Google Hacks

Well, the Google’s query syntaxes discussed above can really help people to precise their search and get what they are exactly looking for.Now Google being so intelligent search engine, hackers don’t mind exploiting its ability to dig much confidential and secret information from the net which they are not supposed to know. Now I shall discuss those techniques in details how hackers dig information from the net using Google and how that information can be used to break into remote servers.Index OfUsing “Index of ” syntax to find sites enabled with Index browsing.A webserver with Index browsing enabled means anyone can browse the webserver directories like ordinary local directories. The use of “index of” syntax to get a list links to webserver which has got directory browsing enabled will be discussd below. This becomes an easy source for information gathering for a hacker. Imagine if the get hold of password files or others sensitive files which are not normally visible to the internet. Below given are few examples using which one can get access to many sensitive information much easily.Index of /adminIndex of /passwdIndex of /passwordIndex of /mail"Index of /" +passwd"Index of /" +password.txt"Index of /" +.htaccess"Index of /secret""Index of /confidential""Index of /root""Index of /cgi-bin""Index of /credit-card""Index of /logs""Index of /config"Looking for vulnerable sites or servers using “inurl:” or “allinurl:”.a. Using “allinurl:winnt/system32/” (without quotes) will list down all the links to the server which gives access to restricted directories like “system32” through web. If you are lucky enough then you might get access to the cmd.exe in the “system32” directory. Once you have the access to “cmd.exe” and is able to execute it.b. Using “allinurl:wwwboard/passwd.txt”(without quotes) in the Google search will list down all the links to the server which are vulnerable to “WWWBoard Password vulnerability”. To know more about this vulnerability you can have a look at the following link:http://www.securiteam.com/exploits/2BUQ4S0SAW.htmlc. Using “inurl:.bash_history” (without quotes) will list down all the links to the server which gives access to “.bash_history” file through web. This is a command history file. This file includes the list of command executed by the administrator, and sometimes includes sensitive information such as password typed in by the administrator. If this file is compromised and if contains the encrypted unix (or *nix) password then it can be easily cracked using “John The Ripper”.d. Using “inurl:config.txt” (without quotes) will list down all the links to the servers which gives access to “config.txt” file through web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials.For Example: Ingenium Learning Management System is a Web-based application for Windows based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 stores sensitive information insecurely in the config.txt file. For more information refer the followinglinks: http://www.securiteam.com/securitynews/6M00H2K5PG.htmlOther similar search using “inurl:” or “allinurl:” combined with other syntaxinurl:admin filetype:txtinurl:admin filetype:dbinurl:admin filetype:cfginurl:mysql filetype:cfginurl:passwd filetype:txtinurl:iisadmininurl:auth_user_file.txtinurl:orders.txtinurl:"wwwroot/*."inurl:adpassword.txtinurl:webeditor.phpinurl:file_upload.phpinurl:gov filetype:xls "restricted"index of ftp +.mdb allinurl:/cgi-bin/ +mailtoLooking for vulnerable sites or servers using “intitle:” or “allintitle:”a. Using [allintitle: "index of /root”] (without brackets) will list down the links to the web server which gives access to restricted directories like “root” through web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.b. Using [allintitle: "index of /admin”] (without brackets) will list down the links to the websites which has got index browsing enabled for restricted directories like “admin” through web. Most of the web application sometimes uses names like “admin” to store admin credentials in it. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.Other similar search using “intitle:” or “allintitle:” combined with other syntaxintitle:"Index of" .sh_historyintitle:"Index of" .bash_historyintitle:"index of" passwdintitle:"index of" people.lstintitle:"index of" pwd.dbintitle:"index of" etc/shadowintitle:"index of" spwdintitle:"index of" master.passwdintitle:"index of" htpasswdintitle:"index of" members OR accountsintitle:"index of" user_carts OR user_cartallintitle: sensitive filetype:docallintitle: restricted filetype :mailallintitle: restricted filetype:doc site:govOther interesting Search QueriesTo search for sites vulnerable to Cross-Sites Scripting (XSS) attacks:allinurl:/scripts/cart32.exeallinurl:/CuteNews/show_archives.phpallinurl:/phpinfo.phpTo search for sites vulnerable to SQL Injection attacks:allinurl:/privmsg.phpallinurl:/privmsg.php