Domains/Secret about Dorking (Leaks and Exploiting)

1. .biz .com .info .name .net .org .pro
2. .aero .asia .cat .coop
3. .edu .gov .int .jobs .mill .mobi .museum .tel .travel
4. .arpa .gov.cn .mil.kr .gov.uk
5.  
6.  
7.  
8.  
9. Discussed below are various Google’s special commands and I shall be explaining each command in brief and will show how it can be used for getting confidential data.
10.  
11. [ intitle: ]
12. The “intitle:” syntax helps Google restrict the search results to pages containing that word in the title. For example, “intitle: login password” (without quotes) will return links to those pages that has the word "login" in their title, and the word "password" anywhere in the page.
13.  
14. Similarly, if one has to query for more than one word in the page title then in that case “allintitle:” can be used instead of “intitle” to get the list of pages containing all those words in its title. For example using “intitle: login intitle: password” is same as querying “allintitle: login password”.
15.  
16. [ inurl: ]
17. The “inurl:” syntax restricts the search results to those URLs containing the search keyword. For example: “inurl: passwd” (without quotes) will return only links to those pages that have "passwd" in the URL.
18.  
19. Similarly, if one has to query for more than one word in an URL then in that case “allinurl:” can be used instead of “inurl” to get the list of URLs containing all those search keywords in it. For example: “allinurl: etc/passwd“ will look for the URLs containing “etc” and “passwd”. The slash (“/”) between the words will be ignored by Google.
20.  
21. [ site: ]
22. The “site:” syntax restricts Google to query for certain keywords in a particular site or domain. For example: “exploits site:hackingspirits.com” (without quotes) will look for the keyword “exploits” in those pages present in all the links of the domain “hackingspirits.com”. There should not be any space between “site:” and the “domain name”.
23.  
24. [ filetype: ]
25. This “filetype:” syntax restricts Google search for files on internet with particular extensions (i.e. doc, pdf or ppt etc). For example: “filetype:doc site:gov confidential” (without quotes) will look for files with “.doc” extension in all government domains with “.gov” extension and containing the word “confidential” either in the pages or in the “.doc” file. i.e. the result will contain the links to all confidential word document files on the government sites.
26.  
27. [ link: ]
28. “link:” syntax will list down webpages that have links to the specified webpage. For Example: “link:www.securityfocus.com” will list webpages that have links pointing to the SecurityFocus homepage. Note there can be no space between the "link:" and the web page url.
29.  
30. [ related: ]
31. The “related:” will list web pages that are "similar" to a specified web page. For Example: “related:www.securityfocus.com” will list web pages that are similar to the Securityfocus homepage. Note there can be no space between the "related:" and the web page url.
32.  
33. [ cache: ]
34. The query “cache:” will show the version of the web page that Google has in its cache. For Example: “cache:www.hackingspirits.com” will show Google's cache of the Google homepage. Note there can be no space between the "cache:" and the web page url.
35.  
36. If you include other words in the query, Google will highlight those words within the cached document. For Example: “cache:www.hackingspirits.com guest” will show the cached content with the word "guest" highlighted.
37.  
38. [ intext: ]
39. The “intext:” syntax searches for words in a particular website. It ignores links or URLs and page titles. For example: “intext:exploits” (without quotes) will return only links to those web pages that has the search keyword "exploits" in its webpage.
40.  
41. [ phonebook: ]
42. “phonebook” searches for U.S. street address and phone number information. For Example: “phonebook:Lisa+CA” will list down all names of person having “Lisa” in their names and located in “California (CA)”. This can be used as a great tool for hackers incase someone want to do dig personal information for social engineering.
43.  
44. DEMYSTIFYING GOOGLE HACKS
45.  
46.  
47. Using “Index of ” syntax to find sites enabled with Index browsing
48.  
49.  
50. A webserver with Index browsing enabled means anyone can browse the webserver directories like ordinary local directories. Here I shall discuss how one can use “index of” syntax to get a list links to webserver which has got directory browsing enabled. This becomes an easy source for information gathering for a hacker. Imagine if the get hold of password files or others sensitive files which are not normally visible to the internet. Below given are few examples using which one can get access to many sensitive information much easily.
51.  
52. Index of /admin
53. Index of /passwd
54. Index of /password
55. Index of /mail
56.  
57. "Index of /" +passwd
58. "Index of /" +password.txt
59. "Index of /" +.htaccess
60.  
61. "Index of /secret"
62. "Index of /confidential"
63. "Index of /root"
64. "Index of /cgi-bin"
65. "Index of /credit-card"
66. "Index of /logs"
67. "Index of /config"
68.  
69. Looking for vulnerable sites or servers using “inurl:” or “allinurl:”
70.  
71. Using “allinurl:winnt/system32/” (without quotes) will list down all the links to the server which gives access to restricted directories like “system32” through web. If you are lucky enough then you might get access to the cmd.exe in the “system32” directory. Once you have the access to “cmd.exe” and is able to execute it then Bingo!! You owns the server. ?
72. Using “allinurl:wwwboard/passwd.txt”(without quotes) in the Google search will list down all the links to the server which are vulnerable to “WWWBoard Password vulnerability”. To know more about this vulnerability you can have a look at the following link: http://www.securiteam.com/exploits/2BUQ4S0SAW.html
73. Using “inurl:.bash_history” (without quotes) will list down all the links to the server which gives access to “.bash_history” file through web. This is a command history file. This file includes the list of command executed by the administrator, and sometimes includes sensitive information such as password typed in by the administrator. If this file is compromised and if contains the encrypted unix (or *nix) password then it can be easily cracked using “John The Ripper”.
74. Using “inurl:config.txt” (without quotes) will list down all the links to the servers which gives access to “config.txt” file through web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials. For Example: Ingenium Learning Management System is a Web-based application for Windows based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 stores sensitive information insecurely in the config.txt file. For more information refer the following links: http://www.securiteam.com/securitynews/6M00H2K5PG.html
75. Other similar search using “inurl:” or “allinurl:” combined with other syntaxs
76. inurl:admin filetype:txt
77. inurl:admin filetype:db
78. inurl:admin filetype:cfg
79. inurl:mysql filetype:cfg
80. inurl:passwd filetype:txt
81. inurl:iisadmin
82. inurl:auth_user_file.txt
83. inurl:orders.txt
84. inurl:"wwwroot/*."
85. inurl:adpassword.txt
86. inurl:webeditor.php
87. inurl:file_upload.php
88.  
89. inurl:gov filetype:xls "restricted"
90. index of ftp +.mdb allinurl:/cgi-bin/ +mailto
91.  
92. Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
93.  
94. Using [allintitle: "index of /root”] (without brackets) will list down the links to the web server which gives access to restricted directories like “root” through web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
95. Using [allintitle: "index of /admin”] (without brackets) will list down the links to the websites which has got index browsing enabled for restricted directories like “admin” through web. Most of the web application sometimes uses names like “admin” to store admin credentials in it. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
96. Other similar search using “intitle:” or “allintitle:” combined with other syntaxs
97. intitle:"Index of" .sh_history
98. intitle:"Index of" .bash_history
99. intitle:"index of" passwd
100. intitle:"index of" people.lst
101. intitle:"index of" pwd.db
102. intitle:"index of" etc/shadow
103. intitle:"index of" spwd
104. intitle:"index of" master.passwd
105. intitle:"index of" htpasswd
106. intitle:"index of" members OR accounts
107. intitle:"index of" user_carts OR user_cart
108.  
109. allintitle: sensitive filetype:doc
110. allintitle: restricted filetype :mail
111. allintitle: restricted filetype:doc site:gov
112.  
113.  
114. OTHER INTERESTING SEARCH QUERIES
115.  
116. To search for sites vulnerable to Cross-Sites Scripting (XSS) attacks:
117. allinurl:/scripts/cart32.exe
118. allinurl:/CuteNews/show_archives.php
119. allinurl:/phpinfo.php
120.  
121. To search for sites vulnerable to SQL Injection attacks:
122. allinurl:/privmsg.php
123. allinurl:/privmsg.php
124.  
125.  
126.  
127.  
128.  
129. inurl:index.of.password
130. Directory listing contains password file(s)?
131. intitle:"Index of" service.pwd
132. Directory listing contains service.pwd file(s)
133. intitle:"Index of" view-source
134. Directory listing contains view-source file(s)
135. intitle:"Index of" admin
136. Direcory listing contains administrative files or directories
137. intitle:"Index of" .htpasswd
138. Directory listing contains .htpasswd file!
139. intitle:"Index of" log.txt
140. Directory listing contians log text files
141. intitle:"Index of" stats.html
142. Directory listing contains stats.html which may contain useful web server statistics
143. "access denied for user" "using password"
144. Web page contains error message which might provide useful application information
145. "A syntax error has occurred" filetype:ihtml
146. Web page contains error message which might provide useful application information
147. "ORA-00921: unexpected end of SQL command"
148. Web page contains error message which might provide useful application information
149. inurl:passlist.txt
150. The passlist.txt file may contain user passwords
151. "Index of /backup"
152. Directory may contain sensitive backup files
153. intitle:"Index of" .bash_history
154. Directory listing contains bash history information
155. intitle:"Index of" index.html.bak
156. Directory listing contains backup index file (index.html.bak)
157. intitle:"Index of" index.php.bak
158. Directory listing contains backup index file (index.html.bak)
159. intitle:"Index of" guestbook.cgi
160. Directory listing contains backup index file (index.html.bak)
161. intitle"Test Page for Apache"
162. Default test page for Apache
163. intitle:index.of.etc
164. Directory listing of /etc ?
165. filetype:xls username password
166. XLS spreadseet containing usernames and passwords?
167. "This file was generated by Nessus"
168. Nessus report!
169. intitle:"Index of" secring.bak
170. Secret key file
171. intitle:"Terminal Services Web Connection"
172. Access terminal services!
173. intitle:"Remote Desktop Web Connection"
174. Access Remote Desktop!
175. intitle:"Index of" access_log
176. Directory listing contains access_log file which may store sensitive information
177. intitle:"Index of" finance.xls
178. Directory listing contains finance.xls which may contain sensitive information
179. intitle:"Usage Statistics for"
180. Statistical information may contain sensitive data
181. intitle:"Index of" WSFTP.LOG
182. WSFTP.LOG file contains information about FTP transactions
183. intitle:"Index of" ws_ftp.ini
184. The ws_ftp.ini file may contain usernames and passwords of FTP users
185. "not for distribution" confidential
186. URL may contain confidential or sensitive information
187. "phpMyAdmin" "running on" inurl:"main.php"
188. phpMyAdmin allows remote mysql database administration
189. "#mysql dump" filetype:sql
190. mysql database dumps
191. "This summary was generated by wwwstat"
192. Database statistics
193. "Host Vulnerability Summary Report"
194. Vulnerability report!
195. "Network Vulnerability Assessment Report"
196. Vulnerability report!
197. inurl:php.ini filetype:ini
198. The php.ini file may contain sensitive PHP environment details.
199. BEGIN (CERTIFICATE|DSA|RSA) filetype:key
200. Private key(s)!
201. BEGIN (CERTIFICATE|DSA|RSA) filetype:csr
202. Private key(s)!
203. BEGIN (CERTIFICATE|DSA|RSA) filetype:crt
204. Private key(s)!
205. intitle:"Index of" passwd passwd.bak
206. passwd file!
207. intitle:"Index of" master.passwd
208. master.passwd file!
209. intitle:"Index of" pwd.db
210. pwd.db file may contain password information
211. intitle:"Index of..etc" passwd
212. passwd file!
213. filetype:cfg ks intext:rootpw -sample -test -howto
214. This file may contain the root password (encrypted)
215. intitle:"index.of.personal"
216. Directory may contain sensitive information
217. intitle:"Index of" login.jsp
218. The login.jsp file may contain database username or password information
219. intitle:"Index of" logfile
220. Directory may contain sensitive log files
221. filetype:php inurl:"viewfile" -"index.php" -"idfil
222. File may contain PHP source code
223. allinurl:intranet admin
224. Page may contain sensitive information
225. "supplied argument is not a valid MySQL result resource"
226. mysql error message may reveal sensitive information
227. "Error Diagnostic Information" intitle:"Error Occurred While"
228. Error message may reveal sensitive information
229. HTTP_USER_AGENT=Googlebot
230. Page may contain sensitive environment details