Google hacking doesn't mean hacking Google. The term is used when a hacker tries to find vulnerable targets or sensitive data by using the Google search engine. In Google hacking, hackers use search engine commands to locate sensitive data and vulnerable devices on the Internet. Google supports a multitude of operators and modifiers that add a ton of power to Google searching.
Although Google hacking techniques are against Google's terms of service and Google blocks well-known Google hacking queries, nothing can stop hackers from crawling websites and launching Google queries.
I am going to explain some operators used in Google hacking.
intitle:
Syntax: intitle:operator
This will return all the pages that have the word entered after intitle: (shown as "operator" in the syntax above) in the title of the page. If you want to check for multiple keywords in the title, use allintitle in place of intitle.
allintitle:operator1 operator2....
inurl:
Syntax: inurl:operator
This will return all the pages that have the word entered after inurl: in the URL of the page. If you want to check for multiple keywords in the URL, use allinurl in place of inurl.
allinurl:operator1 operator2 ....
site:
Syntax: site:Domain
This will return all the pages that have certain keywords in that particular site or domain.
link:
Syntax: link:URL
This will list down webpages that have links to the specified webpage.
intext:
Syntax: intext:operator
This will return all the pages that have the word entered after intext: in the text of the page. If you want to check for multiple keywords in the text, use allintext in place of intext.
allintext:operator1 operator2 ....
related:
Syntax: related:URL
The “related:” operator will list web pages that are "similar" to a specified web page. For example, “related:www.ethicalhack4u.blogspot.com” will list web pages that are similar to the ethicalhacking homepage.
Note: There can be no space between "related:" and the web page URL.
cache:
Syntax: cache:URL [highlight]
The cache operator will search through Google’s cache and return the
results based on those documents. You can alternatively tell cache to
highlight a word or phrase by adding it after the operator and URL.
info:
Syntax: info:URL
This tag will give you the information that Google has on the given URL.
filetype:
Syntax: filetype:keyword
This restricts a Google search to files on the Internet with particular extensions (e.g. doc, pdf or ppt).
The Google query syntaxes discussed above can really help people
make their searches more precise and get exactly what they are
looking for.
Looking for vulnerable sites or servers using “inurl:” or “allinurl:”
Using “allinurl:winnt/system32/” will list
all the links to servers that give access to
restricted directories like “system32” through the web. If you are
lucky enough then you might get access to the cmd.exe in the
“system32” directory. Once you have access to “cmd.exe”
and are able to execute it, you can go on to
escalate your privileges over the server and compromise it.
Using “inurl:.bash_history” will list
all the links to servers that give access to the
“.bash_history” file through the web. This is a command history
file. It includes the list of commands executed by the
administrator, and sometimes includes sensitive information
such as a password typed in by the administrator. If this file
is compromised and it contains the encrypted unix (or *nix)
password, then it can be easily cracked using “John The
Ripper”.
Using “inurl:config.txt” will list all
the links to servers that give access to the “config.txt”
file through the web. This file contains sensitive information,
including the hash value of the administrative password and
database authentication credentials. For example, Ingenium
Learning Management System is a Web-based application for
Windows-based systems developed by Click2learn, Inc. Ingenium
Learning Management System versions 5.1 and 6.1 store
sensitive information insecurely in the config.txt file.
Other Queries
inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:"wwwroot/*."
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php
Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
Using “allintitle: "index of /root"” will
list the links to web servers that give access to
restricted directories like “root” through the web. This directory
sometimes contains sensitive information which can be easily
retrieved through simple web requests.
Using “allintitle: "index of /admin"” will
list the links to websites that have index
browsing enabled for restricted directories like “admin”
through the web. Web applications sometimes use a directory named
“admin” to store admin credentials. This directory
sometimes contains sensitive information which can be easily
retrieved through simple web requests.
Other Queries
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart
allintitle: sensitive filetype:doc
allintitle: restricted filetype:mail
allintitle: restricted filetype:doc site:gov
To search for sites vulnerable to Cross-Site Scripting (XSS) attacks:
allinurl:/scripts/cart32.exe
allinurl:/CuteNews/show_archives.php
allinurl:/phpinfo.php
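For site owners, the file names in the query lists above can be turned into an audit of your own web root, so exposed files are found before a search engine indexes them. The Python sketch below is an added example, not part of the original post; the index-file names and the sample directory tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# File names taken from the inurl: and intitle: query lists on this page.
SENSITIVE_PATTERNS = [
    ".bash_history", ".sh_history", "config.txt", "passwd", "passwd.txt",
    "master.passwd", "htpasswd", ".htpasswd", "pwd.db", "spwd*", "people.lst",
    "auth_user_file.txt", "orders.txt", "adpassword.txt", "phpinfo.php",
]
# Assumption: names the web server serves instead of generating a listing.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.htm"}


def audit_docroot(docroot):
    """Return (sensitive_files, dirs_without_index) as paths relative to docroot."""
    sensitive, no_index = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        lowered = [name.lower() for name in filenames]
        # Without an index file, the directory is served as an "Index of"
        # page whenever directory browsing is enabled on the server.
        if not INDEX_FILES.intersection(lowered):
            no_index.append(rel_dir)
        for name, low in zip(filenames, lowered):
            if any(fnmatch.fnmatchcase(low, pat) for pat in SENSITIVE_PATTERNS):
                sensitive.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(sensitive), sorted(no_index)


def build_sample_docroot(base):
    """Create a constructed sample tree, used only to demonstrate the audit."""
    layout = {
        "index.html": "<h1>home</h1>",
        "admin/config.txt": "db_password=constructed-sample",
        "admin/.bash_history": "ls -la",
        "shop/index.php": "<?php ?>",
        "shop/orders.txt": "constructed order line",
    }
    for rel, body in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_docroot(build_sample_docroot(tmp)))
```

Point audit_docroot at the directory your web server actually publishes; anything it reports should be moved out of the web root or blocked in the server configuration.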