Google serves some 80 percent of all search queries on the Internet, making it by far the most popular search engine. Its popularity is due not only to excellent search effectiveness, but also to its extensive querying capabilities. However, we should also remember that the Internet is a highly dynamic medium, so the results presented by Google are not always up-to-date: some search results might be stale, while other relevant resources might not yet have been visited by Googlebot (the automatic script that browses and indexes Web resources for Google).
Table 1 presents a summary of the most
important and most useful query operators
along with their descriptions, while Figure 1
shows document locations referred to by the
operators when applied to Web searches. Of
course, this is just a handful of examples – skilful
Google querying can lead to much more
interesting results.
Hunting for Prey
Google makes it possible to reach not just
publicly available Internet resources, but also
some that should never have been revealed.
Table 1. Google query operators

site
    restricts results to pages within the specified domain
    Example: site:google.com fox finds all pages containing the word fox that are located within the *.google.com domain

intitle
    restricts results to documents whose title contains the specified phrase
    Example: intitle:fox fire finds all pages with the word fox in the title and fire in the text

allintitle
    restricts results to documents whose title contains all the specified phrases
    Example: allintitle:fox fire finds all pages with the words fox and fire in the title, so it is equivalent to intitle:fox intitle:fire

inurl
    restricts results to pages whose URL contains the specified phrase
    Example: inurl:fox fire finds all pages containing the word fire in the text and fox in the URL

allinurl
    restricts results to pages whose URL contains all the specified phrases
    Example: allinurl:fox fire finds all pages with the words fox and fire in the URL, so it is equivalent to inurl:fox inurl:fire

filetype, ext
    restricts results to documents of the specified type
    Example: filetype:pdf fire returns PDF documents containing the word fire, while filetype:xls fox returns Excel spreadsheets containing the word fox

numrange
    restricts results to documents containing a number from the specified range
    Example: numrange:1-100 fire returns pages containing a number from 1 to 100 and the word fire. The same result can be achieved with 1..100 fire

link
    restricts results to pages containing links to the specified location
    Example: link:www.google.com returns documents containing one or more links to www.google.com

inanchor
    restricts results to pages containing links whose anchor text contains the specified phrase
    Example: inanchor:fire returns documents with links whose description contains the word fire (the visible link text, not the URL the link points to)

allintext
    restricts results to documents containing the specified phrase in the body text, ignoring the title, link descriptions and URLs
    Example: allintext:"fire fox" returns documents containing the phrase fire fox in their text

+
    forces a term to be included in every result, even a common word that Google would otherwise drop from the query
    Example: +fire returns only documents that contain the word fire

-
    specifies that a phrase must not occur in results
    Example: -fire returns documents that do not contain the word fire

""
    delimiters for an entire search phrase (not single words)
    Example: "fire fox" returns documents containing the phrase fire fox

.
    wildcard for a single character
    Example: fire.fox returns documents containing the phrases fire fox, fireAfox, fire1fox, fire-fox etc. (in practice Google ignores most punctuation, so treat this operator as unreliable)

*
    wildcard for a single word
    Example: fire * fox returns documents containing the phrases fire the fox, fire in fox, fire or fox etc.

|
    logical OR (the word OR written in capitals has the same effect)
    Example: "fire fox" | firefox returns documents containing the phrase fire fox or the word firefox
----------------------------------------------------------------------------------------------
Table 2. Google queries for locating various Web servers

"Apache/1.3.28 Server at" intitle:index.of
    Apache 1.3.28
"Apache/2.0 Server at" intitle:index.of
    Apache 2.0
"Apache/* Server at" intitle:index.of
    any version of Apache
"Microsoft-IIS/4.0 Server at" intitle:index.of
    Microsoft Internet Information Services 4.0
"Microsoft-IIS/5.0 Server at" intitle:index.of
    Microsoft Internet Information Services 5.0
"Microsoft-IIS/6.0 Server at" intitle:index.of
    Microsoft Internet Information Services 6.0
"Microsoft-IIS/* Server at" intitle:index.of
    any version of Microsoft Internet Information Services
"Oracle HTTP Server/* Server at" intitle:index.of
    any version of Oracle HTTP Server
"IBM_HTTP_Server/* * Server at" intitle:index.of
    any version of IBM HTTP Server
"Netscape/* Server at" intitle:index.of
    any version of Netscape Server
"Red Hat Secure/*" intitle:index.of
    any version of the Red Hat Secure server
"HP Apache-based Web Server/*" intitle:index.of
    any version of the HP server
Table 3. Queries for discovering standard post-installation Web server pages

intitle:"Test Page for Apache Installation" "You are free"
    Apache 1.2.6
intitle:"Test Page for Apache Installation" "It worked!" "this Web site!"
    Apache 1.3.0 – 1.3.9
intitle:"Test Page for Apache Installation" "Seeing this instead"
    Apache 1.3.11 – 1.3.33, 2.0
intitle:"Test Page for the SSL/TLS-aware Apache Installation" "Hey, it worked!"
    Apache SSL/TLS
intitle:"Test Page for the Apache Web Server on Red Hat Linux"
    Apache on Red Hat
intitle:"Test Page for the Apache Http Server on Fedora Core"
    Apache on Fedora
intitle:"Welcome to Your New Home Page!" Debian
    Apache on Debian
intitle:"Welcome to IIS 4.0!"
    IIS 4.0
intitle:"Welcome to Windows 2000 Internet Services"
    IIS 5.0
intitle:"Welcome to Windows XP Server Internet Services"
    IIS 6.0
-----------------------------------------------------------------------------------
with SQL database support, used
for adding guestbooks to websites.
In April 2004, information was published about a vulnerability in version 2.2 of the application that makes it possible to access the administration panel using an SQL injection attack (see SQL Injection Attacks with PHP/MySQL in hakin9 3/2005). It is enough to navigate to the panel login screen (see Figure 4) and log in leaving the username blank and entering ') OR ('a' = 'a as the password, or the other way around: leaving the password blank and entering ' or 1=1 -- as the username. A potential attacker can locate vulnerable websites by querying Google for intitle:Guestbook "Advanced Guestbook 2.2 Powered" or "Advanced Guestbook 2.2" Username inurl:admin.
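To show why those two login strings work, and why each one only fits a particular shape of query, here is an added example (not code from the article or from the Advanced Guestbook project). It reconstructs the insecure pattern, a login query assembled by string interpolation, in two hypothetical shapes, one with parentheses around each condition and one without, and runs the article's payloads against both in an in-memory SQLite table constructed for the demonstration. A parameterised version of the same check is included for contrast.

```python
import sqlite3

# Two hypothetical shapes of a concatenated login query. Neither is the
# guestbook's actual code; they are reconstructions of the insecure pattern.
WITH_PARENS = ("SELECT username FROM admin "
               "WHERE (username = '%s') AND (password = '%s')")
NO_PARENS = ("SELECT username FROM admin "
             "WHERE username = '%s' AND password = '%s'")

# The payloads quoted in the article.
PASSWORD_PAYLOAD = "') OR ('a' = 'a"
USERNAME_PAYLOAD = "' or 1=1 --"


def make_db():
    """Constructed in-memory table standing in for the admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, template, username, password):
    """Build the query by string interpolation, as the vulnerable panel does.

    Returns True if a row matches (login accepted), False if none does, and
    None if the injected text produced SQL the database refuses to parse.
    """
    sql = template % (username, password)
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input never becomes SQL syntax."""
    sql = "SELECT username FROM admin WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    return {
        # The password payload closes the open "(password = '" and appends
        # "OR ('a' = 'a')", so it needs the parenthesised shape.
        "parens_password": login_vulnerable(conn, WITH_PARENS, "", PASSWORD_PAYLOAD),
        # The username payload comments out the rest of the line, which only
        # leaves balanced SQL when there is no trailing ")" to lose.
        "noparens_username": login_vulnerable(conn, NO_PARENS, USERNAME_PAYLOAD, ""),
        # Mismatched shape: the query breaks instead of bypassing the login.
        "parens_username": login_vulnerable(conn, WITH_PARENS, USERNAME_PAYLOAD, ""),
        "noparens_password": login_vulnerable(conn, NO_PARENS, "", PASSWORD_PAYLOAD),
        # Bound parameters: the payloads are just unusual passwords/usernames.
        "safe_password": login_safe(conn, "", PASSWORD_PAYLOAD),
        "safe_username": login_safe(conn, USERNAME_PAYLOAD, ""),
        "safe_real": login_safe(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-18s %s" % (name, result))
```

The None results are the practical lesson for a tester: a payload that produces a database error rather than a bypass is a sign of a different query shape, not of a patched application, which is why the article gives two alternative strings.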
To prevent such leaks, administrators should track security advisories for all the applications used by their systems and patch any vulnerabilities immediately. Another thing to bear in mind is that it is well worth removing application banners, names and versions from any pages or files that might contain them, since these are exactly the strings the queries in Tables 2 and 3 search for.
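An administrator can check their own servers for the banners these queries match before Google does. The following is an added example, not code from the article: it takes a raw HTTP response (two constructed samples are embedded, one leaky and one hardened; no real host was queried) and reports a versioned Server or X-Powered-By header, the "Server at" signature line from directory listings, a directory listing title, and the default post-installation page titles listed in Table 3.

```python
import re

# Constructed sample responses for the demonstration (not captured traffic).
LEAKY_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/1.3.28 (Unix) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Content-Type: text/html

<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<address>Apache/1.3.28 Server at www.example.com Port 80</address>
</body></html>
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

<html><head><title>Files</title></head>
<body><h1>Files</h1></body></html>
"""

# Titles of default post-installation pages, taken from Table 3.
DEFAULT_TITLES = (
    "Test Page for Apache Installation",
    "Test Page for the SSL/TLS-aware Apache Installation",
    "Test Page for the Apache Web Server on Red Hat Linux",
    "Test Page for the Apache Http Server on Fedora Core",
    "Welcome to Your New Home Page!",
    "Welcome to IIS 4.0!",
    "Welcome to Windows 2000 Internet Services",
    "Welcome to Windows XP Server Internet Services",
)

VERSIONED = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")      # e.g. Apache/1.3.28
SIGNATURE = re.compile(r"<address>([^<]*Server at[^<]*)</address>", re.I)
TITLE = re.compile(r"<title>([^<]*)</title>", re.I)


def split_response(raw):
    """Split a raw response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def banner_findings(raw):
    """Return a list of strings describing every banner leak found."""
    headers, body = split_response(raw)
    findings = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if VERSIONED.search(value):
            findings.append("%s header reveals version: %s" % (name, value))
    m = SIGNATURE.search(body)
    if m:
        findings.append("server signature in page: %s" % m.group(1).strip())
    t = TITLE.search(body)
    title = t.group(1).strip() if t else ""
    if title in DEFAULT_TITLES:
        findings.append("default post-installation page: %s" % title)
    if title.lower().startswith("index of"):
        findings.append("directory listing enabled: %s" % title)
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, banner_findings(raw) or "no findings")
```

On Apache the signature line and the detailed Server header are controlled by the ServerSignature and ServerTokens directives (ServerSignature Off and ServerTokens Prod produce the hardened sample above); directory listings are disabled by removing Indexes from the relevant Options line.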
Information about
Networks and Systems
Practically all attacks on IT systems
require preparatory target
reconnaissance, usually involving
scanning computers in an attempt
Table 4. Querying for application-generated system reports

"Generated by phpSystem"
    operating system type and version, hardware configuration, logged-in users, open connections, free memory and disk space, mount points
"This summary was generated by wwwstat"
    web server statistics, system file structure
"These statistics were produced by getstats"
    web server statistics, system file structure
"This report was generated by WebLog"
    web server statistics, system file structure
intext:"Tobias Oetiker" "traffic analysis"
    system performance statistics as MRTG charts, network configuration
intitle:"Apache::Status" (inurl:server-status | inurl:status.html | inurl:apache.html)
    server version, operating system type, child process list, current connections
intitle:"ASP Stats Generator *.*" "ASP Stats Generator" "2003-2004 weppos"
    web server activity, lots of visitor information
intitle:"Multimon UPS status page"
    UPS device performance statistics
intitle:"statistics of" "advanced web statistics"
    web server statistics, visitor information
intitle:"System Statistics" +"System and Network Information Center"
    system performance statistics as MRTG charts, hardware configuration, running services
intitle:"Usage Statistics for" "Generated by Webalizer"
    web server statistics, visitor information, system file structure
intitle:"Web Server Statistics for ****"
    web server statistics, visitor information
inurl:"/axs/ax-admin.pl" -script
    web server statistics, visitor information
inurl:"/cricket/grapher.cgi"
    MRTG charts of network interface performance
inurl:server-info "Apache Server Information"
    web server version and configuration, operating system type, system file structure
"Output produced by SysWatch *"
    operating system type and version, logged-in users, free memory and disk space, mount points, running processes, system logs...