Excellent tricks and techniques of Google Hacks
ws_ftp.ini is a configuration file for a popular FTP client that stores usernames,
(weakly) encoded passwords, sites and directories that the user can store for later reference.
These should not be on the web!
That's some good stuff. Just copy/paste the text into your own WS FTP ini file
and you're good as gold (assuming you're using the same version). Don't forget -
even if they have taken the file offline, use the "cache:FULL_URL/wsftp.ini" to see the contents.
probably one of the best exploits I have seen in a long time, when I did it
there were about 20 vulnerable computers, just recently there was 4
so I hope whitehats got to this before anyone else. really nice !!
To see results; just write in the (http://www.google.com/) search engine the code:
intitle:index.of ws_ftp.ini
==============================================
Frontpage.. very nice clean search results listing !!
I magine with me that you can steal or know the password of any web site designed by
"Frontpage". But the file containing the password might be encrypted; to decrypt the
file download the program " john the ripper".
To see results; just write in the (http://www.google.com/) search engine the code:
"# -FrontPage-" inurl:service.pwd
==============================================
This searches the password for "Website Access Analyzer", a Japanese software that
creates webstatistics.
To see results; just write in the (http://www.google.com/) search engine the code:
"AutoCreate=TRUE password=*"
==============================================
This is a query to get inline passwords from search engines (not just Google),
you must type in the query followed with the the domain name without the .com or .net.
To see results; just write in the (http://www.google.com/) search engine the code:
"http://*:*@www" bangbus or "http://*:*@www"bangbus
Or
http://bob:bob@www
Or
http://admin:*@www
==============================================
This search is a cleanup of a previous entry by J0hnny. It uses "parent directory"
to avoid results other than directory listings.
WS_FTP.ini is a configuration file for a popular win32 FTP client that stores
usernames and weakly encoded passwords.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:ini ws_ftp pwd
Or
"index of/" "ws_ftp.ini" "parent directory"
==============================================
Microsoft Frontpage extensions appear on virtually every type of scanner. In the late 90's
people thought they where hardcore by defacing sites with Frontpage. Today, there are still
vulnerable servers found with Google.
An attacker can simply take advantage from administrators who 'forget' to set up the policies
for Frontpage extensions. An attacker can also search for 'filetype:pwd users'.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:pwd service
==============================================
Not all of these pages are administrator's access databases containing usernames, passwords and
other sensitive information, but many are! And much adminstrated passwords and user passwords,
a lot of emails and the such too…
To see results; just write in the (http://www.google.com/) search engine the code:
allinurl: admin mdb
==============================================
DCForum's password file. This file gives a list of (crackable) passwords, usernames and email
addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun.
To see results; just write in the (http://www.google.com/) search engine the code:
allinurl:auth_user_file.txt
==============================================
This search brings up sites with "config.php" files. To skip the technical discussion,
this configuration file contains both a username and a password for an SQL database.
Most sites with forums run a PHP message base. This file gives you the keys to that forum,
including FULL ADMIN access to the database. To see view the PHP files; there in lies the catch.
Browsers are made to process the commands of PHP before display, so if no commands, nothing to show.
You can't use that persay to get into the config file, but it would show potential threats
if someone got into server anyway. (If that happens you're basically boned anyway, not much around that.
To see results; just write in the (http://www.google.com/) search engine the code:
intitle:index.of config.php
By the way, to know how to view the PHP file contents, you can use this code:
intitle:"Index of" phpinfo.php
==============================================
These files contain ColdFusion source code. In some cases, the pages are examples that are found in
discussion forums. However, in many cases these pages contain live sourcecode with usernames,
database names or passwords in plaintext.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:cfm "cfapplication name" password
==============================================
FlashFXP offers the easiest and fastest way to transfer any file using FTP, providing an exceptionally
stable and robust program that you can always count on to get your job done quickly and efficiently.
There are many, many features available in FlashFXP.
The flashFXP.ini file is its configuration file and may contain usernames/passwords and everything
else that is needed to use FTP.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:ini inurl:flashFXP.ini
==============================================
The encryption method used in WS_FTP is _extremely_ weak. These files can be found with the "index of"
keyword or by searching directly for the PWD= value inside the configuration file.
There is an easy way to decrypt the hash, use the decryptor at:
http://www.codebluehacks.com/Tools.php?ID=1
Or
http://www.hispasec.com/directorio/laboratorio/Software/ws_ftp.html
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:ini ws_ftp pwd
==============================================
These files contain cleartext usernames and passwords, as well as the sites associated with those credentials.
Attackers can use this information to log on to that site as that user.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:log inurl:"password.log"
==============================================
Web Wiz Forums is a free ASP Bulletin Board software package. It uses a Microsoft Access database for storage.
The installation instructions clearly indicate to change the default path and filename (admin/database/wwForum.mdb).
vendor: http://www.webwizguide.info/web_wiz_forums/
The forum database contains the members passwords, either encrypted or in plain text, depending on the version.
Please note: this search is proof that results can stay in Google's index for a long time, even when they are not
on the site any longer. Currently only 2 out of 9 are actually still downloadable by an attacker.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:mdb wwforum
==============================================
VNC is a remote-controlled desktop product. Depending on the configuration, remote users may not be presented with
a password. Even when presented with a password, the mere existance of VNC can be important to an attacker,
as is the open port of 5800.
To see results; just write in the (http://www.google.com/) search engine the code:
"VNC Desktop" inurl:5800
By the way, New version of VNC changed title to VNC Viewer so now you can search for…
intitle:vnc.desktop inurl:5800
==============================================
linux vpns store their usernames and passwords for CHAP authentification in a file called "chap-secrets"
where the usernames and the passwords are in cleartext.
To see results; just write in the (http://www.google.com/) search engine the code:
inurl:chap-secrets -cvs
==============================================
These lock files often contain usernames of the user that has locked the file.
Username harvesting can be done using this technique.
To see results; just write in the (http://www.google.com/) search engine the code:
"index of" / lck
==============================================
A standard FTP configuration file that provides far too many details about how the server
is setup, including installation paths, location of logfiles, generic username and associated group, etc.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:conf inurl:proftpd.conf -sample
==============================================
This search finds registry files from the Windows Operating system. Considered the "soul" of the system,
these files, and snippets from these files contain sensitive information, in this case usernames and/or passwords.
To see results; just write in the (http://www.google.com/) search engine the code:
filetype:reg reg HKEY_CURRENT_USER username
==============================================
Allows an attacker to create an account on a server running Argosoft mail server pro for windows
with unlimited disk quota (but a 5mb per message limit should you use your account to send mail).
To see results; just write in the (http://www.google.com/) search engine the code:
"adding new user" inurl:addnewuser -"there are no domains"
==============================================
The famous Sun linux appliance. The default page displays this text:
"Congratulations on Choosing a Cobalt RaQ - the premier server appliance platform for web hosting.
This page can easily be replaced with your own page. To replace this page, transfer
your new content to the directory /home/sites/home/web".
To see results; just write in the (http://www.google.com/) search engine the code:
(inurl:81/cgi-bin/.cobalt/)
(intext:"Welcome to the Cobalt RaQ")
==============================================
WS_FTP.LOG can be used in many ways to find more information about a server.
This query is very flexible, just substitute "+htpasswd" for "+FILENAME" and
you may get several hits that you hadn't seen with the 'normal' search.
Filenames suggested by the forum to explore are: phpinfo, admin, MySQL, password,
htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage,
CMS, backend, https, editor, intranet . The list goes on and on..
A different approach might be "allinurl: "some.host.com" WS_FTP.LOG filetype:log"
which tells you more about who's uploading files to a specific site.
To see results; just write in the (http://www.google.com/) search engine the code:
+htpasswd +WS_FTP.LOG filetype:log
==============================================
The Web Data Administrator is a utility program implemented in ASP.NET
that enables you to easily manage your SQL Server data wherever you are.
Using its built-in features, you can do the following from Internet Explorer
or your favorite Web browser.
Create and edit databases in Microsoft SQL Server 2000 or Microsoft SQL Server
2000 Desktop Engine (MSDE) Perform ad-hoc queries against databases and save
them to your file system Export and import database schema and data.
To see results; just write in the (http://www.google.com/) search engine the code:
intitle:"Web Data Administrator - Login"
==============================================
The Aanval Intrusion Detection Console is an advanced intrusion detection monitor
and alerting system. Currently supporting modules for Snort and syslog - Aanval
provides real-time monitoring, reporting, alerting and stability. Aanval's
web-browser interface provides real-time event viewing and system/sensor management.
To see results; just write in the (http://www.google.com/) search engine the code:
intitle:"remote assessment" OpenAanval Console
