Kompleks intitle all user posts. Hide your friends list from prying eyes. Errors in the web application

Today I will talk about another search engine used by pentesters and hackers: Google, or more precisely the hidden capabilities of Google search.

What are Google Dorks?

Google Dorks, or Google Dork Queries (GDQ), are search queries crafted to find the grossest security holes: anything that has not been properly hidden from search engine crawlers.

For brevity such queries are called Google Dorks or simply dorks, after the admins whose resources were hacked with their help.

Google Operators

To begin with, here is a short list of useful Google operators. Of all the advanced search operators, four matter most for dorking:

  • site: restricts the search to a specific site or domain;
  • inurl: requires the term that follows it to appear in the page address (URL);
  • intitle: requires the term to appear in the page title (the HTML <title> element);
  • ext: or filetype: searches for files of a specific type by extension.

When composing a dork, you also need a few operators that are written as special characters:

  • | : the OR operator (a vertical bar, logical OR; the word OR in capitals works the same way) returns results that contain at least one of the listed terms.
  • "" : quotation marks require an exact phrase match.
  • - : the minus operator excludes results that contain the term written right after it.
  • * : the asterisk is a wildcard that stands for any word or words.

Operators are written without a space after the colon (site:example.com, not site: example.com); a space turns the operator into an ordinary search word.

Where to find Google dorks

The most interesting dorks are fresh ones, and the freshest are the ones a pentester finds himself. However, if you get too carried away with experiments, Google will temporarily block your searches until you solve a CAPTCHA.

If you run out of imagination, you can look for fresh dorks on the net. The best site for that is Exploit-DB.

Exploit-DB is a non-profit project of Offensive Security (OffSec). For those not in the know, this company provides information security training and penetration testing services.

Exploit-DB hosts a huge number of dorks and exploits. To browse the dorks, open the site and go to the "Google Hacking Database" section.

The database is updated regularly, and the latest additions are shown at the top. The columns show the date the dork was added, its title and its category.


Exploit-DB website

Further down you will find the dorks sorted by category.


Exploit-DB website

Another good site is this one: it often carries interesting new dorks that do not always end up on Exploit-DB.

Examples of using Google Dorks

Here are some examples of dorks. When experimenting with dorks, don't forget the disclaimer!

This material is for informational purposes only. It is addressed to specialists in the field of information security and those who are going to become one. The information presented in the article is provided for informational purposes only. Neither the editors of the website www.site nor the author of the publication bear any responsibility for any harm caused by the material of this article.

Dorks for finding site problems

Sometimes it is useful to examine a site's structure by getting a list of its files. On WordPress, wp-admin/maint/repair.php is the database repair script. If the administrator has left WP_ALLOW_REPAIR defined in wp-config.php, the page is reachable without logging in and reports the name and status of every database table, which gives away the table prefix and the site's database layout.

The inurl: operator applies only to the single term immediately after it. If we wrote allinurl: instead, every term in the query would have to appear in the URL, which gives a different (usually narrower) result set. So a query like this is enough:

inurl:/maint/repair.php?repair=1

The result is a list of WordPress sites whose database layout can be inspected through repair.php.
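As an added worked example (my code, not part of the original article and not any Google tool), here is a small evaluator that applies the operator semantics described above, including the difference between inurl: and allinurl:, to a constructed index of three imaginary pages. Everything in it (page URLs, titles and texts) is made up, and the matching rules approximate Google's documented behaviour (punctuation as separators, * as a wildcard word, exact phrases, site:, filetype:, exclusion and OR) rather than reproduce its engine.

```python
import re
from urllib.parse import urlparse

# Constructed sample index: three imaginary pages (URL, <title>, visible text).
# Not real search results; shaped after the dorks discussed in the article.
PAGES = [
    {"url": "https://blog.example/wp-admin/maint/repair.php?repair=1",
     "title": "WordPress - Database Repair",
     "text": "The wp_posts table is okay. The wp_users table is okay."},
    {"url": "https://blog.example/2019/repair-your-bike/",
     "title": "Repair your bike in ten minutes",
     "text": "A guide to bicycle repair. Nothing to do with PHP."},
    {"url": "https://files.example/app/config/",
     "title": "Index of /app/config",
     "text": "parameters.yml  config.yml  routing.yml"},
]

FIELD_OF = {"inurl": "url", "intitle": "title", "intext": "text",
            "allinurl": "url", "allintitle": "title", "allintext": "text"}
KNOWN_OPS = set(FIELD_OF) | {"site", "filetype", "ext"}


def _tokens(query):
    # A token is an optional '-', an optional 'op:', then a "quoted phrase" or a bare word.
    return re.findall(r'-?(?:\w+:)?"[^"]*"|\S+', query)


def _term(tok, default_op="any"):
    neg = tok.startswith("-")
    tok = tok[1:] if neg else tok
    m = re.match(r"(\w+):(.*)", tok, re.S)
    if m and m.group(1).lower() in KNOWN_OPS:
        op, val = m.group(1).lower(), m.group(2)
    else:
        op, val = default_op, tok
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]                      # "exact phrase" -> exact phrase
    return neg, op, val


def parse(query):
    """Turn a dork into AND-groups of OR-alternatives: [[term, ...], ...].
    inurl:/intitle:/intext: bind to the single term that follows them;
    allinurl:/allintitle:/allintext: apply to every remaining term."""
    groups, want_or, toks, i = [], False, _tokens(query), 0
    while i < len(toks):
        tok = toks[i]
        i += 1
        if tok.upper() == "AND":
            continue
        if tok.upper() == "OR" or tok == "|":
            want_or = True
            continue
        neg, op, val = _term(tok)
        if op.startswith("all"):             # swallow the rest of the query
            rest = ([val] if val else []) + toks[i:]
            groups.extend([[_term(t, op[3:])] for t in rest])
            break
        if want_or and groups and not neg and not groups[-1][0][0]:
            groups[-1].append((neg, op, val))
        else:
            groups.append([(neg, op, val)])
        want_or = False
    return groups


def _phrase(term):
    # Punctuation separates words and '*' is a wildcard word, so
    # 'index.of' == "index of" and 'Leonardo * Vinci' matches 'Leonardo da Vinci'.
    pieces = [p for p in re.split(r"[^\w*]+", term) if p]
    if not pieces:
        return None
    body = r"\W+".join(re.escape(p).replace(r"\*", r"\w*") for p in pieces)
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.I)


def _hit(page, op, val):
    u = urlparse(page["url"])
    host = (u.hostname or "").lower()
    if op == "site":                         # site:example.com also covers subdomains;
        want = val.lower().lstrip("*.")      # site:*.example.com covers only subdomains
        return host.endswith("." + want) or (host == want and not val.startswith("*"))
    if op in ("filetype", "ext"):
        return u.path.rsplit("/", 1)[-1].lower().endswith("." + val.lower())
    rx = _phrase(val)
    if rx is None:
        return True
    field = FIELD_OF.get(op)
    hay = page[field] if field else " ".join(page.values())
    return rx.search(hay) is not None


def matches(page, query):
    return all(any(_hit(page, op, val) != neg for neg, op, val in grp)
               for grp in parse(query))


def search(query, pages=PAGES):
    """Return the URLs of the sample pages that the dork would select."""
    return [p["url"] for p in pages if matches(p, query)]


if __name__ == "__main__":
    for q in ("inurl:/maint/repair.php?repair=1", "inurl:repair php",
              "allinurl:repair php", "repair -inurl:php",
              "intitle:index.of inurl:app/config/ intext:parameters.yml"):
        print(f"{q!r:60} -> {search(q)}")
```

Running it shows the point of the paragraph: inurl:repair php matches both the repair.php page and the bicycle article (php only has to appear somewhere on the page), while allinurl:repair php keeps only the page whose URL contains both words.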


Examining the structure of a WP site

WordPress with unnoticed configuration errors causes administrators a lot of trouble. From an open log you can learn at least the names of scripts and uploaded files.

inurl:"wp-content/uploads/file-manager/log.txt"

In our experiment, this simplest of queries turned up a direct link to a backup in the log, which could then be downloaded.


Finding valuable info in WP logs

A lot of valuable information can be fished out of logs. It is enough to know what they look like and how they differ from the mass of other files. For example pgAdmin, the open source web interface for PostgreSQL, writes a service log, pgadmin.log (pgadmin4.log in pgAdmin 4). It often contains usernames, database column names, internal addresses and the like.

The log is found with an elementary query:

ext:log inurl:"/pgadmin"

There is an opinion that open source means safe code. In itself, however, open source only means that the code can be studied, and the goals of such study are not always good.

For example, Symfony Standard Edition is a popular web application framework. On deployment (Symfony 2 and 3) it creates an app/config/parameters.yml file holding the database name, the database user and password, and the application secret.

You can find this file with the following query:

inurl:app/config/ intext:parameters.yml intitle:index.of


Another file with passwords

Of course, the password may have been changed since, but most often it stays as it was set at deployment.

The open source UniFi API browser tool is increasingly used in corporate environments. It is used to manage "seamless Wi-Fi" wireless network segments, that is, an enterprise deployment in which many access points are controlled from a single controller.

The tool displays data requested through the Ubiquiti UniFi Controller API: statistics, connected clients and other details of the controller's operation.

The developer honestly warns: "Please do keep in mind this tool exposes A LOT OF the information available in your controller, so you should somehow restrict access to it! There are no security controls built into the tool ...". Many evidently do not take the warning seriously.

Knowing this and sending one more specific query, you will see plenty of service data, including application keys and passphrases.

inurl:"/api/index.php" intitle:UniFi

The general rule: first pick the most specific words that characterise the target. If it is a log file, what distinguishes it from other logs? If it is a file with passwords, where and in what form are they stored? Marker words always sit in some specific place, for example the page title or the address. Narrowing the scope and naming precise markers gives you a raw result set; then refine the query to clean out the noise.

Dorks for finding open NAS devices

Home and office network storage is popular these days; the NAS function is built into many external drives and routers. Most owners do not bother with protection and do not even change default passwords such as admin/admin. Popular NAS models can be found by the typical titles of their web pages. For example, the query:

intitle:"Welcome to QNAP Turbo NAS"

returns a list of QNAP NAS hosts. All that remains is to find a weakly protected one among them.

The QNAP cloud service (like many others) can share files through a private link. The problem is that it is not that private.

inurl:share.cgi?ssid=


Finding shared files

This simple query shows files shared through the QNAP cloud. They can be viewed directly in the browser or downloaded for closer study.

Dorks for finding IP cameras, media servers and web admin panels

Besides NAS, advanced Google search finds plenty of other network devices that are managed through a web interface.

CGI scripts are most often used for this, so the main.cgi file is a promising target. It can occur anywhere, though, so the query needs refining.

For example, add a typical call, ?next_file. The resulting dork looks like this:

inurl:"img/main.cgi?next_file"

Apart from cameras, media servers are open to everyone in much the same way. This is especially true of Twonky servers (originally by PacketVideo, now Lynx Technology). They have a very recognisable name and a default port of 9000.

For cleaner results, include the port number in the URL part and exclude it from the text part of the pages. The query takes the form:

intitle:"twonky server" inurl:"9000" -intext:"9000"


Video library by years

A Twonky server is typically a huge media library sharing content over UPnP. Authentication is often disabled "for convenience".

Dorks for finding vulnerable services

Big data is all the rage now, and it is believed that adding Big Data to anything will magically make it better. In reality there are very few real specialists, and in its default configuration big data leads to big vulnerabilities.

Hadoop is one of the simplest ways to compromise terabytes or even petabytes of data. This open source platform has well-known page titles, port numbers and service pages that make the nodes it manages easy to find.

intitle:"Namenode information" AND inurl:":50070/dfshealth.html"


Big Data? Big vulnerabilities!

Such a combined query returns a list of exposed Hadoop NameNode web interfaces. Through them the HDFS file system can be browsed straight from the browser and any file downloaded. Port 50070 is the Hadoop 2 default; Hadoop 3 moved the NameNode UI to port 9870, so check both.
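Added example, not from the article: the dorks above turned into a self-audit for a domain you are responsible for. The dork strings are the ones quoted in the sections above; the exposure-class names, the path regexes used to recognise the same resources in your own URL inventory (a sitemap, crawler output or access-log paths), and the sample inventory are my own assumptions. The script generates site:-scoped queries to run by hand and triages a list of URLs, so it runs offline without touching Google.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Exposure signatures: (class name, dork quoted in the article, my own path regex).
# The regexes are applied to "host:port/path?query" so that signatures that live
# on a port (Hadoop NameNode) or in a query string (QNAP share links) still match.
SIGNATURES = [
    ("wordpress-repair",   'inurl:/maint/repair.php?repair=1',
     r"/maint/repair\.php"),
    ("wp-filemanager-log", 'inurl:"wp-content/uploads/file-manager/log.txt"',
     r"/wp-content/uploads/file-manager/log\.txt$"),
    ("pgadmin-log",        'ext:log inurl:"/pgadmin"',
     r"/pgadmin.*\.log$"),
    ("symfony-parameters", 'inurl:app/config/ intext:parameters.yml intitle:index.of',
     r"/app/config/(parameters\.yml)?$"),
    ("unifi-api-browser",  'inurl:"/api/index.php" intitle:UniFi',
     r"/api/index\.php$"),
    ("qnap-share-link",    'inurl:share.cgi?ssid=',
     r"/share\.cgi\?ssid="),
    ("cgi-camera",         'inurl:"img/main.cgi?next_file"',
     r"/img/main\.cgi\?next_file"),
    ("hadoop-namenode",    'intitle:"Namenode information" AND inurl:":50070/dfshealth.html"',
     r":(50070|9870)/dfshealth\.html"),     # 9870: Hadoop 3 NameNode UI port
    ("backup-archive",     'filetype:sql',
     r"\.(sql|bak|tar\.gz)$"),
]
_COMPILED = [(name, re.compile(rx, re.I)) for name, _, rx in SIGNATURES]

# Constructed URL inventory for the demo (invented hosts and paths).
SAMPLE_INVENTORY = [
    "https://www.example.com/about/",
    "https://blog.example.com/wp-admin/maint/repair.php?repair=1",
    "https://dev.example.com/app/config/parameters.yml",
    "http://10.0.0.12:50070/dfshealth.html",
    "https://nas.example.com/share.cgi?ssid=1a2b3c",
    "https://www.example.com/dumps/site-2020.sql",
]


def audit_dorks(domain):
    """Site-scoped versions of the article's dorks, to run by hand against
    your own domain (site:example.com also covers its subdomains)."""
    return [(name, f"site:{domain} {dork}") for name, dork, _ in SIGNATURES]


def classify(url):
    """Return the exposure class of a URL, or None if it matches nothing."""
    u = urlparse(url)
    target = u.netloc + u.path + ("?" + u.query if u.query else "")
    for name, rx in _COMPILED:
        if rx.search(target):
            return name
    return None


def triage(urls):
    """Group a URL inventory by exposure class; unclassified URLs are dropped."""
    found = defaultdict(list)
    for url in urls:
        cls = classify(url)
        if cls:
            found[cls].append(url)
    return dict(found)


if __name__ == "__main__":
    for name, dork in audit_dorks("example.com"):
        print(f"{name:20} {dork}")
    for cls, urls in triage(SAMPLE_INVENTORY).items():
        print(cls, urls)
```

The site: scoping only helps for hosts under a DNS name you own; devices reached by bare IP (NAS, cameras, Hadoop nodes) show up in your own inventory, which is why classify() matches on host and port as well as path.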

Google dorks are a powerful tool for any pentester, and not only security specialists but ordinary network users should know about them.

Additional commands to the Google search engine give much better results. They narrow the search area and tell the engine which pages not to look at.

Operator "Plus" (+):
Used to force a word to be present in the text. Put "+" immediately before the mandatory word. Suppose the query Terminator 2 returns information about the films Terminator, Terminator 2 and Terminator 3. To keep only results about Terminator 2, put a plus sign in front of the 2: Terminator +2. The same applies to a query such as Home Alone +I. Note that Google retired the "+" operator in 2011; today the same effect is achieved by putting the word in quotation marks.

For example:
Magazine +Murzilka
Equation +Bernoulli

Range operator (..):
For those who work with numbers, Google can search for numeric ranges. To find all pages containing numbers in a given range "from - to", put two dots (..) between the extreme values: the range operator.

For example:
Buy the book $100..$150
Population 1913..1935

Excluding words from the query. Logical NOT (-):
The minus operator (-) excludes words from the results, that is, a logical "NOT". Useful when the plain search results are too cluttered.

For example:
Aquarium -group : everything about aquariums, excluding the band "Aquarium"

Search for the exact phrase (""):
Useful for finding a specific text (a whole article from a quotation). To do this, enclose the query in double quotation marks.

For example:
"And the dungeon is cramped, and there is only one freedom. And we always rely on it" : finding Vysotsky's ballad from a single line

Note: Google allows you to enter a maximum of 32 words per query string.

Truncating a word (*):
Sometimes you need to find a phrase in which one or more words are unknown. Use the "*" operator in place of the unknown words: "*" stands for any word or group of words.

For example:
Master and *
Leonardo * Vinci

Cache operator:
The search engine keeps the version of a page's text that its crawler indexed in a special store called the cache. The cached copy can be retrieved when the original is unavailable (for example, the server it lives on is down). It is shown as stored in the search engine's database, with a banner at the top stating that it is a cached page and when the copy was made; the query keywords are highlighted, each in its own colour. A query of the form cache:page_address returns the cached copy of that address directly. To search for something inside the cached page, add the search terms after the address, separated by a space.

For example:
cache:www.site
cache:www.site tournaments

Remember that there must be no space between the ":" and the page address. Note also that Google removed the cache: operator in 2024; the Wayback Machine is the usual substitute for looking at old copies of a page.

Filetype operator:
As you know, Google indexes more than HTML pages. If you need to find something in a file type other than HTML, use the filetype operator, which restricts the search to a specific file type (html, pdf, doc, rtf ...).

For example:
HTML specification filetype:pdf
Compositions filetype:rtf

Info operator:
The info operator shows the information Google holds about a given page.

For example:
info:www.site

Site operator:
This operator restricts the search to a specific domain or site. That is, the query marketing intelligence site:www.site returns only pages on www.site that contain the words "marketing" and "intelligence".

For example:
Music site:www.site
Books site:ru

Link operator:
This operator shows pages that link to the page named in the query. So link:www.google.com returns pages that have links to google.com. Google stopped supporting link: in 2017; for sites you control, Search Console shows inbound links instead.

For example:
link:www.site
Friends link:www.site

Allintitle operator:
If the query starts with the allintitle operator ("everything in the title"), Google returns pages in which all the words of the query appear in the title (inside the TITLE tag in HTML).

For example:
allintitle:free software
allintitle:download music albums

Intitle operator:
Only the word immediately after intitle: has to appear in the title; the other query words can appear anywhere in the text. Putting intitle: before every word of the query is equivalent to using allintitle:.

For example:
intitle:programs download
intitle:free intitle:download software

Allinurl operator:
If the query begins with allinurl, the search is limited to documents in which all the query words appear in the page address, that is, in the URL.

For example:
allinurl:rus games
allinurl:books fantasy

Inurl operator:
The word written directly after inurl: (no space) is looked for only in the page address; the remaining words can be anywhere on the page.

For example:
inurl:books download
inurl:games crack

Related operator:
This operator finds pages that "look like" a given page. So related:www.google.com returns pages on topics similar to Google's.

For example:
related:www.site

Define operator:
This operator acts as a kind of dictionary and quickly returns the definition of the word entered after it.

For example:
define:kangaroo
define:motherboard

Synonym search operator (~):
To find texts containing not only your keywords but also their synonyms, put "~" before the word whose synonyms you want. Google dropped the "~" operator in 2013, so it is of historical interest only.

For example:
Types ~metamorphosis
~Object orientation


1. Find a person by phone number

Who called from an unknown number and breathed into the receiver? Who is the "Lena of Mordor" who appeared in the phone book after Saturday's party? Enter the last 10 digits of the number into the Facebook search bar and you will most likely find out. By default, looking up a person by phone number is enabled for all users.


If you do not want this trick used on you, change your privacy settings.


2. Disable the "Seen" status in messages

This feature destroys relationships and lives! Nobody likes seeing their carefully chosen funny pictures and important news openly ignored.


If you are not one of those who can coolly leave acquaintances' messages unanswered, use a browser extension that disables the "Seen / Not seen" status in the desktop version of Facebook. For Chrome this is Facebook Unseen; for Firefox and Internet Explorer, Chat Undetected. There is a downside: with these extensions you will not see the read status of your own messages either.


3. Hide your online status from pesky friends

If a friend has completely worn you out, turn off chat for him: click the gear in the right-hand friends column and choose "Advanced settings".


Messages from a disabled chat are still stored in the Inbox, but, unlike the previous tip, you will not be able to read them unnoticed.


4. See only posts from friends and the communities you follow in your news feed

Facebook wants to drag everyone as deep as possible into its quagmire. That is why it shows you posts your friends have liked or commented on. There is a way, though, to leave only the posts of friends and of communities you follow in your feed.

Install the Friends Feed extension for Chrome. With it, extraneous posts are either hidden or greyed out, depending on the setting you choose.

5. Read hidden messages

Who knows, maybe your life is not as boring as it seems. Perhaps you were invited to a dream job, secret admirers confessed their love and their fans threatened to kill you. You knew nothing about it, because Facebook puts messages from people you are not connected to into a hidden folder and does not notify you about them. Click the "Other" tab (recently renamed "Message Requests") next to the main messages and see everything that was hidden!

6. Hide your friends list from prying eyes

Let's not even speculate about why you might be ashamed of your Facebook friends. Just go to the "Friends" tab on your profile page, click the pencil and choose who can see your circle of friends on Facebook.

7. Disable video autoplay

In one fell swoop you can bring some calm to your feed and save mobile data: turn off automatic video playback. In the Facebook app, go to Account Settings > Videos & Photos > Autoplay and choose the setting you want.

8. Share GIFs on Facebook

Do you love GIFs as much as we do? If so, here is how to share them on Facebook. Paste the link to the GIF into the status field (you cannot upload one directly from your computer). Once it has loaded, the link can be deleted. Publish.

9. Change your relationship status without unnecessary drama

A long time can pass between the inner decision to end a relationship and announcing it to the other party, and you want to start looking for new romantic adventures on Facebook right away. By default, a change in relationship status is announced in all your friends' feeds, so remember to choose "Only Me" under About > Family and Relationships.

10. Save interesting posts to read later

Thousands of posts appear in your Facebook feed every day; reading them all is impossible even if you give up on work entirely. Fortunately, the social network has a built-in bookmarking feature: to save a post for later, click the arrow in its upper right corner.

Protecting confidential data matters to every company. A leak of client logins and passwords, or the loss of system files hosted on a server, can cause not only financial losses but also destroy the reputation of a seemingly reliable organisation. The author of the article is Vadim Kulish.

Weighing all the possible risks, companies deploy the newest technologies and spend huge sums trying to prevent unauthorised access to valuable data.
But have you ever considered that, besides sophisticated, well-planned attacks, there are simple ways to find files that were not protected well? We are talking about search operators: words added to a search query to get more precise results. But first things first.

Surfing the Internet is unimaginable without search engines such as Google, Yandex and Bing. A search engine indexes a great many sites using crawlers (search robots) that process huge amounts of data and make it searchable.

Popular Google search operators

The following operators make the search more precise:

* site: restricts the search to a specific resource

Example: the query site:example.com finds everything Google has indexed for example.com.

* filetype: searches for a specific file type

Example: together with site:, it lists all files of the given type on the site that Google has indexed.

* inurl: searches in the resource URL

Example: the query site:example.com inurl:admin looks for the administration panel on the site.

* intitle: searches in the page title

Example: the query site:example.com intitle:"Index of" looks for pages on example.com with a directory listing.

* cache: shows the Google cache

Example: the query cache:example.com returned the cached copy of example.com (Google has since removed this operator).

Unfortunately, search robots cannot determine the type or confidentiality of information. They therefore treat a blog post written for a wide audience and a database backup left in the web server's root directory, which no outsider should be able to reach, exactly the same way.

Thanks to this, and with the help of search operators, attackers can find vulnerabilities in web resources, information leaks (backups, web application error text) and hidden resources such as admin panels with no authentication or authorisation.

What confidential data can be found on the web?

Information that search engines may find and that could interest attackers includes:

* Third-level domains of the resource under study

Subdomains can be discovered with the site: operator. For example, site:*.example.com lists the third-level domains of example.com. Such queries reveal hidden administration resources, version control systems, build servers and other applications with a web interface.

* Hidden files on the server

Various parts of a web application can appear in search results. To find them, use the query filetype:php site:example.com. This reveals functionality of the application that was not previously known, as well as other information about it.

* Backups

Backups are searched for with the filetype: keyword. Backups are stored under various extensions, but the most common are bak, tar.gz and sql. Example query: site:*.example.com filetype:sql. Backups often contain logins and passwords for administrative interfaces, as well as user data and the site's source code.

* Errors in the web application

Error text can include all sorts of information about the application's components (web server, database, web application platform). Such information is always very interesting to attackers, as it tells them more about the target and lets them refine the attack. Example query: site:example.com "warning" "error".

* Logins and passwords

After a web application is hacked, its users' data may be published on the Internet. The query filetype:txt "login" "password" finds files with logins and passwords. In the same way you can check whether your mail or any other account has been compromised: search for filetype:txt "your_username_or_email".

Combinations of keywords and search strings used to find confidential information are called Google Dorks.

They are collected in the public Google Hacking Database (GHDB), started by Johnny Long and now maintained by Exploit-DB (Offensive Security), not by Google itself. Any company representative, whether CEO, developer or webmaster, can run the queries and see how well valuable data is protected. All dorks are categorised for easy search.
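Added example (my code, not the author's): the crawler-side view of the problem. Since a search engine cannot tell a backup from a blog post, the place to notice an exposure before it is indexed is your own access log. The script below parses constructed combined-format log lines and flags crawler fetches of sensitive paths, crawler requests that came back as server errors (the error text will be indexed), crawler requests for sensitive paths that 404ed (something links there), and direct downloads of backup files. The log lines, IP addresses, user-agent tokens and path heuristics are constructed assumptions, not data from the article.

```python
import re
from collections import Counter

# Constructed "combined" access-log lines (Apache/nginx default format).
# Addresses, paths and timestamps are invented for this example.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Mar/2021:08:15:02 +0000] "GET /backup/site-2021-03-01.sql HTTP/1.1" 200 5242880 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2021:08:15:09 +0000] "GET /app/config/ HTTP/1.1" 200 1832 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.9 - - [10/Mar/2021:08:16:44 +0000] "GET /index.php?id=1' HTTP/1.1" 500 2210 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.7 - - [10/Mar/2021:08:17:01 +0000] "GET /backup/site-2021-03-01.sql HTTP/1.1" 200 5242880 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
66.249.66.1 - - [10/Mar/2021:08:18:30 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2021:08:19:00 +0000] "GET /secret/passwords.txt HTTP/1.1" 404 312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# User-agent tokens of the major search crawlers. A UA string is self-declared,
# so in production confirm it with a reverse-then-forward DNS check of the IP.
CRAWLERS = ("Googlebot", "bingbot", "YandexBot", "DuckDuckBot", "Baiduspider")

# Path heuristics for the exposure classes listed above (my own regexes).
SENSITIVE = [
    ("backup",      re.compile(r"\.(sql|bak|tar\.gz|zip|old)(\?|$)", re.I)),
    ("credentials", re.compile(r"passw|login|secret|\.env|parameters\.yml", re.I)),
    ("config-dir",  re.compile(r"/(config|\.git|wp-content/uploads/file-manager)/?(\?|$)", re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_crawler(ua):
    return any(tok in ua for tok in CRAWLERS)


def sensitive_class(path):
    for name, rx in SENSITIVE:
        if rx.search(path):
            return name
    return None


def detect(log_text):
    """Return findings, each {kind, ip, path, status, class}, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        crawler, cls = is_crawler(rec["ua"]), sensitive_class(rec["path"])
        kind = None
        if crawler and rec["status"] >= 500:
            kind = "crawler-indexed-error"       # error page will end up in the index
        elif crawler and cls and rec["status"] == 200:
            kind = "crawler-indexed-sensitive"   # the file is being indexed right now
        elif crawler and cls:
            kind = "crawler-probed-sensitive"    # a link to it exists somewhere
        elif cls and rec["status"] == 200:
            kind = "direct-sensitive-fetch"      # a human (or tool) downloaded it
        if kind:
            findings.append({"kind": kind, "ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "class": cls})
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a daily report."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']:26} {f['ip']:14} {f['status']} {f['path']}")
    print(summarize(found))
```

A crawler-indexed-sensitive hit is the signal to remove the file and request de-indexing; once a dork finds it, the copy in the search engine cache outlives the file on your server.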


How Google Dorks made hacking history

Finally, some examples of how Google Dorks helped attackers obtain sensitive but poorly protected information:

Case study #1. Leak of confidential documents on a bank's website

During a security assessment of a bank's official website, a huge number of PDF documents were found with the query site:bank-site filetype:pdf. Their content turned out to be interesting: floor plans of the premises housing the bank's branches across the country. This information would be of great interest to bank robbers.

Case study #2. Search for payment card data

Very often, after hacking online stores, criminals obtain users' payment card data. To share it among themselves they use public services that Google indexes. Example query: "Card Number" "Expiration Date" "Card Type" filetype:txt.


