
Finding various vulnerabilities using google dorking | part – 9.1

Google Hacking Basics

A fairly large portion of this blog is dedicated to the techniques the “bad guys” will use to locate sensitive information. We present this information to help you become better informed about their motives so that you can protect yourself and perhaps your customers. We’ve already looked at some of the benign basic searching techniques that are foundational for any Google user who wants to break the barrier of the basics and charge through to the next level: the ways of the Google hacker. Now we’ll start looking at more nefarious uses of Google that hackers are likely to employ.

Anonymity with Caches

Google’s cache feature is truly an amazing thing. The simple fact is that if Google crawls a page or document, you can almost always count on getting a copy of it, even if the original source has since dried up and blown away. Of course, the downside of this is that hackers can get a copy of your sensitive data even if you’ve pulled the plug on that pesky Web server. Another downside of the cache is that the bad guys can crawl your entire Web site (including the areas you “forgot” about) without sending a single packet to your server. If your Web server doesn’t get so much as a packet, it can’t write anything to the log files. (You are logging your Web connections, aren’t you?) If there’s nothing in the log files, you might not have any idea that your sensitive data has been carried away. It’s sad that we even have to think in these terms, but untold megabytes, gigabytes, and even terabytes of sensitive data leak from Web servers every day. Understanding how hackers can mount an anonymous attack on your sensitive data via Google’s cache is of utmost importance.

Directory Listings

A directory listing is a type of Web page that lists files and directories that exist on a Web server. Designed to be navigated by clicking directory links, directory listings typically have a title that describes the current directory, a list of files and directories that can be clicked, and often a footer that marks the bottom of the directory listing.

Unfortunately, directory listings have many faults, specifically:

They are not secure in and of themselves. They do not prevent users from downloading certain files or accessing certain directories. This task is often left to the protection measures built into the Web server software or to third-party scripts, modules, or programs designed specifically for that purpose.

They can display information that helps an attacker learn specific technical details about the Web server.

They do not discriminate between files that are meant to be public and those that are meant to remain behind the scenes.

They are often displayed accidentally, since many Web servers display a directory listing if a top-level index file (index.htm, index.html, default.asp, and so on) is missing or invalid.

All this adds up to a deadly combination. In this section, we’ll take a look at some of the ways Google hackers can take advantage of directory listings.

Locating Directory Listings

You can use these queries to find directory listing vulnerabilities:

index of /
intitle:index.of "parent directory"
index of /ftp
Bill Gates intitle:"index.of" "parent directory" "size" "last modified" "description" Microsoft (pdf|txt|epub|doc|docx) -inurl:(jsp|php|html|aspx|htm|cf|shtml|ebooks|ebook) -site:.info
Nina Simone intitle:"index.of" "parent directory" "size" "last modified" "description" I Put A Spell On You (mp4|mp3|avi|flac|aac|ape|ogg) -inurl:(jsp|php|html|aspx|htm|cf|shtml|lyrics-realm|mp3-collection) -site:.info

Server Versioning

One piece of information an attacker can use to determine the best method for attacking a Web server is the exact software version. An attacker could retrieve that information by connecting directly to the Web port of that server, issuing a request, and reading the Hypertext Transfer Protocol (HTTP) headers in the response. It is possible, however, to retrieve similar information from Google without ever connecting to the target server. One method involves using the information provided in a directory listing.

The Google query used to locate servers this way is simply an extension of the intitle:index.of query. The listing shown in Figure 3.11 was located with a query of intitle:index.of "server at". This query will locate all directory listings on the Web with index of in the title and server at anywhere in the text of the page. This might not seem like a very specific search, but the results are very clean and do not require further refinement.
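The following is an added example (my code, not from the original post or the book it draws on) showing the check a site owner would run against their own pages: it recognises a directory listing by the faults described above, collects the exposed entries, and pulls the component versions out of the "Server at ... Port" footer that the intitle:index.of "server at" dork keys on, which is the same footer the esoteric server-tag queries further down match against. The HTML is a constructed sample, and recommendations() assumes an Apache host.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an Apache-style auto-generated listing (not a real site).
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head><body>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th>Last modified</th><th>Size</th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td>-</td></tr>
<tr><td><a href="db-2004.sql">db-2004.sql</a></td><td>2004-05-01 10:12</td><td>1.2M</td></tr>
<tr><td><a href="old/">old/</a></td><td>2004-04-30 09:00</td><td>-</td></tr>
</table>
<address>Apache/1.3.27 (Unix) mod_ssl/2.8.11 OpenSSL/0.9.6g Server at files.example.com Port 80</address>
</body></html>"""
# Footer shape the "server at" dork keys on: "<software tags> Server at <host> Port <n>"
SERVER_TAG = re.compile(r"^(?P<tag>.+?)\s+Server at\s+(?P<host>\S+)\s+Port\s+(?P<port>\d+)", re.I)

class _Extractor(HTMLParser):
    """Collect the <title>, every link target and the <address> footer text."""
    def __init__(self):
        super().__init__()
        self.title, self.address, self.hrefs, self._in = "", "", [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("title", "address", "a"):
            self._in = tag
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href", ""))
    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None
    def handle_data(self, data):
        if self._in in ("title", "address"):   # append text to self.title / self.address
            setattr(self, self._in, getattr(self, self._in) + data)

def audit_listing(html):
    """Report whether a page is a directory listing and what its footer discloses."""
    p = _Extractor()
    p.feed(html)
    is_listing = p.title.strip().lower().startswith("index of") or "parent directory" in html.lower()
    m = SERVER_TAG.search(p.address.strip())
    tag = m.group("tag") if m else None
    # "name/version" tokens (Apache/1.3.27, mod_ssl/2.8.11, ...) are the version leak
    versions = [t for t in tag.split() if "/" in t] if tag else []
    entries = [h for h in p.hrefs if h != "/" and not h.startswith("?")]   # skip parent/sort links
    return {"directory_listing": is_listing, "entries": entries, "server_tag": tag,
            "disclosed_versions": versions, "host": m.group("host") if m else None}

def recommendations(f):
    # Apache fixes (assumed Apache host): -Indexes stops auto listings, ServerSignature Off
    # drops the "Server at ... Port" footer, ServerTokens Prod trims the Server header.
    return [d for k, d in (("directory_listing", "Options -Indexes"), ("server_tag",
            "ServerSignature Off"), ("disclosed_versions", "ServerTokens Prod")) if f[k]]
```

Run audit_listing() over each response of a crawl of your own site; any result with directory_listing set or a non-empty disclosed_versions list is a page Google can index with exactly the queries above.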

Directory Listing of Web Servers

"AnWeb/1.42h" intitle:index.of
"Apache Tomcat/" intitle:index.of
"Apache-AdvancedExtranetServer/" intitle:index.of
"Apache/df-exts" intitle:index.of
"Apache/" intitle:index.of
"Apache/AmEuro" intitle:index.of
"Apache/Blast" intitle:index.of
"Apache/WWW" intitle:index.of
"CERN httpd 3.0B (VAX VMS)" intitle:index.of
"CompySings/2.0.40" intitle:index.of
"Davepache/2.02.003 (Unix)" intitle:index.of
"DinaHTTPd Server/1.15" intitle:index.of
"HP Apache-based Web Server/1.3.26" intitle:index.of
"HP Apache-based Web Server/1.3.27 (Unix) mod_ssl/2.8.11 OpenSSL/0.9.6g" intitle:index.of
"HP-UX_Apache-based_Web_Server/2.0.43" intitle:index.of
"httpd+ssl/kttd" * server at intitle:index.of
"IBM_HTTP_Server" intitle:index.of
"IBM_HTTP_Server/2.0.42" intitle:index.of
"JRun Web Server" intitle:index.of
"LiteSpeed Web" intitle:index.of
"MCWeb" intitle:index.of
"MaXX/3.1" intitle:index.of
"Microsoft-IIS/* server at" intitle:index.of
"Microsoft-IIS/4.0" intitle:index.of
"Microsoft-IIS/5.0 server at" intitle:index.of
"Microsoft-IIS/6.0" intitle:index.of
"OmniHTTPd/2.10" intitle:index.of
"OpenSA/1.0.4" intitle:index.of
"OpenSSL/0.9.7d" intitle:index.of
"Oracle HTTP Server/1.3.22" intitle:index.of
"Oracle-HTTP-Server/1.3.28" intitle:index.of
"Oracle-HTTP-Server" intitle:index.of
"Oracle HTTP Server Powered by Apache" intitle:index.of
"Patchy/1.3.31" intitle:index.of
"Red Hat Secure/2.0" intitle:index.of
"Red Hat Secure/3.0 server at" intitle:index.of
"Savant/3.1" intitle:index.of
"SEDWebserver *" "server at" intitle:index.of
"SEDWebserver/1.3.26" intitle:index.of
"TcNet httpsrv 1.0.10" intitle:index.of
"WebServer/1.3.26" intitle:index.of
"WebTopia/2.1.1a" intitle:index.of
"Yaws 1.65" intitle:index.of
"Zeus/4.3" intitle:index.of
"Apache/1.0" intitle:index.of
"Apache/1.1" intitle:index.of
"Apache/1.2" intitle:index.of
"Apache/1.2.0 server at" intitle:index.of
"Apache/1.2.4 server at" intitle:index.of
"Apache/1.2.6 server at" intitle:index.of
"Apache/1.3.0 server at" intitle:index.of
"Apache/1.3.2 server at" intitle:index.of
"Apache/1.3.1 server at" intitle:index.of
"Apache/1.3.1.1 server at" intitle:index.of
"Apache/1.3.3 server at" intitle:index.of
"Apache/1.3.4 server at" intitle:index.of
"Apache/1.3.6 server at" intitle:index.of
"Apache/1.3.9 server at" intitle:index.of
"Apache/1.3.11 server at" intitle:index.of
"Apache/1.3.12 server at" intitle:index.of
"Apache/1.3.14 server at" intitle:index.of
"Apache/1.3.17 server at" intitle:index.of
"Apache/1.3.19 server at" intitle:index.of
"Apache/1.3.20 server at" intitle:index.of
"Apache/1.3.22 server at" intitle:index.of
"Apache/1.3.23 server at" intitle:index.of
"Apache/1.3.24 server at" intitle:index.of
"Apache/1.3.26 server at" intitle:index.of
"Apache/1.3.27 server at" intitle:index.of
"Apache/1.3.27-fil" intitle:index.of
"Apache/1.3.28 server at" intitle:index.of
"Apache/1.3.29 server at" intitle:index.of
"Apache/1.3.31 server at" intitle:index.of
"Apache/1.3.33 server at" intitle:index.of
"Apache/1.3.34 server at" intitle:index.of
"Apache/1.3.35 server at" intitle:index.of
"Apache/2.0 server at" intitle:index.of
"Apache/2.0.32 server at" intitle:index.of
"Apache/2.0.35 server at" intitle:index.of
"Apache/2.0.36 server at" intitle:index.of
"Apache/2.0.39 server at" intitle:index.of
"Apache/2.0.40 server at" intitle:index.of
"Apache/2.0.42 server at" intitle:index.of
"Apache/2.0.43 server at" intitle:index.of
"Apache/2.0.44 server at" intitle:index.of
"Apache/2.0.45 server at" intitle:index.of
"Apache/2.0.46 server at" intitle:index.of
"Apache/2.0.47 server at" intitle:index.of
"Apache/2.0.48 server at" intitle:index.of
"Apache/2.0.49 server at" intitle:index.of
"Apache/2.0.49a server at" intitle:index.of
"Apache/2.0.50 server at" intitle:index.of
"Apache/2.0.51 server at" intitle:index.of
"Apache/2.0.52 server at" intitle:index.of
"Apache/2.0.55 server at" intitle:index.of
"Apache/2.0.59 server at" intitle:index.of

In addition to identifying the Web server version, it is also possible to determine the operating system of the server as well as the modules and other software that are installed. We’ll look at more specific techniques to accomplish this later, but the server versioning technique we’ve just looked at can be extended by including more details in our query. The queries that follow located extremely esoteric server software combinations, revealed by server tags. These tags list a great deal of information about the servers they were found on and are shining examples proving that even a seemingly small information leak can sometimes explode out of control, revealing more information than expected.

Queries That Locate Specific and Esoteric Server Versions

"Apache/1.3.12 (Unix) mod_fastcgi/2.2.12 mod_dyntag/1.0 mod_advert/1.12 mod_czech/3.1.1b2" intitle:index.of
"Apache/1.3.12 (Unix) mod_fastcgi/2.2.4 secured_by_Raven/1.5.0" intitle:index.of
"Apache/1.3.12 (Unix) mod_ssl/2.6.6 OpenSSL/0.9.5a" intitle:index.of
"Apache/1.3.12 Cobalt (Unix) Resin/2.0.5 StoreSense-Bridge/1.3 ApacheJServ/1.1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_auth_pam/1.0a FrontPage/4.0.4.3 mod_perl/1.24" intitle:index.of
"Apache/1.3.14 - PHP4.02 - Iprotect 1.6 CWIE (Unix) mod_fastcgi/2.2.12 PHP/4.0.3pl1" intitle:index.of
"Apache/1.3.14 Ben-SSL/1.41 (Unix) mod_throttle/2.11 mod_perl/1.24_01 PHP/4.0.3pl1 FrontPage/4.0.4.3 rus/PL30.0" intitle:index.of
"Apache/1.3.20 (Win32)" intitle:index.of

"Apache/1.3.20 Sun Cobalt (Unix) PHP/4.0.3pl1 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25" intitle:index.of
"Apache/1.3.20 Sun Cobalt (Unix) PHP/4.0.4 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_ssl/2.8.4 OpenSSL/0.9.6b mod_perl/1.25" intitle:index.of
"Apache/1.3.20 Sun Cobalt (Unix) PHP/4.0.6 mod_ssl/2.8.4 OpenSSL/0.9.6 FrontPage/5.0.2.2510 mod_perl/1.26" intitle:index.of
"Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.3pl1 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25" intitle:index.of
"Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.3pl1 mod_fastcgi/2.2.8 mod_auth_pam_external/0.1 mod_perl/1.25" intitle:index.of
"Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.4 mod_auth_pam_external/0.1 mod_perl/1.25" intitle:index.of
"Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25" intitle:index.of
"Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b mod_auth_pam_external/0.1 mod_perl/1.25" intitle:index.of
"Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2 mod_dtcl" intitle:index.of
"Apache/1.3.26 (Unix) PHP/4.2.2" intitle:index.of
"Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6b" intitle:index.of
"Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.7" intitle:index.of
"Apache/1.3.26+PH" intitle:index.of
"Apache/1.3.27 (Darwin)" intitle:index.of
"Apache/1.3.27 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.0 PHP/4.3.1 FrontPage/5.0.2.2510 mod_ssl/2.8.12 OpenSSL/0.9.6b" intitle:index.of
"Apache/1.3.27 (Unix) mod_ssl/2.8.11 OpenSSL/0.9.6g FrontPage/5.0.2.2510 mod_gzip/1.3.26 PHP/4.1.2 mod_throttle/3.1.2" intitle:index.of

Document Grinding and Database Digging

There’s no shortage of documents on the Internet. Good guys and bad guys alike can use information found in documents to achieve their distinct purposes. In this section we take a look at ways you can use Google not only to locate these documents but to search within them to locate information. There are so many different types of documents that we can’t cover them all, but we’ll look at the documents in distinct categories based on their function. Specifically, we’ll take a look at configuration files, log files, and office documents. Once we’ve looked at distinct file types, we’ll delve into the realm of database digging. We won’t examine the details of the Structured Query Language (SQL) or database architecture and interaction; rather, we’ll look at the many ways Google hackers can locate and abuse database systems armed with nothing more than a search engine.

Configuration File Search Examples

Log Files

Log files record information. Depending on the application, the information recorded in a log file can include anything from timestamps and IP addresses to usernames and passwords—even incredibly sensitive data such as credit card numbers!
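Because a log file can carry exactly the usernames, passwords and card numbers described above, the added example below (my code, not from the original post) scans constructed Apache combined-format access-log lines for credential parameters in query strings and for Luhn-valid card numbers, and shows a redact() pass that masks them before the log is archived, shared, or left where a crawler could pick it up. The sample lines, parameter names and paths are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in Apache combined format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=Hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "GET /checkout?card=4111111111111111&exp=1226 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /orders?id=4111111111111112 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /static/app.js HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret"}
CARD_CANDIDATE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")   # PAN-length digit runs
REQUEST = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')   # the quoted request line

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_line(line):
    """Return (kind, detail) findings for one log line; card details are already masked."""
    findings = []
    m = REQUEST.search(line)
    if not m:
        return findings
    path = m.group("path")
    for name, _ in parse_qsl(urlsplit(path).query):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("credential_in_query", name))
    for cand in CARD_CANDIDATE.findall(path):
        if luhn_ok(cand):
            findings.append(("card_number", cand[:6] + "*" * (len(cand) - 10) + cand[-4:]))
    return findings

def scan_log(text):
    """Map 1-based line number -> findings, for the lines that have any."""
    return {n: f for n, line in enumerate(text.splitlines(), 1) if (f := scan_line(line))}

def redact(line):
    """Mask card numbers and credential values so the stored log no longer carries them."""
    line = CARD_CANDIDATE.sub(lambda m: "*" * len(m.group()) if luhn_ok(m.group()) else m.group(), line)
    return re.sub(r"(?i)\b(" + "|".join(SENSITIVE_PARAMS) + r")=[^&\s\"]*", r"\g<1>=[REDACTED]", line)
```

The scan is a detection of a design problem as much as a log problem: any hit means credentials or card data travelled in a URL, so the fix belongs in the application (POST bodies, tokenised card handling), with redaction as the backstop for logs already written.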

Log File Search Examples

Office Documents

The term office document generally refers to documents created by word processing software, spreadsheet software, and lightweight database programs. Common word processing software includes Microsoft Word, Corel WordPerfect, MacWrite, and Adobe Acrobat. Common spreadsheet programs include Microsoft Excel, Lotus 1-2-3, and Linux’s Gnumeric. Other documents that are generally lumped together under the office document category include Microsoft PowerPoint, Microsoft Works, and Microsoft Access documents. Table 4.3 lists some of the more common office document file types, organized roughly by their Internet popularity (based on number of Google hits).

Office files search examples

Database Digging

Login Portals

A login portal is the “front door” of a Web-based application. Proudly displaying a username and password dialog, login portals generally bear the scrutiny of most Web attackers simply because they are the one part of an application that is most carefully secured. There are obvious exceptions to this rule, but as an analogy, if you’re going to secure your home, aren’t you going to first make sure your front door is secure?

Queries That Locate Database Interfaces

Queries for finding Support Files

Another way an attacker can locate or gather information about a database is by querying for support files that are installed with, accompany, or are created by the database software. These can include configuration files, debugging scripts, and even sample database files. Searches exist that locate specific support files included with or created by popular database clients and servers.

Support Files

Error messages

As we’ve discussed throughout this book, error messages can be used for all sorts of profiling and information-gathering purposes. Error messages also play a key role in the detection and profiling of database systems. As is the case with most error messages, database error messages can also be used to profile the operating system and Web server version. Conversely, operating system and Web server error messages can be used to profile and detect database servers. There are also queries that leverage database error messages directly.

Queries That Locate Database Error Messages

Locate SQL Database Dumps
