:
allinurl:/scripts/cart32.exe
allinurl:/CuteNews/show_archives.php
allinurl:/phpinfo.php
To search for sites vulnerable to SQL Injection attacks:
allinurl:/privmsg.php
allinurl:/privmsg.php
will show Google’s cache of the Google homepage. Note there can be no space between the “cache:” and the web page url.
If you include other words in the query, Google will highlight those words withinthe cached document.
cache:www.hackingspirits.com guest
will show the cached content with the word “guest” highlighted.
[ intext: ]
The “intext:” syntax searches for words in a particular website. It ignores links or URLs and page titles.
intext:exploits
will return only links to those web pages that has the search keyword “exploits” in its webpage.
[ phonebook: ]
“phonebook” searches for U.S. street address and phone number information.
phonebook:Lisa+CA
will list down all names of person having “Lisa” in their names and located in“California (CA)”. This can be used as a great tool for hackers incase someone want to do dig personal information for social engineering.
Google Hacks
Well, the Google’s query syntaxes discussed above can really help people to precise their search and get what they are exactly looking for.
Now Google being so intelligent search engine, hackers don’t mind exploiting its ability to dig much confidential and secret information from the net which theyare not supposed to know. Now I shall discuss those techniques in details howhackers dig information from the net using Google and how that information canbe used to break into remote servers.
Index Of
Using “Index of ” syntax to find sites enabled with Index browsing
A webserver with Index browsing enabled means anyone can browse thewebserver directories like ordinary local directories. The use of “index of” syntax to get a list links to webserver which has got directory browsing enabled will bediscussd below. This becomes an easy source for information gathering for ahacker. Imagine if the get hold of password files or others sensitive files which arenot normally visible to the internet. Below given are few examples using whichone can get access to many sensitive information much easily.
Index of /admin
Index of /passwd
Index of /password
Index of /mail
“Index of /” +passwd
“Index of /” +password.txt
“Index of /” +.htaccess
“Index of /secret”
“Index of /confidential”
“Index of /root”
“Index of /cgi-bin”
“Index of /credit-card”
“Index of /logs”
“Index of /config”
Looking for vulnerable sites or servers using “inurl:” or “allinurl:”
a. Using “allinurl:winnt/system32/” (without quotes) will list down all the links tothe server which gives access to restricted directories like “system32” through web. If you are lucky enough then you might get access to the cmd.exe in the “system32” directory. Once you have the access to “cmd.exe” and is able to execute it.
b. Using “allinurl:wwwboard/passwd.txt”(without quotes) in the Google searchwill list down all the links to the server which are vulnerable to “WWWBoardPassword vulnerability”. To know more about this vulnerability you can have alook at the following
link:
http://www.securiteam.com/exploits/2BUQ4S0SAW.html
c. Using “inurl:.bash_history” (without quotes) will list down all the links to theserver which gives access to “.bash_history” file through web. This is a commandhistory file. This file includes the list of command executed by the administrator,and sometimes includes sensitive information such as password typed in by theadministrator. If this file is compromised and if contains the encrypted unix (or*nix) password then it can be easily cracked using “John The Ripper”.
d. Using “inurl:config.txt” (without quotes) will list down all the links to theservers which gives access to “config.txt” file through web. This file contains sensitive information, including the hash value of the administrative passwordand database authentication credentials.
For Example: Ingenium Learning Management System is a Web-based applicationfor Windows based systems developed by Click2learn, Inc. Ingenium LearningManagement System versions 5.1 and 6.1 stores sensitive information insecurelyin the config.txt file. For more information refer the followinglinks:
http://www.securiteam.com/securitynews/6M00H2K5PG.html
Other similar search using “inurl:” or “allinurl:” combined with other syntax
inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:”wwwroot/*.”
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php
inurl:gov filetype:xls “restricted”
index of ftp +.mdb allinurl:/cgi-bin/ +mailto
Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
a. Using [allintitle: "index of /root”+ (without brackets) will list down the links tothe web server which gives access to restricted directories like “root” through web. This directory sometimes contains sensitive information which can be easilyretrieved through simple web requests.
b. Using *allintitle: "index of /admin”+ (without brackets) will list down the links to the websites which has got index browsing enabled for restricted directories like “admin” through web. Most of the web application sometimes uses names like“admin” to store admin credentials in it. This directory sometimes containssensitive information which can be easily retrieved through simple web requests.
Other similar search using “intitle:” or “allintitle:” combined with other syntax
intitle:”Index of” .sh_history
intitle:”Index of” .bash_history
intitle:”index of” passwd
intitle:”index of” people.lst
intitle:”index of” pwd.db
intitle:”index of” etc/shadow
intitle:”index of” spwd
intitle:”index of” master.passwd
intitle:”index of” htpasswd
intitle:”index of” members OR accounts
intitle:”index of” user_carts OR user_cart
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
Other interesting Search Queries
• To search for sites vulnerable to Cross-Sites Scripting (XSS) attacks:
allinurl:/scripts/cart32.exe
allinurl:/CuteNews/show_archives.php
allinurl:/phpinfo.php
To search for sites vulnerable to SQL Injection attacks:
allinurl:/privmsg.php
allinurl:/privmsg.php
No comments:
Post a Comment