
google

a guest
Aug 23rd, 2011
  1. FTP passwords
  2.  
  3. ws_ftp.ini is a configuration file for a popular win32 FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference.
  4.  
  5. intitle:index.of ws_ftp.ini
  6.  
  7. You can also use this dork, which uses "parent directory" to avoid results other than directory listings
  8.  
  9. filetype:ini ws_ftp pwd
  10.  
  11. Or
  12.  
  13. "index of/" "ws_ftp.ini" "parent directory"
  14.  
  15. Even if the site or file has been taken offline, you can still search the contents in the Google cache using the following dork
  16.  
  17. "cache:www.abc.com/ws_ftp.ini"
  18.  
  19. where
  20.  
  21. www.abc.com is the site you want to check the dork for.
  22.  
  23. The ws_ftp password uses a quite weak encryption algorithm; hence, once you get the password, you can break it using the decryptor provided here
  24. http://www.hispasec.com/directorio/laboratorio/Software/ws_ftp.html
  25. or from here
  26. http://lab.artlung.com/ws-ftp-password-decoder/
  27.  
  28. PHP Hacking
  29.  
  30. Sites made in PHP have a file known as "config.php" which stores configuration and the username and password for the SQL database the site is hosting. This password is required only once per transaction (i.e. whenever the admin logs in or a transaction is committed at administrator level) and hence will be specified by the 'require_once' parameter in the config file or in the index file.
  31.  
  32. intitle:index.of config.php
  33.  
  34. to view php file contents
  35.  
  36. intitle:"Index of" phpinfo.php
  37.  
  38. you can also try the directory traversal attack in php using the following dork
  39.  
  40. inurl:download.php?=filename
  41.  
  42. If you are lucky, substitute the filename with 'index.php', download it, read it and get the password (hint: if you are not able to find it, try looking for globals.php).
  43.  
  44. Most websites today deny this trick, but you may get lucky with some :) You might also want to have a look at "Hacking PHP 4.4 websites in 20 seconds"
  45. http://www.theprohack.com/2009/07/hacking-php-44-sites-in-20-seconds.html
  46.  
  47. SQL Dumps
  48.  
  49. We will be hunting for SQL password dumps saved in a database. Here ext:sql specifies the type of password dump, e10adc3949ba59abbe56e057f20f883e is the MD5 hash for 123456, one of the most common passwords people keep, and the intext dork allows you to search inside the dump.
  50.  
  51. ext:sql intext:@gmail.com intext:e10adc3949ba59abbe56e057f20f883e
  52.  
  53. ext:sql intext:"INSERT INTO" intext:@somemail.com intext:password
  54.  
  55. Remember kids
  56.  
  57. Use different email providers: substitute gmail/yahoomail for somemail, or try custom domain mail providers.
  58. Use different file extensions.
  59. Use different types of hashes; some older ones might be using md4 and some others might be using other prominent encryption algorithms.
  60. Just mix everything up and try different combinations :)
  61.  
  62. It's not over.. Yet
  63.  
  64. A very flexible query can be used to hunt for WS_FTP.log which in turn can disclose valuable information about the server.
  65.  
  66. +htpasswd +WS_FTP.LOG filetype:log
  67.  
  68. You can substitute "+htpasswd" for "+FILENAME" & you may get several results not mentioned before using the normal search. You can further explore filenames by using keywords like
  69.  
  70. phpinfo, admin, MySQL, password, htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage, CMS, backend, https, editor, intranet
  71.  
  72. The list goes on and on.. Also, you can try this dork to data mine information about the uploader
  73.  
  74. "allinurl: "some.host.com" WS_FTP.LOG filetype:log"
  75.  
  76. which tells you more about who's uploading files to a specific site, quite handy for some passive reconnaissance.
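
Seen from the site owner's side, every query above depends on the same files being left inside a publicly served directory. The following is an added example, not part of the original paste: a Python audit of your own document root that flags the file names listed above and any .sql dump containing an unsalted MD5 of a weak password. The function names, the weak-password list and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

# File names the dorks on this page look for (compared case-insensitively).
EXPOSED_NAMES = {"ws_ftp.ini", "ws_ftp.log", ".htpasswd", "phpinfo.php"}
# Assumption: a short list of weak passwords; extend it for a real audit.
WEAK_PASSWORDS = ["123456", "password", "qwerty"]
WEAK_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in EXPOSED_NAMES:
                findings.append((rel, "sensitive file inside web root"))
            elif lower.endswith(".sql"):
                findings.append((rel, "SQL dump inside web root"))
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = set(MD5_RE.findall(fh.read().lower())) & set(WEAK_MD5)
                for digest in sorted(hits):
                    findings.append((rel, "unsalted MD5 of weak password %r" % WEAK_MD5[digest]))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "backup"))
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "WS_FTP.LOG": "constructed log line",
        "backup/users.sql": "INSERT INTO users VALUES ('a@example.com',"
                            "'e10adc3949ba59abbe56e057f20f883e');",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_webroot()):
        print(rel, "->", reason)
```

Anything it reports should be moved out of the served tree or blocked by the web server, and directory listings should be disabled so that "index of" pages are never generated.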