About dorks, or for all lovers of private dorks. Using little-known Google functions to find hidden treasure

Run the downloaded file by double-clicking it (you need to have a virtual machine installed).

3. Anonymity when checking the site for SQL injections

Setting up Tor and Privoxy in Kali Linux

[Section under development]

Setting up Tor and Privoxy on Windows

[Section under development]

jSQL Injection proxy settings

[Section under development]

4. Checking the site for SQL injection with jSQL Injection

Working with the program is extremely simple. Just enter the site address and press ENTER.

The following screenshot shows that the site is vulnerable to three types of SQL injections at once (information about them is indicated in the lower right corner). By clicking on the names of the injections, you can switch the method used:

The existing databases are also displayed right away.

You can see the contents of each table:

Usually, the most interesting part of the tables is the administrator credentials.

If you are lucky and have found the administrator's data, it is still too early to rejoice. You also need to find the admin panel where these credentials can be entered.

5. Search for admins with jSQL Injection

To do this, go to the next tab. Here we are met by a list of possible addresses. You can select one or more pages to check:

The convenience is that you do not need to use other programs.

Unfortunately, there are not very many careless programmers who store passwords in clear text. Quite often in the password string we see something like

8743b52063cd84097a65d1633f5c74f5

This is a hash. It can be recovered by brute force. And… jSQL Injection has a built-in brute-forcer.

6. Brute-forcing hashes with jSQL Injection

An undoubted convenience is that you do not need to look for other programs. Many of the most popular hash types are supported.

This is not the best option. To become a guru at cracking hashes, the book "" (in Russian) is recommended.

But, of course, when there is no other program at hand or there is no time to study, jSQL Injection with a built-in brute-force function will come in handy.

There are settings: you can set which characters are included in the password and the password length range.

7. File operations after SQL injection detection

In addition to operations on databases (reading and modifying them), when an SQL injection is detected the following file operations can be performed:

  • reading files on the server
  • uploading new files to the server
  • uploading shells to the server

And all this is implemented in jSQL Injection!

There is a limitation: the SQL server must have the FILE privilege. Reasonable system administrators disable it, and then the file system cannot be accessed.

The presence of the FILE privilege is easy enough to check. Go to one of the tabs (reading files, creating a shell, uploading a new file) and try to perform one of the indicated operations.

Another very important note: we need to know the exact absolute path of the file we will work with, otherwise nothing will work.

Look at the following screenshot:

Any attempt to operate on a file is answered with: No FILE privilege. Nothing can be done here.

If instead you have another error:

Problem writing into [directory_name]

This means that you incorrectly specified the absolute path where you want to write the file.

To guess an absolute path, one must at least know the operating system the server is running on. To do this, switch to the Network tab.

An entry like this (the string Win64) gives us reason to assume that we are dealing with Windows:

Keep-Alive: timeout=5, max=99
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
Method: HTTP/1.1 200 OK
Content-Length: 353
Date: Fri, 11 Dec 2015 11:48:31 GMT
X-Powered-By: PHP/7.0.0RC6
Content-Type: text/html; charset=UTF-8

Here we have some Unix (*BSD, Linux):

Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 11:57:02 GMT
Method: HTTP/1.1 200 OK
Keep-Alive: timeout=3, max=100
Connection: keep-alive
Content-Type: text/html
X-Powered-By: PHP/5.3.29
Server: Apache/2.2.31 (Unix)

And here we have CentOS:

Method: HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/
Connection: keep-alive
X-Cache-Lookup: MISS from t1.hoster.ru:6666
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.37
X-Cache: MISS from t1.hoster.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Date: Fri, 11 Dec 2015 12:08:54 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=WINDOWS-1251
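A defender-side check built from the header samples above, added here as an example (it is not part of the original article or of jSQL Injection): it parses raw response headers and reports what the Server and X-Powered-By banners give away. The three header blocks are the page's samples re-typed one header per line, the hardened block and the OS token table are constructed assumptions.

```python
import re

# Constructed sample input: the page's three header blocks, one header per line.
WINDOWS_HEADERS = """\
Keep-Alive: timeout=5, max=99
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
Content-Length: 353
Date: Fri, 11 Dec 2015 11:48:31 GMT
X-Powered-By: PHP/7.0.0RC6
Content-Type: text/html; charset=UTF-8
"""

UNIX_HEADERS = """\
Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 11:57:02 GMT
Keep-Alive: timeout=3, max=100
Connection: keep-alive
Content-Type: text/html
X-Powered-By: PHP/5.3.29
Server: Apache/2.2.31 (Unix)
"""

CENTOS_HEADERS = """\
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.37
Content-Type: text/html; charset=WINDOWS-1251
"""

# Constructed: what the same server sends with Apache's "ServerTokens Prod"
# and PHP's "expose_php = Off" (no version, no platform, no X-Powered-By).
HARDENED_HEADERS = """\
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

# Assumed platform tokens as Apache prints them inside the Server banner parentheses.
OS_TOKENS = {
    "win64": "Windows", "win32": "Windows",
    "centos": "CentOS", "debian": "Debian", "ubuntu": "Ubuntu",
    "red hat": "Red Hat", "fedora": "Fedora", "freebsd": "FreeBSD", "unix": "Unix",
}

# product/version pairs such as Apache/2.4.17 or PHP/7.0.0RC6
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue                      # skip status lines and junk
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(headers):
    """List of (header, detail) pairs describing what the banners disclose."""
    findings = []
    server = headers.get("server", "")
    powered = headers.get("x-powered-by", "")
    for hdr, value in (("Server", server), ("X-Powered-By", powered)):
        for product, version in VERSION_RE.findall(value):
            findings.append((hdr, f"version disclosed: {product} {version}"))
    # The operating system is hinted by the platform token in the Server banner.
    for token, os_name in OS_TOKENS.items():
        if token in server.lower():
            findings.append(("Server", f"operating system disclosed: {os_name}"))
            break
    return findings


def guess_os(headers):
    """Operating system implied by the Server header, or None if nothing leaks."""
    for hdr, detail in banner_findings(headers):
        if hdr == "Server" and detail.startswith("operating system"):
            return detail.split(": ", 1)[1]
    return None


if __name__ == "__main__":
    for label, raw in (("windows", WINDOWS_HEADERS), ("unix", UNIX_HEADERS),
                       ("centos", CENTOS_HEADERS), ("hardened", HARDENED_HEADERS)):
        hdrs = parse_headers(raw)
        print(label, guess_os(hdrs), banner_findings(hdrs))
```

An empty findings list is the state an administrator wants to reach: the attacker-side guess of the OS described above then has nothing to go on.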

On Windows, a typical site folder is C:\Server\data\htdocs\. But in fact, if someone "thought" of running a server on Windows, then very likely this person has not heard anything about privileges. Therefore, you should start trying directly from the C:\Windows\ directory:

As you can see, everything went perfectly the first time.

But the jSQL Injection shells themselves raise my doubts. If you have file privileges, then you may well upload something with a web interface.

8. Bulk checking sites for SQL injections

And jSQL Injection has this feature too. Everything is extremely simple: upload a list of sites (it can be imported from a file), select those you want to check and click the appropriate button to start the operation.

Conclusions on jSQL Injection

jSQL Injection is a good, powerful tool for finding and then exploiting SQL injections on sites. Its undoubted advantages: ease of use and built-in related functions. jSQL Injection can be a beginner's best friend when analysing websites.

Of the shortcomings, I would note the impossibility of editing databases (at least I did not find this functionality). As with all tools with a graphical interface, the inability to use it in scripts can be counted among the disadvantages of this program. Nevertheless, some automation is possible in this program too, thanks to the built-in mass site check function.

jSQL Injection is much more convenient to use than sqlmap. But sqlmap supports more kinds of SQL injection, has options for dealing with firewalls, and some other features.

Bottom line: jSQL Injection is a novice hacker's best friend.

Help for this program in the Kali Linux Encyclopedia can be found on this page: http://kali.tools/?p=706

Inheritance is an object-oriented programming mechanism that allows you to describe a new class based on an existing (parent) class.

A class that is derived from another is called a subclass. This relationship is usually described using the terms "parent" and "child". The child class is derived from the parent and inherits its characteristics: properties and methods. Typically, a subclass adds new functionality to the functionality of the parent class (also called the superclass).

To create a subclass, you must use the extends keyword in the class declaration, followed by the name of the class from which you want to inherit:

<?php
// declare the parent class (its opening lines were lost in extraction and are restored here)
class Cat {
    public $age;
    function __construct($age) {
        $this->age = $age;
    }
    function add_age() {
        $this->age++;
    }
}
// declare an inherited class
class my_Cat extends Cat {
    // define our own subclass method
    function sleep() {
        echo "<br>Zzzzz...";
    }
}
$kitty = new my_Cat(10);
// call the inherited method
$kitty->add_age();
// read the value of the inherited property
echo $kitty->age;
// call the subclass's own method
$kitty->sleep();
?>

A subclass inherits access to all methods and properties of the parent class, since they are public. This means that for instances of the my_Cat class we can call the add_age() method and access the $age property, even though they are defined in the Cat class. Also, in the above example the subclass does not have its own constructor. If the subclass does not declare its own constructor, then when instances of the subclass are created the superclass constructor is called automatically.

Note that subclasses can override properties and methods. By defining a subclass, we ensure that its instance is determined by the characteristics of the child class first and then the parent class. To better understand this, consider an example:

<?php
class Cat {
    public $age = 5;   // the parent class head was lost in extraction; the value 5 is assumed
    function foo() {
        echo "Age: $this->age";
    }
}
class my_Cat extends Cat {
    public $age = 10;
}
$kitty = new my_Cat;
$kitty->foo();
?>

When $kitty->foo() is called, the PHP interpreter cannot find such a method in the my_Cat class, so the implementation of this method given in the Cat class is used. However, the subclass defines its own $age property, so when it is accessed in the $kitty->foo() method, the PHP interpreter finds this property in the my_Cat class and uses it.

Since we have already covered specifying the type of arguments, it remains to be said that if the parent class is specified as the type, then all of its descendants can also be passed to the method. Look at the following example:

<?php
// the class declarations were lost in extraction and are restored here
class Cat {
    public $age = 5;
    // the parent class is given as the argument type, so any descendant is accepted
    function foo(Cat $obj) {
        echo "Age: $obj->age";
    }
}
class my_Cat extends Cat {
    public $age = 10;
}
$kitty = new Cat;
$kitty->foo(new my_Cat);
?>

We can treat an instance of the my_Cat class as if it were an object of type Cat, i.e. we can pass an object of type my_Cat to the foo() method of the Cat class and everything will work as it should.

parent statement

In practice, subclasses may need to extend the functionality of parent class methods. By extending functionality by overriding superclass methods, subclasses retain the ability to first execute the parent class's code and then add code that implements additional functionality. Let's see how this can be done.

To call the desired method of the parent class, you need to refer to that class itself. PHP provides the parent keyword for this purpose. The parent keyword allows subclasses to access methods (and constructors) of the parent class and add to their existing functionality. To refer to a method in the context of a class, the symbols "::" (two colons) are used. The syntax is:

parent::parent_class_method

This construct will call the method defined in the superclass. Following such a call, you can place your own program code that will add new functionality:

<?php
// the parent class head was lost in extraction and is restored here
class book {
    public $title;
    public $price;
    function __construct($title, $price) {
        $this->title = $title;
        $this->price = $price;
    }
}
class new_book extends book {
    public $pages;
    function __construct($title, $price, $pages) {
        // call the constructor method of the parent class
        parent::__construct($title, $price);
        // initialize the property defined in the subclass
        $this->pages = $pages;
    }
}
$obj = new new_book("abc", 35, 500);
echo "Book: $obj->title<br>Price: $obj->price<br>Pages: $obj->pages";
?>

When a child class defines its own constructor, PHP does not automatically call the parent class constructor. This must be done manually in the subclass constructor. In its constructor, the subclass first calls the constructor of its parent class, passing the arguments needed for initialization, and then executes the code that implements the additional functionality, in this case initializing the subclass's own property.

The parent keyword can be used not only in constructors but in any other method whose functionality you want to extend; you achieve this by calling the parent class method:

<?php
class Cat {
    public $name = "Tom";   // the parent class head was lost in extraction; the name is assumed
    function getstr() {
        $str = "Name: ($this->name).";
        return $str;
    }
}
class my_Cat extends Cat {
    public $age = 5;
    function getstr() {
        // first run the parent's version, then extend its result
        $str = parent::getstr();
        $str .= "<br>Age: ($this->age) years.";
        return $str;
    }
}
$obj = new my_Cat;
echo $obj->getstr();
?>

Here, the getstr() method of the superclass is called first, its return value is assigned to a variable, and then the rest of the code defined in the subclass method is executed.

Now that we've covered the basics of inheritance, we can finally look at the visibility of properties and methods.

public, protected and private: access control

Up to this point, we have explicitly declared all properties as public. This type of access is also the default for all methods.

Class members can be declared as public, protected or private. Let's look at the difference between them:

  • public properties and methods can be accessed from any context.
  • protected properties and methods can be accessed either from the containing class or from a subclass of it. No external code is allowed to access them.
  • You can make class data inaccessible to the calling program with the keyword private. Such properties and methods can only be accessed from within the class in which they are declared. Even subclasses of this class do not have access to such data.

public - public access:

<?php
// the class head was lost in extraction and is restored here
class human {
    public $age = 5;
    function say() {
        echo "<br>hello";
    }
}
$obj = new human;
// access from the caller
echo "$obj->age";   // Valid
$obj->say();        // Valid
?>

private - access only from class methods:

<?php
// the class head was lost in extraction and is restored here
class human {
    private $age = 5;
    function say() {
        echo "<br>$this->age";
    }
}
$obj = new human;
// no access to private data directly from the caller
echo "$obj->age";   // Error! access denied!
// however, private data can be output by a method of the class
$obj->say();        // Valid
?>

protected - protected access:

The protected modifier looks exactly like the private modifier from the point of view of the calling program: it prohibits access to the object's data from outside. However, unlike private, it allows you to access data not only from the methods of its class, but also from the methods of a subclass.

Leaked

Hi all guys!
I want to say right away that I am not a deep specialist in this field; there are people who are smarter and have deeper knowledge. For me personally, it's a hobby. But there are people who know less than me. First of all, the material is not designed for complete fools, but you don't need to be a super pro to understand it.
Many of us are used to thinking that a dork is a vulnerability. Alas, you were mistaken: in essence, a dork is a search query sent to a search engine.
That is, the string index.php?id= is a dork,
but the word Shop is also a dork.
In order to get what you want, you must be clearly aware of what your requirements for the search engine are. The usual kind of dork, index.php?id=, can be divided into:
index - the key
.php? - a code indicating that you need a site based on PHP
id= - the ID of something on the site
id=2 - in our case 2 indicates with which parameter value the identifier should be parsed.
If you write index.php?id=2, then there will only be sites where id=2; in case of a mismatch, the site will be filtered out. For this reason, writing an exact value of the identifier makes no sense, since it can be 1, 2, 3, 4, 5 and so on ad infinitum.
If you decide to create an exact dork, say for Steam, then it makes sense to give it this look:
inurl:game* +intext:"csgo"
It will parse the word game* in the site URL (where * is an arbitrary number of characters after the word game; after all, it can be games and the like).
It is also worth using an operator such as intitle:
If you see a good gaming site or have a list of vulnerable gaming sites,
it makes sense to use the related: operator for parsing.
For related:, a value in the form of a link to the site is suitable

related: ***
It will find all sites that, from the point of view of the search engine, are similar to the specified one.
Remember: a dork is parsing; it is not a hole.
A hole is a vulnerability that is detected by a scanner based on what you have parsed.
I personally don't recommend using a large number of prefixes (search operators) when you work without proxies.
I'll tell you about the method of creating private dorks for a country.
In order to create a dork like index.php?id= we have to break it down:
index - we will replace it with an arbitrary word
.php?id= - will be our dork code
There is no point in inventing a new code, because many sites are stable on the same codes and engines and will continue to be. List of codes:


We will use these codes for the dork generator.
We go to Google Translate and translate the list of the most frequently used words into Italian.
We parse the list of words in Italian and insert it into the first column of the dork generator, and put the codes into the second; usually php is a variety of sites, cfm shops, jsp games.
We generate and remove gaps. Private dorks for Italy are ready.
It also makes sense to insert phrases in the same language into the right column, in the style of "remember me, forgot password", instead of site:it
They will parse well, and they will be private if you parse something unique and replace the dork key.
And add "remember me" in the same language; then only sites with databases will come up.
It's all about thinking. Dorks will be of the form name.php?uid=, and all their token will be in a unique key. They will be mixed; the inurl: operator does not need to be applied, since parsing will go without it both in the URL, and in the text, and in the title.
After all, the whole point of a dork is that it can be anything: Steam, a stick, Neteller, or maybe not. Here you need to go for quantity.
There is also the so-called vulnerability parsing.


These dorks look for a vulnerability directly, so use them together with unique words that were hardly parsed before you.

Hacking with Google

Alexander Antipov

The Google search engine (www.google.com) provides many search options. All of these features are an invaluable search tool for a first-time Internet user and, at the same time, an even more powerful weapon of intrusion and destruction in the hands of people with evil intentions, including not only hackers but also non-computer criminals and even terrorists.

Denis Batrankov
denisNOSPAMixi.ru

Attention: This article is not a guide to action. This article is written for you, WEB server administrators, so that you lose the false feeling that you are safe, finally understand the insidiousness of this method of obtaining information, and set about protecting your site.

Introduction

For example, I found 1670 pages in 0.14 seconds!

2. Let's enter another line, for example:

inurl:"auth_user_file.txt"

a little fewer, but this is already enough to download them for free and guess passwords (using the same John the Ripper). Below I will give some more examples.

So, you need to realize that the Google search engine has visited most Internet sites and cached the information on them. This cached information lets you learn about a site and its content without connecting to the site directly, just by digging into the information stored inside Google. Moreover, if information on the site is no longer available, it may still be preserved in the cache. All this method requires is knowing some Google keywords. This technique is called Google Hacking.

Information about Google Hacking first appeared on the Bugtraq mailing list 3 years ago. In 2001, this topic was raised by a French student. Here is a link to that letter: http://www.cotse.com/mailing-lists/bugtraq/2001/Nov/0129.html . It gives the first examples of such queries:

1) Index of /admin
2) Index of /password
3) Index of /mail
4) Index of / +banques +filetype:xls (for france...)
5) Index of / +passwd
6) Index of/password.txt

This topic made a lot of noise in the English-speaking part of the Internet quite recently, after an article by Johnny Long published on May 7, 2004. For a more complete study of Google Hacking, I advise you to visit this author's site, http://johnny.ihackstuff.com. In this article, I just want to bring you up to date.

Who can use it:
- Journalists, spies and all those who like to stick their nose into other people's business can use it to search for compromising material.
- Hackers looking for suitable targets.

How Google works.

To continue the conversation, let me remind you of some of the keywords used in Google queries.

Search using the + sign

Google excludes words it considers unimportant from the search: for example, interrogative words, prepositions and articles in English, such as are, of, where. In Russian, Google seems to consider all words important. If a word is excluded from the search, Google says so. To make Google search for pages containing these words, add a + sign directly before them, with no space before the word. For example:

ace +of base

Search by sign -

If Google finds a large number of pages and you need to exclude those on certain topics, you can force Google to search only for pages that do not contain certain words. To do this, put a - sign directly in front of each such word, with no space before the word. For example:

fishing -vodka

Search with the ~ sign

You may want to look up not only the specified word, but also its synonyms. To do this, precede the word with the symbol ~.

Finding an exact phrase using double quotes

Google searches each page for all occurrences of the words you typed in the query string; it does not care about the relative position of the words, the main thing is that all the specified words are on the page at the same time (this is the default behaviour). To find an exact phrase, put it in quotation marks. For example:

"bookend"

To have at least one of the specified words, you must specify the logical operation explicitly: OR. For example:

book safety OR protection

In addition, you can use the * sign in the search string to stand for any word and the . sign to stand for any character.

Finding words with additional operators

There are search operators that are specified in the search string in the format:

operator:search_term

No spaces are needed next to the colon. If you insert a space after the colon, you will see an error message; if you insert one before it, Google will treat the words as an ordinary search string.

There are groups of additional search operators: language (indicate in which language you want to see the results), date (limit the results to the past three, six or 12 months), occurrences (indicate where in the document to look for the string: everywhere, in the title, in the URL), domains (search only the specified site or, conversely, exclude it from the search), and safe search (block sites containing the specified type of information and remove them from the results pages).

However, some operators do not need an additional parameter; for example, the query "cache:www.google.com" can be used as a complete search string. Some keywords, on the contrary, require a search word, for example "site:www.google.com help". In the light of our topic, let's look at the following operators:

Operator      Description                                                          Requires an additional parameter?
site:         search only on the site specified in search_term                     yes
filetype:     search only in documents of type search_term                         yes
intitle:      find pages containing search_term in the title                       yes
allintitle:   find pages containing all the words of search_term in the title      yes
inurl:        find pages containing the word search_term in their address          yes
allinurl:     find pages containing all the words of search_term in their address  yes

The site: operator limits the search to the specified site, and you can specify not only a domain name but also an IP address. For example, enter:

The filetype: operator restricts the search to files of a certain type. For example:

As of the date of this article, Google can search within 13 different file formats:

  • Adobe Portable Document Format (pdf)
  • Adobe PostScript (ps)
  • Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)
  • Lotus Word Pro (lwp)
  • MacWrite(mw)
  • Microsoft Excel(xls)
  • Microsoft PowerPoint (ppt)
  • Microsoft Word (doc)
  • Microsoft Works (wks, wps, wdb)
  • Microsoft Write (wri)
  • Rich Text Format (rtf)
  • Shockwave Flash (swf)
  • Text (ans, txt)

The link: operator shows all pages that point to the specified page.
It is always interesting to see how many places on the Internet know about you. Let's try:

The cache: operator shows Google's cached version of the site as it looked when Google last visited the page. Take any frequently changing site and look:

The intitle: operator searches for the specified word in the page title. The allintitle: operator is an extension: it looks for all of the specified words in the page title. Compare:

intitle:flight to mars
intitle:flight intitle:on intitle:mars
allintitle:flight to mars

The inurl: operator makes Google show all pages containing the specified string in the URL. allinurl: searches for all the words in the URL. For example:

allinurl:acid_stat_alerts.php

This query is especially useful for those who don't have SNORT: at least they can see how it works on a real system.

Google Hacking Methods

So, we found out that using a combination of the above operators and keywords, anyone can start collecting the necessary information and looking for vulnerabilities. These techniques are often referred to as Google Hacking.

Site map

You can use the site: operator to see all the links that Google has found on a site. Usually, pages generated dynamically by scripts with parameters are not indexed, so some sites use ISAPI filters so that links take the form /article/abc/num/10/dst/5 with slashes instead of /article.asp?num=10&dst=5. This is done so that the site is indexed by search engines at all.

Let's try:

site:www.whitehouse.gov whitehouse

Google assumes that every page on the site contains the word whitehouse. This is what we use to get all the pages.
There is also a simplified version:

site:whitehouse.gov

And the best part is that the comrades from whitehouse.gov didn't even know that we looked at the structure of their site and even looked into the cached pages that Google downloaded for itself. This can be used to study the structure of sites and view content without being noticed, for the time being.

Listing files in directories

WEB servers can show a listing of a server directory instead of the usual HTML page. This is usually done deliberately, to let users select and download specific files. In many cases, however, administrators have no intention of showing the contents of a directory; it happens because of a server misconfiguration or the absence of an index page in the directory. As a result, a hacker has a chance to find something interesting in the directory and use it for his own purposes. To find all such pages, it is enough to notice that they all contain the words index of in their title. But since not only such pages contain the words index of, we need to refine the query and take into account keywords on the page itself, giving queries like:

intitle:index.of parent directory
intitle:index.of name size

Since most directory listings are intentional, you may have a hard time finding misplaced listings the first time. But at least you can already use the listings to determine the WEB server version, as described below.
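A local evaluator for the operators described above and for the directory-listing queries, added here as an example (not from the article): it applies site:, filetype:, intitle:/allintitle:, inurl:/allinurl:, intext:, quoted phrases, the - exclusion and the . and * wildcards to a constructed crawl of one's own site, so an administrator can see which pages such queries would surface before a search engine does. The sample pages are constructed, and the matching rules are an assumption modelled on the text.

```python
import re
import shlex

# Constructed sample of what a crawler would record for a site (not real pages).
PAGES = [
    {"url": "http://www.example.org/index.html",
     "title": "Example Org - Home",
     "body": "Welcome to Example Org. Read our privacy policy."},
    {"url": "http://www.example.org/backup/",
     "title": "Index of /backup",
     "body": "Index of /backup Name Last modified Size Parent Directory db.sql "
             "Apache/2.2.31 (Unix) Server at www.example.org Port 80"},
    {"url": "http://www.example.org/docs/report.pdf",
     "title": "Annual report",
     "body": "Annual report 2015 revenue figures"},
    {"url": "http://files.other.example/pub/auth_user_file.txt",
     "title": "",
     "body": "admin:$1$constructed"},
]

# Operator -> the page field it restricts the match to (None: handled specially).
OPERATORS = {"site": None, "filetype": None, "intitle": "title",
             "allintitle": "title", "inurl": "url", "allinurl": "url",
             "intext": "body"}


def term_regex(term):
    """One search term as a regex: '.' stands for any single character and
    '*' for any run of characters, as the article describes; case is ignored."""
    pattern = "".join("." if c == "." else ".*" if c == "*" else re.escape(c)
                      for c in term)
    return re.compile(pattern, re.IGNORECASE)


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def field_text(page, field):
    """Text an operator searches; with no field, everything (title, URL, body)."""
    if field is None:
        return " ".join((page["title"], page["url"], page["body"]))
    return page[field]


def parse_query(query):
    """Split a query into (operator, term, negated) triples.  Quoted phrases stay
    whole, a leading '-' negates, '+' is dropped (every term is required here),
    and allintitle:/allinurl: swallow the rest of the query."""
    tokens = shlex.split(query)
    clauses, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        negated = tok.startswith("-")
        tok = tok.lstrip("-+")
        op, sep, term = tok.partition(":")
        if not sep or op not in OPERATORS:
            op, term = "any", tok              # plain word or quoted phrase
        elif not term:
            # "intitle: word": a space after the colon is an error, as the article notes
            raise ValueError(f"operator {op}: needs a parameter with no space after ':'")
        elif op in ("allintitle", "allinurl"):
            term = " ".join([term] + tokens[i + 1:])
            i = len(tokens)
        clauses.append((op, term, negated))
        i += 1
    return clauses


def clause_matches(page, op, term):
    if op == "site":
        host, want = host_of(page["url"]), term.lower()
        return host == want or host.endswith("." + want)
    if op == "filetype":
        path = page["url"].split("?", 1)[0].lower()
        return path.endswith("." + term.lower())
    text = field_text(page, OPERATORS.get(op))
    words = term.split() if op in ("allintitle", "allinurl") else [term]
    return all(term_regex(w).search(text) for w in words)


def evaluate(query, pages=PAGES):
    """URLs of the pages a Google-style query would surface."""
    clauses = parse_query(query)
    return [p["url"] for p in pages
            if all(clause_matches(p, op, term) != neg for op, term, neg in clauses)]


if __name__ == "__main__":
    for q in ('intitle:index.of "parent directory"',
              "intitle:index.of server.at site:example.org",
              "filetype:pdf site:example.org"):
        print(q, "->", evaluate(q))
```

Feeding it a real crawl of your own site (title, URL and body per page) shows which listings and default pages would answer the queries in this section, so they can be removed before anyone else runs them.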

Getting the WEB server version.

Knowing the WEB server version is always helpful before starting any hacker attack. Again, thanks to Google, it is possible to get this information without connecting to the server. If you look carefully at a directory listing, you can see that the name of the WEB server and its version are displayed there.

Apache/1.3.29 - ProXad Server at trf296.free.fr Port 80

An experienced administrator can change this information, but as a rule it is true. Thus, to get this information it is enough to send the query:

intitle:index.of server.at

To get information for a specific server, we refine the request:

intitle:index.of server.at site:ibm.com

Or vice versa, we are looking for servers running on a specific version of the server:

intitle:index.of Apache/2.0.40 Server at

A hacker can use this technique to find a victim: if he has an exploit for a certain version of the web server, he can find servers running that version and try the exploit on them.

You can also get the server version by looking at the pages that are installed by default with a fresh web server. For example, to see the Apache 1.2.6 test page, just type

intitle:Test.Page.for.Apache it.worked!

Moreover, some operating systems install and start a web server during installation, and some users are not even aware of it. Naturally, if you see that someone has not removed the default page, it is logical to assume that the machine has not been configured at all and is probably vulnerable to attack.

Try looking for IIS 5.0 pages

allintitle:Welcome to Windows 2000 Internet Services

In the case of IIS, you can determine not only the server version but also the Windows version and service pack.

Another way to determine the web server version is to look for the manuals (help pages) and examples that may be installed on the site by default. Hackers have found quite a few ways to use these components to gain privileged access to a site, which is why they should be removed from production servers, quite apart from the fact that their presence reveals the server type and version. For example, let's find the Apache manual:

inurl:manual apache directives modules
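As an added example (my code, not part of the original article), the following Python script does offline what the directory-listing and server-version dorks above do through Google: given the HTML of a page, it checks for the "Index of" / "Parent Directory" markers, pulls out the "Server at ... Port ..." footer, extracts the Apache version from it, and flags the file names an attacker would open first. The sample listing is constructed for this example and modelled on the footer quoted above; the second sample shows the same listing from a server with ServerTokens Prod, where the product name survives but the version does not, which is why a banner-based fingerprint cannot be fully trusted. The same functions can be run over responses fetched from your own hosts to check whether they expose listings.

```python
import re
from typing import Optional

# Constructed sample of an Apache autoindex page (not captured from any real
# host); the footer is modelled on the signature quoted in the article.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a>
<hr><a href="/">Parent Directory</a>                         -
<a href="db-2024.sql">db-2024.sql</a>        12-Mar-2024 10:11  1.2M
<a href="notes.txt">notes.txt</a>            12-Mar-2024 10:12  4.0K
<a href="ws_ftp.ini">ws_ftp.ini</a>          01-Jan-2024 09:00  2.1K
<hr></pre>
<address>Apache/1.3.29 (Unix) Server at example.test Port 80</address>
</body></html>
"""

# The same listing from a server with "ServerTokens Prod": the footer keeps
# the product name but drops the version, so the fingerprint is gone.
SAMPLE_LISTING_HARDENED = SAMPLE_LISTING.replace(
    "Apache/1.3.29 (Unix) Server at", "Apache Server at")

TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.I | re.S)
ADDRESS_RE = re.compile(r"<address>\s*(.*?)\s*</address>", re.I | re.S)
HREF_RE = re.compile(r'<a\s+href="([^"]+)"', re.I)
APACHE_VERSION_RE = re.compile(r"Apache/(\d+(?:\.\d+)+)")
# File names from the article's own dork list plus a few obvious extensions.
SENSITIVE_RE = re.compile(
    r"(\.(sql|ini|bak|conf|pwd|db|log|old)$)"
    r"|((^|/)(\.htpasswd|\.mysql_history|master\.passwd|ws_ftp\.ini|passlist\.txt)$)",
    re.I)


def is_directory_listing(html: str) -> bool:
    """Apply the dork 'intitle:index.of parent directory' to a page body:
    the title starts with 'Index of' and the body has autoindex markers."""
    m = TITLE_RE.search(html)
    if not m or not m.group(1).lower().startswith("index of"):
        return False
    body = html.lower()
    return "parent directory" in body or ("name" in body and "size" in body)


def server_signature(html: str) -> Optional[str]:
    """Return the 'Server at ... Port ...' footer Apache appends to listings."""
    m = ADDRESS_RE.search(html)
    return m.group(1) if m else None


def apache_version(html: str) -> Optional[str]:
    """Extract 'x.y.z' from the footer; None when the admin hid it."""
    m = APACHE_VERSION_RE.search(server_signature(html) or "")
    return m.group(1) if m else None


def listed_files(html: str) -> list[str]:
    """File entries only: skip the column-sort links ('?C=...') and
    sub-directories / the parent link (trailing '/')."""
    return [h for h in HREF_RE.findall(html)
            if not h.startswith("?") and not h.endswith("/")]


def sensitive_files(html: str) -> list[str]:
    """Entries an attacker would open first (configs, dumps, credentials)."""
    return [f for f in listed_files(html) if SENSITIVE_RE.search(f)]


def audit(html: str) -> dict:
    """One-shot report for a fetched page body, e.g. from your own host."""
    return {
        "directory_listing": is_directory_listing(html),
        "signature": server_signature(html),
        "apache_version": apache_version(html),
        "sensitive": sensitive_files(html),
    }


if __name__ == "__main__":
    for label, page in (("default", SAMPLE_LISTING),
                        ("hardened", SAMPLE_LISTING_HARDENED)):
        print(label, audit(page))
```

The listing check deliberately mirrors the two dorks given above (a title beginning with "Index of" plus "Parent Directory" or the Name/Size column headers), so anything it flags on your own server is exactly what those queries would surface once Google crawls it.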

Using Google as a CGI scanner.

A CGI scanner (web scanner) is a utility that searches for vulnerable scripts and programs on a target server. Such utilities need to know what to look for, so they carry a whole list of vulnerable files, for example:

/cgi-bin/cgiemail/uargg.txt
/random_banner/index.cgi
/cgi-bin/mailview.cgi
/cgi-bin/maillist.cgi
/cgi-bin/userreg.cgi

/iissamples/ISSamples/SQLQHit.asp
/SiteServer/admin/findvserver.asp
/scripts/cphost.dll
/cgi-bin/finger.cgi

Each of these files can be found with Google: adding the words index of or the inurl: operator to the file name in the search string finds sites with the vulnerable scripts, for example:

allinurl:/random_banner/index.cgi

With additional knowledge, a hacker could exploit a flaw in such a script to make it serve any file stored on the server, for example a password file.

How to protect yourself from being hacked through Google.

1. Do not upload important data to the web server.

Even if you post the data only temporarily, you may forget about it, or someone may find and take it before you delete it. Don't do it. There are many other ways to transfer data that protect it from theft.

2. Check your site.

Use the methods described here to research your own site. Check it periodically against the new dorks that appear at http://johnny.ihackstuff.com (the Google Hacking Database that started there is now maintained at Exploit-DB). Remember that if you want to automate your searches, you need special permission from Google. If you read http://www.google.com/terms_of_service.html carefully, you will see the phrase: You may not send automated queries of any sort to Google's system without express permission in advance from Google.

3. You may not need Google to index your site, or part of it.

Google lets you remove a link to your site or part of it from its database, and remove pages from its cache. You can also prohibit image search on your site and prohibit the display of short fragments (snippets) of your pages in search results. All the ways of removing a site are described at http://www.google.com/remove.html (today this is handled through the Removals tool in Google Search Console). To do this, you must confirm that you really own the site, or insert the corresponding robots meta tags on the pages.

4. Use robots.txt

Search engines read the robots.txt file at the root of the site and skip the parts marked with Disallow. You can use this to keep part of the site out of the index. For example, to keep the entire site from being indexed, create a robots.txt containing two lines:

User-agent: *
Disallow: /

Two caveats a practitioner should keep in mind. robots.txt is advisory and is itself public, so listing sensitive paths in it tells an attacker exactly where to look; anything that must stay private needs authentication, not a Disallow line. And Google can still show a disallowed URL (without its content) if other sites link to it, so to get a page out of the results use a noindex robots meta tag or X-Robots-Tag header and let it be crawled. For the listings and banners discussed above, fix the server rather than the index: on Apache, Options -Indexes disables automatic directory listings, and ServerTokens Prod together with ServerSignature Off removes the version from the Server header and from the listing footer.

One more thing

So that life does not seem too sweet, I will say in closing that there are sites that track people who, using the methods above, look for holes in scripts and web servers. An example of such a page is

Appendix.

A little dessert. Try some of the following for yourself:

1. #mysql dump filetype:sql - MySQL database dumps
2. Host Vulnerability Summary Report - scanner reports that show which vulnerabilities other people have already found
3. phpMyAdmin running on inurl:main.php - exposed phpMyAdmin control panels
4. Not for distribution confidential
5. Request Details Control Tree Server Variables - ASP.NET trace pages
6. Running in child mode
7. This report was generated by WebLog
8. intitle:index.of cgiirc.config
9. filetype:conf inurl:firewall -intitle:cvs - anyone need firewall configuration files? :)
10. intitle:index.of finances.xls - hmm....
11. intitle:Index of dbconvert.exe chats - ICQ chat logs
12. intext:Tobias Oetiker traffic analysis - MRTG traffic statistics pages
13. intitle:Usage Statistics for Generated by Webalizer
14. intitle:statistics of advanced web statistics
15. intitle:index.of ws_ftp.ini - WS_FTP configuration files
16. inurl:ipsec.secrets holds shared secrets - IPsec pre-shared keys, a good find
17. inurl:main.php Welcome to phpMyAdmin
18. inurl:server-info Apache Server Information - mod_info pages
19. site:edu admin grades
20. ORA-00921: unexpected end of SQL command - Oracle error pages that leak file paths
21. intitle:index.of trillian.ini
22. intitle:Index of pwd.db
23. intitle:index.of people.lst
24. intitle:index.of master.passwd
25. inurl:passlist.txt
26. intitle:Index of .mysql_history
27. intitle:index of intext:globals.inc
28. intitle:index.of administrators.pwd
29. intitle:Index.of etc shadow
30. intitle:index.of secring.pgp
31. inurl:config.php dbuname dbpass
32. inurl:perform filetype:ini


So, friends, I decided to write a small follow-up. I did not expect such feedback, and I really hope it will be useful for beginners...

This time I will try to explain what dorks should not look like, because you often deal with clients whose dorks look completely crazy, and after a short conversation it turns out they even paid for them. It is infuriating. I myself, out of my own stupidity, have bought dorks for 300 rubles and for 20 rubles, but I have not yet met a competent person who makes dorks that are actually good and make the search engine return what I need. I am not trying to offend anyone; what follows is just my personal opinion.

First, before buying, always ask for 10-15 dorks to check and evaluate them visually. I hope that after this guide you will be able to tell dorks more or less tailored to your request from ones that cannot even be called public.

Let's go!

It is easier for me to work with examples, so I will list some of the "gaming" dorks that sometimes come across and explain what to look for:

mistake.php?gta_5= frame

Let's take the dork apart:

mistake.php - it is assumed that this word must be present in the link. In fact, it works a little differently: for a word to be required in the URL, it must be given to the inurl: or allinurl: operator.
Suppose we do come across some links with this word. But, judging by the dork, this part is meant to be the page name. I do not know what coder would create a mistake.php page on their gaming site.
Certainly some will, but that is a very small percentage. In my view, the page should have a more or less popular name that PHP coders actually use.

A few more page names that are undesirable in dorks (dork sellers often use random words):

gta5.php - nobody names a page like this
farcry_primal.php, farcry_primal.cfm - the .cfm extension belongs to ColdFusion, not ASP.NET; sites are written in it, but far less often than in PHP, so running into a page with this name is a stroke of luck
kramble.php, how_to_work.php - random words
catch"in.php - special characters should not be in the page name
jzooo.php - what the hell kind of page is this?
game_of_trone.php - a rare page, and it refers to the title of a TV series, not to games

I hope the logic is clear. The page should have a logical name; that is the main thing. It does not really matter whether the name has anything to do with the gaming theme. These are the page names coders use most, and in general the more popular ones that can be used in dorks:

index.php, private.php, pm.php, user.php, members.php, area.php, config.php, search.php, redirect.php, r.php (same as redirect), s.php (same as search), mail.php, forum.php, post.php, account.php, exit.php, query.php, q.php (same as query), etc.

Roughly like that. The page name in the dork (if there is one) should be short, convenient to use on a site, and carry some logical meaning. It does not matter that we have no names like steam.php, steam_keys.php or roulette.php; what matters is finding more links, and the more often a word is used on websites, the better. The ones relevant to our topic we will select with the rest of the dork.

We have dealt with page names, but that is not the most important part. Let's move on to the second part.

Meet the GET parameter:

?gta_5 - I must say right away that there are no such parameters (remember, this is my personal opinion).

Ideally, the GET parameter we want should be passed to the database and, if there is a SQL injection, cause a database error. That is what we need. But finding a parameter called gta_5 is, again, great luck, and if we do find it, it still has to be vulnerable. This again discards most of the links we are interested in.

A few more examples of bad parameters:

?groove= ?paypal= ?qiwi_wallet= ?my_money= ?dai_webmoney= ?skdoooze= ?sadlkjadlkjswq= ?213123= ?777=

Why is paypal a bad parameter? Because it implies we are querying a database by a paypal column. Nobody keeps a PayPal database, except perhaps the company itself. Again, I am exaggerating.

Examples of good parameters that everyone loves to use because they are short, convenient, easy to remember, and have at least some logic:

?id= ?cat= ?cat_id= ?get= ?post= ?frame= ?r= ?redirect= (you get the idea) ?banner= ?go= ?leave= ?login= ?pass= ?password= ?username= ?user= ?search= ?s= ?wallet= ?acc= ?balance= ?do= ?page= ?page_id= ?topic= ?forum= ?thread= ?download= ?free= ?message=

Of course, the list could go on forever, but these are universal parameters that suit mixed dorks, gaming, finance or anything else. We will come across forums, torrent sites and everything else.

For example, a few parameters that may come in handy for gaming queries:

?game= ?game_id= ?battle= ?log= ?team= ?weapon= ?inv= (inventory) ?gamedata= ?player= ?players= ?play= (came across on video sites) ?playtag= ?match=

Roughly the same logic should ideally be applied to other topics. At the very least you need to understand a little English and realize what dorks you are buying. In general, it is enough to look at 10-20 dorks to see what kind of "mega private" list you bought, and whether it is worth dealing with this seller in future. Or to demand a refund through the blacklist, if you ordered dorks for shops and see sex.php? or ?photo= in them. Such sellers deserve no mercy.

And finally, the most important part of the dork (which is sometimes missing altogether). We have just looked at the name of the GET parameter, not the query itself; now we move on to the query, which helps us find exactly what we need.

In our test dork this is the part: frame

I would not say it is a bad query, but given that we are looking for gaming sites, the effectiveness of such a query is about 15-20%. For mixed dorks, or just for the number of links (just to dump something), it will do.

The query can include, as many dork tutorials and manuals rightly say, any words related to our topic. We will stick with gaming queries, so here is an example of good, suitable queries for games:

game, gaming, exp, player, level, players, dota, counter-strike, AWP | Asiimov, M19, NAVI, play free, free games, download game, game forum, about game, game screenshot, game guide

It should be clear what the theme of your dorks is. If you have something like the following in the purchased dorks (and we bought gaming ones):

watch, freedom, text, dsadaswe, 213123321, lady gaga, fuck america, bla bla, girl tits, free XXX porn, futurama s01e13

Then again, feel free to send the seller packing and throw out your dorks. You will not see any gaming sites with those :)

One more thing: you can use operators with these queries - intitle:, allintitle:, intext:, allintext:
where the gaming query from the list above goes after the colon (intitle:game, allintext:play free).
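As an added example (my code, not the author's), here is a small Python linter that applies the rules of this section to a dork of the form page.ext?param= keywords: it checks for the inurl:/allinurl: operator, whether the page and parameter names come from the common lists given above, rejects special characters and numeric parameter names, and checks that the keyword part matches the theme. The word lists are taken from the article's own examples and are an assumption you should extend for your topic; the rules are the author's heuristics for judging a purchased list, not a measure of what Google actually returns.

```python
import re
from dataclasses import dataclass, field

# Vocabulary lifted from the article's own lists of "good" names (an
# assumption: extend it for your own topic). The gaming words are the theme
# used in the text.
COMMON_PAGES = {
    "index", "private", "pm", "user", "members", "area", "config", "search",
    "redirect", "r", "s", "mail", "forum", "post", "account", "exit",
    "query", "q", "frame", "get",
}
COMMON_PARAMS = {
    "id", "cat", "cat_id", "get", "post", "frame", "r", "redirect", "banner",
    "go", "leave", "login", "pass", "password", "username", "user", "search",
    "s", "wallet", "acc", "balance", "do", "page", "page_id", "topic",
    "forum", "thread", "download", "free", "message", "name", "query", "ok",
    "game", "game_id", "battle", "log", "team", "weapon", "inv", "gamedata",
    "player", "players", "play", "playtag", "match",
}
GAME_WORDS = {
    "game", "games", "gaming", "exp", "player", "players", "level", "dota",
    "counter-strike", "cs", "awp", "play", "download", "forum", "screenshot",
    "guide", "servers",
}

# page.ext?param= keywords, with an optional inurl:/allinurl: in front.
DORK_RE = re.compile(
    r"^(?P<op>(?:all)?inurl:)?"
    r"(?P<page>[^\s?=]+)\.(?P<ext>php|asp|aspx|cfm|jsp)"
    r"\?(?P<param>[^=\s]*)="
    r"\s*(?P<keywords>.*?)\s*$",
    re.I,
)


@dataclass
class DorkReport:
    page: str = ""
    param: str = ""
    keywords: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def lint_dork(dork: str, theme_words=GAME_WORDS) -> DorkReport:
    """Check one dork against the rules the text lays out."""
    m = DORK_RE.match(dork.strip())
    if not m:
        return DorkReport(problems=["not of the form page.ext?param= keywords"])
    rep = DorkReport(
        page=m.group("page").lower(),
        param=m.group("param").lower(),
        keywords=m.group("keywords").lower().split(),
    )
    if not m.group("op"):
        rep.problems.append("no inurl:/allinurl: operator, so the page name "
                            "is not actually anchored to the URL")
    if not re.fullmatch(r"[a-z0-9_]+", rep.page):
        rep.problems.append(f"page name {rep.page!r} contains special characters")
    elif rep.page not in COMMON_PAGES:
        rep.problems.append(f"page name {rep.page!r} is uncommon")
    if not re.fullmatch(r"[a-z][a-z0-9_]*", rep.param):
        rep.problems.append(f"parameter {rep.param!r} is not a plausible name")
    elif rep.param not in COMMON_PARAMS:
        rep.problems.append(f"parameter {rep.param!r} is rarely used")
    if not rep.keywords:
        rep.problems.append("no keyword part")
    elif not any(k.strip('"') in theme_words for k in rep.keywords):
        rep.problems.append("keywords do not match the theme")
    return rep


def lint_list(dorks: list[str], theme_words=GAME_WORDS) -> dict:
    """Score a whole purchased list: how many pass every rule."""
    reports = [lint_dork(d, theme_words) for d in dorks]
    good = sum(r.ok for r in reports)
    return {"total": len(reports), "good": good,
            "share_good": good / len(reports) if reports else 0.0}


if __name__ == "__main__":
    # The first two are the article's own "bad" examples; the third is one of
    # its "good" ones with the operator the text says must be present.
    for d in ("mistake.php?gta_5= frame",
              'catch"in.php?777= bla bla',
              "inurl:search.php?ok= game servers"):
        r = lint_dork(d)
        print(d, "->", "OK" if r.ok else r.problems)
```

Running it on a seller's sample of 10-15 dorks gives the quick "visual check" the text recommends in a repeatable form: the share_good figure from lint_list is the number to compare between sellers.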

That seems to be everything I wanted to convey. I hope the article will be at least somewhat useful to beginners (it would have been useful to me and saved me a few hundred rubles, and it may help put unscrupulous dork sellers in their place). And if you have more or less understood how to make dorks yourself, I will only be glad.

Practice, train your eye and hand; there is nothing particularly complicated about dorks.

And lastly: I do not know about the dumper, but A-Parser happily accepts queries in Russian and finds plenty of links with them. Why not, I thought. I tested it and was pleased with the result. You may laugh))

frame.php?name= free games
get.php?query= download cs
search.php?ok= game servers
