Saturday, February 28, 2009

GOOGLE SEARCHING

Google search engine can be used to hack into remote
servers or gather confidential or sensitive information
which are not visible through common searches.
Google is the world’s most popular and powerful
search engine. It has the ability to accept predefined
commands as inputs which then produces unbelievable
results.Google’s Advanced Search Query Syntax
Discussed below are various Google’s special commands
and I shall be explaining each command in brief and will
show how it can be used for getting confidential data.

[ intitle: ]

The “intitle:” syntax helps Google restrict the search
results to pages containing that word in the title.

intitle: login password


will return links to those pages that has the word
"login" in their title, and the word "password"
in the page.

Similarly, if one has to query for more than one word
in the page title then in that case “allintitle:” can be
used instead of “intitle” to get the list of pages
containing all those words in its title.

intitle: login intitle: password
is same as allintitle: login password

[ inurl: ]

The “inurl:” syntax restricts the search results to
those URLs containing the search keyword. For
example: “inurl: passwd” (without quotes) will
return only links to those pages that have "passwd"
in the URL.

Similarly, if one has to query for more than one
word in an URL then in that case “allinurl:”
can be used instead of “inurl” to get the list of
URLs containing all those search keywords in it.

allinurl: etc/passwd


will look for the URLs containing “etc” and “passwd”.
The slash (“/”) between the words will be ignored by
Google.

[ site: ]

The “site:” syntax restricts Google to query for certain
keywords in a particular site or domain.

exploits site:hackingspirits.com

will look for the keyword “exploits” in those pages
present in all the links of the domain
“hackingspirits.com”. There should not be any
space between “site:” and the “domain name”.

[ filetype: ]

This “filetype:” syntax restricts Google search for
files on internet with particular extensions
(i.e. doc, pdf or ppt etc).

filetype:doc site:gov confidential


will look for files with “.doc” extension in all
government domains with “.gov” extension
and containing the word “confidential” either
in the pages or in the “.doc” file. i.e. the result
will contain the links to all confidential word
document files on the government sites.


[ link: ]

“link:” syntax will list down webpages that
have links to the specified webpage.

link:www.expertsforge.com


will list webpages that have links pointing to the
SecurityFocus homepage. Note there can be no
space between the "link:" and the web page url.


[ related: ]

The “related:” will list web pages that are "similar"
to a specified web page.

related:www.expertsforge.com


will list web pages that are similar to the
Securityfocus homepage. Note there can be no
space between the "related:" and the web page url.


[ cache: ]

The query “cache:” will show the version of the
web page that Google has in its cache.

cache:www.hackingspirits.com

will show Google's cache of the Google homepage.
Note there can be no space between the "cache:"
and the web page url.

If you include other words in the query, Google
will highlight those words within the cached document.

cache:www.hackingspirits.com guest

will show the cached content with the word
"guest" highlighted.

[ intext: ]

The “intext:” syntax searches for words in a particular
website. It ignores links or URLs and page titles.

intext:exploits


will return only links to those web pages that has
the search keyword "exploits" in its web page.


[ phonebook: ]

“phonebook” searches for U.S. street address and
phone number information.

phonebook:Lisa+CA


will list down all names of person having “Lisa” in
their names and located in “California (CA)”. This
can be used as a great tool for hackers in case someone
want to do dig personal information for social engineering.

Google Hacks

Well, the Google’s query syntax discussed above
can really help people to precise their search and
get what they are exactly looking for.

Now Google being so intelligent search engine,
hackers don’t mind exploiting its ability to dig much
confidential and secret information from the net which
they are not supposed to know. Now I shall discuss
those techniques in details how hackers dig information
from the net using Google and how that information
can be used to break into remote servers.

Index Of

Using “Index of ” syntax to find sites enabled with
Index browsing

A web server with Index browsing enabled means
anyone can browse the web server directories like
ordinary local directories. The use of “index of”
syntax to get a list links to web server which has got
directory browsing enabled will be discussed below.
This becomes an easy source for information gathering
for a hacker. Imagine if the get hold of password files
or others sensitive files which are not normally visible
to the internet. Below given are few examples using
which one can get access to many sensitive information
much easily.

Index of /admin
Index of /passwd
Index of /password
Index of /mail

"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess

"Index of /secret"
"Index of /confidential"
"Index of /root"
"Index of /cgi-bin"
"Index of /credit-card"
"Index of /logs"
"Index of /config"


Looking for vulnerable sites or servers using “inurl:”
or “allinurl:”

a. Using “allinurl:winnt/system32/” (without quotes)
will list down all the links to the server which gives
access to restricted directories like “system32” through
web. If you are lucky enough then you might get access
to the cmd.exe in the “system32” directory. Once you
have the access to “cmd.exe” and is able to execute it.


b. Using “allinurl:wwwboard/passwd.txt”(without quotes)
in the Google search will list down all the links to the server
which are vulnerable to “WWWBoard Password vulnerability”.
To know more about this vulnerability you can have a look at
the following link:

http://www.securiteam.com/exploits/2BUQ4S0SAW.html

c. Using “inurl:.bash_history” (without quotes) will list
down all the links to the server which gives access to
“.bash_history” file through web. This is a command
history file. This file includes the list of command executed
by the administrator, and sometimes includes sensitive
information such as password typed in by the administrator.
If this file is compromised and if contains the encrypted
unix (or *nix) password then it can be easily cracked using
“John The Ripper”.

d. Using “inurl:config.txt” (without quotes) will list down
all the links to the servers which gives access to
“config.txt” file through web. This file contains sensitive
information, including the hash value of the administrative
password and database authentication credentials.

For Example: Ingenium Learning Management System
is a Web-based application for Windows based systems
developed by Click2learn, Inc. Ingenium Learning
Management System versions 5.1 and 6.1 stores
sensitive information insecurely in the config.txt file.
For more information refer the following links:
http://www.securiteam.com/securitynews/6M00H2K5PG.html

Other similar search using “inurl:” or “allinurl:”
combined with other syntax


inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:"wwwroot/*."
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php

inurl:gov filetype:xls "restricted"
index of ftp +.mdb allinurl:/cgi-bin/ +mailto


Looking for vulnerable sites or servers using
“intitle:” or “allintitle:”

a. Using [allintitle: "index of /root”] (without brackets)
will list down the links to the web server which gives
access to restricted directories like “root” through web.
This directory sometimes contains sensitive information
which can be easily retrieved through simple web requests.

b. Using [allintitle: "index of /admin”] (without brackets)
will list down the links to the websites which has got index
browsing enabled for restricted directories like “admin”
through web. Most of the web application sometimes uses
names like “admin” to store admin credentials in it.
This directory sometimes contains sensitive information
which can be easily retrieved through simple web requests.

Other similar search using “intitle:” or “allintitle:”
combined with other syntax

intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart

allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov



Other interesting Search Queries

· To search for sites vulnerable to Cross-Sites Scripting (XSS) attacks:

allinurl:/scripts/cart32.exe
allinurl:/CuteNews/show_archives.php
allinurl:/phpinfo.php



· To search for sites vulnerable to SQL Injection attacks:

allinurl:/privmsg.php
allinurl:/privmsg.php