Re: Google lists vulnerable sites.

From: KF (dotslashat_private)
Date: Mon Jun 10 2002 - 18:47:02 PDT

  • Next message: KF: "Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT"

    Altavista is good for finding cgi script vulns... url:cgi-bin, url:template
    or in spanish or some thing like url:cgi-bin, url:pagina then stuff a few
    ../../../../'s in some variables... get creative ... but I wouldn't really
    call any of this fancy searching a vulnerability nor is it specific to
    google. I have seen similar techniques used in wormish type tools that
    spider through web pages looking for new cgi vulns.
    -KF
    
    ----- Original Message -----
    From: <silencedscreamat_private>
    To: <vuln-devat_private>
    Sent: Friday, July 05, 2002 12:01 PM
    Subject: Google lists vulnerable sites.
    
    
    >
    >
    > Let me first say that I do now know if this issue has been brought to
    > light before or in what detail it might have been discussed.  On to the
    > show...
    >
    > The problem I have found is that google may be archiving too much
    > information on sites.  By carefully crafting search strings you can
    > reliably return sites who's root, cgi-bin, bin, admin, etc... directories
    > are exposed and unprotected.  The first thing you must do is select the
    > name of a commonnly protected directory (I will use admin in this
    > example).  The second is to think of a filetype that only the
    > administrator and not the average web surfer would have access to.
    > Things like bin, txt, or htm are no good because they are commonly made
    > available in other directories for legitimate reasons.  For this example
    > I choose to go with .db.  Now to create the search string.
    >
    > inurl:admin filetype:db
    > The above gives us,
    > http://www.google.com/search?sourceid=navclient&q=inurl%3Aadmin+filetype%
    > 3Adb
    >
    > The above search sets the requirments that admin must be in the url and
    > only sites that contain a file of the type .db are returned.
    >
    > Now most of the links you click on will take you to some meaningless url
    > or email database but if for exaple you had
    >
    > www.somesite.org/admin/cgi-bin/url.db
    >
    > and you removed the url.db from the link you are now free to traverse
    > through there directories and files.  By useing carefully selected search
    > terms like the ones above I have about a 90-95% success rate of
    > vulnerable sites returned.  The trick is finding the right directory and
    > filetypes to use in the search.
    >
    



    This archive was generated by hypermail 2b30 : Fri Jul 05 2002 - 22:46:14 PDT