25.06.2024

Companies inurl privat bild php name. PHP: Inheritance. Revealing passwords from the database


Hello guys!
I want to say right away that I am not an in-depth specialist; there are people smarter and with deeper knowledge. For me personally this is a hobby. But there are people who know less than me, so first of all: the material is not intended for complete fools, but you don't need to be a super pro to understand it.
Many of us are used to thinking that a dork is a vulnerability. Alas, that is wrong: in essence, a dork is a search query sent to a search engine.
That is, index.php?id= is a dork, but the word Shop is also one.
In order to get what you want, you must be clearly aware of what you require from the search engine. The usual form of a dork, index.php?id=, can be broken down into:
index - the key
.php? - code indicating that you need a website based on PHP
id= - the identifier of something on the site
id=2 - in our case 2 specifies which value of the identifier should be parsed.
If you write index.php?id=2 there will only be sites with id=2; if there is a mismatch, the site will be eliminated. For this reason it makes no sense to give the identifier an exact value, since it can be 1, 2, 3, 4, 5 and so on ad infinitum.
If you decide to create an exact dork, for example under Steam, then it makes sense to give it this look
inurl:game* +intext:"csgo"
it will parse the word game* in the site URL (where * is an arbitrary number of characters after the word game - after all, it can be games and the like)
It is also worth using an operator such as intitle:
If you have seen a good gaming site or you have a list of vulnerable gaming sites
It makes sense to use the related operator for parsing:

For related: a value in the form of a link to the site is suitable
- it will find all sites from the search engine's point of view similar to the specified one
Remember: a dork is parsing; it is not a hole.
A hole, also known as a vulnerability, is detected by a scanner based on what you have parsed.
I personally do not recommend using a large number of prefixes (search operators) when you work without proxies.
I'll tell you about the method of creating private dorks for a country.
In order to create a dork like index.php?id= we will have to break it down:
index - we will replace it with an arbitrary word
.php?id= will be the code for our dork
There is no point in inventing new codes, because many sites run stably on the same codes and engines and will continue to. List of codes:

Dorks:

Php?ts=
.php?topic=
.php?t=
.php?ch=
.php?_nkw=
.php?id=
.php?option=
.php?view=
.php?lang=
.php?page=
.php?p=
.php?q=
.php?gdjkgd=
.php?son=
.php?search=
.php?uid=
.php?title=
.php?id_q=
.php?prId=
.php?tag=
.php?letter=
.php?prid=
.php?catid=
.php?ID=
.php?iWine=
.php?productID=
.php?products_id=
.php?topic_id=
.php?pg=
.php?clan=
.php?fid=
.php?url=
.php?show=
.php?inf=
.php?event_id=
.php?term=
.php?TegID=
.php?cid=
.php?prjid=
.php?pageid=
.php?name=
.php?id_n=
.php?th_id=
.php?category=
.php?book_id=
.php?isbn=
.php?item_id=
.php?sSearchword=
.php?CatID=
.php?art=
.html?ts=
.html?topic=
.html?t=
.html?ch=
.html?_nkw=
.html?id=
.html?option=
.html?view=
.html?lang=
.html?page=
.html?p=
.html?q=
.html?gdjkgd=
.html?son=
.html?search=
.html?uid=
.html?title=
.html?id_q=
.html?prId=
.html?tag=
.html?letter=
.html?prid=
.html?catid=
.html?ID=
.html?iWine=
.html?productID=
.html?products_id=
.html?topic_id=
.html?pg=
.html?clan=
.html?fid=
.html?url=
.html?show=
.html?inf=
.html?event_id=
.html?term=
.html?TegID=
.html?cid=
.html?prjid=
.html?pageid=
.html?name=
.html?id_n=
.html?th_id=
.html?category=
.html?book_id=
.html?isbn=
.html?item_id=
.html?sSearchword=
.html?CatID=
.html?art=
.aspx?ts=
.aspx?topic=
.aspx?t=
.aspx?ch=
.aspx?_nkw=
.aspx?id=
.aspx?option=
.aspx?view=
.aspx?lang=
.aspx?page=
.aspx?p=
.aspx?q=
.aspx?gdjkgd=
.aspx?son=
.aspx?search=
.aspx?uid=
.aspx?title=
.aspx?id_q=
.aspx?prId=
.aspx?tag=
.aspx?letter=
.aspx?prid=
.aspx?catid=
.aspx?ID=
.aspx?iWine=
.aspx?productID=
.aspx?products_id=
.aspx?topic_id=
.aspx?pg=
.aspx?clan=
.aspx?fid=
.aspx?url=
.aspx?show=
.aspx?inf=
.aspx?event_id=
.aspx?term=
.aspx?TegID=
.aspx?cid=
.aspx?prjid=
.aspx?pageid=
.aspx?name=
.aspx?id_n=
.aspx?th_id=
.aspx?category=
.aspx?book_id=
.aspx?isbn=
.aspx?item_id=
.aspx?sSearchword=
.aspx?CatID=
.aspx?art=
.asp?ts=
.asp?topic=
.asp?t=
.asp?ch=
.asp?_nkw=
.asp?id=
.asp?option=
.asp?view=
.asp?lang=
.asp?page=
.asp?p=
.asp?q=
.asp?gdjkgd=
.asp?son=
.asp?search=
.asp?uid=
.asp?title=
.asp?id_q=
.asp?prId=
.asp?tag=
.asp?letter=
.asp?prid=
.asp?catid=
.asp?ID=
.asp?iWine=
.asp?productID=
.asp?products_id=
.asp?topic_id=
.asp?pg=
.asp?clan=
.asp?fid=
.asp?url=
.asp?show=
.asp?inf=
.asp?event_id=
.asp?term=
.asp?TegID=
.asp?cid=
.asp?prjid=
.asp?pageid=
.asp?name=
.asp?id_n=
.asp?th_id=
.asp?category=
.asp?book_id=
.asp?isbn=
.asp?item_id=
.asp?sSearchword=
.asp?CatID=
.asp?art=
.htm?ts=
.htm?topic=
.htm?t=
.htm?ch=
.htm?_nkw=
.htm?id=
.htm?option=
.htm?view=
.htm?lang=
.htm?page=
.htm?p=
.htm?q=
.htm?gdjkgd=
.htm?son=
.htm?search=
.htm?uid=
.htm?title=
.htm?id_q=
.htm?prId=
.htm?tag=
.htm?letter=
.htm?prid=
.htm?catid=
.htm?ID=
.htm?iWine=
.htm?productID=
.htm?products_id=
.htm?topic_id=
.htm?pg=
.htm?clan=
.htm?fid=
.htm?url=
.htm?show=
.htm?inf=
.htm?event_id=
.htm?term=
.htm?TegID=
.htm?cid=
.htm?prjid=
.htm?pageid=
.htm?name=
.htm?id_n=
.htm?th_id=
.htm?category=
.htm?book_id=
.htm?isbn=
.htm?item_id=
.htm?sSearchword=
.htm?CatID=
.htm?art=
.cgi?ts=
.cgi?topic=
.cgi?t=
.cgi?ch=
.cgi?_nkw=
.cgi?id=
.cgi?option=
.cgi?view=
.cgi?lang=
.cgi?page=
.cgi?p=
.cgi?q=
.cgi?gdjkgd=
.cgi?son=
.cgi?search=
.cgi?uid=
.cgi?title=
.cgi?id_q=
.cgi?prId=
.cgi?tag=
.cgi?letter=
.cgi?prid=
.cgi?catid=
.cgi?ID=
.cgi?iWine=
.cgi?productID=
.cgi?products_id=
.cgi?topic_id=
.cgi?pg=
.cgi?clan=
.cgi?fid=
.cgi?url=
.cgi?show=
.cgi?inf=
.cgi?event_id=
.cgi?term=
.cgi?TegID=
.cgi?cid=
.cgi?prjid=
.cgi?pageid=
.cgi?name=
.cgi?id_n=
.cgi?th_id=
.cgi?category=
.cgi?book_id=
.cgi?isbn=
.cgi?item_id=
.cgi?sSearchword=
.cgi?CatID=
.cgi?art=
.jsp?ts=
.jsp?topic=
.jsp?t=
.jsp?ch=
.jsp?_nkw=
.jsp?id=
.jsp?option=
.jsp?view=
.jsp?lang=
.jsp?page=
.jsp?p=
.jsp?q=
.jsp?gdjkgd=
.jsp?son=
.jsp?search=
.jsp?uid=
.jsp?title=
.jsp?id_q=
.jsp?prId=
.jsp?tag=
.jsp?letter=
.jsp?prid=
.jsp?catid=
.jsp?ID=
.jsp?iWine=
.jsp?productID=
.jsp?products_id=
.jsp?topic_id=
.jsp?pg=
.jsp?clan=
.jsp?fid=
.jsp?url=
.jsp?show=
.jsp?inf=
.jsp?event_id=
.jsp?term=
.jsp?TegID=
.jsp?cid=
.jsp?prjid=
.jsp?pageid=
.jsp?name=
.jsp?id_n=
.jsp?th_id=
.jsp?category=
.jsp?book_id=
.jsp?isbn=
.jsp?item_id=
.jsp?sSearchword=
.jsp?CatID=
.jsp?art=

We will use these codes for the dork generator.
We go to Google Translate and translate a list of the most frequently used words into Italian.
We parse the list of words in Italian, insert it into the first column of the dork generator, and put the codes into the second column (usually php; these are a variety of sites, cfm for shops, jsp for gaming ones).
We generate and remove spaces. Private dorks for Italy are ready.
It also makes sense to insert phrases in the same language, in the style of "remember me, forgot your password", into the right column instead of site:it.
They will parse well, and they will be private if you parse something unique and replace the dork key.
Add "remember me" in the same language, and then only sites with databases will come up.
It's all about thinking. Dorks will look like name.php?uid=; all their distinctiveness will be in the unique key. They will be mixed; the inurl: operator does not need to be used, since parsing will proceed without it in the URL, in the text, and in the title.
After all, the whole point of a dork is that anything can come up (Steam, stick, Neteller) or nothing may. Here you need to go for quantity.
There is also so-called vulnerability parsing.

Dorks:

intext:"java.lang.NumberFormatException: null"
intext:"error in your SQL syntax"
intext:"mysql_num_rows()"
intext:"mysql_fetch_array()"
intext:"Error Occurred While Processing Request"
intext:"Server Error in "/" Application"
intext:"Microsoft OLE DB Provider for ODBC Drivers error"
intext:"Invalid Querystring"
intext:"OLE DB Provider for ODBC"
intext:"VBScript Runtime"
intext:"ADODB.Field"
intext:"BOF or EOF"
intext:"ADODB.Command"
intext:"JET Database"
intext:"mysql_fetch_row()"
intext:"Syntax error"
intext:"include()"
intext:"mysql_fetch_assoc()"
intext:"mysql_fetch_object()"
intext:"mysql_numrows()"
intext:"GetArray()"
intext:"FetchRow()"

These dorks look for vulnerabilities directly; that is, use them together with unique words that were unlikely to have been parsed before you.

How to search correctly using google.com

Everyone probably knows how to use a search engine like Google =) But not everyone knows that if you compose a search query correctly using special constructions, you can get what you are looking for much more efficiently and quickly =) In this article I will try to show what you need to do to search correctly.

Google supports several advanced search operators that have special meaning when searching on google.com. Typically, these operators change the search, or even tell Google to do a completely different type of search. For example, the construction link: is a special operator, and the query link:www.google.com will not perform a normal search but will instead find all web pages that have links to google.com.

Alternative query types

cache: If you include other words in your query, Google will highlight those included words within the cached document.
For example, cache:www.web site will show the cached content with the word "web" highlighted.

link: The search query above will show web pages that contain links to the specified query.
For example: link:www.site will display all pages that have a link to http://www.site

related: Displays web pages that are “related” to the specified web page.
For example, related:www.google.com will list web pages that are similar to Google's home page.

info: The query info: will present some of the information Google has about the web page you are requesting.
For example, info:website will show information about our forum =) (Armada - Adult Webmasters Forum).

Other information requests

define: The define: query will provide a definition of the words you enter after it, collected from various online sources. The definition will be for the entire phrase entered (that is, it will include all words in the exact query).

stocks: If you start a query with stocks: Google will process the rest of the query terms as stock symbols, and link to a page showing ready-made information for these symbols.
For example, stocks:Intel yahoo will show information about Intel and Yahoo. (Note that you must type the ticker symbols, not the company name.)

Query Modifiers

site: If you include site: in your query, Google will limit the results to those websites it finds in that domain.
You can also search by individual zones, such as ru, org, com, etc. (site:com, site:ru).

allintitle: If you run a query with allintitle:, Google will limit the results to all the query words in the title.
For example, allintitle: google search will return all Google pages by search such as images, Blog, etc

intitle: If you include intitle: in your query, Google will limit the results to documents containing that word in the title.
For example, intitle:Business

allinurl: If you run a query with allinurl: Google will limit the results to all query words in the URL.
For example, allinurl: google search will return documents with google and search in the title. Also, as an option, you can separate words with a slash (/) then words on both sides of the slash will be searched within the same page: Example allinurl: foo/bar

inurl: If you include inurl: in your query, Google will limit the results to documents containing that word in the URL.
For example, Animation inurl:site

intext: searches for the specified word only in the text of the page, ignoring the title, link texts and other things not related to the body. There is also a derivative of this modifier, allintext:, i.e. all words in the query will be searched for only in the text, which can also be important, ignoring frequently used words in links.
For example, intext:forum

daterange: searches within a time frame (daterange:2452389-2452389); dates are given in Julian format.

And now all sorts of interesting example queries.

Examples of writing queries for Google. For spammers

Inurl:control.guest?a=sign

Site:books.dreambook.com “Homepage URL” “Sign my” inurl:sign

Site:www.freegb.net Homepage

Inurl:sign.asp “Character Count”

“Message:” inurl:sign.cfm “Sender:”

Inurl:register.php “User Registration” “Website”

Inurl:edu/guestbook “Sign the Guestbook”

Inurl:post “Post Comment” “URL”

Inurl:/archives/ “Comments:” “Remember info?”

“Script and Guestbook Created by:” “URL:” “Comments:”

Inurl:?action=add “phpBook” “URL”

Intitle:"Submit New Story"

Magazines

Inurl:www.livejournal.com/users/ mode=reply

Inurl:greatestjournal.com/ mode=reply

Inurl:fastbb.ru/re.pl?

Inurl:fastbb.ru/re.pl? "Guest book"

Blogs

Inurl:blogger.com/comment.g?”postID””anonymous”

Inurl:typepad.com/ “Post a comment” “Remember personal info?”

Inurl:greatestjournal.com/community/ “Post comment” “addresses of anonymous posters”

“Post comment” “addresses of anonymous posters” -

Intitle:"Post comment"

Inurl:pirillo.com “Post comment”

Forums

Inurl:gate.html?”name=Forums” “mode=reply”

Inurl:”forum/posting.php?mode=reply”

Inurl:"mes.php?"

Inurl:”members.html”

Inurl:forum/memberlist.php?”

So, now I'll tell you how to hack something without any special knowledge. I'll say right away that there is little benefit from this, but still.
First, you need to find the sites themselves. To do this, go to google.com and search for dorks.

Inurl:pageid= inurl:games.php?id= inurl:page.php?file= inurl:newsDetail.php?id= inurl:gallery.php?id= inurl:article.php?id= inurl:show.php? id= inurl:staff_id= inurl:newsitem.php?num= inurl:readnews.php?id= inurl:top10.php?cat= inurl:historialeer.php?num= inurl:reagir.php?num= inurl:Stray- Questions-View.php?num= inurl:forum_bds.php?num= inurl:game.php?id= inurl:view_product.php?id= inurl:newsone.php?id= inurl:sw_comment.php?id= inurl: news.php?id= inurl:avd_start.php?avd= inurl:event.php?id= inurl:product-item.php?id= inurl:sql.php?id= inurl:news_view.php?id= inurl: select_biblio.php?id= inurl:humor.php?id= inurl:aboutbook.php?id= inurl:ogl_inet.php?ogl_id= inurl:fiche_spectacle.php?id= inurl:communique_detail.php?id= inurl:sem. php3?id= inurl:kategorie.php4?id= inurl:news.php?id= inurl:index.php?id= inurl:faq2.php?id= inurl:show_an.php?id= inurl:preview.php? id= inurl:loadpsb.php?id= inurl:opinions.php?id= inurl:spr.php?id= inurl:pages.php?id= inurl:announce.php?id= inurl:clanek.php4?id= inurl:participant.php?id= inurl:download.php?id= inurl:main.php?id= inurl:review.php?id= inurl:chappies.php?id= inurl:read.php?id= inurl: prod_detail.php?id= inurl:viewphoto.php?id= inurl:article.php?id= inurl:person.php?id= inurl:productinfo.php?id= inurl:showimg.php?id= inurl:view. php?id= inurl:website.php?id= inurl:hosting_info.php?id= inurl:gallery.php?id= inurl:rub.php?idr= inurl:view_faq.php?id= inurl:artikelinfo.php? 
id= inurl:detail.php?ID= inurl:index.php?= inurl:profile_view.php?id= inurl:category.php?id= inurl:publications.php?id= inurl:fellows.php?id= inurl :downloads_info.php?id= inurl:prod_info.php?id= inurl:shop.php?do=part&id= inurl:productinfo.php?id= inurl:collectionitem.php?id= inurl:band_info.php?id= inurl :product.php?id= inurl:releases.php?id= inurl:ray.php?id= inurl:produit.php?id= inurl:pop.php?id= inurl:shopping.php?id= inurl:productdetail .php?id= inurl:post.php?id= inurl:viewshowdetail.php?id= inurl:clubpage.php?id= inurl:memberInfo.php?id= inurl:section.php?id= inurl:theme.php ?id= inurl:page.php?id= inurl:shredder-categories.php?id= inurl:tradeCategory.php?id= inurl:product_ranges_view.php?ID= inurl:shop_category.php?id= inurl:transcript.php ?id= inurl:channel_id= inurl:item_id= inurl:newsid= inurl:trainers.php?id= inurl:news-full.php?id= inurl:news_display.php?getid= inurl:index2.php?option= inurl :readnews.php?id= inurl:top10.php?cat= inurl:newsone.php?id= inurl:event.php?id= inurl:product-item.php?id= inurl:sql.php?id= inurl :aboutbook.php?id= inurl:preview.php?id= inurl:loadpsb.php?id= inurl:pages.php?id= inurl:material.php?id= inurl:clanek.php4?id= inurl:announce .php?id= inurl:chappies.php?id= inurl:read.php?id= inurl:viewapp.php?id= inurl:viewphoto.php?id= inurl:rub.php?idr= inurl:galeri_info.php ?l= inurl:review.php?id= inurl:iniziativa.php?in= inurl:curriculum.php?id= inurl:labels.php?id= inurl:story.php?id= inurl:look.php? ID= inurl:newsone.php?id= inurl:aboutbook.php?id= inurl:material.php?id= inurl:opinions.php?id= inurl:announce.php?id= inurl:rub.php?idr= inurl:galeri_info.php?l= inurl:tekst.php?idt= inurl:newscat.php?id= inurl:newsticker_info.php?idn= inurl:rubrika.php?idr= inurl:rubp.php?idr= inurl: offer.php?idf= inurl:art.php?idm= inurl:title.php?id= inurl:".php?id=1" inurl:".php?cat=1" inurl:".php?catid= 1" inurl:".php?num=1" inurl:".php?bid=1" inurl:".php?pid=1" inurl:".php?nid=1"

Here is a small list; you can use your own. So, we found a site, for example http://www.vestitambov.ru/
Next, download this program


Click OK. Then we insert the victim site.
We press start. Next we wait for the results.
So, the program found an SQL vulnerability.

Next, download Havij and paste the received link there: http://www.vestitambov.ru:80/index.php?module=group_programs&id_gp= I won't explain how to use Havij and where to download it; it's not difficult to find. That's all. You have received the data you need, the administrator password, and then it's up to your imagination.

P.S. This is my first attempt to write something. Sorry if something is wrong

Any search for vulnerabilities on web resources begins with reconnaissance and information gathering.
Reconnaissance can be either active (brute-forcing the site's files and directories, running vulnerability scanners, manually browsing the site) or passive (searching for information in various search engines). Sometimes a vulnerability becomes known even before opening the first page of the site.

How is this possible?
Search robots, constantly roaming the Internet, record, in addition to information useful to the average user, things that can be used by attackers to attack a web resource: for example, script errors and files with sensitive information (from configuration files and logs to files with authentication data and database backups).
From the point of view of a search robot, an error message from executing an SQL query is plain text, indistinguishable from, for example, the description of products on the page. If a search robot comes across a file with the .sql extension that for some reason ended up in the site's working folder, it will be perceived as part of the site's content and will also be indexed (including, possibly, the passwords specified in it).

Such information can be found by knowing strong, often unique, keywords that help separate "vulnerable pages" from pages that do not contain vulnerabilities.
A huge database of special queries using such keywords (so-called dorks) exists on exploit-db.com and is known as the Google Hack Database.

Why Google?
Dorks are primarily targeted at Google for two reasons:
- the most flexible syntax of keywords (shown in Table 1) and special characters (shown in Table 2);
- the Google index is still more complete than that of other search engines.

Table 1 - Main Google keywords

Keyword
Meaning
Example
site
Search only on the specified site. Only takes into account url
site:somesite.ru - will find all pages on a given domain and subdomains
inurl
Search by words present in the uri. Unlike cl. words “site”, searches for matches after the site name
inurl:news - finds all pages where the given word appears in the uri
intext
Search in the body of the page
intext:”traffic jams” - completely similar to the usual request for “traffic jams”
intitle
Search in the page title. Text between tags <br></td> <td width="214">intitle:”index of” - will find all pages with directory listings <br></td> </tr><tr><td width="214">ext <br></td> <td width="214">Search for pages with a specified extension <br></td> <td width="214">ext:pdf - finds all pdf files <br></td> </tr><tr><td width="214">filetype <br></td> <td width="214">Currently, completely similar to class. the word “ext” <br></td> <td width="214">filetype:pdf - similar <br></td> </tr><tr><td width="214">related <br></td> <td width="214">Search for sites with similar topics <br></td> <td width="214">related:google.ru - will show its analogues <br></td> </tr><tr><td width="214">link <br></td> <td width="214">Search for sites that link to this <br></td> <td width="214">link:somesite.ru - will find all sites that have a link to this <br></td> </tr><tr><td width="214">define <br></td> <td width="214">Show word definition <br></td> <td width="214">define:0day - definition of the term <br></td> </tr><tr><td width="214">cache <br></td> <td width="214">Show page contents in cache (if present) <br></td> <td width="214">cache:google.com - will open a cached page <br></td> </tr></tbody></table><p>Table 2 - Special characters for Google queries <br></p><table><tbody><tr><td width="214"><b>Symbol</b><br></td> <td width="214"><b>Meaning</b><br></td> <td width="214"><b>Example</b><br></td> </tr><tr><td width="214">“<br></td> <td width="214">Exact phrase <br></td> <td width="214">intitle:“RouterOS router configuration page” - search for routers <br></td> </tr><tr><td width="214">*<br></td> <td width="214">Any text <br></td> <td width="214">inurl: “bitrix*mcart” - search for sites on bitrix with a vulnerable mcart module <br></td> </tr><tr><td width="214">.<br></td> <td width="214">Any character <br></td> <td width="214">Index.of - similar to the index of request <br></td> </tr><tr><td width="214">-<br></td> <td width="214">Delete a word <br></td> <td width="214">error -warning - 
show all pages that have an error but no warning <br></td> </tr><tr><td width="214">..<br></td> <td width="214">Range <br></td> <td width="214">cve 2006..2016 - show vulnerabilities by year starting from 2006 <br></td> </tr><tr><td width="214">|<br></td> <td width="214">Logical "or" <br></td> <td width="214">linux | windows - show pages where either the first or second word occurs <br></td> </tr></tbody></table><br>It is worth understanding that any request to <a href="https://uptostart.ru/en/pyat-samyh-populyarnyh-poiskovyh-sistem-kakimi-poiskovikami-polzuyutsya/">search engine</a>- This is a word search only. <br>It is useless to look for meta-characters on the page (quotes, parentheses, punctuation marks, etc.). Even a search for the exact phrase specified in quotation marks is a word search, followed by a search for an exact match in the results. <p>All Google Hack Database dorks are logically divided into 14 categories and are presented in Table 3. <br>Table 3 – Google Hack Database Categories <br></p><table><tbody><tr><td width="168"><b>Category</b><br></td> <td width="190"><b>What allows you to find</b><br></td> <td width="284"><b>Example</b><br></td> </tr><tr><td width="168">Footholds <br></td> <td width="190">Web shells, public file managers <br></td> <td width="284">Find all hacked sites where the listed webshells are uploaded: <br>(intitle:"phpshell" OR intitle:"c99shell" OR intitle:"r57shell" OR intitle:"PHP Shell" OR intitle:"phpRemoteView") `rwx` "uname" <br></td> </tr><tr><td width="168">Files containing usernames <br></td> <td width="190">Registry files, configuration files, logs, files containing the history of entered commands <br></td> <td width="284">Find all registry files containing account information: <br><i>filetype:reg reg +intext:“internet account manager”</i><br></td> </tr><tr><td width="168">Sensitive Directories <br></td> <td width="190">Directories with various information (personal documents, vpn configs, hidden repositories, etc.) 
<br></td> <td width="284">Find all directory listings containing VPN-related files: <br><i>"Config" intitle:"Index of" intext:vpn</i><br>Sites containing git repositories: <br><i>(intext:"index of /.git") ("parent directory")</i><br></td> </tr><tr><td width="168">Web Server Detection <br></td> <td width="190">Version and other information about the web server <br></td> <td width="284">Find JBoss server administrative consoles: <br><i>inurl:"/web-console/" intitle:"Administration Console"</i><br></td> </tr><tr><td width="168">Vulnerable Files <br></td> <td width="190">Scripts containing known vulnerabilities <br></td> <td width="284">Find sites that use a script that allows you to upload an arbitrary file from the server: <br><i>allinurl:forcedownload.php?file=</i><br></td> </tr><tr><td width="168">Vulnerable Servers <br></td> <td width="190">Installation scripts, web shells, open administrative consoles, etc. <br></td> <td width="284">Find open PHPMyAdmin consoles running as root: <br><i>intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"</i><br></td> </tr><tr><td width="168">Error Messages <br></td> <td width="190">Various errors and warnings are often revealing <a href="https://uptostart.ru/en/smartfony-samsung-galaxy-core-2-informaciya-o-drugih-vazhnyh-tehnologiyah-podklyucheniya/">important information</a>- from CMS version to passwords <br></td> <td width="284">Sites that have errors in executing SQL queries to the database: <br><i>"Warning: mysql_query()" "invalid query"</i><br></td> </tr><tr><td width="168">Files containing juicy info <br></td> <td width="190">Certificates, backups, emails, logs, SQL scripts, etc. <br></td> <td width="284">Find initialization sql scripts: <br><i>filetype:sql and “insert into” -site:github.com</i><br></td> </tr><tr><td width="168">Files containing passwords <br></td> <td width="190">Anything that can contain passwords - logs, sql scripts, etc. 
<br></td> <td width="284">Logs mentioning passwords: <br><i>filetype:</i><i>log</i><i>intext:</i><i>password |</i><i>pass |</i><i>pw</i><br>sql scripts containing passwords: <br><i>ext:</i><i>sql</i><i>intext:</i><i>username</i><i>intext:</i><i>password</i><br></td> </tr><tr><td width="168">Sensitive Online Shopping Info <br></td> <td width="190">Information related to online purchases <br></td> <td width="284">Find pincodes: <br><i>dcid=</i><i>bn=</i><i>pin</i><i>code=</i><br></td> </tr><tr><td width="168">Network or vulnerability data <br></td> <td width="190">Information not directly related to the web resource, but affecting the network or other non-web services <br></td> <td width="284">Find scripts <a href="https://uptostart.ru/en/avtomaticheskie-nastroiki-mts-kak-poluchit-avtomaticheskie-nastroiki/">automatic settings</a> proxies containing information about the internal network: <br><i>inurl:proxy | inurl:wpad ext:pac | ext:dat findproxyforurl</i><br></td> </tr><tr><td width="168">Pages containing login portals <br></td> <td width="190">Pages containing login forms <br></td> <td width="284">saplogon web pages: <br><i>intext:"2016 SAP AG. All rights reserved." intitle:"Logon"</i><br></td> </tr><tr><td width="168">Various Online Devices <br></td> <td width="190">Printers, routers, monitoring systems, etc. <br></td> <td width="284">Find the printer configuration panel: <br><i>intitle:"</i><i>hp</i><i>laserjet"</i><i>inurl:</i><i>SSI/</i><i>Auth/</i><i>set_</i><i>config_</i><i>deviceinfo.</i><i>htm</i><br></td> </tr><tr><td width="168">Advisories and Vulnerabilities <br></td> <td width="190">Websites on vulnerable CMS versions <br></td> <td width="284">Find vulnerable plugins through which you can upload an arbitrary file to the server: <br><i>inurl:fckeditor -intext:"ConfigIsEnabled = False" intext:ConfigIsEnabled</i><br></td> </tr></tbody></table><br>Dorks are more often focused on searching across all Internet sites. 
But nothing prevents you from limiting the search scope on any site or sites. <br>Each Google query can be focused on a specific site by adding the keyword “site:somesite.com” to the query. This keyword can be added to any dork. <p><b>Automating the search for vulnerabilities</b><br>This is how the idea was born to write a simple utility that automates the search for vulnerabilities using a search engine (google) and relies on the Google Hack Database.</p><p>The utility is a script written in nodejs using phantomjs. To be precise, the script is interpreted by phantomjs itself. <br>Phantomjs is a full-fledged web browser without a GUI, controlled by js code and with a convenient API. <br>The utility received a quite understandable name - dorks. By launching it in <a href="https://uptostart.ru/en/kak-rabotat-so-skanerom-ai-bolit-iz-komandnoi-stroki-skaner-ai-bolit-poisk/">command line</a>(without options) we get a short help with several examples of use: <br><br><img src='https://i1.wp.com/habrastorage.org/getpro/habr/post_images/edd/6fb/ccc/edd6fbccc5ec340abe750f3073c1b427.jpg' width="100%" loading=lazy loading=lazy><br>Figure 1 - List of main dorks options</p><p>The general syntax of the utility is: dork “command” “option list”. 
<br>A detailed description of all options is presented in Table 4.</p><p>Table 4 - Dorks syntax <br></p><table border="1"><tbody><tr><td width="214"><b>Team</b><br></td> <td width="214"><b>Option</b><br></td> <td width="214"><b>Description</b><br></td> </tr><tr><td rowspan="4" width="214">ghdb <br></td> <td width="214">-l <br></td> <td width="214">Display a numbered list of dork categories Google Hack Database <br></td> </tr><tr><td width="214">-c “category number or name” <br></td> <td width="214">Load doors of the specified category by number or name <br></td> </tr><tr><td width="214">-q "phrase" <br></td> <td width="214">Download dorks found by request <br></td> </tr><tr><td width="214">-o "file" <br></td> <td width="214">Save the result to a file (only with -c|-q options) <br></td> </tr><tr><td rowspan="8" width="214">google <br></td> <td width="214">-d "dork" <br></td> <td width="214">Set an arbitrary dork (the option can be used many times, combination with the -D option is allowed) <br></td> </tr><tr><td width="214">-D "file" <br></td> <td width="214">Use dorks from file <br></td> </tr><tr><td width="214">-s "site" <br></td> <td width="214">Set site (option can be used many times, combination with option -S is allowed) <br></td> </tr><tr><td width="214">-S "file" <br></td> <td width="214">Use sites from a file (dorks will be searched for each site independently) <br></td> </tr><tr><td width="214">-f "filter" <br></td> <td width="214">Set additional keywords (will be added to each dork) <br></td> </tr><tr><td width="214">-t "number of ms" <br></td> <td width="214">Interval between requests to google <br></td> </tr><tr><td width="214">-T "number of ms" <br></td> <td width="214">Timeout if a captcha is encountered <br></td> </tr><tr><td width="214">-o "file" <br></td> <td width="214">Save the result to a file (only those tracks for which something was found will be saved) <br></td> </tr></tbody></table><br>Using the ghdb command, you can get all the dorks from 
exploit-db by arbitrary request, or specify the entire category. If you specify category 0, the entire database will be unloaded (about 4.5 thousand dorks). <p>List of categories available on <a href="https://uptostart.ru/en/kak-opredelit-na-taro-rabotaet-li-chelovek-na-dannyi-moment-kak/">this moment</a> presented in Figure 2. <br><br><img src='https://i2.wp.com/habrastorage.org/getpro/habr/post_images/b8f/b11/ffe/b8fb11ffeaced5066fd2fd9e43be67fb.jpg' width="100%" loading=lazy loading=lazy></p><p>Figure 2 - List of available GHDB dork categories</p><p>The google command will substitute each dork in <a href="https://uptostart.ru/en/pochemu-poyavlyaetsya-ya-ne-robot-chto-delat-esli-poiskovik-google/">Google search engine</a> and the result was analyzed for matches. The paths where something was found will be saved to a file. <br>The utility supports different search modes: <br>1 dork and 1 site; <br>1 dork and many sites; <br>1 site and many dorks; <br>many sites and many dorks; <br>The list of dorks and sites can be specified either through an argument or through a file.</p><p><b>Demonstration of work</b><br>Let's try to look for any vulnerabilities using the example of searching for error messages. By command: dorks ghdb –c 7 –o errors.dorks all known dorks of the “Error Messages” category will be loaded as shown in Figure 3. <br><br><img src='https://i0.wp.com/habrastorage.org/getpro/habr/post_images/28c/386/641/28c386641d1528652f7f8e8b8089097a.jpg' width="100%" loading=lazy loading=lazy><br>Figure 3 – Loading all known dorks of the “Error Messages” category</p><p>Dorks are downloaded and saved to a file. Now all that remains is to “set” them on some site (see Figure 4). 
<br><br><img src='https://i1.wp.com/habrastorage.org/getpro/habr/post_images/8e0/a8a/3af/8e0a8a3af4f26544da1faa584813dbff.jpg' width="100%" loading="lazy"><br>Figure 4 – Searching the Google cache for vulnerabilities of the site of interest</p><p>After some time, several pages containing errors are discovered on the site under study (see Figure 5).</p><p><img src='https://i2.wp.com/habrastorage.org/getpro/habr/post_images/10b/e83/ba3/10be83ba38f172213ba06b3f9ad05a58.jpg' width="100%" loading="lazy"><br>Figure 5 - Error messages found</p><p>As a result, the file result.txt holds the full list of dorks that led to an error. <br>Figure 6 shows the result of the search for site errors. <br><br>Figure 6 – Error search result</p><p>In the cache for this dork, a complete backtrace is displayed, revealing the absolute paths of the scripts, the site's content management system and the database type (see Figure 7). <br><br><img src='https://i2.wp.com/habrastorage.org/getpro/habr/post_images/0a9/455/588/0a9455588496d6609f5e13d598cb5a48.jpg' width="100%" loading="lazy"><br>Figure 7 – Disclosure of information about the site's design</p><p>However, keep in mind that not all dorks from GHDB give true results. Also, Google may not find an exact match and may show a similar result instead.</p><p>In this case, it is wiser to use your own list of dorks. For example, it is always worth looking for files with “unusual” extensions, examples of which are shown in Figure 8. 
<br><br><img src='https://i1.wp.com/habrastorage.org/getpro/habr/post_images/d7f/865/693/d7f865693f7fcf13137598eeed0ecb58.jpg' width="100%" loading="lazy"><br>Figure 8 – List of file extensions that are not typical for a regular web resource</p><p>As a result, with the command dorks google -D extensions.txt -f bank, from the very first request Google begins to return sites with “unusual” file extensions (see Figure 9). <br><br><img src='https://i2.wp.com/habrastorage.org/getpro/habr/post_images/107/e1f/a2f/107e1fa2f41c4169bcc254cba2f2f4b6.jpg' width="100%" loading="lazy"><br>Figure 9 – Search for “bad” file types on banking websites</p><p>Keep in mind that Google does not accept queries longer than 32 words.</p><p>With the command dorks google -d intext:"error|warning|notice|syntax" -f university <br>you can look for PHP interpreter errors on educational websites (see Figure 10). <br><br><img src='https://i0.wp.com/habrastorage.org/getpro/habr/post_images/717/74f/e36/71774fe3656bfc058c42d43262fdec4a.jpg' width="100%" loading="lazy"><br>Figure 10 – Finding PHP runtime errors</p><p>Sometimes one or two categories of dorks are not enough. <br>For example, if it is known that the site runs on the WordPress engine, then WordPress-specific dorks are needed. In this case, it is convenient to use the Google Hack Database search. The command dorks ghdb -q wordpress -o wordpress_dorks.txt downloads all dorks related to WordPress, as shown in Figure 11: <br><br><img src='https://i0.wp.com/habrastorage.org/getpro/habr/post_images/dcb/ac9/a4e/dcbac9a4eb12f6ec775d9cccc2fdee87.jpg' width="100%" loading="lazy"><br>Figure 11 – Search for dorks related to WordPress</p><p>Let's go back to the banks once more and use the command dorks google -D wordpress_dorks.txt -f bank to try to find something interesting related to WordPress (see Figure 12). 
<br><br><img src='https://i0.wp.com/habrastorage.org/getpro/habr/post_images/042/0c2/c43/0420c2c435931704288b171f725ccc6a.jpg' width="100%" loading="lazy"><br>Figure 12 – Search for WordPress vulnerabilities</p><p>Note that the Google Hack Database search does not accept words shorter than 4 characters. Suppose, for example, that the site's CMS is not known but the language is: PHP. In that case you can filter what you need manually using a pipe and the system search utility: dorks -c all | findstr /I php > php_dorks.txt (see Figure 13): <br><br><img src='https://i2.wp.com/habrastorage.org/getpro/habr/post_images/4c1/2f8/6e1/4c12f86e111074293c14d6a939c6ebab.jpg' width="100%" loading="lazy"><br>Figure 13 – Search for all dorks that mention PHP</p><p>Searching for vulnerabilities or sensitive information through a search engine only makes sense when the site has a substantial index. If a site has only 10-15 pages indexed, searching it this way is pointless. Checking the index size is easy: just enter "site:somesite.com" in the Google search box. An example of a site with an insufficient index is shown in Figure 14. <br><br><img src='https://i1.wp.com/habrastorage.org/getpro/habr/post_images/78e/1db/b4f/78e1dbb4fc78cd422cec311fc2ca9d33.jpg' width="100%" loading="lazy"><br>Figure 14 – Checking the site's index size</p><p>Now for the unpleasant part. From time to time Google may request a captcha; there is nothing you can do about it, you will have to enter it. For example, when searching through the “Error Messages” category (90 dorks), the captcha appeared only once.</p><p>It's worth adding that phantomjs also supports working through a proxy, both http and socks. 
To enable proxy mode, uncomment the corresponding line in dorks.bat or dorks.sh.</p><p>The tool is available as source code.</p> <p>Obtaining private data does not always mean hacking: sometimes it is simply published publicly. Knowledge of Google's settings and a little ingenuity will let you find a lot of interesting things, from credit card numbers to FBI documents.</p> <h2>WARNING</h2>All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article. <p>Today everything is connected to the Internet, with little concern for restricting access. As a result, a lot of private data becomes prey for search engines. Spider robots are no longer limited to web pages: they index all content available on the Internet and constantly add non-public information to their databases. Finding out these secrets is easy; you just need to know how to ask for them.</p><h2>Looking for files</h2> <p>In capable hands, Google will quickly find everything that is not meant to be found on the Internet, for example personal information and files for official use only. They are often hidden like a key under a doormat: there is no real access restriction, the data simply lies in a back corner of the site where no links lead. The standard Google web interface provides only basic advanced search settings, but even these will be sufficient.</p> <p>To limit a search to files of a certain type in Google you can use two operators: filetype and ext. The first specifies the format that the search engine determined from the file header, the second specifies the file extension, regardless of the file's content. In both cases you only specify the extension. 
Originally the ext operator was useful when a file had no distinctive format signature (for example, for ini and cfg configuration files, which can contain anything). Google's algorithms have since changed, and there is no visible difference between the operators: in most cases the results are the same.</p> <br><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359798_b3e1_filetype_ext.png' width="100%" loading="lazy"><h2>Filtering the results</h2> <p>By default, Google searches for words, and in general any entered characters, in all files on the indexed pages. You can narrow the search to a top-level domain, to a specific site, or by where the search string occurs in the files themselves. For the first two, use the site operator followed by the domain name or the chosen site. For the third, a whole set of operators lets you search service fields and metadata. For example, allinurl finds the given string in the body of the links themselves, allinanchor in text wrapped in an &lt;a name&gt; tag, allintitle in page titles, and allintext in the body of pages.</p> <p>Each operator has a light version with a shorter name (without the prefix all). The difference is that allinurl finds links containing all of the words, while inurl requires only the first of them in the link; the second and subsequent words of the query may appear anywhere on the web page. The inurl operator also differs from the site operator, which has a similar purpose: inurl can find any sequence of characters in the link to the document being searched for (for example, /cgi-bin/), which is widely used to find components with known vulnerabilities.</p> <p>Let's try it in practice. 
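</p>
<p>The operator semantics just described (allinurl versus inurl, site versus inurl, filetype and ext, exclusion with a minus sign) can be modelled locally. What follows is an added example, not code from the article or from Google: a small evaluator that runs such queries against a constructed corpus of hypothetical pages, so the difference between the operators can be seen without sending anything to a search engine. On the defensive side it is a quick way to check which of your own indexed files a given query pattern would single out. All hosts, titles and texts below are invented.</p>

```python
import shlex
from urllib.parse import urlsplit

# Constructed corpus of hypothetical pages; hosts, titles and texts are invented.
PAGES = [
    {"url": "https://www.example.org/cgi-bin/search.cgi",
     "title": "Search", "text": "cgi search form"},
    {"url": "https://docs.example.org/files/report.pdf",
     "title": "Annual report", "text": "staff address list"},
    {"url": "https://www.example.org/personal/index.html",
     "title": "Index of /personal/", "text": "names tutorial address"},
    {"url": "https://other.test/personal/address.xlsx",
     "title": "Contacts", "text": "address phone"},
]


def _host(page):
    return (urlsplit(page["url"]).hostname or "").lower()


def _path(page):
    return urlsplit(page["url"]).path.lower()


# One predicate per field-restricting operator (a substring model of the rules in the text).
FIELD = {
    "site": lambda p, v: _host(p) == v or _host(p).endswith("." + v),
    "inurl": lambda p, v: v in p["url"].lower(),
    "intitle": lambda p, v: v in p["title"].lower(),
    "intext": lambda p, v: v in p["text"].lower(),
    "filetype": lambda p, v: _path(p).endswith("." + v),
}
FIELD["ext"] = FIELD["filetype"]  # the article notes the two now give the same results

# The all* variants additionally confine every bare word of the query to their field.
ALL_OPS = {"allinurl": "inurl", "allintitle": "intitle", "allintext": "intext"}


def parse_query(query):
    """Split a query into (operator, value, negated) triples; bare words get operator None."""
    terms = []
    for tok in shlex.split(query):  # keeps "quoted phrases" together as one token
        negated = tok.startswith("-")
        if negated:
            tok = tok[1:]
        op, sep, val = tok.partition(":")
        op = op.lower()
        if sep and (op in FIELD or op in ALL_OPS):
            terms.append((op, val.lower(), negated))
        else:
            terms.append((None, tok.lower(), negated))
    return terms


def matches(page, query):
    """True when every required term hits and no excluded term does."""
    terms = parse_query(query)
    widen = [ALL_OPS[op] for op, _, _ in terms if op in ALL_OPS]
    anywhere = " ".join((page["url"], page["title"], page["text"])).lower()
    for op, val, negated in terms:
        if op in ALL_OPS:
            hit = FIELD[ALL_OPS[op]](page, val)
        elif op is None:
            # A bare word may occur anywhere, unless an all* operator pins it to a field.
            hit = val in anywhere and all(FIELD[f](page, val) for f in widen)
        else:
            hit = FIELD[op](page, val)
        if hit == negated:  # a required term is missing, or an excluded term is present
            return False
    return True


def search(query, pages=PAGES):
    """Return the URLs of the constructed pages that satisfy the query."""
    return [p["url"] for p in pages if matches(p, query)]


if __name__ == "__main__":
    for q in ("allinurl:personal address",
              "inurl:personal address",
              "site:example.org filetype:pdf",
              'intitle:"Index of /personal/" -names -tutorial'):
        print(f"{q!r:50} -> {search(q)}")
```

<p>Note how <code>allinurl:personal address</code> drops the page whose URL contains only the first word, while <code>inurl:personal address</code> keeps it, and how the exclusion terms empty the <code>Index of</code> result. Google's real tokenisation and ranking are richer than this substring model; the example implements only the containment rules the text describes.</p>
<p>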
We take the allintext filter and make a query that returns a list of credit card numbers and verification codes that expire only in two years (or whenever their owners get tired of feeding everyone).</p><p>Allintext: card number expiration date /2017 cvv <br><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359828_0660_cc_2017.png' width="100%" loading="lazy"></p><p>When you read in the news that a young hacker “hacked into the servers” of the Pentagon or NASA and stole classified information, in most cases it is exactly this basic technique of using Google that is meant. Suppose we are interested in a list of NASA employees and their contact details. Surely such a list exists in electronic form. For convenience or through oversight, it may also sit on the organization's own website. Logically, there will be no links to it, since it is intended for internal use. What words could such a file contain? At a minimum, an “address” field. Testing all these assumptions is easy.</p> <br><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359852_9681_google_inurl.png' width="100%" loading="lazy"><p>Inurl:nasa.gov filetype:xlsx "address"</p> <br><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359864_215b_nasa_address.png' width="100%" loading="lazy"><h2>Making use of bureaucracy</h2> <p>Finds like this are a nice bonus. A truly solid catch comes from a more detailed knowledge of Google's operators for webmasters, of the Network itself, and of the structure of what is being sought. Knowing the details, you can easily filter the results and refine the properties of the files you need in order to obtain truly valuable data from the rest. Amusingly, bureaucracy comes to the rescue here. 
It produces standard wording that is convenient for searching for secret information that accidentally leaked onto the Internet.</p> <p>For example, the Distribution statement marking, mandatory in the US Department of Defense, denotes standardized restrictions on the distribution of a document. The letter A denotes public releases in which there is nothing secret; B means intended for internal use only, C strictly confidential, and so on up to F. The letter X stands apart: it marks particularly valuable information constituting a state secret of the highest level. Let those whose job it is search for such documents; we will limit ourselves to files with the letter C. According to DoD Instruction 5230.24 (DoDI 5230.24), this marking is assigned to documents describing critical technologies that fall under export control. Such carefully protected information can be found on sites in the top-level domain .mil, allocated to the US military.</p><p>"DISTRIBUTION STATEMENT C" inurl:navy.mil <br><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359886_8f3e_distribution_c.jpg' width="100%" loading="lazy"></p><p>It is very convenient that the .mil domain contains only sites of the US Department of Defense and its contractors. Search results restricted to this domain turn out exceptionally clean, and the titles speak for themselves. Searching for Russian secrets this way is practically useless: chaos reigns in the .ru and .рф domains, and the names of many weapons systems sound botanical (the PP “Kiparis”, the “Akatsia” self-propelled gun) or even fairy-tale-like (the TOS “Buratino”).</p> <br><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359901_5076_th-57c.jpg' width="100%" loading="lazy"><p>By carefully studying any document from a site in the .mil domain, you can spot other markers to refine your search. 
For example, a reference to the export restrictions of “Sec 2751”, which is also convenient for searching for interesting technical information. From time to time such documents are removed from the official sites where they once appeared, so if you cannot open an interesting link from the search results, use Google's cache (the cache operator) or the Internet Archive.</p> <h2>Climbing into the clouds</h2> <p>Besides accidentally declassified government documents, Google's cache occasionally turns up links to personal files from Dropbox and other storage services that create “private” links to publicly accessible data. Things are even worse with alternative and home-made services. For example, the following query finds data for all Verizon customers who have an FTP server enabled on their router and actively use it.</p><p>Allinurl:ftp://verizon.net</p><p>There are now more than forty thousand such clever people, and in the spring of 2015 there were many more. Instead of verizon.net you can substitute the name of any well-known provider, and the better known it is, the larger the catch may be. Through the router's built-in FTP server you can see the files on an external drive connected to it. Usually this is a NAS for remote work, a personal cloud, or some kind of peer-to-peer download storage. All contents of such media are indexed by Google and other search engines, so files stored on the external drives can be reached by a direct link.</p> <p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359919_7cea_allinurl_verizon_ftp.png' width="100%" loading="lazy"></p> <h2>Looking at the configs</h2> <p>Before the mass migration to the cloud, simple FTP servers ruled as remote storage, and they had plenty of vulnerabilities, many of which are still relevant today. For example, the popular WS_FTP Professional program stores configuration data, user accounts and passwords in the ws_ftp.ini file. 
It is easy to find and read, since all records are saved as text, and the passwords are encrypted with the Triple DES algorithm after minimal obfuscation. In most versions, simply discarding the first byte is sufficient.</p> <p><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359934_1d8d_ws_ftp-pwd.png' width="100%" loading="lazy"></p> <p>Such passwords are easy to decrypt with the WS_FTP Password Decryptor utility or a free web service.</p> <p><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359947_3060_ws_ftp-pwd_found.png' width="100%" loading="lazy"></p> <p>When people talk about hacking an arbitrary website, they usually mean obtaining a password from logs and backups of configuration files of a CMS or e-commerce application. If you know their typical structure, you can easily pick the keywords. Lines like those found in ws_ftp.ini are extremely common. For example, Drupal and PrestaShop always have a user identifier (UID) and a corresponding password (pwd), and all this information is stored in files with the .inc extension. You can search for them as follows:</p><p>"pwd=" "UID=" ext:inc</p><h2>Revealing DBMS passwords</h2> <p>In the configuration files of SQL servers, user names and email addresses are stored in clear text, and instead of passwords their MD5 hashes are recorded. Strictly speaking, these cannot be decrypted, but a match can be looked up among known hash-password pairs.</p> <p><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359963_9e67_sql_code.png' width="100%" loading="lazy"></p> <p>There are still DBMSs that do not even use password hashing. 
The configuration files of any of them can simply be viewed in the browser.</p><p>Intext:DB_PASSWORD filetype:env</p><p><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359975_d137_env.png' width="100%" loading="lazy"></p> <p>With the advent of Windows servers, the place of configuration files was partly taken by the registry. Its branches can be searched in exactly the same way, using reg as the file type. For example, like this:</p><p>Filetype:reg HKEY_CURRENT_USER "Password"=</p><p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359995_2ecf_reg.png' width="100%" loading="lazy"></p> <h2>Let's not forget the obvious</h2> <p>Sometimes classified information can be reached through data that was accidentally left open and caught in Google's field of view. The ideal case is finding a list of passwords in some common format. Only desperate people store account details in a text file, a Word document or an Excel spreadsheet, but there are always enough of them.</p><p>Filetype:xls inurl:password</p><p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360015_16e4_xls.png' width="100%" loading="lazy"></p> <p>On the one hand, there are plenty of means to prevent such incidents: set adequate access rights in htaccess, patch the CMS, avoid dubious scripts and close other holes. 
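</p>
<p>A practical counterpart to the queries above, from the other side of the fence: before a site goes live, walk its document root and flag the very files those queries hunt for. The script below is an added example written for this article, not the article's own code or any product's; the sample web root it builds in a temporary directory, and every credential value in it, is constructed. The extension list and content markers come from the queries in this section (DB_PASSWORD in .env files, UID/pwd pairs in .inc files, ws_ftp.ini, "Password"= in exported .reg files, spreadsheets named after passwords); treat them as a starting point rather than a complete list.</p>

```python
import re
import tempfile
from pathlib import Path

# Extensions the article calls untypical for a public web resource (assumed list; extend it).
SUSPECT_EXTENSIONS = {".env", ".inc", ".ini", ".cfg", ".reg", ".pcf", ".bak", ".sql", ".log"}

# Content markers drawn from the queries in this section; the labels are our own.
CONTENT_MARKERS = {
    "db_password": re.compile(r"^\s*DB_PASSWORD\s*=", re.I | re.M),             # .env files
    "uid_and_pwd": re.compile(r"\bUID=.*\bpwd=|\bpwd=.*\bUID=", re.I | re.S),   # CMS .inc files
    "registry_password": re.compile(r'"Password"\s*=', re.I),                  # exported .reg hives
    "ws_ftp_profile": re.compile(r"^\s*PWD=", re.I | re.M),                     # WS_FTP ws_ftp.ini
}
# File names that advertise their content (matched against the name without extension).
NAME_MARKERS = ("password", "passwd", "credentials")


def audit_web_root(root):
    """Return sorted (relative_path, reason) pairs for files that look like credential leaks."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        # pathlib gives dotfiles such as ".env" an empty suffix, so treat the name as the extension.
        ext = path.suffix.lower() or (path.name.lower() if path.name.startswith(".") else "")
        if ext in SUSPECT_EXTENSIONS:
            reasons.append(f"extension {ext}")
        if any(m in path.stem.lower() for m in NAME_MARKERS):
            reasons.append("credential-like file name")
        try:
            body = path.read_text(errors="replace")  # binaries are decoded loosely, not skipped
        except OSError:
            body = ""
        for label, pattern in CONTENT_MARKERS.items():
            if pattern.search(body):
                reasons.append(f"contains {label}")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), "; ".join(reasons)))
    return sorted(findings)


def build_sample_root():
    """Create a constructed document root in a temporary directory (all values are placeholders)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html").write_text("<h1>Hello</h1>\n")
    (root / ".env").write_text("APP_ENV=prod\nDB_PASSWORD=placeholder-not-a-real-secret\n")
    (root / "config").mkdir()
    (root / "config" / "settings.inc").write_text("<?php $cfg = 'UID=app; pwd=placeholder';\n")
    (root / "config" / "ws_ftp.ini").write_text("[site1]\nHOST=ftp.example.test\nPWD=V0123456789\n")
    (root / "export").mkdir()
    (root / "export" / "backup.reg").write_text(
        "Windows Registry Editor Version 5.00\n\n"
        '[HKEY_CURRENT_USER\\Software\\Example]\n"Password"="placeholder"\n')
    (root / "export" / "passwords.xls").write_bytes(b"\xd0\xcf\x11\xe0 placeholder spreadsheet")
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG placeholder")
    return root


if __name__ == "__main__":
    for rel, why in audit_web_root(build_sample_root()):
        print(f"{rel:28} {why}")
```

<p>Anything the audit reports should be removed or moved outside the document root and its credentials rotated; restricting it with access rules is second best, and merely asking crawlers to skip it is not protection at all, since a crawler that ignores the request, or any visitor who has the URL, can still fetch the file.</p>
<p>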
There is also the robots.txt file with a list of exceptions, which forbids search engines from indexing the files and directories listed in it. On the other hand, if the structure of robots.txt on some server differs from the standard one, it immediately becomes clear what they are trying to hide there.</p> <p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360029_5da8_robots.png' width="100%" loading="lazy"></p> <p>A directory listing on any site is preceded by the standard “Index of”. Since for service purposes it has to appear in the title, it makes sense to restrict the search to the intitle operator. Interesting things live in the /admin/, /personal/, /etc/ and even /secret/ directories.</p> <p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360054_2a7b_indexof.png' width="100%" loading="lazy"></p> <h2>Stay tuned for updates</h2> <p>Relevance is extremely important here: old vulnerabilities are closed very slowly, but Google and its search results are constantly changing. There is even a difference between a “last second” filter (&tbs=qdr:s at the end of the request URL) and a “real time” filter (&tbs=qdr:1).</p> <p>Google also implicitly indicates the time of a file's last update. Through the graphical web interface you can select one of the standard periods (hour, day, week, etc.) or set a date range, but this method is not suited to automation.</p> <p>From the look of the address bar you can guess a way to limit the output using the &tbs=qdr: construction. The letter y after it sets a limit of one year (&tbs=qdr:y), m shows results for the last month, w for the week, d for the past day, h for the last hour, n for the minute, and s for the second. 
The most recent results, which have only just become known to Google, are found with the &tbs=qdr:1 filter.</p> <p>If you need to write a clever script, it is useful to know that a date range is set in Google in Julian format using the daterange operator. For example, this is how to find PDF documents containing the word confidential that were uploaded between January 1 and July 1, 2015.</p><p>Confidential filetype:pdf daterange:2457024-2457205</p><p>The range is given as Julian dates without the fractional part. Converting them by hand from the Gregorian calendar is inconvenient; it is easier to use a date converter.</p> <h2>Targeting and filtering again</h2> <p>Besides specifying additional operators in the search query, they can be passed directly in the URL. For example, the filetype:pdf specification corresponds to the construction as_filetype=pdf. This makes it convenient to add any refinement. Say, output of results only from the Republic of Honduras is requested by adding cr=countryHN to the search URL, and only from the city of Bobruisk by gcs=Bobruisk. The complete list is in the developer section.</p> <p>Google's automation tools are designed to make life easier, but they often add problems. For example, a user's IP address is used to determine their city via WHOIS. Based on this, Google not only balances load between servers but also changes the search results. Depending on the region, the same query will show different results on the first page, and some may be hidden completely. The two-letter code after the gl=country directive lets you feel like a cosmopolitan and search for information as from any country. 
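</p>
<p>The daterange query earlier in this section uses Julian Day Numbers, and the text recommends a converter. Here is one as an added example (not the article's code): a Gregorian-to-JDN conversion and its inverse, plus helpers that build a daterange token and read one back, which is useful when reviewing what span of your own site's index a date-bounded query covers. The numbers in the article's own query, 2457024 and 2457205, serve as the check.</p>

```python
from datetime import date


def _as_date(value):
    """Accept either a date object or an ISO string such as '2015-01-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def julian_day_number(value):
    """Integer Julian Day Number of a Gregorian date (Fliegel and Van Flandern's integer formula)."""
    d = _as_date(value)
    a = (14 - d.month) // 12          # 1 for January and February, else 0
    y = d.year + 4800 - a             # years counted from 4800 BC, March-based
    m = d.month + 12 * a - 3          # March = 0 ... February = 11
    return d.day + (153 * m + 2) // 5 + 365 * y + y // 4 - y // 100 + y // 400 - 32045


def from_julian_day_number(jdn):
    """Inverse conversion: integer JDN back to a Gregorian date (standard integer algorithm)."""
    a = jdn + 32044
    b = (4 * a + 3) // 146097         # completed 400-year cycles
    c = a - 146097 * b // 4
    d = (4 * c + 3) // 1461           # completed 4-year cycles within the 400-year cycle
    e = c - 1461 * d // 4
    m = (5 * e + 2) // 153            # month counted from March
    day = e - (153 * m + 2) // 5 + 1
    month = m + 3 - 12 * (m // 10)
    year = 100 * b + d - 4800 + m // 10
    return date(year, month, day)


def daterange_operator(start, end):
    """Build Google's daterange:START-END token for an inclusive Gregorian date range."""
    start, end = _as_date(start), _as_date(end)
    if end < start:
        raise ValueError("end date precedes start date")
    return f"daterange:{julian_day_number(start)}-{julian_day_number(end)}"


def decode_daterange(token):
    """Turn 'daterange:2457024-2457205' back into a (start, end) pair of dates."""
    prefix, _, span = token.partition(":")
    if prefix != "daterange":
        raise ValueError("not a daterange token")
    lo, hi = (int(x) for x in span.split("-", 1))
    return from_julian_day_number(lo), from_julian_day_number(hi)


if __name__ == "__main__":
    print(daterange_operator("2015-01-01", "2015-07-01"))   # daterange:2457024-2457205
    print(decode_daterange("daterange:2457024-2457205"))
```

<p>Both directions are exact integer arithmetic, so they hold for any Gregorian date; the inverse is handy for reading back the range from a query you did not write yourself.</p>
<p>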
The gl= code for the Netherlands, for example, is NL, while the Vatican and North Korea have no code of their own in Google.</p> <p>Often the search results remain cluttered even after several advanced filters. In that case it is easy to refine the query by adding a few exclusion words (each preceded by a minus sign). For example, banking, names and tutorial are often used together with the word Personal. So cleaner results come not from the textbook query but from a refined one:</p><p>Intitle:"Index of /Personal/" -names -tutorial -banking</p><h2>One last example</h2> <p>A sophisticated hacker is distinguished by providing himself with everything he needs on his own. For example, a VPN is a convenient thing, but it is either expensive, or temporary and restricted. Subscribing for yourself alone is too expensive. Fortunately there are group subscriptions, and with Google's help it is easy to become part of a group. To do this, just find a Cisco VPN configuration file, which has a rather non-standard PCF extension and a recognizable path: Program Files\Cisco Systems\VPN Client\Profiles. One query and you join, for example, the friendly team of the University of Bonn.</p><p>Filetype:pcf vpn OR Group</p><p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360077_d28b_vpn.png' width="100%" loading="lazy"></p> <h2>INFO</h2>Google finds configuration files with passwords, but many of them are encrypted or replaced with hashes. If you see strings of fixed length, look straight away for a decryption service. <br><p>The passwords are stored encrypted, but Maurice Massard has already written a program to decrypt them and provides it for free through thecampusgeeks.com.</p> <p>Google helps with hundreds of different kinds of attacks and penetration tests. 
There are many options, affecting popular programs, major database formats, numerous PHP vulnerabilities, clouds and so on. Knowing exactly what you are looking for makes it much easier to find the information you need (especially information that was never meant to be public). It is not only Shodan that provides interesting ideas, but every database of indexed network resources! <br></p> </div> <span style="display:none" class="updated">2016-05-11</span> </div> </article> </div> </div> </div> </div> </div> </body> </html>