
Inurl view php is bold. Leveraging Google's Little-Known Features to Find Hidden Things

Run the downloaded file by double-clicking it (you need to have a virtual machine installed).

3. Anonymity when checking the site for SQL injection

Configuring Tor and Privoxy on Kali Linux

[Section under construction]

Configuring Tor and Privoxy on Windows

[Section under construction]

Proxy settings in jSQL Injection

[Section under construction]

4. Checking the site for SQL injection with jSQL Injection

Working with the program is extremely simple: enter the site address and press ENTER.

The following screenshot shows that the site is vulnerable to three types of SQL injection at once (they are listed in the lower right corner). Clicking on an injection name switches the method used:

The existing databases are also already displayed.

You can see the contents of each table:

Usually the most interesting thing in the tables is the administrator's credentials.

If you are lucky and have found the administrator's data, it is too early to rejoice: you still need to find the admin panel where these data can be entered.

5. Search for admin areas with jSQL Injection

To do this, go to the next tab. Here we are greeted by a list of possible addresses. You can select one or several pages to check:

The convenience is that you do not need to use other programs.

Unfortunately, careless programmers who store passwords in plain text are not that common. Quite often, in the password field, we see something like

8743b52063cd84097a65d1633f5c74f5

This is a hash. You can crack it by brute force. And... jSQL Injection has a built-in brute-forcer.

6. Brute-forcing hashes using jSQL Injection

The undoubted convenience is that you do not need to look for other programs. It supports many of the most popular hash types.

This is not the best option... To become a guru at cracking hashes, the book "" (in Russian) is recommended.

But, of course, when there is no other program at hand or no time to learn, jSQL Injection with its built-in brute-force function will come in handy.

There are settings: you can specify which characters the password contains and the password length range.

7. Operations with files after detecting SQL injection

In addition to operations on databases (reading and modifying them), once an SQL injection has been found, the following file operations can be performed:

  • reading files on the server
  • uploading new files to the server
  • uploading shells to the server

And all this is implemented in jSQL Injection!

There are restrictions: the SQL server must have file privileges. Sensible system administrators disable them, and then you will not be able to get access to the file system.

Whether file privileges exist is easy enough to check. Go to one of the tabs (reading files, creating a shell, uploading a new file) and try to perform one of those operations.

Another very important note: you need to know the exact absolute path of the file you are going to work with; otherwise nothing will work.

Take a look at the following screenshot:

Any attempt to operate on a file is answered with: No FILE privilege (no file privileges). Nothing can be done about it.

If instead you get a different error:

Problem writing into [directory_name]

this means that you have specified the absolute path where you want to write the file incorrectly.

To guess an absolute path, you need to know at least the operating system the server is running. To do this, switch to the Network tab.

An entry like this (the Win64 string) gives us reason to assume that we are dealing with Windows:

Keep-Alive: timeout=5, max=99
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
Method: HTTP/1.1 200 OK
Content-Length: 353
Date: Fri, 11 Dec 2015 11:48:31 GMT
X-Powered-By: PHP/7.0.0RC6
Content-Type: text/html; charset=UTF-8

Here we have some kind of Unix (*BSD, Linux):

Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 11:57:02 GMT
Method: HTTP/1.1 200 OK
Keep-Alive: timeout=3, max=100
Connection: keep-alive
Content-Type: text/html
X-Powered-By: PHP/5.3.29
Server: Apache/2.2.31 (Unix)

And here we have CentOS:

Method: HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/
Connection: keep-alive
X-Cache-Lookup: MISS from t1.hoster.ru:6666
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.37
X-Cache: MISS from t1.hoster.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Date: Fri, 11 Dec 2015 12:08:54 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=WINDOWS-1251
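The three captures above show how much a server announces about itself in its response headers. As an added example (it is not part of the original article and not code from jSQL Injection), the following Python script does the defender's side of that exercise: it parses raw response headers and flags every field that discloses a product version or the operating system, so an administrator can confirm that the version strings have been removed. The sample headers are constructed here, modelled on the article's Windows capture and on a hardened server; the header names in DISCLOSING_HEADERS are the usual culprits, not a list taken from the article.

```python
# Added example: flag version/platform disclosure in HTTP response headers.
# Not from the original article; sample header blocks are constructed.
import re

# Header fields whose values routinely carry product, version and OS details.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# "Product/1.2.3"-style tokens, and OS hints in parentheses such as "(Win64)".
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d+[\w.]*")
OS_HINT_RE = re.compile(r"\((Win\d*|Unix|CentOS|Debian|Ubuntu|Red Hat|FreeBSD)[^)]*\)", re.I)


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.
    Lines without a colon are ignored."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Return (header, detail) findings for each version or platform disclosure."""
    findings = []
    headers = parse_headers(raw)
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        versions = VERSION_RE.findall(value)
        os_hint = OS_HINT_RE.search(value)
        if versions:
            findings.append((name, "version: " + ", ".join(versions)))
        if os_hint:
            findings.append((name, "platform: " + os_hint.group(1)))
    return findings


# Constructed sample modelled on the article's Windows capture.
WINDOWS_SAMPLE = """\
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/7.0.0RC6
"""

# Constructed sample of a hardened server (Apache "ServerTokens Prod",
# PHP "expose_php = Off"): nothing left to fingerprint.
HARDENED_SAMPLE = """\
Server: Apache
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit_headers(sample) or "no disclosure")
```

Run against your own site's responses, an empty result is what you want to see. On Apache the Server string is trimmed with the ServerTokens Prod directive, and PHP stops sending X-Powered-By when expose_php is set to Off in php.ini; note that the Network tab in the article would then show nothing more than "Apache".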

On Windows a typical site folder is C:\Server\data\htdocs\... But in fact, if someone "thought of" running a server on Windows, most likely this person has not heard anything about privileges. Therefore it is worth starting attempts directly from the C:/Windows/ directory:

As you can see, everything went fine the first time.

But the jSQL Injection shells themselves raise my doubts. If you have file privileges, you can easily upload something from the web interface.

8. Bulk check of sites for SQL-injection

jSQL Injection has this feature too. Everything is extremely simple: load a list of sites (you can import it from a file), select those you want to check and press the appropriate button to start.

Conclusion on jSQL Injection

jSQL Injection is a good, powerful tool for finding and then exploiting SQL injections found on sites. Its undoubted advantages are ease of use and built-in related functions. jSQL Injection can be a beginner's best friend when analyzing websites.

Among the shortcomings, I would note the impossibility of editing databases (at least I did not find this functionality). As with all tools with a graphical interface, the inability to use it in scripts can be counted among its disadvantages. Nevertheless, some automation is possible in this program too, thanks to the built-in bulk site check function.


Hi all guys!
I want to say right away that I am not a deep-profile specialist - there are people who are both smarter and have deeper knowledge. For me personally this is a hobby. But there are people who know less than me - first of all, the material is not designed for complete fools, but you also don't need to be a super pro to understand it.
Many of us are used to thinking that a dork is a vulnerability; alas, you were wrong - in essence, a dork is a search query sent to a search engine.
That is, the word index.php?id= is a dork,
but the word Shop is also a dork.
In order to understand what you want, you must be clearly aware of what your requirements for the search engine are. The regular dork index.php?id= can be divided into
index - the key
.php? - a code indicating that you need a site on PHP
id= - the identifier of something on the site
id=2 - in our case 2 is an indication of which parameter value the identifier should be parsed with.
If you write index.php?id=2 then there will only be sites where id=2; in case of a mismatch the site will be eliminated. For this reason it makes no sense to write an exact value of the identifier, since it can be 1, 2, 3, 4, 5 and so on indefinitely.
If you decide to create an exact dork, let's say for Steam, then it makes sense to give it a look like this
inurl:game* +intext:"csgo"
it will parse the word game* in the URL of the site (where * is an arbitrary number of characters after the word game - after all, there can be "games" and the like)
It is also worth using an operator such as intitle:
If you have seen a good gaming site or have a list of vulnerable gaming sites,
it makes sense to use the related operator for parsing:
for related: a value in the form of a link to the site is suitable

related:***
- it will find all sites that, from the point of view of the search engine, are similar to the specified one
Remember - a dork is parsing, it's not a hole.
A hole is a vulnerability that is detected by a scanner based on what you have parsed.
I personally do not recommend using a large number of prefixes (search operators) when you work without proxies.
I will tell you about a method of creating private dorks for a country.
In order to create a dork like index.php?id= we will have to parse it
index - we will replace it with an arbitrary word
.php?id= will be our dork code
There is no sense in dreaming up new codes, because many sites are stable on the same codes and engines and will stay that way. List of codes:

Spoiler: Dorks

The list is the full cross product of the extensions and parameter names below (7 extensions x 50 parameters = 350 entries, from .php?ts= through .jsp?art=); each entry has the form EXTENSION?PARAMETER=

Extensions:
.php
.html
.aspx
.asp
.htm
.cgi
.jsp

Parameter names:
ts, topic, t, ch, _nkw, id, option, view, lang, page, p, q, gdjkgd, son, search, uid, title, id_q, prId, tag, letter, prid, catid, ID, iWine, productID, products_id, topic_id, pg, clan, fid, url, show, inf, event_id, term, TegID, cid, prjid, pageid, name, id_n, th_id, category, book_id, isbn, item_id, sSearchword, CatID, art

We will use these codes for the dork generator.
We go to Google Translate and translate into Italian a list of the most frequently used words.
Parse the list of words in Italian, insert it into the first column of the dork generator and put the codes in the second column; usually php is a variety of sites, cfm shops, jsp games.
Generate, remove spaces. Private dorks for Italy are ready.
It also makes sense to insert in the right column phrases in the same language in the style of "remember me", "forgot your password" instead of site:it
They will parse well, and they will be private if you parse something unique and replace the dork key.
And add "remember me" in the same language - then only sites with databases will come out.
It's all about thinking. The dorks will be of the form name.php?uid=; their whole feature will be in a unique key. They will be mixed; the inurl: operator does not need to be applied, since without it parsing will go through the URL, the text and the title.
After all, the meaning of a dork is that it can be anything - Steam, a stick, a Neteller - or maybe not. Here you need to go for quantity.
There is also so-called vulnerability parsing.

Spoiler: Dorks

intext:"java.lang.NumberFormatException: null"
intext:"error in your SQL syntax"
intext:"mysql_num_rows()"
intext:"mysql_fetch_array()"
intext:"Error Occurred While Processing Request"
intext:"Server Error in" / "Application"
intext:"Microsoft OLE DB Provider for ODBC Drivers error"
intext:"Invalid Querystring"
intext:"OLE DB Provider for ODBC"
intext:"VBScript Runtime"
intext:"ADODB.Field"
intext:"BOF or EOF"
intext:"ADODB.Command"
intext:"JET Database"
intext:"mysql_fetch_row()"
intext:"Syntax error"
intext:"include()"
intext:"mysql_fetch_assoc()"
intext:"mysql_fetch_object()"
intext:"mysql_numrows()"
intext:"GetArray()"
intext:"FetchRow()"

These dorks look for vulnerabilities directly, that is, use them together with unique words that are unlikely to have been parsed before you.

Getting hold of private data does not always mean hacking: sometimes it is simply published in public access. Knowledge of Google's settings and a little ingenuity will let you find a lot of interesting things, from credit card numbers to FBI documents.

WARNING

All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials in this article.

Today everything is connected to the Internet, with little concern for restricting access. As a result, a lot of private data becomes prey for search engines. Crawlers are no longer limited to web pages: they index all content available on the Web and constantly add undisclosed information to their databases. Finding these secrets is easy; you just need to know exactly how to ask for them.

Looking for files

In the right hands, Google will quickly find everything on the Web that is lying around badly, for example personal information and files for official use only. They are often hidden like a key under a doormat: there are no real access restrictions, the data just lies in the back yard of the site, where no links lead. Google's standard web interface only provides basic advanced-search settings, but even those will suffice.

Two operators can be used to limit a Google search to specific file types: filetype and ext. The first specifies the format that the search engine determined from the file's header, the second the file extension, regardless of the internal content. In both cases you only need to specify the extension. Initially the ext operator was convenient in cases where the file had no specific format features (for example, for searching ini and cfg configuration files, which could contain anything). Now Google's algorithms have changed, and there is no visible difference between the operators: in most cases the results come out the same.


Filtering the results

By default, Google searches for words (and, in general, any entered characters) in all files on indexed pages. You can limit the search scope by top-level domain, by a specific site, or by the location of the desired sequence within the files themselves. For the first two options the site operator is used, followed by the name of the domain or the chosen site. In the third case a whole set of operators lets you search in service fields and metadata. For example, allinurl will find what is specified in the body of the links themselves, allinanchor in the anchor text of links, allintitle in page titles, allintext in the body of the pages.

For each operator there is a lighter version with a shorter name (without the all prefix). The difference is that allinurl will find links containing all the words, whereas inurl requires only the first word to be in the link; the second and subsequent words of the query can appear anywhere on the page. The inurl operator also differs from the similar site operator: the former lets you find any sequence of characters in the link to the searched document (for example /cgi-bin/), which is widely used to find components with known vulnerabilities.

Let's try it in practice. We take the allintext filter and make the query return a list of credit card numbers and verification codes that will only expire in two years (or when their owners get tired of feeding everyone in a row).

allintext: card number expiration date /2017 cvv

When you read in the news that a young hacker "hacked into the servers" of the Pentagon or NASA and stole classified information, in most cases it is about just such an elementary technique of using Google. Suppose we are interested in a list of NASA employees and their contact details. Surely such a list exists in electronic form. For convenience or by oversight it may also be found on the organization's own website. Logically, there will be no links to it, since it is intended for internal use. What words can such a file contain? At minimum, an "address" field. Testing all these assumptions is easy.

inurl:nasa.gov filetype:xlsx "address"


Using bureaucracy

Finds like these are nice little things. A really solid catch requires more detailed knowledge of Google's operators for webmasters, of the Web itself and of the structure of what you are looking for. Knowing the details, you can easily filter the results and refine the properties of the files you need, so that what remains is really valuable data. It's funny that bureaucracy comes to the rescue here: it produces standard formulations that make it convenient to search for secret information that accidentally leaked onto the Web.

For example, the Distribution statement stamp, which is mandatory in the offices of the US Department of Defense, denotes standardized restrictions on the distribution of a document. The letter A denotes public releases in which there is nothing secret; B - for internal use only, C - strictly confidential, and so on up to F. Separately there is the letter X, which marks especially valuable information constituting a state secret of the highest level. Let such documents be searched for by those whose duty it is, and we will restrict ourselves to files with the letter C. According to directive DoDI 5230.24, this marking is assigned to documents containing a description of critical technologies that fall under export control. Such closely guarded information can be found on sites in the .mil top-level domain dedicated to the US armed forces.

"DISTRIBUTION STATEMENT C" inurl:navy.mil

It is very convenient that the .mil domain contains only sites of the US Department of Defense and its contractor organizations. Domain-restricted search results are exceptionally clean, and the titles are self-explanatory. It is practically useless to search for Russian secrets in this way: chaos reigns in the .ru and .рф domains, and the names of many weapons systems sound botanical (PP "Cypress", ACS "Akatsiya") or downright fabulous (TOS "Buratino").


By carefully examining any document from a site in the .mil domain, you can see other markers to refine your search. For example, the reference to export restrictions "Sec 2751" is also convenient for finding interesting technical information. From time to time it is withdrawn from the official sites where it once showed up, so if you cannot follow an interesting link in the search results, use Google's cache (the cache operator) or the Internet Archive site.

Climbing into the clouds

In addition to accidentally declassified government documents, Google's cache occasionally turns up links to personal files from Dropbox and other storage services that create "private" links to publicly published data. It's even worse with alternative and home-made services. For example, the following query finds data from all Verizon clients who have an FTP server enabled and actively used on their router.

allinurl:ftp://verizon.net

There are now more than forty thousand such clever people, and in the spring of 2015 there were an order of magnitude more. Instead of verizon.net you can substitute the name of any well-known provider, and the more famous it is, the bigger the catch can be. Through the built-in FTP server you can see the files on the external storage connected to the router. Usually this is a NAS for remote work, a personal cloud or some kind of peer-to-peer download. All contents of such media are indexed by Google and other search engines, so files stored on external drives can be reached with a direct link.

Peeping configs

Before the mass migration to the clouds, simple FTP servers, which also had enough vulnerabilities, ruled as remote storage. Many of them are still in use today. For example, the popular WS_FTP Professional program stores configuration data, user accounts and passwords in the ws_ftp.ini file. It is easy to find and read, since all records are stored in plain text and the passwords are encrypted with Triple DES after minimal obfuscation. In most versions, simply discarding the first byte is sufficient.

It is easy to decrypt such passwords using the WS_FTP Password Decryptor utility or a free web service.

When people speak of hacking an arbitrary site, they usually mean obtaining a password from the logs and backups of the configuration files of a CMS or an e-commerce application... If you know their typical structure, you can easily specify keywords... Lines like those found in ws_ftp.ini are extremely common. For example, Drupal and PrestaShop have a user ID (UID) and a corresponding password (pwd), and all of this is stored in files with the .inc extension. You can search for them as follows:

"pwd=" "UID=" ext:inc

Revealing passwords from DBMS

In the configuration files of SQL servers, user names and e-mail addresses are stored in clear text, and MD5 hashes are written instead of the passwords. Strictly speaking, it is impossible to decrypt them, but you can find a match among known hash-password pairs.

Even now there are DBMSs that do not use password hashing at all. Their configuration files can simply be viewed in the browser.

intext:DB_PASSWORD filetype:env

With the arrival of Windows on servers, the place of configuration files was partly taken by the registry. You can search through its branches in exactly the same way, using reg as the file type. For example:

filetype:reg HKEY_CURRENT_USER "Password"=

Don't forget the obvious

Sometimes you can get to classified information with the help of data that was accidentally opened up and caught Google's eye... Ideally, you find a list of passwords in some common format. Only desperate people store account information in a text file, a Word document or an Excel spreadsheet, but there are always enough of them.

filetype:xls inurl:password

On the one hand, there are plenty of tools to prevent such incidents: set adequate access rights in .htaccess, patch the CMS, do not use dubious scripts and close other holes. There is also the robots.txt file, which asks search engines not to index the files and directories listed in it. On the other hand, if the robots.txt structure on some server differs from the standard one, it becomes immediately clear what they are trying to hide on it.

The list of directories and files on any site is preceded by the standard "index of". Since for service purposes it appears in the title, it makes sense to limit its search with the intitle operator. Interesting things are found in the /admin/, /personal/, /etc/ and even /secret/ directories.
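The queries in the sections above (ws_ftp.ini, .env with DB_PASSWORD, .inc files with UID=/pwd=, exported .reg files, spreadsheets named after passwords, and directories that render an "Index of" listing) all rely on files that should never have been inside a web root. As an added example, not from the article, the following Python script walks a web root and reports the same categories from the administrator's side, before a crawler does. The rules, rule names and the sample web root are constructed for this example; the .pcf rule anticipates the Cisco VPN profile mentioned later in the article.

```python
# Added example: audit a web root for files the article's queries would surface.
# Not from the original article; the sample web root is constructed in a temp dir.
import os
import re
import tempfile
from pathlib import Path

# A directory with none of these is a candidate for an "Index of /" listing
# when the server has directory indexing enabled.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

# (rule name, filename predicate, content regex or None). Names are ours.
RULES = [
    ("ws_ftp config", lambda p: p.name.lower() == "ws_ftp.ini", None),
    ("env with DB password", lambda p: p.name.lower() == ".env",
     re.compile(r"^DB_PASSWORD=", re.M)),
    ("inc with credentials", lambda p: p.suffix.lower() == ".inc",
     re.compile(r"\b(pwd|UID)\s*=", re.I)),
    ("registry export with password", lambda p: p.suffix.lower() == ".reg",
     re.compile(r'"Password"\s*=', re.I)),
    ("spreadsheet named password",
     lambda p: p.suffix.lower() in {".xls", ".xlsx"} and "password" in p.name.lower(), None),
    ("vpn profile", lambda p: p.suffix.lower() == ".pcf", None),
]


def audit_webroot(root) -> list:
    """Return sorted (rule, relative path) findings for a web root."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if not INDEX_NAMES & {n.lower() for n in filenames}:
            findings.append(("directory without index page", str(d.relative_to(root))))
        for fname in filenames:
            p = d / fname
            for rule, name_ok, content_re in RULES:
                if not name_ok(p):
                    continue
                if content_re is not None:
                    try:
                        text = p.read_text(errors="replace")
                    except OSError:
                        continue
                    if not content_re.search(text):
                        continue
                findings.append((rule, str(p.relative_to(root))))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed web root in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hi';")
    (root / ".env").write_text("APP_ENV=prod\nDB_PASSWORD=s3cret\n")  # constructed secret
    (root / "personal").mkdir()                                        # no index page
    (root / "personal" / "passwords.xlsx").write_bytes(b"PK\x03\x04")
    (root / "inc").mkdir()
    (root / "inc" / "index.html").write_text("")
    (root / "inc" / "settings.inc").write_text("UID=admin\npwd=x\n")   # constructed
    (root / "docs").mkdir()
    (root / "docs" / "index.html").write_text("")
    (root / "docs" / "readme.txt").write_text("nothing sensitive")
    return str(root)


if __name__ == "__main__":
    for rule, path in audit_webroot(build_sample_webroot()):
        print(f"{rule}: {path}")
```

The point of the check is that robots.txt is a request to crawlers, not an access control: a file it names is still downloadable by anyone who guesses the path, and the article itself notes that an unusual robots.txt advertises what is being hidden. Secrets belong outside the document root; what must stay inside should be denied at the web server (on Apache, a Require all denied block for the file patterns, and Options -Indexes to stop directory listings).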

Follow the updates

Relevance is extremely important here: old vulnerabilities are being closed very slowly, but Google and its search results are constantly changing. There is even a difference between the "last second" filter (&tbs=qdr:s at the end of the request URL) and "real time" (&tbs=qdr:1).

The date and time of a file's last update is also indirectly indicated by Google. Through the graphical web interface you can select one of the typical periods (hour, day, week, and so on) or set a date range, but this method is not suitable for automation.

From the address bar you can only guess at the way to limit the output of results using the &tbs=qdr: construction. The letter y after it sets a limit of one year (&tbs=qdr:y), m shows results for the last month, w for the week, d for the past day, h for the last hour, n for the last minute, and s for the last second. The very latest results that have just been reported to Google are found with the &tbs=qdr:1 filter.

If you need to write a tricky script, it will be useful to know that the date range in Google is set in Julian format using the daterange operator. For example, this is how you can find PDF documents containing the word confidential that were uploaded between 1 January and 1 July 2015.

confidential filetype:pdf daterange:2457024-2457205

The range is specified as Julian day numbers, without the fractional part. Converting them manually from the Gregorian calendar is inconvenient; it's easier to use a date converter.
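The conversion the paragraph above leaves to "a date converter" is a one-line offset once you know it, which matters when the range is built by a script. The following Python is an added example, not code from the article: it converts a Gregorian date to the integer Julian day number the daterange operator expects, converts back, and renders the operator; the only assumption is the constant relating Python's date ordinal to the Julian day number, which reproduces the article's 2457024-2457205 range for 1 January to 1 July 2015.

```python
# Added example: Gregorian date <-> Julian day number for Google's daterange: operator.
# Not from the original article.
from datetime import date

# Python's proleptic-Gregorian ordinal counts 0001-01-01 as 1; the Julian day
# number of that date is 1721426, so the two scales differ by this constant.
_ORDINAL_TO_JDN = 1721425


def julian_day_number(d: date) -> int:
    """Integer Julian day number of a calendar date (no fractional part)."""
    return d.toordinal() + _ORDINAL_TO_JDN


def from_julian_day_number(jdn: int) -> date:
    """Inverse conversion, useful for reading an existing range back."""
    return date.fromordinal(jdn - _ORDINAL_TO_JDN)


def daterange_operator(start: date, end: date) -> str:
    """Render the daterange:START-END operator; a reversed range is an error."""
    if end < start:
        raise ValueError("end date precedes start date")
    return f"daterange:{julian_day_number(start)}-{julian_day_number(end)}"


if __name__ == "__main__":
    # The article's example range, 1 January to 1 July 2015.
    print(daterange_operator(date(2015, 1, 1), date(2015, 7, 1)))
```

The constant can be sanity-checked against a well-known fixed point: 1 January 2000 is Julian day 2451545, and the function returns exactly that.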

Targeting and filtering again

In addition to specifying extra operators in the search query, you can pass them directly in the request URL. For example, the qualifier filetype:pdf corresponds to the construction as_filetype=pdf. This makes it convenient to specify any refinement. For instance, results can be returned only from the Republic of Honduras by adding cr=countryHN to the search URL, and only from the city of Bobruisk with gcs=Bobruisk. See the developer section for the complete list.

Google's automation tools are meant to make life easier, but they often add complications. For example, the user's city is determined from the user's IP via WHOIS. Based on this information, Google not only balances the load between servers but also changes the search results. Depending on the region, the same query will return different first pages, and some results may be hidden altogether. To feel like a cosmopolitan and search for information from any country, use its two-letter code after the gl= parameter. For example, the code for the Netherlands is NL, but the Vatican and North Korea have no code of their own on Google.

Often the search results are cluttered even after applying several advanced filters. In that case it is easy to refine the query by adding a few exclusion words (each preceded by a minus sign). For example, banking, names and tutorial often appear together with the word Personal. Therefore cleaner results come not from the textbook query but from a refined one:

intitle:"Index of /Personal/" -names -tutorial -banking

Last example

A sophisticated hacker is distinguished by providing himself with everything he needs on his own. For example, a VPN is convenient but either expensive or temporary and limited; subscribing for yourself alone is too costly. It's good that there are group subscriptions, and with Google it is easy to become part of a group. To do this, just find a Cisco VPN configuration file, which has the rather unusual PCF extension and a recognizable path: Program Files\Cisco Systems\VPN Client\Profiles. One query, and you join, for example, the friendly staff of the University of Bonn.

filetype:pcf vpn OR Group

INFO

Google finds config files with passwords, but many of them are encrypted or replaced with hashes. If you see strings of fixed length, look for a decryption service right away.

The passwords are stored encrypted, but Maurice Massard has already written a program to decrypt them and provides it free of charge through thecampusgeeks.com.

Google helps with hundreds of different types of attacks and penetration tests. There are many options, affecting popular programs, major database formats, multiple vulnerabilities in PHP, clouds, and so on. If you have an accurate idea of what you are looking for, this greatly simplifies obtaining the information you need (especially the information that was never meant to be made public). Shodan is far from the only source of interesting ideas; every database of indexed network resources is one!

How to search correctly with google.com

Everyone probably knows how to use a search engine like Google =) But not everyone knows that if you correctly compose search query with the help of special constructions, you can achieve the results of what you are looking for much more efficiently and faster =) In this article I will try to show what and how you need to do in order to search correctly

Google supports several advanced search operators that have a special meaning when searching on google.com. Typically, these operators modify the search, or even tell Google to perform a completely different type of search. For example, the construction link: is a special operator, and the query link:www.google.com does not perform a normal search but instead finds all web pages that have links to google.com.

Alternative query types

cache: Shows Google's cached copy of a page. If you include other words in the query, Google will highlight those words within the cached document.
For example, cache:www.site web will show the cached content with the word "web" highlighted.

link: The query discussed above; it shows web pages that contain links to the specified address.
For example, link:www.site will display all pages that have a link to http://www.site

related: Displays web pages that are "related" to the specified web page.
For example, related:www.google.com will list web pages that are similar to Google's home page.

info: Provides some of the information Google has about the requested web page.
For example, info:website will show information about our forum =) (Armada - Forum of adult webmasters).

Other information queries

define: The define: query provides a definition of the words you enter after it, compiled from various online sources. The definition is for the entire phrase entered (that is, it includes all the words in the exact query).

stocks: If you start your query with stocks:, Google treats the rest of the query as stock ticker symbols and links to a page showing financial information for those symbols.
For example, stocks:intc yhoo will show information about Intel and Yahoo. (Note that you must type the ticker symbols, not the company name.)

Query modifiers

site: If you include site: in your query, Google will limit the results to the websites it finds in that domain.
You can also search within individual zones, such as ru, org, com, etc. (site:com, site:ru)

allintitle: If you run a query with allintitle:, Google will limit the results to pages that have all the words of the query in the title.
For example, allintitle:google search will return all Google search pages such as Images, Blog, etc.

intitle: If you include intitle: in your query, Google will limit the results to documents containing that word in the title.
For example, intitle:Business

allinurl: If you run a query with allinurl:, Google will limit the results to pages that have all the words of the query in the URL.
For example, allinurl:google search will return documents with "google" and "search" in the URL. You can also separate words with a slash (/); the words on both sides of the slash will then be searched for within one page. Example: allinurl:foo/bar

inurl: If you include inurl: in your query, Google will limit the results to documents containing that word in the URL.
For example, Animation inurl:website

intext: Searches only the text of the page for the specified word, ignoring the title, link text and other unrelated items. There is also a derivative of this modifier, allintext: with it, all the words in the query are searched for only in the page text, which also matters because it ignores the words frequently used in links.
For example, intext:forum

daterange: Searches within a time frame (daterange:2452389-2452389); the dates are given as Julian day numbers.

And finally, all sorts of interesting example queries

Examples of writing queries for Google. For spammers

Inurl: control.guest? A = sign

Site: books.dreambook.com “Homepage URL” “Sign my” inurl: sign

Site: www.freegb.net Homepage

Inurl: sign.asp “Character Count”

"Message:" inurl: sign.cfm "Sender:"

Inurl: register.php “User Registration” “Website”

Inurl: edu / guestbook “Sign the Guestbook”

Inurl: post “Post Comment” “URL”

Inurl: / archives / “Comments:” “Remember info?”

“Script and Guestbook Created by:” “URL:” “Comments:”

Inurl:? Action = add “phpBook” “URL”

Intitle: ”Submit New Story”

Magazines

Inurl: www.livejournal.com/users/ mode = reply

Inurl greatestjournal.com/ mode = reply

Inurl: fastbb.ru/re.pl?

Inurl: fastbb.ru /re.pl? "Guest book"

Blogs

Inurl: blogger.com/comment.g? ”PostID” “anonymous”

Inurl: typepad.com/ “Post a comment” “Remember personal info?”

Inurl: greatestjournal.com/community/ “Post comment” “addresses of anonymous posters”

“Post comment” “addresses of anonymous posters” -

Intitle: "Post comment"

Inurl: pirillo.com “Post comment”

Forums

Inurl: gate.html? ”Name = Forums” “mode = reply”

Inurl: "forum / posting.php? Mode = reply"

Inurl: "mes.php?"

Inurl: ”members.html”

Inurl: forum / memberlist.php? ”

Any search for vulnerabilities on web resources begins with reconnaissance and information gathering.
Reconnaissance can be active (brute-forcing the site's files and directories, launching vulnerability scanners, browsing the site manually) or passive (searching for information in various search engines). Sometimes a vulnerability becomes known even before the first page of the site has been opened.

How is this possible?
Search robots, roaming the Internet non-stop, index not only information useful to an ordinary user but also, quite often, things that cybercriminals can use in an attack on a web resource: for example, script errors and files with sensitive information (from configuration files and logs to files with authentication data and database backups).
From a search robot's point of view, an error message from an SQL query is plain text, indistinguishable from, say, the product descriptions on the page. If the robot comes across a file with the .sql extension that for some reason ended up in the site's working folder, it is treated as part of the site's content and is indexed too (including, possibly, the passwords it contains).

Such information can be found by knowing strong, often unique, keywords that separate "vulnerable pages" from pages that contain no vulnerabilities.
A huge database of special queries built on such keywords (so-called dorks) exists on exploit-db.com and is known as the Google Hack Database.
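The risk just described, crawlers indexing .sql dumps, logs and other files that happen to sit in the web root, can be caught on the server side before a search engine does it. The following is an added example, not code from the article: it scans web-server access log lines for successful crawler fetches of such files and prints the site: query with which to check whether the file is already indexed. The log format, the crawler markers, the extension list and the sample log lines are all assumptions constructed for the example.

```python
"""Access-log check (added example, not code from the article): flag responses that
served files with extensions atypical for a web resource to a search-engine crawler,
i.e. content that is about to be indexed and findable with an ext:/filetype: dork.
Log format, crawler markers and the extension list are assumptions."""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Combined log format (Apache/nginx default); the fields we use are named groups.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Assumed crawler markers, matched on the User-Agent; verifying the client's reverse
# DNS against the crawler operator's published ranges is a separate step not shown here.
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "duckduckbot", "baiduspider")

# Assumed extensions that should never reach a crawler: the article's examples (.sql
# dumps, .log files, .pcf VPN profiles, .reg exports) plus common backup/config leftovers.
SENSITIVE_EXTS = {"sql", "log", "pcf", "reg", "bak", "old", "conf", "ini", "env"}

Finding = namedtuple("Finding", "ip time path status agent dork")


def crawler_name(agent):
    """Return the crawler marker found in a User-Agent, or None for ordinary clients."""
    agent = agent.lower()
    return next((m for m in CRAWLER_MARKERS if m in agent), None)


def classify_path(path):
    """Return the dork fragment that would find this path if it should not be crawlable
    (dot-files/dot-directories such as .git or .env, or a sensitive extension), else None."""
    path = urlparse(path).path                     # drop the query string
    for part in path.split("/"):
        if part.startswith(".") and len(part) > 1:
            return f"inurl:{part}"
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return f"ext:{ext}" if ext in SENSITIVE_EXTS else None


def scan_log(lines, site):
    """Return a Finding for every line where a crawler received a 2xx for sensitive
    content. `site` is the virtual host the log belongs to (combined format has no Host)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not combined format; skip it
        bot = crawler_name(m["agent"])
        if bot is None or not m["status"].startswith("2"):
            continue                                   # ordinary client, or nothing served
        fragment = classify_path(m["target"])
        if fragment:
            findings.append(Finding(m["ip"], m["time"], urlparse(m["target"]).path,
                                    int(m["status"]), bot, f"site:{site} {fragment}"))
    return findings


# Constructed log lines: addresses from documentation ranges, invented timestamps.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2021:13:55:36 +0000] "GET /backup/site.sql HTTP/1.1" 200 51234 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [10/Oct/2021:13:55:37 +0000] "GET /news/2024.html HTTP/1.1" 200 8123 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [10/Oct/2021:14:01:02 +0000] "GET /backup/site.sql HTTP/1.1" 200 51234 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0"',
    '198.51.100.5 - - [10/Oct/2021:14:05:10 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" '
    '"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '192.0.2.11 - - [10/Oct/2021:14:09:44 +0000] "GET /logs/error.log HTTP/1.1" 404 196 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [10/Oct/2021:14:12:00 +0000] "GET /vpn/office.pcf?v=2 HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, "www.example.test"):
        print(f"{f.time} {f.agent} fetched {f.path} ({f.status}); check with: {f.dork}")
```

The third sample line (a browser, not a crawler, downloading the dump) is deliberately not reported: it is a different problem, exposure rather than imminent indexing.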

Why Google?
Dorks are aimed primarily at Google for two reasons:
- the most flexible syntax of keywords (shown in Table 1) and special characters (shown in Table 2);
- the Google index is still more complete than that of other search engines.

Table 1 - Main Google keywords

site - Search only on the specified site; only the URL is taken into account. Example: site:somesite.ru finds all pages of the given domain and its subdomains.
inurl - Search by words present in the URI. Unlike the keyword site, it looks for matches after the site name. Example: inurl:news finds all pages where the given word occurs in the URI.
intext - Search in the body of the page. Example: intext:"plugs" is completely equivalent to the plain query plugs.
intitle - Search in the title of the page, i.e. the text enclosed between the <title> tags. Example: intitle:"index of" finds all pages with a directory listing.
ext - Search for pages with the specified extension. Example: ext:pdf finds all PDF files.
filetype - Currently completely equivalent to the keyword ext. Example: filetype:pdf does the same.
related - Search for sites with similar topics. Example: related:google.ru shows its analogues.
link - Search for sites that link to the given one. Example: link:somesite.ru finds all sites that have a link to it.
define - Show the definition of a word. Example: define:0day gives the definition of the term.
cache - Show the page content from the cache (if available). Example: cache:google.com opens the page from the cache.

Table 2 - Special symbols in Google queries

" - Exact phrase. Example: intitle:"RouterOS router configuration page" searches for routers.
* - Any text. Example: inurl:"bitrix*mcart" searches for sites on Bitrix with the vulnerable mcart module.
. - Any character. Example: Index.of is similar to the query index of.
- - Exclude a word. Example: error -warning shows all pages with "error" but without "warning".
.. - Range. Example: cve 2006..2016 shows vulnerabilities by year starting from 2006.
| - Boolean "or". Example: linux | windows shows pages where either the first or the second word occurs.

It should be understood that any query to a search engine is a search for words only. It is useless to search a page for meta-characters (quotes, brackets, punctuation marks, etc.). Even a search for an exact phrase given in quotes is a word search, followed by a check for the exact match within the results.

All Google Hack Database dorks are logically divided into 14 categories, presented in Table 3.
Table 3 - Google Hack Database categories

Footholds - Web shells, public file managers. Example, find all hacked sites where the listed web shells have been uploaded: (intitle:"phpshell" OR intitle:"c99shell" OR intitle:"r57shell" OR intitle:"PHP Shell" OR intitle:"phpRemoteView") `rwx` "uname"
Files containing usernames - Registry files, configuration files, logs, files with the history of entered commands. Example, find all registry files containing account information: filetype:reg reg +intext:"internet account manager"
Sensitive Directories - Directories with various information (personal documents, VPN configs, hidden repositories, etc.). Example, find all directory listings containing VPN-related files: "Config" intitle:"Index of" intext:vpn. Sites containing git repositories: (intext:"index of /.git") ("parent directory")
Web Server Detection - Version and other information about the web server. Example, find JBoss administrative consoles: inurl:"/web-console/" intitle:"Administration Console"
Vulnerable Files - Scripts containing known vulnerabilities. Example, find sites using a script that allows downloading an arbitrary file from the server: allinurl:forcedownload.php?file=
Vulnerable Servers - Installation scripts, web shells, open administrative consoles, etc. Example, find open phpMyAdmin consoles running as root: intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
Error Messages - Various errors and warnings that often reveal important information, from the CMS version to passwords. Example, sites with errors when executing SQL queries against the database: "Warning: mysql_query()" "invalid query"
Files containing juicy info - Certificates, backups, emails, logs, SQL scripts, etc. Example, find initialization SQL scripts: filetype:sql and "insert into" -site:github.com
Files containing passwords - Everything that can contain passwords: logs, SQL scripts, etc. Example, logs mentioning passwords: filetype:log intext:password | pass | pw. SQL scripts containing passwords: ext:sql intext:username intext:password
Sensitive Online Shopping Info - Information related to online shopping. Example, find PIN codes: dcid= bn= pin code=
Network or vulnerability data - Information not directly related to the web resource but affecting the network or other non-web services. Example, find proxy auto-configuration scripts containing information about the internal network: inurl:proxy | inurl:wpad ext:pac | ext:dat findproxyforurl
Pages containing login portals - Pages with login forms. Example, SAP logon pages: intext:"2016 SAP AG. All rights reserved." intitle:"Logon"
Various Online Devices - Printers, routers, monitoring systems, etc. Example, find a printer configuration panel: intitle:"hp laserjet" inurl:SSI/Auth/set_config_deviceinfo.htm
Advisories and Vulnerabilities - Websites on vulnerable versions of a CMS. Example, find vulnerable plugins through which an arbitrary file can be uploaded to the server: inurl:fckeditor -intext:"ConfigIsEnabled = False" intext:ConfigIsEnabled

Dorks are most often aimed at searching all sites on the Internet. But nothing prevents you from limiting the search area to one site or several sites.
Each Google query can be focused on a specific site by adding the keyword site:somesite.com to it. This keyword can be added to any dork.

Vulnerability search automation
So the idea was born to write a simple utility that automates the search for vulnerabilities using the search engine (Google) and relies on the Google Hack Database.

The utility is a script written for Node.js using PhantomJS; to be precise, the script is interpreted by PhantomJS itself.
PhantomJS is a complete web browser without a graphical interface, controlled by JS code, with a convenient API.
The utility got a quite self-explanatory name: dorks.
Running it on the command line without options prints a short help with several usage examples.

Figure 1 - List of basic dorks options

The general syntax of the utility is: dorks "command" "list of options".
A detailed description of all options is given in Table 4.

Table 4 - dorks syntax

Command ghdb:
-l - Display a numbered list of Google Hack Database dork categories
-c "category number or name" - Load the dorks of the specified category, by number or name
-q "phrase" - Load the dorks found for the given query
-o "file" - Save the result to a file (only with the -c or -q option)

Command google:
-d dork - Set an arbitrary dork (this option can be used many times and combined with -D)
-D "file" - Use dorks from a file
-s "site" - Set a site (this option can be used many times and combined with -S)
-S "file" - Use sites from a file (the dorks are run against each site independently)
-f "filter" - Set additional keywords (appended to each dork)
-t "number of ms" - Interval between requests to Google
-T "number of ms" - Timeout when a CAPTCHA is encountered
-o "file" - Save the result to a file (only the dorks for which something was found are saved)

With the ghdb command you can fetch all the dorks from exploit-db for an arbitrary query, or an entire category at once. If you specify category 0, the entire database is downloaded (about 4.5 thousand dorks).

The list of categories available at the moment is shown in Figure 2.

Figure 2 - List of available GHDB dork categories

The google command substitutes each dork into the Google search engine and analyzes the result for matches. The dorks for which something was found are saved to a file.
The utility supports different search modes:
1 dork and 1 site;
1 dork and many sites;
1 site and many dorks;
many sites and many dorks.
The list of dorks and sites can be given either as an argument or through a file.

Demonstration of work
Let's try searching for vulnerabilities using error messages as an example. The command dorks ghdb -c 7 -o errors.dorks loads all known dorks of the "Error Messages" category, as shown in Figure 3.
Figure 3 - Loading all known dorks of the "Error Messages" category

The dorks are loaded and saved to a file. Now it remains to set them loose on some site (see Figure 4).

Figure 4 - Searching for vulnerabilities of the site of interest in the Google cache

After some time, several pages containing errors are found on the studied site (see Figure 5).

Figure 5 - Found error messages

As a result, the result.txt file contains the full list of dorks that led to an error being shown.
Figure 6 shows the result of the search for site errors.

Figure 6 - Error search result

In the cache for this dork a full backtrace is displayed, revealing the absolute paths of the scripts, the site's content management system and the type of database (see Figure 7).

Figure 7 - Disclosure of information about the site's internals

However, it should be borne in mind that not all dorks from the GHDB give a true result. Also, Google may not find an exact match and show a similar result instead.

In this case it is wiser to use your own dork list.
For example, you should always look for files with "unusual" extensions, examples of which are shown in Figure 8.

Figure 8 - List of file extensions not typical for a regular web resource

As a result, with the command dorks google -D extensions.txt -f bank, from the very first request Google starts returning sites with "unusual" file extensions (see Figure 9).

Figure 9 - Searching for "bad" file types on banking sites

It should be borne in mind that Google does not accept queries longer than 32 words.

With dorks google -d intext:"error | warning | notice | syntax" -f university
you can look for PHP interpreter errors on educational sites (see Figure 10).

Figure 10 - Search for PHP runtime errors

Sometimes it is inconvenient to use just one or two categories of dorks.
For example, if you know that the site runs on the WordPress engine, then you need dorks for WordPress. In this case it is convenient to use the Google Hack Database search.
The command dorks ghdb -q wordpress -o wordpress_dorks.txt downloads all WordPress dorks, as shown in Figure 11.

Figure 11 - Searching for WordPress-related dorks

Let's go back to the banks and use the command dorks google -D wordpress_dorks.txt -f bank to try to find something interesting related to WordPress (see Figure 12).

Figure 12 - Searching for WordPress vulnerabilities

It is worth noting that the Google Hack Database search does not accept words shorter than 4 characters. For example, the site's CMS may be unknown while the language is known: PHP. In this case you can filter what you need manually using a pipe and the system search utility: dorks -c all | findstr /I php > php_dorks.txt (see Figure 13).

Figure 13 - Searching all dorks where PHP is mentioned

Searching for vulnerabilities or sensitive information through a search engine makes sense only if the site has a significant index. For example, if a site has 10-15 pages indexed, it is silly to search for anything this way. It is easy to check the size of the index: just enter site:somesite.com into the Google search box. An example of an under-indexed site is shown in Figure 14.
Figure 14 - Checking the size of the site index

Now about the unpleasant part. From time to time Google may ask for a CAPTCHA; there is nothing to be done about it, it has to be entered. For example, when I went through the "Error Messages" category (90 dorks), the CAPTCHA came up only once.

It is worth adding that PhantomJS also supports working through a proxy, over both HTTP and SOCKS. To enable proxy mode, uncomment the corresponding line in dorks.bat or dorks.sh.

The tool is available as source code.
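The google command described above sends each dork to Google and checks the results for matches; when auditing a site you own, the same matching can be done offline against your own crawl, so no query leaves the network and no CAPTCHA is hit. The following is an added example, not code from the article or from the dorks tool: it implements the operator subset from Tables 1 and 2 and from the operator section earlier on the page (site:, inurl:, intitle:, intext:, allin*:, ext:/filetype:, quoted phrases, *, -, | / OR) in the word-only manner the article describes, and runs dorks taken from Table 3 against constructed page records; the Page record layout and the sample pages are assumptions.

```python
"""Offline dork matcher (added example, not code from the article or the dorks tool).
Evaluates a subset of Google operator syntax against local page records so that
GHDB-style dorks can be run against a crawl of your own site without querying Google."""
import re
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

FIELDS = {"inurl": "url", "intitle": "title", "intext": "body",
          "allinurl": "url", "allintitle": "title", "allintext": "body"}
URL_OPS = {"site", "ext", "filetype"}


@dataclass
class Page:
    url: str    # full URL of the crawled page
    title: str  # text of the <title> element
    body: str   # visible text of the page

def _norm(text):
    """Word-only view of text, as the article describes Google's matching: lowercase,
    punctuation collapsed to spaces; only '*' survives, as the wildcard."""
    return " " + re.sub(r"[^a-z0-9*]+", " ", text.lower()).strip() + " "

def _phrase_re(phrase):
    """Regex for a phrase in word-only form; '*' stands for any text."""
    parts = [".+?" if w == "*" else r"\b" + ".*?".join(map(re.escape, w.split("*"))) + r"\b"
             for w in _norm(phrase).split()]
    return re.compile(r"\s+".join(parts))

def tokenize(dork):
    """Split a dork into (negate, field, value) terms; None marks an OR between terms.
    Plain words that follow allinurl:/allintitle:/allintext: stay bound to that field."""
    terms, default_field = [], "any"
    for raw in shlex.split(dork):               # keeps "quoted phrases" as one token
        raw = raw.strip("()")
        if raw in ("|", "OR"):
            terms.append(None)
            continue
        negate = raw.startswith("-")
        token = raw[1:] if negate else raw
        op, sep, value = token.lower().partition(":")
        if sep and op in FIELDS:
            if op.startswith("all"):
                default_field = FIELDS[op]
            terms.append((negate, FIELDS[op], value))
        elif sep and op in URL_OPS:
            terms.append((negate, op, value))
        else:
            terms.append((negate, default_field, token))
    return terms

def _term_matches(page, field, value):
    parsed = urlparse(page.url)
    if field == "site":     # the domain and its subdomains; bare zones such as site:ru work too
        host, want = (parsed.hostname or "").lower(), value.strip().lower()
        return host == want or host.endswith("." + want)
    if field in ("ext", "filetype"):
        return parsed.path.lower().endswith("." + value.strip().lower())
    texts = [page.url, page.title, page.body] if field == "any" else [getattr(page, field)]
    return any(_phrase_re(value).search(_norm(t)) for t in texts)

def matches(page, dork):
    """True if the page satisfies the dork: every OR-group needs one satisfied term."""
    groups, pending_or = [], False
    for term in tokenize(dork):
        if term is None:
            pending_or = True
        elif pending_or and groups:
            groups[-1].append(term)
            pending_or = False
        else:
            groups.append([term])
    return all(any(_term_matches(page, f, v) != neg for neg, f, v in g) for g in groups)

def audit(pages, dorks):
    """Return {dork: [urls]} for every dork that hits at least one page."""
    hits = {d: [p.url for p in pages if matches(p, d)] for d in dorks}
    return {d: urls for d, urls in hits.items() if urls}


SAMPLE_PAGES = [  # constructed records standing in for a crawl of your own site
    Page("https://www.example.test/news/2024.html", "Company news", "Quarterly results published."),
    Page("https://www.example.test/backup/", "Index of /backup", "Parent Directory site.sql config.old"),
    Page("https://www.example.test/catalog.php?id=1", "Catalog",
         "Warning: mysql_query(): You have an error in your SQL syntax; invalid query"),
    Page("https://www.example.test/dump/site.sql", "",
         "INSERT INTO users (username, password) VALUES ('admin', 'REDACTED');"),
    Page("https://intranet.example.test/wpad.dat", "",
         "function FindProxyForURL(url, host) { return 'PROXY 10.0.0.1:8080'; }"),
]

SAMPLE_DORKS = [  # dorks from the article's tables; the last one adds site: and exclusion
    'intitle:"index of" intext:sql',
    '"Warning: mysql_query()" "invalid query"',
    "ext:sql intext:username intext:password -site:github.com",
    "inurl:proxy | inurl:wpad ext:pac | ext:dat findproxyforurl",
    "site:example.test error -warning",
]
```

Calling audit(SAMPLE_PAGES, SAMPLE_DORKS) returns the matching URLs per dork; the last dork returns nothing because the only page with "error" also contains the excluded word "warning".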
class="error_note_wrapper">' + '<div class="error_note">' + '<span class="error_note_text">' + data.text.email + '</span></div></div>'); } } if (data.text.password) { var passwordError = $('#passwordError'); console.log(data.text.password); passwordError.html('<i class="icon-error"></i><div class="error_note_wrapper">' + '<div class="error_note">' + '<span class="error_note_text">' + data.text.password + '</span></div></div>'); } if (data.text.passwordVerify) { var passwordVerify = $('#passwordVerifyError'); console.log(data.text.passwordVerify); passwordVerify.html('<i class="icon-error"></i><div class="error_note_wrapper">' + '<div class="error_note">' + '<span class="error_note_text">' + data.text.passwordVerify + '</span></div></div>'); } if (data.text.captcha) { var captcha = $('#captchaError'); console.log(data.text.captcha); captcha.html('<i class="icon-error"></i><div class="error_note_wrapper">' + '<div class="error_note">' + '<span class="error_note_text">' + data.text.captcha + '</span></div></div>'); } if (data.text.userType) { var user_type = $('#userTypeError'); console.log(data.text.userType); user_type.html('<i class="icon-error"></i><div class="error_note_wrapper">' + '<div class="error_note">' + '<span class="error_note_text">' + data.text.userType + '</span></div></div>'); } } else { $('.reg-success').html(data.text); var delay = 2000; window.location.href = url = window.location.href + "?reg=ok"; location.replace(url); setTimeout('window.location.reload(true);', delay); } } ).on('ajax:error', function (event, xhr, status, error) { } ); </script> <div class="popup" id="premium-pop"> </div> <link rel="stylesheet" href="/videouroki/res/lightslider/lightslider.min.css"> <link rel="stylesheet" href="/videouroki/res/perfectScrollbar/perfect-scrollbar.css"> <link rel="stylesheet" href="/videouroki/assets/font-awesome/css/font-awesome.min.css"> <link rel="stylesheet" href="/assets/vendor/fancybox/jquery.fancybox.min.css"> <script 
src="/videouroki/res/perfectScrollbar/perfect-scrollbar.jquery.min.js"></script> <script src="/js/rails.js"></script> <script src="/videouroki/res/lightslider/lightslider.min.js"></script> <script src="/videouroki/res/jquery.validate.min.js"></script> <script src="/videouroki/res/autosize-master/autosize.min.js"></script> <script src="/videouroki/js/tabs.js"></script> <script src="/videouroki/js/select.js"></script> <script src="/videouroki/js/global.js?2109"></script> <script src="/videouroki/js/views.js"></script> <script src="/videouroki/plugin/notify/notify.min.js"></script> <script src="/videouroki/plugin/notify/notify-metro.js"></script> <script src="/videouroki/js/lazyload.min.js"></script> <script src="/assets/vendor/fancybox/jquery.fancybox.min.js"></script> <script type="text/javascript"> $(document).ready( function () { // new LazyLoad(); } ) </script> <!--[if gte IE 9]><script type="text/javascript" src="/videouroki/assets/ckeditor-mini/ckeditor.js"></script><![endif]--> <script type="text/javascript" src="/videouroki/js/readmore.js"></script></body> </html>