Instructions for using jSQL Injection, a multifunctional tool for finding and exploiting SQL injections in Kali Linux. About dorks or all lovers of private dorks Organizations inurl reviews php

Run the downloaded file by double clicking (you need to have a virtual machine).

3. Anonymity when checking a site for SQL injection

Setting up Tor and Privoxy in Kali Linux

[Section under development]

Setting up Tor and Privoxy on Windows

[Section under development]

Proxy settings in jSQL Injection

[Section under development]

4. Checking the site for SQL injection with jSQL Injection

Working with the program is extremely simple. Just enter the website address and press ENTER.

The following screenshot shows that the site is vulnerable to three types of SQL injections (information about them is indicated in the lower right corner). By clicking on the names of injections you can switch the method used:

Also, the existing databases have already been displayed to us.

You can view the contents of each table:

Typically, the most interesting thing about tables is the administrator credentials.

If you are lucky and you find the administrator’s data, then it’s too early to rejoice. You still need to find the admin panel where to enter this data.

5. Search for admin panels with jSQL Injection

To do this, go to the next tab. Here we are greeted with a list of possible addresses. You can select one or more pages to check:

The convenience lies in the fact that you do not need to use other programs.

Unfortunately, there are not very many careless programmers who store passwords in clear text. Quite often in the password line we see something like

8743b52063cd84097a65d1633f5c74f5

This is a hash. You can decrypt it using brute force. And... jSQL Injection has a built-in brute forcer.

6. Brute force hashes using jSQL Injection

The undoubted convenience is that you do not need to look for other programs. There is support for many of the most popular hashes.

This is not the best option. In order to become a guru in decoding hashes, the Book “” in Russian is recommended.

But, of course, when there is no other program at hand or there is no time to study, jSQL Injection with its built-in brute force function will come in very handy.

There are settings: you can set which characters are included in the password, the password length range.

7. File operations after detecting SQL injections

In addition to operations with databases - reading and modifying them, if SQL injections are detected, the following file operations can be performed:

• reading files on the server
• uploading new files to the server
• uploading shells to the server

And all this is implemented in jSQL Injection!

There are restrictions - the SQL server must have file privileges. Smart system administrators have them disabled and will not be able to gain access to the file system.

The presence of file privileges is quite simple to check. Go to one of the tabs (reading files, creating a shell, uploading a new file) and try to perform one of the specified operations.

Another very important note - we need to know the exact absolute path to the file with which we will work - otherwise nothing will work.

Look at the following screenshot:

To any attempt to operate on a file, we receive the following response: No FILE privilege(no file privileges). And nothing can be done here.

If instead you have another error:

Problem writing into [directory_name]

This means that you incorrectly specified the absolute path where you want to write the file.

In order to guess an absolute path, you need to at least know the operating system the server is running on. To do this, switch to the Network tab.

Such a record (line Win64) gives us reason to assume that we are dealing with Windows OS:

Keep-Alive: timeout=5, max=99 Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6 Connection: Keep-Alive Method: HTTP/1.1 200 OK Content-Length: 353 Date: Fri, 11 Dec 2015 11:48:31 GMT X-Powered-By: PHP/7.0.0RC6 Content-Type: text/html; charset=UTF-8

Here we have some Unix (*BSD, Linux):

Transfer-Encoding: chunked Date: Fri, 11 Dec 2015 11:57:02 GMT Method: HTTP/1.1 200 OK Keep-Alive: timeout=3, max=100 Connection: keep-alive Content-Type: text/html X- Powered-By: PHP/5.3.29 Server: Apache/2.2.31 (Unix)

And here we have CentOS:

Method: HTTP/1.1 200 OK Expires: Thu, 19 Nov 1981 08:52:00 GMT Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/ Connection: keep-alive X-Cache-Lookup: MISS from t1.hoster.ru:6666 Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.4.37 X-Cache: MISS from t1.hoster.ru Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Date: Fri, 11 Dec 2015 12:08:54 GMT Transfer-Encoding: chunked Content-Type: text/html; charset=WINDOWS-1251

On Windows, a typical folder for sites is C:\Server\data\htdocs\. But, in fact, if someone “thought of” making a server on Windows, then, very likely, this person has not heard anything about privileges. Therefore, you should start trying directly from the C:/Windows/ directory:

As you can see, everything went fine the first time.

But the jSQL Injection shells themselves raise doubts in my mind. If you have file privileges, then you can easily upload something with a web interface.

8. Bulk checking of sites for SQL injections

And even this function is available in jSQL Injection. Everything is extremely simple - download a list of sites (you can import from a file), select those that you want to check and click the appropriate button to start the operation.

Conclusion from jSQL Injection

jSQL Injection is a good, powerful tool for searching and then using SQL injections found on websites. Its undoubted advantages: ease of use, built-in related functions. jSQL Injection can be a beginner's best friend when analyzing websites.

Among the shortcomings, I would note the impossibility of editing databases (at least I did not find this functionality). As with all GUI tools, one of the disadvantages of this program can be attributed to its inability to be used in scripts. Nevertheless, some automation is also possible in this program - thanks to the built-in function of mass site scanning.

established sample and certificate. For a special discount on any faculties and courses!

Obtaining private data does not always mean hacking - sometimes it is published publicly. Knowledge of Google settings and a little ingenuity will allow you to find a lot of interesting things - from credit card numbers to FBI documents.

WARNING

All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article.

Today, everything is connected to the Internet, with little concern for restricting access. Therefore, many private data become the prey of search engines. Spider robots are no longer limited to web pages, but index all content available on the Internet and constantly add non-public information to their databases. Finding out these secrets is easy - you just need to know how to ask about them.

Looking for files

In capable hands, Google will quickly find everything that is not found on the Internet, for example, personal information and files for official use. They are often hidden like a key under a rug: there are no real access restrictions, the data simply lies on the back of the site, where no links lead. The standard Google web interface provides only basic advanced search settings, but even these will be sufficient.

You can limit your Google search to a specific type of file using two operators: filetype and ext . The first specifies the format that the search engine determined from the file title, the second specifies the file extension, regardless of its internal content. When searching in both cases, you only need to specify the extension. Initially, the ext operator was convenient to use in cases where the file did not have specific format characteristics (for example, to search for ini and cfg configuration files, which could contain anything). Now Google's algorithms have changed, and there is no visible difference between operators - in most cases the results are the same.

Filtering the results

By default, Google searches for words and, in general, any entered characters in all files on indexed pages. You can limit the search area by top-level domain, a specific site, or by the location of the search sequence in the files themselves. For the first two options, use the site operator, followed by the name of the domain or selected site. In the third case, a whole set of operators allows you to search for information in service fields and metadata. For example, allinurl will find the given one in the body of the links themselves, allinanchor - in the text equipped with the tag , allintitle - in page titles, allintext - in the body of pages.

For each operator there is a lightweight version with a shorter name (without the prefix all). The difference is that allinurl will find links with all words, and inurl will only find links with the first of them. The second and subsequent words from the query can appear anywhere on web pages. The inurl operator also differs from another operator with a similar meaning - site. The first also allows you to find any sequence of characters in a link to the searched document (for example, /cgi-bin/), which is widely used to find components with known vulnerabilities.

Let's try it in practice. We take the allintext filter and make the request produce a list of numbers and verification codes of credit cards that will expire only in two years (or when their owners get tired of feeding everyone).

Allintext: card number expiration date /2017 cvv

When you read in the news that a young hacker “hacked into the servers” of the Pentagon or NASA, stealing classified information, in most cases we are talking about just such a basic technique of using Google. Suppose we are interested in a list of NASA employees and their contact information. Surely such a list is available in electronic form. For convenience or due to oversight, it may also be on the organization’s website itself. It is logical that in this case there will be no links to it, since it is intended for internal use. What words can be in such a file? At a minimum - the “address” field. Testing all these assumptions is easy.

Inurl:nasa.gov filetype:xlsx "address"

We use bureaucracy

Finds like this are a nice touch. A truly solid catch is provided by a more detailed knowledge of Google's operators for webmasters, the Network itself, and the peculiarities of the structure of what is being sought. Knowing the details, you can easily filter the results and refine the properties of the necessary files in order to get truly valuable data in the rest. It's funny that bureaucracy comes to the rescue here. It produces standard formulations that are convenient for searching for secret information accidentally leaked onto the Internet.

For example, the Distribution statement stamp, required by the US Department of Defense, means standardized restrictions on the distribution of a document. The letter A denotes public releases in which there is nothing secret; B - intended only for internal use, C - strictly confidential, and so on until F. The letter X stands out separately, which marks particularly valuable information representing a state secret of the highest level. Let those who are supposed to do this on duty search for such documents, and we will limit ourselves to files with the letter C. According to DoDI directive 5230.24, this marking is assigned to documents containing a description of critical technologies that fall under export control. You can find such carefully protected information on sites in the top-level domain.mil, allocated for the US Army.

"DISTRIBUTION STATEMENT C" inurl:navy.mil

It is very convenient that the .mil domain contains only sites from the US Department of Defense and its contract organizations. Search results with a domain restriction are exceptionally clean, and the titles speak for themselves. Searching for Russian secrets in this way is practically useless: chaos reigns in domains.ru and.rf, and the names of many weapons systems sound like botanical ones (PP “Kiparis”, self-propelled guns “Akatsia”) or even fabulous (TOS “Buratino”).

By carefully studying any document from a site in the .mil domain, you can see other markers to refine your search. For example, a reference to the export restrictions “Sec 2751”, which is also convenient for searching for interesting technical information. From time to time it is removed from official sites where it once appeared, so if you cannot follow an interesting link in the search results, use Google’s cache (cache operator) or the Internet Archive site.

Climbing into the clouds

In addition to accidentally declassified government documents, links to personal files from Dropbox and other data storage services that create “private” links to publicly published data occasionally pop up in Google's cache. It’s even worse with alternative and homemade services. For example, the following query finds data for all Verizon customers who have an FTP server installed and actively using their router.

Allinurl:ftp:// verizon.net

There are now more than forty thousand such smart people, and in the spring of 2015 there were many more of them. Instead of Verizon.net, you can substitute the name of any well-known provider, and the more famous it is, the larger the catch can be. Through the built-in FTP server, you can see files on an external storage device connected to the router. Usually this is a NAS for remote work, a personal cloud, or some kind of peer-to-peer file downloading. All contents of such media are indexed by Google and other search engines, so you can access files stored on external drives via a direct link.

Looking at the configs

Before the widespread migration to the cloud, simple FTP servers ruled as remote storage, which also had a lot of vulnerabilities. Many of them are still relevant today. For example, the popular WS_FTP Professional program stores configuration data, user accounts and passwords in the ws_ftp.ini file. It is easy to find and read, since all records are saved in text format, and passwords are encrypted with the Triple DES algorithm after minimal obfuscation. In most versions, simply discarding the first byte is sufficient.

It is easy to decrypt such passwords using the WS_FTP Password Decryptor utility or a free web service.

When talking about hacking an arbitrary website, they usually mean obtaining a password from logs and backups of configuration files of CMS or e-commerce applications. If you know their typical structure, you can easily indicate the keywords. Lines like those found in ws_ftp.ini are extremely common. For example, in Drupal and PrestaShop there is always a user identifier (UID) and a corresponding password (pwd), and all information is stored in files with the .inc extension. You can search for them as follows:

"pwd=" "UID=" ext:inc

Revealing DBMS passwords

In the configuration files of SQL servers, user names and email addresses are stored in clear text, and their MD5 hashes are written instead of passwords. Strictly speaking, it is impossible to decrypt them, but you can find a match among the known hash-password pairs.

There are still DBMSs that do not even use password hashing. The configuration files of any of them can simply be viewed in the browser.

Intext:DB_PASSWORD filetype:env

With the advent of Windows servers, the place of configuration files was partially taken by the registry. You can search through its branches in exactly the same way, using reg as the file type. For example, like this:

Filetype:reg HKEY_CURRENT_USER "Password"=

Let's not forget the obvious

Sometimes it is possible to get to classified information using data that was accidentally opened and came to the attention of Google. The ideal option is to find a list of passwords in some common format. Only desperate people can store account information in a text file, Word document or Excel spreadsheet, but there is always enough of them.

Filetype:xls inurl:password

On the one hand, there are a lot of means to prevent such incidents. It is necessary to specify adequate access rights in htaccess, patch the CMS, not use left-handed scripts and close other holes. There is also a file with a list of robots.txt exceptions that prohibits search engines from indexing the files and directories specified in it. On the other hand, if the structure of robots.txt on some server differs from the standard one, then it immediately becomes clear what they are trying to hide on it.

The list of directories and files on any site is preceded by the standard index of. Since for service purposes it must appear in the title, it makes sense to limit its search to the intitle operator. Interesting things are in the /admin/, /personal/, /etc/ and even /secret/ directories.

Stay tuned for updates

Relevance is extremely important here: old vulnerabilities are closed very slowly, but Google and its search results are constantly changing. There is even a difference between a “last second” filter (&tbs=qdr:s at the end of the request URL) and a “real time” filter (&tbs=qdr:1).

The time interval of the date of the last update of the file is also indicated implicitly by Google. Through the graphical web interface, you can select one of the standard periods (hour, day, week, etc.) or set a date range, but this method is not suitable for automation.

From the look of the address bar, you can only guess about a way to limit the output of results using the &tbs=qdr: construction. The letter y after it sets the limit of one year (&tbs=qdr:y), m shows the results for the last month, w - for the week, d - for the past day, h - for the last hour, n - for the minute, and s - for give me a sec. The most recent results that Google has just made known are found using the filter &tbs=qdr:1 .

If you need to write a clever script, it will be useful to know that the date range is set in Google in Julian format using the daterange operator. For example, this is how you can find a list of PDF documents with the word confidential, downloaded from January 1 to July 1, 2015.

Confidential filetype:pdf daterange:2457024-2457205

The range is indicated in Julian date format without taking into account the fractional part. Translating them manually from the Gregorian calendar is inconvenient. It's easier to use a date converter.

Targeting and filtering again

In addition to specifying additional operators in the search query, they can be sent directly in the body of the link. For example, the filetype:pdf specification corresponds to the construction as_filetype=pdf . This makes it convenient to ask any clarifications. Let's say that the output of results only from the Republic of Honduras is specified by adding the construction cr=countryHN to the search URL, and only from the city of Bobruisk - gcs=Bobruisk. You can find a complete list in the developer section.

Google's automation tools are designed to make life easier, but they often add problems. For example, the user’s city is determined by the user’s IP through WHOIS. Based on this information, Google not only balances the load between servers, but also changes the search results. Depending on the region, for the same request, different results will appear on the first page, and some of them may be completely hidden. The two-letter code after the gl=country directive will help you feel like a cosmopolitan and search for information from any country. For example, the code of the Netherlands is NL, but the Vatican and North Korea do not have their own code in Google.

Often, search results end up cluttered even after using several advanced filters. In this case, it is easy to clarify the request by adding several exception words to it (a minus sign is placed in front of each of them). For example, banking, names and tutorial are often used with the word Personal. Therefore, cleaner search results will be shown not by a textbook example of a query, but by a refined one:

Intitle:"Index of /Personal/" -names -tutorial -banking

One last example

A sophisticated hacker is distinguished by the fact that he provides himself with everything he needs on his own. For example, VPN is a convenient thing, but either expensive, or temporary and with restrictions. Signing up for a subscription for yourself is too expensive. It's good that there are group subscriptions, and with the help of Google it's easy to become part of a group. To do this, just find the Cisco VPN configuration file, which has a rather non-standard PCF extension and a recognizable path: Program Files\Cisco Systems\VPN Client\Profiles. One request and you join, for example, the friendly team of the University of Bonn.

Filetype:pcf vpn OR Group

INFO

Google finds password configuration files, but many of them are encrypted or replaced with hashes. If you see strings of a fixed length, then immediately look for a decryption service.

Passwords are stored encrypted, but Maurice Massard has already written a program to decrypt them and provides it for free through thecampusgeeks.com.

Google runs hundreds of different types of attacks and penetration tests. There are many options, affecting popular programs, major database formats, numerous vulnerabilities of PHP, clouds, and so on. Knowing exactly what you're looking for will make it much easier to find the information you need (especially information you didn't intend to make public). Shodan is not the only one that feeds with interesting ideas, but every database of indexed network resources!

It becomes funny every time when people start talking about private dorks.
Let's start by defining what a dork is and what a private is:

DORK (DORKA)- this is a mask, in other words, a request to a search engine, in response to which the system will produce a list of website pages whose addresses contain this same DORK.

Private- information to which only one person or a small group of people working on one project has access.

Now let's look at the phrase " Private sex ".
If we send a request to find sites for a given domain and it gives us some kind of result, then anyone can do this, and therefore the information provided is not private.

And a little about game/money/shop sellers.
A lot of people like to make dorks of this type:

Steam.php?q= bitcoin.php?id= minecraft.php?id=

Let’s imagine that we don’t understand anything about dorks and try to see how many links Google gives us:

You probably immediately had thoughts like this in your head: “Khrenovich, you don’t know shit, look at how many links there are, people are practically selling money!”
But I’ll tell you no, because now let’s see what links such a request will give us:

I think you get the point, now let's use the Google operator inurl: for an exact search and let's see what comes up:

Yeah, the number has decreased sharply, then the same thing. And if we take into account that there will be duplicate domains + links of the ***.info/vaernamo-nyheter/dennis-steam.php plan, then the bottom line is that we get 5-10 pieces.

How many people do you think will add such links to their website?

You must be registered to see links.

", etc., yes of course only a few.

Which means writing dorks like steam.php?id= there is no point, then the question is, what kind of dorki should we cook?
And everything is quite simple, we need to collect as many links as possible on our door. The largest number of links will come from the most primitive link of the form index.php?id=

Oops, as much as 538 million, a good result, right?
Let's add more inurl:

Well, half of them have disappeared, but now almost all links will have index.php?id=

From the above we can conclude: we need the most frequently used directories, it is from them that our results will be the highest.

I think many people had thoughts like: “Well, what next? We need thematic sites, and not all sorts of sites for puppy lovers!” Well, of course, but to move on to the topics of the sites, we will need to get acquainted with Google operators, let's get started. We will not analyze all operators, but only those that will help us with page parsing.

What are the operators we are interested in:

inurl: Shows sites that contain the specified word in the page address.
Example:
We need sites where the page address contains the word cart. Let's create a request like inurl:cart and it will give us all the links where the address contains the word cart. Those. Using this request, we achieved more strict compliance with our conditions and the elimination of links that do not suit us.

intext: The pages are selected based on the content of the page.
Example:
Let's say we need pages on which the words bitcoin are written. Let's create a request like intext:bitcoin , Now it will give us links where the word bitcoin was used in the text.

intitle: Pages are displayed that have the words specified in the query in their title tag. I think you already understand how to write queries, so I won’t give examples.

allinanchor: the operator shows pages that have words of interest to us in their description.

related: perhaps one of the important operators that provides sites with similar content.
Example:
related:exmo.com - it will give us the exchanges, try checking it yourself.

Well, perhaps all the main operators that we need.

Now let's move on to building roads using these operators.

Before each door we will put an inurl:

Inurl:cart?id= inurl:index?id= inurl:catalog?id=

Let's also use intext: let's say we're looking for toys, which means we need words like dota2, portal, CSGO...

Intext:dota2 intext:portal intext:csgo

If we need a phrase, then allinurl:

Allinurl:GTA SAMP...

Now let’s glue it all together and get this look:

Inurl:cart?id= intext:dota2 inurl:cart?id= intext:portal inurl:cart?id= intext:csgo inurl:cart?id= allinurl:GTA SAMP inurl:index?id= intext:dota2 inurl:index? id= intext:portal inurl:index?id= intext:csgo inurl:index?id= allinurl:GTA SAMP inurl:catalog?id= intext:dota2 inurl:catalog?id= intext:portal inurl:catalog?id= intext: csgo inurl:catalog?id= allinurl:GTA SAMP

As a result, we got game doors with a narrower and more precise search.
So use your brains and experiment a little with search operators and keywords, no need to get perverted and write dorks like hochymnogoigr.php?id=

Thank you everyone, I hope you got at least something useful from this article.

The Google search engine (www.google.com) provides many search options. All these features are an invaluable search tool for a user new to the Internet and at the same time an even more powerful weapon of invasion and destruction in the hands of people with evil intentions, including not only hackers, but also non-computer criminals and even terrorists.
(9475 views in 1 week)

Denis Barankov
denisNOSPAMixi.ru

Attention:This article is not a guide to action. This article was written for you, WEB server administrators, so that you will lose the false feeling that you are safe, and you will finally understand the insidiousness of this method of obtaining information and take up the task of protecting your site.

Introduction

For example, I found 1670 pages in 0.14 seconds!

2. Let's enter another line, for example:

inurl:"auth_user_file.txt"

a little less, but this is already enough for free downloading and password guessing (using the same John The Ripper). Below I will give a number of more examples.

So, you need to realize that the Google search engine has visited most of the Internet sites and cached the information contained on them. This cached information allows you to obtain information about the site and the content of the site without directly connecting to the site, only by delving into the information that is stored inside Google. Moreover, if the information on the site is no longer available, then the information in the cache may still be preserved. All you need for this method is to know some Google keywords. This technique is called Google Hacking.

Information about Google Hacking first appeared on the Bugtruck mailing list 3 years ago. In 2001, this topic was raised by a French student. Here is a link to this letter http://www.cotse.com/mailing-lists/bugtraq/2001/Nov/0129.html. It provides the first examples of such queries:

1) Index of /admin
2) Index of /password
3) Index of /mail
4) Index of / +banques +filetype:xls (for france...)
5) Index of / +passwd
6) Index of / password.txt

This topic made waves in the English-reading part of the Internet quite recently: after the article by Johnny Long, published on May 7, 2004. For a more complete study of Google Hacking, I advise you to go to this author’s website http://johnny.ihackstuff.com. In this article I just want to bring you up to date.

Who can use this:
- Journalists, spies and all those people who like to poke their nose into other people's business can use this to search for incriminating evidence.
- Hackers looking for suitable targets for hacking.

How Google works.

To continue the conversation, let me remind you of some of the keywords used in Google queries.

Search using the + sign

Google excludes words it considers unimportant from searches. For example, question words, prepositions and articles in English: for example are, of, where. In Russian, Google seems to consider all words important. If a word is excluded from the search, Google writes about it. In order for Google to start searching for pages with these words, you need to add a + sign without a space before the word. For example:

ace +of base

Search using the sign –

If Google finds a large number of pages from which it needs to exclude pages with a certain topic, then you can force Google to search only for pages that do not contain certain words. To do this, you need to indicate these words by placing a sign in front of each - without a space before the word. For example:

fishing - vodka

Search using ~

You may want to search not only the specified word, but also its synonyms. To do this, precede the word with the ~ symbol.

Finding an exact phrase using double quotes

Google searches on each page for all occurrences of the words that you wrote in the query string, and it does not care about the relative position of the words, as long as all the specified words are on the page at the same time (this is the default action). To find the exact phrase, you need to put it in quotes. For example:

"bookend"

In order to have at least one of the specified words, you need to specify the logical operation explicitly: OR. For example:

book safety OR protection

In addition, you can use the * sign in the search bar to indicate any word and. to represent any character.

Searching for words using additional operators

There are search operators that are specified in the search string in the format:

operator:search_term

Spaces next to the colon are not needed. If you insert a space after the colon, you will see an error message, and before it, Google will use them as a normal search string.
There are groups of additional search operators: languages ​​- indicate in which language you want to see the result, date - limit the results for the past three, six or 12 months, occurrences - indicate where in the document you need to search for the line: everywhere, in the title, in the URL, domains - search on the specified site or, conversely, exclude it from the search; safe search - blocks sites containing the specified type of information and removes them from the search results pages.
However, some operators do not require an additional parameter, for example the request " cache:www.google.com" can be called as a full-fledged search string, and some keywords, on the contrary, require a search word, for example " site:www.google.com help". In light of our topic, let's look at the following operators:

Operator	Description	Requires an additional parameter?
	search only on the site specified in search_term
	search only in documents with type search_term
	find pages containing search_term in the title
	find pages containing all search_term words in the title
	find pages containing the word search_term in their address
	find pages containing all search_term words in their address

Operator site: limits the search only to the specified site, and you can specify not only the domain name, but also the IP address. For example, enter:

Operator filetype: Limits the search to a specific file type. For example:

As of the publication date of the article, Google can search within 13 different file formats:

• Adobe Portable Document Format (pdf)
• Adobe PostScript (ps)
• Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)
• Lotus WordPro (lwp)
• MacWrite (mw)
• Microsoft Excel (xls)
• Microsoft PowerPoint (ppt)
• Microsoft Word (doc)
• Microsoft Works (wks, wps, wdb)
• Microsoft Write (wri)
• Rich Text Format (rtf)
• Shockwave Flash (swf)
• Text (ans, txt)

Operator link: shows all pages that point to the specified page.
It's probably always interesting to see how many places on the Internet know about you. Let's try:

Operator cache: Shows the version of the site in Google's cache as it looked the last time Google visited that page. Let’s take any frequently changing site and look:

Operator intitle: searches for the specified word in the page title. Operator allintitle: is an extension - it searches for all specified few words in the page title. Compare:

intitle:flight to Mars
intitle:flight intitle:on intitle:mars
allintitle:flight to mars

Operator inurl: forces Google to show all pages containing the specified string in the URL. allinurl operator: searches for all words in a URL. For example:

allinurl:acid acid_stat_alerts.php

This command is especially useful for those who don't have SNORT - at least they can see how it works on a real system.

Hacking Methods Using Google

So, we found out that using a combination of the above operators and keywords, anyone can collect the necessary information and search for vulnerabilities. These techniques are often called Google Hacking.

Site Map

You can use the site: operator to list all the links that Google has found on a site. Typically, pages that are dynamically created by scripts are not indexed using parameters, so some sites use ISAPI filters so that links are not in the form /article.asp?num=10&dst=5, and with slashes /article/abc/num/10/dst/5. This is done so that the site is generally indexed by search engines.

Let's try:

site:www.whitehouse.gov whitehouse

Google thinks that every page on a website contains the word whitehouse. This is what we use to get all the pages.
There is also a simplified version:

site:whitehouse.gov

And the best part is that the comrades from whitehouse.gov didn’t even know that we looked at the structure of their site and even looked at the cached pages that Google downloaded. This can be used to study the structure of sites and view content, remaining undetected for the time being.

View a list of files in directories

WEB servers can display lists of server directories instead of regular HTML pages. This is usually done to ensure that users select and download specific files. However, in many cases, administrators have no intention of showing the contents of a directory. This occurs due to incorrect server configuration or the absence of the main page in the directory. As a result, the hacker has a chance to find something interesting in the directory and use it for his own purposes. To find all such pages, it is enough to note that they all contain the words: index of. But since the words index of contain not only such pages, we need to refine the query and take into account the keywords on the page itself, so queries like:

intitle:index.of parent directory
intitle:index.of name size

Since most directory listings are intentional, you may have a hard time finding misplaced listings the first time. But at least you can already use listings to determine the WEB server version, as described below.

Obtaining the WEB server version.

Knowing the WEB server version is always useful before launching any hacker attack. Again, thanks to Google, you can get this information without connecting to a server. If you look closely at the directory listing, you can see that the name of the WEB server and its version are displayed there.

Apache1.3.29 - ProXad Server at trf296.free.fr Port 80

An experienced administrator can change this information, but, as a rule, it is true. Thus, to obtain this information it is enough to send a request:

intitle:index.of server.at

To get information for a specific server, we clarify the request:

intitle:index.of server.at site:ibm.com

Or vice versa, we are looking for servers running a specific version of the server:

intitle:index.of Apache/2.0.40 Server at

This technique can be used by a hacker to find a victim. If, for example, he has an exploit for a certain version of the WEB server, then he can find it and try the existing exploit.

You can also get the server version by viewing the pages that are installed by default when installing the latest version of the WEB server. For example, to see the Apache 1.2.6 test page, just type

intitle:Test.Page.for.Apache it.worked!

Moreover, some operating systems immediately install and launch the WEB server during installation. However, some users are not even aware of this. Naturally, if you see that someone has not removed the default page, then it is logical to assume that the computer has not undergone any customization at all and is likely vulnerable to attack.

Try searching for IIS 5.0 pages

allintitle:Welcome to Windows 2000 Internet Services

In the case of IIS, you can determine not only the server version, but also the Windows version and Service Pack.

Another way to determine the WEB server version is to search for manuals (help pages) and examples that may be installed on the site by default. Hackers have found quite a few ways to use these components to gain privileged access to a site. That is why you need to remove these components on the production site. Not to mention the fact that the presence of these components can be used to obtain information about the type of server and its version. For example, let's find the apache manual:

inurl:manual apache directives modules

Using Google as a CGI scanner.

CGI scanner or WEB scanner is a utility for searching for vulnerable scripts and programs on the victim’s server. These utilities must know what to look for, for this they have a whole list of vulnerable files, for example:

/cgi-bin/cgiemail/uargg.txt
/random_banner/index.cgi
/random_banner/index.cgi
/cgi-bin/mailview.cgi
/cgi-bin/maillist.cgi
/cgi-bin/userreg.cgi

/iissamples/ISSamples/SQLQHit.asp
/SiteServer/admin/findvserver.asp
/scripts/cphost.dll
/cgi-bin/finger.cgi

We can find each of these files using Google, additionally using the words index of or inurl with the file name in the search bar: we can find sites with vulnerable scripts, for example:

allinurl:/random_banner/index.cgi

Using additional knowledge, a hacker can exploit a script's vulnerability and use this vulnerability to force the script to emit any file stored on the server. For example, a password file.

How to protect yourself from Google hacking.

1. Do not post important data on the WEB server.

Even if you posted the data temporarily, you may forget about it or someone will have time to find and take this data before you erase it. Don't do this. There are many other ways to transfer data that protect it from theft.

2. Check your site.

Use the methods described to research your site. Check your site periodically for new methods that appear on the site http://johnny.ihackstuff.com. Remember that if you want to automate your actions, you need to get special permission from Google. If you read carefully http://www.google.com/terms_of_service.html, then you will see the phrase: You may not send automated queries of any sort to Google's system without express permission in advance from Google.

3. You may not need Google to index your site or part of it.

Google allows you to remove a link to your site or part of it from its database, as well as remove pages from the cache. In addition, you can prohibit the search for images on your site, prohibit short fragments of pages from being shown in search results. All possibilities for deleting a site are described on the page http://www.google.com/remove.html. To do this, you must confirm that you are really the owner of this site or insert tags into the page or

4. Use robots.txt

It is known that search engines look at the robots.txt file located at the root of the site and do not index those parts that are marked with the word Disallow. You can use this to prevent part of the site from being indexed. For example, to prevent the entire site from being indexed, create a robots.txt file containing two lines:

User-agent: *
Disallow: /

What else happens

So that life doesn’t seem like honey to you, I’ll say finally that there are sites that monitor those people who, using the methods outlined above, look for holes in scripts and WEB servers. An example of such a page is

Application.

A little sweet. Try some of the following for yourself:

1. #mysql dump filetype:sql - search for mySQL database dumps
2. Host Vulnerability Summary Report - will show you what vulnerabilities other people have found
3. phpMyAdmin running on inurl:main.php - this will force control to be closed through the phpmyadmin panel
4. not for distribution confidential
5. Request Details Control Tree Server Variables
6. Running in Child mode
7. This report was generated by WebLog
8. intitle:index.of cgiirc.config
9. filetype:conf inurl:firewall -intitle:cvs – maybe someone needs firewall configuration files? :)
10. intitle:index.of finances.xls – hmm....
11. intitle:Index of dbconvert.exe chats – icq chat logs
12.intext:Tobias Oetiker traffic analysis
13. intitle:Usage Statistics for Generated by Webalizer
14. intitle:statistics of advanced web statistics
15. intitle:index.of ws_ftp.ini – ws ftp config
16. inurl:ipsec.secrets holds shared secrets - secret key - good find
17. inurl:main.php Welcome to phpMyAdmin
18. inurl:server-info Apache Server Information
19. site:edu admin grades
20. ORA-00921: unexpected end of SQL command – getting paths
21. intitle:index.of trillian.ini
22. intitle:Index of pwd.db
23.intitle:index.of people.lst
24. intitle:index.of master.passwd
25.inurl:passlist.txt
26. intitle:Index of .mysql_history
27. intitle:index of intext:globals.inc
28. intitle:index.of administrators.pwd
29. intitle:Index.of etc shadow
30.intitle:index.ofsecring.pgp
31. inurl:config.php dbuname dbpass
32. inurl:perform filetype:ini

"Hacking mit Google"

Training center "Informzashita" http://www.itsecurity.ru - a leading specialized center in the field of information security training (License of the Moscow Committee of Education No. 015470, State accreditation No. 004251). The only authorized training center for Internet Security Systems and Clearswift in Russia and the CIS countries. Microsoft authorized training center (Security specialization). The training programs are coordinated with the State Technical Commission of Russia, the FSB (FAPSI). Certificates of training and state documents on advanced training.

SoftKey is a unique service for buyers, developers, dealers and affiliate partners. In addition, this is one of the best online software stores in Russia, Ukraine, Kazakhstan, which offers customers a wide range of products, many payment methods, prompt (often instant) order processing, tracking the order process in the personal section, various discounts from the store and manufacturers BY.

Any search for vulnerabilities on web resources begins with reconnaissance and information collection.
Intelligence can be either active - brute force of files and directories of the site, running vulnerability scanners, manually browsing the site, or passive - searching for information in different search engines. Sometimes it happens that a vulnerability becomes known even before opening the first page of the site.

How is this possible?
Search robots, constantly roaming the Internet, in addition to information useful to the average user, often record things that can be used by attackers to attack a web resource. For example, script errors and files with sensitive information (from configuration files and logs to files with authentication data and database backups).
From the point of view of a search robot, an error message about executing an sql query is plain text, inseparable, for example, from the description of products on the page. If suddenly a search robot came across a file with the .sql extension, which for some reason ended up in the site’s working folder, then it will be perceived as part of the site’s content and will also be indexed (including, possibly, the passwords specified in it).

Such information can be found by knowing strong, often unique, keywords that help separate “vulnerable pages” from pages that do not contain vulnerabilities.
A huge database of special queries using keywords (so-called dorks) exists on exploit-db.com and is known as the Google Hack Database.

Why google?
Dorks are primarily targeted at Google for two reasons:
− the most flexible syntax of keywords (shown in Table 1) and special characters (shown in Table 2);
− the Google index is still more complete than that of other search engines;

Table 1 - Main Google keywords

Keyword	Meaning	Example
site	Search only on the specified site. Only takes into account url	site:somesite.ru - will find all pages on a given domain and subdomains
inurl	Search by words present in the uri. Unlike cl. words “site”, searches for matches after the site name	inurl:news - finds all pages where the given word appears in the uri
intext	Search in the body of the page	intext:”traffic jams” - completely similar to the usual request for “traffic jams”
intitle	Search in the page title. Text between tags