RE: Google lists vulnerable sites.

From: Bryan Allerdice (bryanat_private)
Date: Fri Jul 05 2002 - 16:05:47 PDT

    If not on this list, this certainly gets regular mentions on other similar
    lists and in books on hacking. Nevertheless, new subscribers to this list
    may not have heard about it. Bringing it up again is therefore useful in
    educating newcomers.
    
    Google is certainly a useful beast.
    
    BRYAN ALLERDICE
    
    -----Original Message-----
    From: silencedscreamat_private [mailto:silencedscreamat_private]
    Sent: Friday, July 05, 2002 3:01 PM
    To: vuln-devat_private
    Subject: Google lists vulnerable sites.
    
    Let me first say that I do not know if this issue has been brought to
    light before or in what detail it might have been discussed.  On to the
    show...
    
    The problem I have found is that Google may be archiving too much
    information on sites.  By carefully crafting search strings you can
    reliably return sites whose root, cgi-bin, bin, admin, etc... directories
    are exposed and unprotected.  The first thing you must do is select the
    name of a commonly protected directory (I will use admin in this
    example).  The second is to think of a filetype that only the
    administrator and not the average web surfer would have access to.
    Things like bin, txt, or htm are no good because they are commonly made
    available in other directories for legitimate reasons.  For this example
    I chose to go with .db.  Now to create the search string.
    
    inurl:admin filetype:db
    The above gives us,
    http://www.google.com/search?sourceid=navclient&q=inurl%3Aadmin+filetype%3Adb
    
    The above search sets the requirements that admin must be in the url and
    only sites that contain a file of the type .db are returned.
    
    Now most of the links you click on will take you to some meaningless url
    or email database but if for example you had
    
    www.somesite.org/admin/cgi-bin/url.db
    
    and you removed the url.db from the link you are now free to traverse
    through their directories and files.  By using carefully selected search
    terms like the ones above I have about a 90-95% success rate of
    vulnerable sites returned.  The trick is finding the right directory and
    filetypes to use in the search.
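
Added example (editor's code, not part of either message): a site owner's audit of their own web server access log for the exposure the post describes, i.e. successful responses for sensitive file types or bare directory paths under a "commonly protected" directory, plus a flag when a search-engine crawler fetched them, which is how such paths end up in Google's index. It assumes Apache combined log format; the log lines are constructed, and the extra directory names, extensions and crawler user agents beyond the post's admin/.db are the editor's assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
66.249.1.2 - - [05/Jul/2002:15:01:00 -0700] "GET /admin/cgi-bin/url.db HTTP/1.0" 200 8192 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.1.2 - - [05/Jul/2002:15:01:05 -0700] "GET /admin/cgi-bin/ HTTP/1.0" 200 2048 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
10.0.0.7 - - [05/Jul/2002:15:02:00 -0700] "GET /index.htm HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.7 - - [05/Jul/2002:15:02:30 -0700] "GET /admin/users.db HTTP/1.0" 403 0 "-" "Mozilla/4.0"
"""
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Directories the post calls "commonly protected", and file types an ordinary
# visitor has no business fetching (the post's .db plus assumed extras).
PROTECTED_DIRS = {"admin", "cgi-bin", "bin"}
SENSITIVE_EXTS = (".db", ".mdb", ".sql", ".bak")
CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp", re.I)   # assumed crawler names

def classify(path, status, ua):
    """Findings for one request; only a 200 actually hands content out."""
    if status != "200":
        return []
    path = urlsplit(path).path
    segments = [s for s in path.split("/") if s]
    is_dir = path.endswith("/")
    # Every segment is a directory for "/admin/cgi-bin/", all but the last otherwise.
    if not PROTECTED_DIRS.intersection(segments if is_dir else segments[:-1]):
        return []
    findings = []
    if is_dir:
        findings.append("directory-access")    # 200 on a bare directory path (a listing if no index page)
    elif path.lower().endswith(SENSITIVE_EXTS):
        findings.append("sensitive-file")
    if findings and CRAWLER_UA.search(ua):
        findings.append("crawled")             # a search engine fetched it, so expect it indexed
    return findings

def audit(log_text):
    """Map each offending path to its findings across a whole log."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                            # skip lines that are not combined format
        findings = classify(m["path"], m["status"], m["ua"])
        if findings:
            report[urlsplit(m["path"]).path] = findings
    return report
```

The 403 on /admin/users.db in the sample is the hardened case and produces no finding; the two Googlebot hits are what a site owner would want to act on (disable directory indexes, deny the file type, require authentication on the directory).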
    



    This archive was generated by hypermail 2b30 : Fri Jul 05 2002 - 22:52:37 PDT