
Monday, December 26, 2011

Querying for vulnerable sites or servers using Google’s advanced syntaxes


The Google query syntaxes discussed earlier help people narrow a
search and find exactly what they are looking for. Because Google
indexes so much, malicious users also exploit it to dig up
confidential information that was never meant to be reachable from
the internet. This post walks through the techniques a malicious
user employs to gather that information with nothing more than
Google as a tool.
Using the “Index of” syntax to find sites with directory browsing enabled
A web server with directory browsing (index browsing) enabled lets
anyone list the contents of a web directory the way they would
browse a local folder. Here is how the “index of” syntax returns a
list of links to servers that have directory browsing turned on.
For an attacker this is an easy source of reconnaissance: imagine
getting hold of password files or other sensitive files that are
not normally linked from the site. The queries below often turn up
such sensitive material. The quoted forms match the exact phrase;
the unquoted ones match the words anywhere on the page.
Index of /admin
Index of /passwd
Index of /password
Index of /mail
"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess
"Index of /secret"
"Index of /confidential"
"Index of /root"
"Index of /cgi-bin"
"Index of /credit-card"
"Index of /logs"
"Index of /config"
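What such a hit looks like once you open it, and how to check your own site for the same thing, as an added example that is not code from the original post. The HTML is a constructed sample in the shape of an Apache mod_autoindex page (title "Index of /backup"); the list of sensitive filename patterns is an assumption built from the dorks above plus a few obvious siblings. Nothing here contacts Google or a live server.

```python
"""Detect a web server directory listing and pull out the filenames it exposes.

Added example, not from the original post. SAMPLE_LISTING is a CONSTRUCTED
Apache-style autoindex page; SENSITIVE_PATTERNS is an assumption derived
from the "Index of /" dorks in the post.
"""
import re
from html.parser import HTMLParser

SAMPLE_LISTING = """<!DOCTYPE html>
<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="config.txt">config.txt</a>        2011-12-20 10:02  1.2K
<a href="passwd">passwd</a>                2011-12-20 10:02  833
<a href="site.sql.gz">site.sql.gz</a>      2011-12-19 23:41  4.1M
<a href="logs/">logs/</a>                  2011-12-01 08:15  -
<a href="notes.html">notes.html</a>        2011-11-30 17:02  2.0K
<hr></pre></body></html>
"""

# Filenames the post's dorks target, plus a few obvious siblings (assumption).
SENSITIVE_PATTERNS = [
    r"^\.htaccess$", r"^\.htpasswd$", r"^\.bash_history$",
    r"^passw(or)?d(\.txt)?$", r"^config\.txt$", r"^wp-config\.php$",
    r"\.sql(\.gz)?$", r"\.bak$", r"^logs?/?$", r"^credit-?card",
]


class IndexListingParser(HTMLParser):
    """Collect the <title> and every (href, link text) pair on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.entries = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href = attrs.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._href is not None:
            self.entries.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_directory_listing(html):
    """True when the page looks like an autoindex page (title 'Index of /...')."""
    p = IndexListingParser()
    p.feed(html)
    return p.title.strip().startswith("Index of /")


def listed_files(html):
    """Entry names from the listing, dropping the sort links and the parent directory."""
    p = IndexListingParser()
    p.feed(html)
    files = []
    for href, text in p.entries:
        if href.startswith("?") or href.startswith("/") or text == "Parent Directory":
            continue
        files.append(href)
    return files


def sensitive_files(html):
    """Names from the listing that match one of the sensitive-file patterns."""
    return [f for f in listed_files(html)
            if any(re.search(pat, f, re.IGNORECASE) for pat in SENSITIVE_PATTERNS)]


if __name__ == "__main__":
    print(is_directory_listing(SAMPLE_LISTING))
    print(listed_files(SAMPLE_LISTING))
    print(sensitive_files(SAMPLE_LISTING))
```

Run it against pages fetched from your own hosts (or against "site:yourdomain.com intitle:\"index of\"" results) and any non-empty result from sensitive_files is something to pull from the web root and to fix at the server with directory indexing turned off.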

Looking for vulnerable sites or servers using “inurl:” or “allinurl:”

a. Searching allinurl: winnt/system32/ (without quotes) lists pages
whose URL contains the Windows system directory, which means the
server exposes a restricted directory such as “system32” over the
web. If you are lucky, the same path gives access to cmd.exe in
the “system32” directory. An attacker who can reach “cmd.exe” and
execute it can go on to escalate privileges on the server and
compromise it.

b. Searching allinurl: wwwboard/passwd.txt (without quotes) lists
servers vulnerable to the “WWWBoard Password vulnerability”: the
WWWBoard script keeps its administrator username and crypt()-hashed
password in passwd.txt, and when that file is served over the web
the hash can be downloaded and cracked offline. To know more about
this vulnerability you can have a look at the following link:


c. Searching inurl: .bash_history (without quotes) lists servers
that serve a “.bash_history” file over the web. This is the shell’s
command history: a record of the commands the administrator typed,
not of their output. It can contain sensitive information such as
a password passed on a command line (for instance to a database
client), which appears in clear text, or a Unix password hash
passed to a user-management command, which can then be cracked
with “John The Ripper”.

d. Searching inurl: config.txt (without quotes) lists servers that
serve a “config.txt” file over the web. Such a file can contain
sensitive information, including the hash of the administrative
password and database credentials. For example, Ingenium Learning
Management System, a web-based application for Windows developed
by Click2learn, Inc., stores sensitive information insecurely in
the config.txt file in versions 5.1 and 6.1. For more information
refer to the following links:
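How a defender turns dorks (a) to (d) into a check against their own site, and what item (c) actually leaks, as an added example that is not code from the original post. The URL list is a constructed stand-in for a crawl of your own site (or the result of a "site:example.com inurl:..." search), the history lines are a constructed .bash_history, and example.com, the usernames, the passwords and the hash value are all assumptions.

```python
"""Flag URLs the inurl:/allinurl: dorks would surface, and scan a shell history
for credentials typed on the command line.

Added example, not from the original post. CRAWLED_URLS and
SAMPLE_BASH_HISTORY are CONSTRUCTED; the hash in the useradd line is a
format sample, not a real hash.
"""
import re
from urllib.parse import urlparse

# Path patterns behind dorks (a)-(d) in the post, keyed by the dork that finds them.
DORK_PATTERNS = {
    "allinurl: winnt/system32/": re.compile(r"/winnt/system32/", re.I),
    "allinurl: wwwboard/passwd.txt": re.compile(r"/wwwboard/passwd\.txt$", re.I),
    "inurl: .bash_history": re.compile(r"/\.bash_history$", re.I),
    "inurl: config.txt": re.compile(r"/config\.txt$", re.I),
}

CRAWLED_URLS = [  # constructed inventory of one site
    "http://example.com/index.html",
    "http://example.com/wwwboard/passwd.txt",
    "http://example.com/~admin/.bash_history",
    "http://example.com/winnt/system32/cmd.exe",
    "http://example.com/ingenium/config.txt",
    "http://example.com/images/logo.png",
]


def match_dorks(urls):
    """Map each dork to the URLs from our own inventory it would surface."""
    hits = {dork: [] for dork in DORK_PATTERNS}
    for url in urls:
        path = urlparse(url).path  # match on the path only, not host or query
        for dork, pat in DORK_PATTERNS.items():
            if pat.search(path):
                hits[dork].append(url)
    return {dork: found for dork, found in hits.items() if found}


SAMPLE_BASH_HISTORY = """ls -la /var/www
mysql -u root -pS3cretDBpass shopdb
useradd -p '$1$saltsalt$qJH7.N4xYta3aEb/2O2Hs.' deploy
scp backup.tgz admin@backup.example.com:/srv/
curl -u admin:Hunter2! http://intranet.example.com/api/status
vim /etc/httpd/conf/httpd.conf
"""

# Ways a credential ends up in the history (constructed rules, not exhaustive).
CREDENTIAL_RULES = [
    ("plaintext password (mysql -p)", re.compile(r"\bmysql\b.*\s-p(\S+)")),
    ("plaintext user:pass (curl -u)", re.compile(r"\bcurl\b.*\s-u\s+(\S+:\S+)")),
    ("password hash (useradd/usermod -p)",
     re.compile(r"\b(?:useradd|usermod)\b.*\s-p\s+'?(\$\d\$[^\s']+)")),
]


def find_history_secrets(history_text):
    """Return (line number, rule label, captured secret) for each matching history line."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        for label, pat in CREDENTIAL_RULES:
            m = pat.search(line)
            if m:
                findings.append((lineno, label, m.group(1)))
    return findings


if __name__ == "__main__":
    for dork, urls in match_dorks(CRAWLED_URLS).items():
        print(dork, "->", urls)
    for lineno, label, secret in find_history_secrets(SAMPLE_BASH_HISTORY):
        print(f"history line {lineno}: {label}: {secret}")
```

The history scan is the part worth keeping: a hash captured from a useradd line goes straight to John the Ripper, while the mysql and curl entries need no cracking at all, which is why a .bash_history under the web root is worse than it first looks.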

