Network Security Library
Javascript Feeds    RSS Feed    Security Dashboard    SearchSecurity.com
About | Contact | Advertise | Site Map
Print Printer Friendly      PDF PDF Version
intrusion detection E-mail      Save Save This

Demystifying Google Hacks


{LANG_NAVORIGIN} Exploits
Debasis Mohanty 03/11/2005



Using “Index of ” syntax to find sites enabled with Index browsing


A webserver with Index browsing enabled means anyone can browse the webserver directories like ordinary local directories. Here I shall discuss how one can use “index of” syntax to get a list links to webserver which has got directory browsing enabled. This becomes an easy source for information gathering for a hacker. Imagine if the get hold of password files or others sensitive files which are not normally visible to the internet. Below given are few examples using which one can get access to many sensitive information much easily.

Index of /admin
Index of /passwd
Index of /password
Index of /mail

"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess

"Index of /secret"
"Index of /confidential"
"Index of /root"
"Index of /cgi-bin"
"Index of /credit-card"
"Index of /logs"
"Index of /config"

Looking for vulnerable sites or servers using “inurl:” or “allinurl:”

  1. Using “allinurl:winnt/system32/” (without quotes) will list down all the links to the server which gives access to restricted directories like “system32” through web. If you are lucky enough then you might get access to the cmd.exe in the “system32” directory. Once you have the access to “cmd.exe” and is able to execute it then Bingo!! You owns the server. ?
  2. Using “allinurl:wwwboard/passwd.txt”(without quotes) in the Google search will list down all the links to the server which are vulnerable to “WWWBoard Password vulnerability”. To know more about this vulnerability you can have a look at the following link: http://www.securiteam.com/exploits/2BUQ4S0SAW.html
  3. Using “inurl:.bash_history” (without quotes) will list down all the links to the server which gives access to “.bash_history” file through web. This is a command history file. This file includes the list of command executed by the administrator, and sometimes includes sensitive information such as password typed in by the administrator. If this file is compromised and if contains the encrypted unix (or *nix) password then it can be easily cracked using “John The Ripper”.
  4. Using “inurl:config.txt” (without quotes) will list down all the links to the servers which gives access to “config.txt” file through web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials. For Example: Ingenium Learning Management System is a Web-based application for Windows based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 stores sensitive information insecurely in the config.txt file. For more information refer the following links: http://www.securiteam.com/securitynews/6M00H2K5PG.html
Other similar search using “inurl:” or “allinurl:” combined with other syntaxs
inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:"wwwroot/*."
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php

inurl:gov filetype:xls "restricted"
index of ftp +.mdb allinurl:/cgi-bin/ +mailto

Looking for vulnerable sites or servers using “intitle:” or “allintitle:”

  1. Using [allintitle: "index of /root”] (without brackets) will list down the links to the web server which gives access to restricted directories like “root” through web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
  2. Using [allintitle: "index of /admin”] (without brackets) will list down the links to the websites which has got index browsing enabled for restricted directories like “admin” through web. Most of the web application sometimes uses names like “admin” to store admin credentials in it. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
Other similar search using “intitle:” or “allintitle:” combined with other syntaxs
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart

allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov


Other interesting Search Queries


Conclusion



This is a weird world of internet nothing is secure as anything you make more sophisticated will leads to further weakness or complexities.

In my next article I shall discuss about more advance methods and techniques of Google hacks and how the servers can be secured from it.


About Me



Well, I hail from the world of rules breakers. I love to play with High-End Security Systems and never hesitate to exploit any vulnerability associated with it.

I hack remote servers for the corporates on request and agreement to test their network vulnerabilities. Most of the attacks are done using tools developed by me. Most of these tools are developed using C and C++. Well I believe that as a hacker one must code his/her own tool instead of using some third-party tools. So I have coded few vulnerability scanners for remote host penetration testing. Not so robust, but I like them.

To know more about me you can visit my site: www.hackingspirits.com

Various methods and techniques for penetration testing has been made available on my site: http://www.hackingspirits.com/eth-hac/eth_hac.html

Various tools developed by me are of following categories: Debasis Mohanty
http://www.hackingspirits.com
http://groups.yahoo.com/group/Ring-of-Fire/

Comments are invited at debasis_mty@yahoo.com

"I work in the dark, I do what I can, I give what I have. My doubt is my passion, and my passion is my task. The rest is the madness of art."













E-Mail Link

Your IP address will be sent with this e-mail
From e-mail to e-mail



Stats
78298 Views
4.39/5 Rating
54 Votes
Papers
Newest
Highest Rated
Most Viewed
Reference

Services
Javascript Feeds
RSS (New Papers)
Security Dashboard

Our Stuff
About SecurityDocs
Advertise
Contact

Valid HTML 4.01!
Valid CSS!


Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget

Privacy : Contact