1 11 "cacheserverreport for" "This analysis was produced by calamaris" "cacheserverreport for" "This analysis was produced by calamaris" These are squid server cache reports. Fairly benign, really except when you consider using them for evil purposes. For example, an institution stands up a proxy server for their internal users to get to the outside world. Then, the internal user surf all over to their hearts content (including intranet pages cuz well, the admins are stupid) Voila, intranet links show up in the external cache report. Want to make matters worse for yourself as an admin? OK, configure your external proxy server as a trusted internal host. Load up your web browser, set your proxy as their proxy and surf your way into their intranet. Not that I've noticed any examples of this in this google list. *COUGH* *COUGH* *COUGH* unresolved DNS lookups give clues *COUGH* *COUGH* ('scuse me. must be a furball) OK, lets say BEST CASE scenario. Let's say there's not security problems revealed in these logs. Best case scenario is that outsiders can see what your company/agency/workers are surfing. 2 11 intitle:"Ganglia" "Cluster Report for" intitle:"Ganglia" "Cluster Report for" These are server cluster reports, great for info gathering. Lesse, what were those server names again? 3 11 intitle:"Index of" dbconvert.exe chats intitle:"Index of" dbconvert.exe chats ICQ (http://www.icq.com) allows you to store the contents of your online chats into a file. These folks have their entire ICQ directories online. On purpose? 4 7 intitle:"Apache HTTP Server" intitle:"documentation" intitle:"Apache HTTP Server" intitle:"documentation" When you install the Apache web server, you get a nice set of online documentation. When you learn how to use Apache, your supposed to delete these online Apache manuals. These sites didn't. If they're in such a hurry with Apache installs, I wonder what else they rushed through? 5 10 "Error Diagnostic Information" intitle:"Error Occurred While" "Error Diagnostic Information" intitle:"Error Occurred While" These aren't too horribly bad, but there are SO MANY of them. These sites got googlebotted while the site was having "technical difficulties." The resulting cached error message gives lots of juicy tidbits about the target site. 6 11 intitle:"Index of" finance.xls intitle:"Index of" finance.xls "Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!" 7 11 intitle:index.of finances.xls intitle:index.of finances.xls "Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!" 8 11 "# Dumping data for table" "# Dumping data for table" SQL database dumps. LOTS of data in these. So much data, infact, I'm pressed to think of what else an ev1l hax0r would like to know about a target database.. What's that? Usernames and passwords you say? Patience, grasshopper..... 9 12 intitle:index.of .bash_history intitle:index.of .bash_history Ok, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines like .profile, .login, .logout files, etc. I just got bored with all the combinations... 10 12 intitle:index.of .sh_history intitle:index.of .sh_history Ok, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines like .profile, .login, .logout files, etc. I just got bored with all the combinations... 11 13 intitle:"Index of" .mysql_history intitle:"Index of" .mysql_history The .mysql_history file contains commands that were performed against a mysql database. A "history" of said commands. First, you shouldn't show this file to anyone, especially not a MAJOR SEARCH ENGINE! Secondly, I sure hope you wouldn't type anything sensitive while interacting with your databases, like oh say USERNAMES AND PASSWORDS... 12 11 intitle:index.of mt-db-pass.cgi intitle:index.of mt-db-pass.cgi These folks had the technical prowess to unpack the movable type files, but couldn't manage to set up their web servers properly. Check the mt.cfg files for interesting stuffs... 13 7 intitle:"Welcome to Windows 2000 Internet Services" intitle:"Welcome to Windows 2000 Internet Services" At first glance, this search reveals even more examples of operating system users enabling the operating system default web server software. This is generally accepted to be a Bad Idea(TM) as mentioned in the previous example. However, the googleDork index on this particular category gets quite a boost from the fact that this particular screen should NEVER be seen by the general public. To quote the default index screen: "Any users attempting to connect to this site are currently receiving an 'Under Construction page'" THIS is not the 'Under Construction page.' I was only able to generate this screen while sitting at the console of the server. The fact that this screen is revealed to the general public may indicate a misconfiguration of a much more insidious nature... 14 7 intitle:"Welcome to IIS 4.0" intitle:"Welcome to IIS 4.0" Moving from personal, lightweight web servers into more production-ready software, we find that even administrators of Microsoft's Internet Information Server (IIS) sometimes don't have a clue what they're doing. By searching on web pages with titles of "Welcome to IIS 4.0" we find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running, or was upgraded from, the now considered OLD IIS 4.0 and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well. Old code: FREE with operating system. Poor content management: an average of $40/hour. Factory-installed default scripts: FREE with operating system. Getting hacked by a script kiddie that found you on Google: PRICELESS. For all the things money can't buy, there's a googleDork award. 15 6 "Index of /backup" "Index of /backup" Backup directories are often very interesting places to explore. More than one server has been compromised by a hacker's discovery of sensitive information contained in backup files or directories. Some of the sites in this search meant to reveal the contents of their backup directories, others did not. Think about it. What.s in YOUR backup directories? Would you care to share the contents with the whole of the online world? Probably not. Whether intentional or not, bsp.gsa.gov reveals backup directory through Google. Is this simply yet another misconfigured .gov site? You decide. BSP stands for "best security practices," winning this site the Top GoogleDork award for this category. 16 7 "powered by openbsd" +"powered by apache" "powered by openbsd" +"powered by apache" I like the OpenBSD operating system. I really do. And I like the Apache web server software. Honestly. I admire the mettle of administrators who take the time to run quality, secure software. The problem is that you never know when security problems will pop up. A BIG security problem popped up within the OpenBSD/Apache combo back in the day.Now, every administrator that advertised this particular combo with cute little banners has a problem. Hackers can find them with Google. I go easy on these folks since the odds are they.ve patched their sites already. Then again, they may just show up on zone-h.. 17 13 intitle:index.of intext:"secring.skr"|"secring.pgp"|"secring.bak" intitle:index.of intext:"secring.skr"|"secring.pgp"|"secring.bak" PGP is a great encryption technology. It keeps secrets safe. Everyone from drug lords to the head of the DEA can download PGP to encrypt their sensitive documents. Everyone, that is except googleDorks. GoogleDorks, it seems, don't understand that anyone in possession of your private keyring (secring) can get to your secret stuff. It should noever be given out, and should certainly not be posted on the Internet. The highest ranking is awarded for this surprising level of ineptitude. 18 13 intitle:index.of people.lst intitle:index.of people.lst *sigh* 19 13 intitle:index.of passwd passwd.bak intitle:index.of passwd passwd.bak There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 20 13 intitle:index.of master.passwd intitle:index.of master.passwd There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "master.passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! For master.passwd, be sure to check other files in the same directory... 21 13 intitle:"Index of" pwd.db intitle:"Index of" pwd.db There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The his in this search show "pwd.db" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 22 13 intitle:"Index of" ".htpasswd" htpasswd.bak intitle:"Index of" ".htpasswd" htpasswd.bak There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 23 13 intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! You'll need to sift through these results a bit... 24 13 intitle:"Index of" spwd.db passwd -pam.conf intitle:"Index of" spwd.db passwd -pam.conf There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 25 13 intitle:"Index of..etc" passwd intitle:"Index of..etc" passwd There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 26 11 buddylist.blt buddylist.blt These searches bring up common names for AOL Instant Messenger "buddylists". These lists contain screen names of your "online buddies" in Instant Messenger. Not that's not too terribly exciting or stupid unless you want to mess with someone's mind, and besides, some people make these public on purpose. The thing that's interesting are the files that get stored ALONG WITH buddylists. Often this stuff includes downloaded pictures, resumes, all sorts of things. This is really for the peepers out there, and it' possible to spend countless hours rifling through people's personal crap. Also try buddylist.blt, buddy.blt, buddies.blt. 27 13 intitle:index.of config.php intitle:index.of config.php This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. Way to go, googleDorks!! 28 11 intitle:phpinfo "PHP Version" intitle:phpinfo "PHP Version" this brings up sites with phpinfo(). There is SO much cool stuff in here that you just have to check one out for yourself! I mean full blown system versioning, SSL version, sendmail version and path, ftp, LDAP, SQL info, Apache mods, Apache env vars, *sigh* the list goes on and on! Thanks "joe!" =) 29 10 "supplied argument is not a valid MySQL result resource" "supplied argument is not a valid MySQL result resource" One of many potential error messages that spew interesting information. The results of this message give you real path names inside the webserver as well as more php scripts for potential "crawling" activities. 31 11 intitle:index.of robots.txt intitle:index.of robots.txt The robots.txt file contains "rules" about where web spiders are allowed (and NOT allowed) to look in a website's directory structure. Without over-complicating things, this means that the robots.txt file gives a mini-roadmap of what's somewhat public and what's considered more private on a web site. Have a look at the robots.txt file itself, it contains interesting stuff. However, don't forget to check out the other files in these directories since they are usually at the top directory level of the web server! 32 13 index.of passlist index.of passlist I'm not sure what uses this, but the passlist and passlist.txt files contain passwords in CLEARTEXT! That's right, no decoding/decrypting/encrypting required. How easy is this? *sigh* Supreme googledorkage 33 6 index.of.secret index.of.secret What kinds of goodies lurk in directories marked as "secret?" Find out... 34 6 index.of.private index.of.private What kinds of things might you find in directories marked "private?" let's find out.... 35 13 index.of.etc index.of.etc This search gets you access to the etc directory, where many many many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun! 36 6 index.of.winnt index.of.winnt The \WINNT directory is the directory that Windows NT is installed into by default. Now just because google can find them, this doesn't necessarily mean that these are Windows NT directories that made their way onto the web. However, sometimes this happens. Other times, they aren't Windows NT directories, but backup directories for Windows NT data. Wither way, worthy of a nomination. 37 6 index.of.secure index.of.secure What could be hiding in directories marked as "secure?" let's find out... 38 6 index.of.protected index.of.protected What could be in a directory marked as "protected?" Let's find out... 39 6 index.of.password index.of.password These directories are named "password." I wonder what you might find in here. Warning: sometimes p0rn sites make directories on servers with directories named "password" and single html files inside named things liks "horny.htm" or "brittany.htm." These are to boost their search results. Don't click them (unless you want to be buried in an avalanche of p0rn... 40 11 "This report was generated by WebLog" "This report was generated by WebLog" These are weblog-generated statistics for web sites... A roadmap of files, referrers, errors, statistics... yummy... a schmorgasbord! =P 41 11 "These statistics were produced by getstats" "These statistics were produced by getstats" Another web statistics package. This one originated from a google scan of an ivy league college. *sigh* There's sooo much stuff in here! 42 11 "This summary was generated by wwwstat" "This summary was generated by wwwstat" More www statistics on the web. This one is very nice.. Lots of directory info, and client access statistics, email addresses.. lots os good stuff. You know, these are SOOO dangerous, especially if INTRANET users get logged... talk about mapping out an intranet quickly... thanks, sac =) 43 11 intitle:index.of haccess.ctl intitle:index.of haccess.ctl this is the frontpage(?) equivalent of htaccess, I believe. Anyhow, this file describes who can access the directory of the web server and where the other authorization files are. nice find. 44 11 filetype:ctl Basic filetype:ctl Basic haccess.ctl is the frontpage(?) equivalent of the .htaccess file. Either way, this file decribes who can access a web page, and should not be shown to web surfers. Way to go, googledork. =P This method is very reliable due to the use of this google query: filetype:ctl Basic This pulls out the file by name then searches for a string inside of it (Basic) which appears in the standard template for this file. 45 13 filetype:xls username password email filetype:xls username password email This search shows Microsoft Excel spreadsheets containing the words username, password and email. Beware that there are a ton of blank "template" forms to weed through, but you can tell from the Google summary that some of these are winners... err losers.. depending on your perspective. 46 9 inurl:shop "Hassan Consulting's Shopping Cart Version 1.18" inurl:shop "Hassan Consulting's Shopping Cart Version 1.18" These servers can be messed with in many ways. One specific way is by way of the "../" bug. This lets you cruise around the web server in a somewhat limited fashion. 47 11 site:edu admin grades site:edu admin grades I never really thought about this until I started coming up with juicy examples for DEFCON 11.. A few GLARINGLY bad examples contain not only student grades and names, but also social security numbers, securing the highest of all googledork ratings! 48 13 allinurl:auth_user_file.txt allinurl:auth_user_file.txt DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun, and all belong to googledorks. =) 49 13 inurl:config.php dbuname dbpass inurl:config.php dbuname dbpass The old config.php script. This puppy should be held very closely. It should never be viewable to your web visitors because it contains CLEARTEXT usernames and passwords! The hishest of all googledorks ratings! 50 7 inurl:tech-support inurl:show Cisco inurl:tech-support inurl:show Cisco This is a way to find Cisco products with an open web interface. These are generally supposed to be user and password protected. Google finds ones that aren't. Be sure to use Google's cache if you have trouble connecting. Also, there are very few results (2 at the time of posting.) 51 7 i_index.shtml Ready i_index.shtml Ready These printers are not-only web-enabled, but their management interface somehow got crawled by google! These puppies should not be public! You can really muck with these printers. In some cases, going to the "password.shtml" page, you can even lock out the admins if a username and password has not already been set! Thanks to mephisteau@yahoo.co.uk for the idea =) 52 7 aboutprinter.shtml aboutprinter.shtml More Xerox printers on the web! Google found these printers. Should their management interface be open to the WHOLE INTERNET? I think not. 53 10 "Chatologica MetaSearch" "stack tracking:" "Chatologica MetaSearch" "stack tracking:" There is soo much crap in this error message... Apache version, CGI environment vars, path names, stack-freaking-dumps, process ID's, perl version, yadda yadda yadda... 54 11 intitle:index.of mystuff.xml intitle:index.of mystuff.xml This particular file contains web links that trillian users have entered into the tool. Trillian combines many different messaging programs into one tool. AIM, MSN, Yahoo, ICQ, IRC, etc. Although this particular file is fairly benign, check out the other files in the same directory. There is usually great stuff here! 55 13 intitle:index.of trillian.ini intitle:index.of trillian.ini Trillian pulls together all sort of messaging clients like AIM MSN, Yahoo, IRC, ICQ, etc. The various ini files that trillian uses include files like aim.ini and msn.ini. These ini files contain encoded passwords, usernames, buddy lists, and all sorts of other fun things. Thanks for putting these on the web for us, googledorks! 56 14 intitle:admin intitle:login intitle:admin intitle:login Admin Login pages. Now, the existance of this page does not necessarily mean a server is vulnerable, but it sure is handy to let Google do the discovering for you, no? Let's face it, if you're trying to hack into a web server, this is one of the more obvious places to poke. 57 10 "ORA-00921: unexpected end of SQL command" "ORA-00921: unexpected end of SQL command" Another SQL error message from Cesar. This one coughs up full web pathnames and/or php filenames. 58 13 inurl:passlist.txt inurl:passlist.txt Cleartext passwords. No decryption required! 59 10 inurl:sitebuildercontent inurl:sitebuildercontent This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder sirectory names, I wonder what else they got wrong? 60 10 inurl:sitebuilderfiles inurl:sitebuilderfiles This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder sirectory names, I wonder what else they got wrong? 61 10 inurl:sitebuilderpictures inurl:sitebuilderpictures This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder sirectory names, I wonder what else they got wrong? 62 13 filetype:htpasswd htpasswd filetype:htpasswd htpasswd This is a nifty way to find htpasswd files. Htpasswd files contain usernames and crackable passwords for web pages and directories. They're supposed to be server-side, not available to web clients! *duh* 63 9 "YaBB SE Dev Team" "YaBB SE Dev Team" Yet Another Bulletin Board (YABB) SE (versions 1.5.4 and 1.5.5 and perhaps others) contain an SQL injection vulnerability which may allow several attacks including unauthorized database modification or viewing. See http://www.securityfocus.com/bid/9674 for more information. Also see http://www.securityfocus.com/bid/9677 for information about an information leakage vulnerability in versions YaBB Gold - Sp 1.3.1 and others. 64 19 inurl:custva.asp inurl:custva.asp The EarlyImpact Productcart contains multiple vulnerabilites, which could exploited to allow an attacker to steal user credentials or mount other attacks. See http://www.securityfocus.com/bid/9669 for more informationfor more information. Also see http://www.securityfocus.com/bid/9677 for information about an information leakage vulnerability in versions YaBB Gold - Sp 1.3.1 and others. 65 19 "Powered by mnoGoSearch - free web search engine software" "Powered by mnoGoSearch - free web search engine software" According to http://www.securityfocus.com/bid/9667, certain versions of mnGoSearch contain a buffer overflow vulnerability which allow an attacker to execute commands on the server. 66 10 intitle:"the page cannot be found" inetmgr intitle:"the page cannot be found" inetmgr IIS 4.0 servers. Extrememly old, incredibly easy to hack... 67 10 intitle:"the page cannot be found" "2004 microsoft corporation" intitle:"the page cannot be found" "2004 microsoft corporation" Windows 2000 web servers. Aging, fairly easy to hack, especially out of the box... 68 10 intitle:"the page cannot be found" "internet information services" intitle:"the page cannot be found" "internet information services" This query finds various types of IIS servers. This error message is fairly indicative of a somewhat unmodified IIS server, meaning it may be easier to break into... 69 11 "# phpMyAdmin MySQL-Dump" filetype:txt "# phpMyAdmin MySQL-Dump" filetype:txt From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but don't leave your database dumps laying around on the web. They contain all SORTS of sensitive information... 70 11 "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but don't leave your database dumps laying around on the web. They contain all SORTS of sensitive information... 71 9 intitle:"Gallery in Configuration mode" intitle:"Gallery in Configuration mode" Gallery is a nice little php program that allows users to post personal pictures on their website. So handy, in fact, that I use it on my site! However, the Gallery configuration mode allows outsiders to make changes to your gallery. This is why you shouldn't leave your gallery in configuration mode. These people, unfortunately, have done just that! 72 11 intitle:index.of cgiirc.config intitle:index.of cgiirc.config CGIIRC is a web-based IRC client. Very cool stuff. The cgiirc.config file lists the options for this porgram, including the default sites that can be attached to, server passwords, and crypts of admin passwords. This file is for CGIIRC, not Google surfers! 73 11 inurl:cgiirc.config inurl:cgiirc.config This is another less reliable way of finding the cgiirc.config file. CGIIRC is a web-based IRC client. Very cool stuff. The cgiirc.config file lists the options for this porgram, including the default sites that can be attached to, server passwords, and crypts of admin passwords. This file is for CGIIRC, not Google surfers! 74 11 inurl:ipsec.secrets -history -bugs inurl:ipsec.secrets -history -bugs from the manpage for ipsec_secrets: "It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others." So let's make it plain: DO NOT SHOW THIS FILE TO ANYONE! Googledorks rejoice, these files are on the web! 75 11 inurl:ipsec.secrets "holds shared secrets" inurl:ipsec.secrets "holds shared secrets" from the manpage for ipsec_secrets: "It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others." So let's make it plain: DO NOT SHOW THIS FILE TO ANYONE! Googledorks rejoice, these files are on the web! 76 11 inurl:ipsec.conf -intitle:manpage inurl:ipsec.conf -intitle:manpage The ipsec.conf file could help hackers figure out what uber-secure users of freeS/WAN are protecting.... 77 10 intitle:"500 Internal Server Error" "server at" intitle:"500 Internal Server Error" "server at" This one shows the type of web server running on the site, and has the ability to show other information depending on how the message is internally formatted. 78 10 "mySQL error with query" "mySQL error with query" Another error message, this appears when an SQL query bails. This is a generic mySQL message, so there's all sort of information hackers can use, depending on the actual error message... 79 10 "You have an error in your SQL syntax near" "You have an error in your SQL syntax near" Another generic SQL message, this message can display path names and partial SQL code, both of which are very helpful for hackers... 81 10 "Supplied argument is not a valid MySQL result resource" "Supplied argument is not a valid MySQL result resource" Another generic SQL message, this message can display path names, function names, filenames and partial SQL code, all of which are very helpful for hackers... 80 10 "ORA-00936: missing expression" "ORA-00936: missing expression" A generic ORACLE error message, this message can display path names, function names, filenames and partial database code, all of which are very helpful for hackers... 82 10 "ORA-00921: unexpected end of SQL command" "ORA-00921: unexpected end of SQL command" Another generic SQL message, this message can display path names, function names, filenames and partial SQL code, all of which are very helpful for hackers... 83 10 "ORA-00933: SQL command not properly ended" "ORA-00933: SQL command not properly ended" An Oracle error message, this message can display path names, function names, filenames and partial SQL code, all of which are very helpful for hackers... 84 10 "Unclosed quotation mark before the character string" "Unclosed quotation mark before the character string" An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 85 10 "Incorrect syntax near" "Incorrect syntax near" An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 86 10 "Incorrect syntax near" -the "Incorrect syntax near" -the An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 87 10 "PostgreSQL query failed: ERROR: parser: parse error" "PostgreSQL query failed: ERROR: parser: parse error" An PostgreSQL error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 88 10 "Supplied argument is not a valid PostgreSQL result" "Supplied argument is not a valid PostgreSQL result" An PostgreSQL error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 89 10 "Syntax error in query expression " -the "Syntax error in query expression " -the An Access error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 90 10 "An illegal character has been found in the statement" -"previous message" "An illegal character has been found in the statement" -"previous message" An Informix error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 91 10 "A syntax error has occurred" filetype:ihtml "A syntax error has occurred" filetype:ihtml An Informix error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers 92 10 "detected an internal error [IBM][CLI Driver][DB2/6000]" "detected an internal error [IBM][CLI Driver][DB2/6000]" A DB2 error message, this message can display path names, function names, filenames, partial code and program state, all of which are very helpful for hackers... 93 10 An unexpected token "END-OF-STATEMENT" was found An unexpected token "END-OF-STATEMENT" was found A DB2 error message, this message can display path names, function names, filenames, partial code and program state, all of which are very helpful for hackers... 94 11 intitle:"statistics of" "advanced web statistics" intitle:"statistics of" "advanced web statistics" the awstats program shows web statistics for web servers. This information includes who is visiting the site, what pages they visit, error codes produced, filetypes hosted on the server, number of hits, and more which can provide very interesting recon information for an attacker. 95 11 intitle:"Usage Statistics for" "Generated by Webalizer" intitle:"Usage Statistics for" "Generated by Webalizer" The webalizer program shows web statistics for web servers. This information includes who is visiting the site, what pages they visit, error codes produced, filetypes hosted on the server, number of hits, referrers, exit pages, and more which can provide very interesting recon information for an attacker. 96 11 "robots.txt" "Disallow:" filetype:txt "robots.txt" "Disallow:" filetype:txt The robots.txt file serves as a set of instructions for web crawlers. The "disallow" tag tells a web crawler where NOT to look, for whatever reason. Hackers will always go to those places first! 514 10 "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" This search reveals Postgresql servers in yet another way then we had seen before. Path information appears in the error message and sometimes database names. 98 11 "phpMyAdmin" "running on" inurl:"main.php" "phpMyAdmin" "running on" inurl:"main.php" From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure! 99 11 inurl:main.php phpMyAdmin inurl:main.php phpMyAdmin From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure! 100 11 inurl:main.php Welcome to phpMyAdmin inurl:main.php Welcome to phpMyAdmin From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure! 101 10 "Warning: Cannot modify header information - headers already sent" "Warning: Cannot modify header information - headers already sent" A PHP error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 102 11 intitle:"wbem" compaq login "Compaq Information Technologies Group" intitle:"wbem" compaq login "Compaq Information Technologies Group" These devices are running HP Insight Management Agents for Servers which "provide device information for all managed subsystems. Alerts are generated by SNMP traps." The information on these pages include server addresses and other assorted SNMP information. 103 9 intitle:osCommerce inurl:admin intext:"redistributable under the GNU" intext:"Online Catalog" -demo -site:oscommerce.com intitle:osCommerce inurl:admin intext:"redistributable under the GNU" intext:"Online Catalog" -demo -site:oscommerce.com This is a decent way to explore the admin interface of osCommerce e-commerce sites. Depending on how bad the setup of the web store is, web surfers can even Google their way into customer details and order status, all from the Google cache. 104 11 intitle:index.of "Apache" "server at" intitle:index.of "Apache" "server at" This is a very basic string found on directory listing pages which show the version of the Apache web server. Hackers can use this information to find vulnerable targets without querying the servers. 105 10 "access denied for user" "using password" "access denied for user" "using password" Another SQL error message, this message can display the username, database, path names and partial SQL code, all of which are very helpful for hackers... 106 10 intitle:"Under construction" "does not currently have" intitle:"Under construction" "does not currently have" This error message can be used to narrow down the operating system and web server version which can be used by hackers to mount a specific attack. 107 7 "seeing this instead" intitle:"test page for apache" "seeing this instead" intitle:"test page for apache" This is the default web page for Apache 1.3.11 - 1.3.26. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 108 7 intitle:"Test Page for Apache" "It Worked!" intitle:"Test Page for Apache" "It Worked!" This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 109 7 intitle:"Test Page for Apache" "It Worked!" "on this web" intitle:"Test Page for Apache" "It Worked!" "on this web" This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 110 10 "Can't connect to local" intitle:warning "Can't connect to local" intitle:warning Another SQL error message, this message can display database name, path names and partial SQL code, all of which are very helpful for hackers... 111 11 intitle:index.of dead.letter intitle:index.of dead.letter dead.letter contains the contents of unfinished emails created on the UNIX platform. Emails (finished or not) can contain sensitive information. 112 11 intitle:index.of ws_ftp.ini intitle:index.of ws_ftp.ini ws_ftp.ini is a configuration file for a popular FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference. These should not be on the web! 113 13 intitle:index.of administrators.pwd intitle:index.of administrators.pwd This file contains administrative user names and (weakly) encrypted password for Microsoft Front Page. The file should not be readble to the general public. 114 13 inurl:secring ext:skr | ext:pgp | ext:bak inurl:secring ext:skr | ext:pgp | ext:bak This file is the secret keyring for PGP encryption. Armed with this file (and perhaps a passphrase), a malicious user can read all your encrypted files! This should not be posted on the web! 115 13 intitle:Index.of etc shadow intitle:Index.of etc shadow This file contains usernames and (lame) encrypted passwords! Armed with this file and a decent password cracker, an attacker can crack passwords and log into a UNIX system. 116 9 inurl:ManyServers.htm inurl:ManyServers.htm Microsoft Terminal Services Multiple Clients pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. 117 9 intitle:"Terminal Services Web Connection" intitle:"Terminal Services Web Connection" Microsoft Terminal Services Web Connector pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. In the worst case scenario these pages may allow an attacker to bypass a firewall gaining access to a "protected" machine. 118 9 intitle:"Remote Desktop Web Connection" intitle:"Remote Desktop Web Connection" Microsoft Remote Desktop Connection Web Connection pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. In the worst case scenario these pages may allow an attacker to bypass a firewall gaining access to an otherwise inaccessible machine. 119 9 "Welcome to Intranet" "Welcome to Intranet" According to whatis.com: "An intranet is a private network that is contained within an enterprise. [...] The main purpose of an intranet is to share company information and computing resources among employees [...] and in general looks like a private version of the Internet." Intranets, by definition should not be available to the Internet's unwashed masses as they may contain private corporate information. 120 9 inurl:search.php vbulletin inurl:search.php vbulletin Version 3.0.0 candidate 4 and earlier of Vbulletin may have a cross-site scripting vulnerability. See http://www.securityfocus.com/bid/9656 for more info. 121 9 inurl:footer.inc.php inurl:footer.inc.php From http://www.securityfocus.com/bid/9664, the AllMyPHP family of products (Versions 0.1.2 - 0.4) contains several potential vulnerabilities, som elalowing an attacker to execute malicious code on the web server. 122 9 inurl:info.inc.php inurl:info.inc.php From http://www.securityfocus.com/bid/9664, the AllMyPHP family of products (Versions 0.1.2 - 0.4) contains several potential vulnerabilities, som elalowing an attacker to execute malicious code on the web server. 123 11 inurl:admin intitle:login inurl:admin intitle:login This search can find administrative login pages. Not a vulnerability in and of itself, this query serves as a locator for administrative areas of a site. Further investigation of the surrounding directories can often reveal interesting information. 124 11 intitle:admin intitle:login intitle:admin intitle:login This search can find administrative login pages. Not a vulnerability in and of itself, this query serves as a locator for administrative areas of a site. Further investigation of the surrounding directories can often reveal interesting information. 125 10 filetype:asp "Custom Error Message" Category Source filetype:asp "Custom Error Message" Category Source This is an ASP error message that can reveal information such as compiler used, language used, line numbers, program names and partial source code. 126 10 "Fatal error: Call to undefined function" -reply -the -next "Fatal error: Call to undefined function" -reply -the -next This error message can reveal information such as compiler used, language used, line numbers, program names and partial source code. 127 11 inurl:admin filetype:xls inurl:admin filetype:xls This search can find Excel spreadsheets in an administrative directory or of an administrative nature. Many times these documents contain sensitive information. 128 12 inurl:admin inurl:userlist inurl:admin inurl:userlist This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. 129 12 inurl:admin filetype:asp inurl:userlist inurl:admin filetype:asp inurl:userlist This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. 130 6 inurl:backup intitle:index.of inurl:admin inurl:backup intitle:index.of inurl:admin This query reveals backup directories. These directories can contain various information ranging from source code, sql tables, userlists, and even passwords. 131 9 "Welcome to PHP-Nuke" congratulations "Welcome to PHP-Nuke" congratulations This finds default installations of the postnuke CMS system. In many cases, default installations can be insecure especially considering that the administrator hasn't gotten past the first few installation steps. 132 7 allintitle:Netscape FastTrack Server Home Page allintitle:Netscape FastTrack Server Home Page This finds default installations of Netscape Fasttrack Server. In many cases, default installations can be insecure especially considering that the administrator hasn't gotten past the first few installation steps. 133 6 "Welcome to phpMyAdmin" " Create new database" "Welcome to phpMyAdmin" " Create new database" phpMyAdmin is a widly spread webfrontend used to mantain sql databases. The default security mechanism is to leave it up to the admin of the website to put a .htaccess file in the directory of the application. Well gues what, obviously some admins are either too lazy or don't know how to secure their directories. These pages should obviously not be accessable to the public without some kind of password ;-) 134 6 intitle:"Index of c:\Windows" intitle:"Index of c:\Windows" These pages indicate that they are sharing the C:\WINDOWS directory, which is the system folder for many Windows installations. 135 10 warning "error on line" php sablotron warning "error on line" php sablotron Sablotron is an XML toolit thingie. This query hones in on error messages generated by this toolkit. These error messages reveal all sorts of interesting stuff such as source code snippets, path and filename info, etc. 136 11 "Most Submitted Forms and Scripts" "this section" "Most Submitted Forms and Scripts" "this section" More www statistics on the web. This one is very nice.. Lots of directory info, and client access statistics, email addresses.. lots of good stuff. These are SOOO dangerous, especially if INTRANET users get logged... talk about mapping out an intranet quickly... 137 11 inurl:changepassword.asp inurl:changepassword.asp This is a common script for changing passwords. Now, this doesn't actually reveal the password, but it provides great information about the security layout of a server. These links can be used to troll around a website. 138 9 "Select a database to view" intitle:"filemaker pro" "Select a database to view" intitle:"filemaker pro" An oldie but a goodie. This search locates servers which provides access to Filemaker pro databases via the web. The severity of this search varies wildly depending on the security of the database itself. Regardless, if Google can crawl it, it's potentially using cleartext authentication. 139 11 "not for distribution" confidential "not for distribution" confidential The terms "not for distribution" and confidential indicate a sensitive document. Results vary wildly, but web-based documents are for public viewing, and should neither be considered confidential or private. 140 0 "Thank you for your purchase" +download "Thank you for your purchase" +download Many web-based businesses provide a method for customers to pay for and subsequently download software via the web. The post-purchase pages often contain the terms "Thank you for your purchase" and provide a link to download the purchased software. In many cases, these pages provide a method to download pay software without paying, a practice I do not advocate. 141 11 "Thank you for your order" +receipt "Thank you for your order" +receipt After placing an order via the web, many sites provide a page containing the phrase "Thank you for your order" and provide a receipt for future reference. At the very least, these pages can provide insight into the structure of a web-based shop. 142 9 allinurl:intranet admin allinurl:intranet admin According to whatis.com: "An intranet is a private network that is contained within an enterprise. [...] The main purpose of an intranet is to share company information and computing resources among employees [...] and in general looks like a private version of the Internet." Intranets, by definition should not be available to the Internet's unwashed masses as they may contain private corporate information. Some of these pages are simply portals to an Intranet site, which helps with information gathering. 143 16 intitle:"Nessus Scan Report" "This file was generated by Nessus" intitle:"Nessus Scan Report" "This file was generated by Nessus" This search yeids nessus scan reports. Even if some of the vulnerabilities have been fixed, we can still gather valuable information about the network/hosts. This also works with ISS and any other vulnerability scanner which produces reports in html or text format. 144 6 intitle:"index.of.personal" intitle:"index.of.personal" This directory has various personal documents and pictures. 145 16 "This report lists" "identified by Internet Scanner" "This report lists" "identified by Internet Scanner" This search yeids ISS scan reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 146 16 "Network Host Assessment Report" "Internet Scanner" "Network Host Assessment Report" "Internet Scanner" This search yeids ISS scan reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 147 11 "Network Vulnerability Assessment Report" "Network Vulnerability Assessment Report" This search yeids vulnerability scanner reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 148 11 "Host Vulnerability Summary Report" "Host Vulnerability Summary Report" This search yeids host vulnerability scanner reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 149 11 intitle:index.of inbox intitle:index.of inbox This search reveals potential location for mailbox files. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 150 11 intitle:index.of inbox dbx intitle:index.of inbox dbx This search reveals potential location for mailbox files. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 151 11 intitle:index.of inbox dbx intitle:index.of inbox dbx This search reveals potential location for mailbox files by keying on the Outlook Express cleanup.log file. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 152 11 "#mysql dump" filetype:sql "#mysql dump" filetype:sql This reveals mySQL database dumps. These database dumps list the structure and content of databases, which can reveal many different types of sensitive information. 153 9 allinurl:install/install.php allinurl:install/install.php Pages with install/install.php files may be in the process of installing a new service or program. These servers may be insecure due to insecure default settings. In some cases, these servers may allow for a new installation of a program or service with insecure settings. In other cases, snapshot data about an install process can be gleaned from cached page images. 154 11 inurl:vbstats.php "page generated" inurl:vbstats.php "page generated" This is your typical stats page listing referrers and top ips and such. This information can certainly be used to gather information about a site and its visitors. 155 12 "index of" / lck "index of" / lck These lock files often contain usernames of the user that has locked the file. Username harvesting can be done using this technique. 156 11 "Index of" / "chat/logs" "Index of" / "chat/logs" This search reveals chat logs. Depending on the contents of the logs, these files could contain just about anything! 157 12 index.of perform.ini index.of perform.ini This file contains information about the mIRC client and may include channel and user names. 158 16 "SnortSnarf alert page" "SnortSnarf alert page" Snort is an intrusion detection system. SnorfSnarf creates pretty web pages from intrusion detection data. These pages show what the bad guys are doing to a system. Generally, it's a bad idea to show the bad guys what you've noticed. 159 11 inurl:"newsletter/admin/" intitle:"newsletter admin" inurl:"newsletter/admin/" intitle:"newsletter admin" These pages generally contain newsletter administration pages. Some of these site are password protected, others are not, allowing unauthorized users to send mass emails to an entire mailing list. 160 11 inurl:"newsletter/admin/" inurl:"newsletter/admin/" These pages generally contain newsletter administration pages. Some of these site are password protected, others are not, allowing unauthorized users to send mass emails to an entire mailing list. This is a less acurate search than the similar intitle:"newsletter admin" search. 161 16 inurl:phpSysInfo/ "created by phpsysinfo" inurl:phpSysInfo/ "created by phpsysinfo" This statistics program allows the an admin to view stats about a webserver. Some sites leave this in a publically accessible web page. Hackers could have access to data such as the real IP address of the server, server memory usage, general system info such as OS, type of chip, hard-drive makers and much more. 162 13 allinurl: admin mdb allinurl: admin mdb Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are! 163 17 allinurl:"exchange/logon.asp" allinurl:"exchange/logon.asp" According to Microsoft "Microsoft (R) Outlook (TM) Web Access is a Microsoft Exchange Active Server Application that gives you private access to your Microsoft Outlook or Microsoft Exchange personal e-mail account so that you can view your Inbox from any Web Browser. It also allows you to view Exchange server public folders and the Address Book from the World Wide Web. Anyone can post messages anonymously to public folders or search for users in the Address Book. " Now, consider for a moment and you will understand why this could be potentially bad. 164 0 intitle:big.brother attention trouble unavailable offline intitle:big.brother attention trouble unavailable offline The "Big Brother" program shows so much information it's sickening! I mean ping data, connection headers, stat info... With an info page like this, an attacker hardly has to run any reconnaisance... they can just throw an attack.. sickening. 165 6 intitle:"Index of" cfide intitle:"Index of" cfide This is the top level directory of ColdFusion, a powerful web development environment. This directory most likely contains sensitive information about a ColdFusion developed site. 166 17 intitle:"ColdFusion Administrator Login" intitle:"ColdFusion Administrator Login" This is the default login page for ColdFusion administration. Although many of these are secured, this is an indicator of a default installation, and may be inherantly insecure. In addition, this search provides good information about the version of ColdFusion as well as the fact that ColdFusion is installed on the server. 167 10 intitle:"Error Occurred" "The error occurred in" filetype:cfm intitle:"Error Occurred" "The error occurred in" filetype:cfm This is a typical error message from ColdFusion. A good amount of information is available from an error message like this including lines of source code, full pathnames, SQL query info, database name, SQL state info and local time info. 168 17 inurl:login.cfm inurl:login.cfm This is the default login page for ColdFusion. Although many of these are secured, this is an indicator of a default installation, and may be inherantly insecure. In addition, this search provides good information about the version of ColdFusion as well as the fact that ColdFusion is installed on the server. 169 13 filetype:cfm "cfapplication name" password filetype:cfm "cfapplication name" password These files contain ColdFusion source code. In some cases, the pages are examples that are found in discussion forums. However, in many cases these pages contain live sourcecode with usernames, database names or passwords in plaintext. 170 17 inurl:":10000" intext:webmin inurl:":10000" intext:webmin Webmin is a html admin interface for Unix boxes. It is run on a proprietary web server listening on the default port of 10000. 171 11 allinurl:/examples/jsp/snp/snoop.jsp allinurl:/examples/jsp/snp/snoop.jsp These pages reveal information about the server including path information, port information, etc. 172 11 allinurl:servlet/SnoopServlet allinurl:servlet/SnoopServlet These pages reveal server information such as port, server software version, server name, full paths, etc. 173 7 intitle:"Test Page for Apache" intitle:"Test Page for Apache" This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 174 17 inurl:login.asp inurl:login.asp This is a typical login page. It has recently become a target for SQL injection. Comsec's article at http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php brought this to my attention. 175 17 inurl:/admin/login.asp inurl:/admin/login.asp This is a typical login page. It has recently become a target for SQL injection. Comsec's article at http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php brought this to my attention. 176 11 "Running in Child mode" "Running in Child mode" This is a gnutella client that was picked up by google. There is a lot of data present including transfer statistics, port numbers, operating system, memory, processor speed, ip addresses, and gnutella client versions. 177 11 "This is a Shareaza Node" "This is a Shareaza Node" These pages are from Shareaza client programs. Various data is displayed including client version, ip address, listening ports and uptime. 178 17 "VNC Desktop" inurl:5800 "VNC Desktop" inurl:5800 VNC is a remote-controlled desktop product. Depending on the configuration, remote users may not be presented with a password. Even when presented with a password, the mere existance of VNC can be important to an attacker, as is the open port of 5800. 179 6 "index of cgi-bin" "index of cgi-bin" CGI directories contain scripts which can often be exploited by attackers. Regardless of the vulnerability of such scripts, a directory listing of these scripts can prove helpful. 180 7 intitle:Snap.Server inurl:Func= intitle:Snap.Server inurl:Func= This page reveals the existance of a SNAP server (Netowrk attached server or NAS devices) Depending on the configuration, these servers may be vulnerable, but regardless the existance of this server is useful for information gathering. 181 11 inurl:server-status "apache" inurl:server-status "apache" This page shows all sort of information about the Apache web server. It can be used to track process information, directory maps, connection data, etc. 182 13 eggdrop filetype:user user eggdrop filetype:user user These are eggdrop config files. Avoiding a full-blown descussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users. 183 13 intitle:"index of" intext:connect.inc intitle:"index of" intext:connect.inc These files often contain usernames and passwords for connection to mysql databases. In many cases, the passwords are not encoded or encrypted. 184 17 intitle:"MikroTik RouterOS Managing Webpage" intitle:"MikroTik RouterOS Managing Webpage" This is the front page entry point to a "Mikro Tik" Router. 185 11 inurl:fcgi-bin/echo inurl:fcgi-bin/echo This is the fastcgi echo script, which provides a great deal of information including port numbers, server software versions, port numbers, ip addresses, path names, file names, time zone, process id's, admin email, fqdns, etc! 186 11 inurl:cgi-bin/printenv inurl:cgi-bin/printenv This is the print environemnts script which lists sensitive information such as path names, server names, port numbers, server software and version numbers, administrator email addresses and more. 187 10 intitle:"Execution of this script not permitted" intitle:"Execution of this script not permitted" This is a cgiwrap error message which displays admin name and email, port numbers, path names, and may also include optional information like phone numbers for support personnel. 188 11 inurl:perl/printenv inurl:perl/printenv This is the print environemnts script which lists sensitive information such as path names, server names, port numbers, server software and version numbers, administrator email addresses and more. 189 6 inurl:j2ee/examples/jsp inurl:j2ee/examples/jsp This directory contains sample JSP scripts which are installed on the server. These programs may have security vulnerabilities and can be used by an attacker to footprint the server. 190 6 inurl:ojspdemos inurl:ojspdemos This directory contains sample Oracle JSP scripts which are installed on the server. These programs may have security vulnerabilities and can be used by an attacker to footprint the server. 191 11 inurl:server-info "Apache Server Information" inurl:server-info "Apache Server Information" This is the Apache server-info program. There is so much sensitive stuff listed on this page that it's hard to list it all here. Some informatino listed here includes server version and build, software versions, hostnames, ports, path info, modules installed, module info, configuration data and so much more.... 192 0 inurl:admin_/globalsettings.htm inurl:admin_/globalsettings.htm This page is a part of the Oracle HTTP Listener and potentially allows for the modification of settings on the server. If the application is secured, this page at least allows for footprinting of the server. 193 9 inurl:pls/admin_/gateway.htm inurl:pls/admin_/gateway.htm This is a default login portal used by Oracle. In addition to the fact that this file can be used to footprint a web server and determine it's version and software, this page has been targeted in many vulnerability reports as being a source of an SQL injection vulnerability. This problem, when exploited can lead to unauthorized privileges to the databse. In addition, this page may allow unauthorized modification of parameters on the server. 194 6 inurl:/pls/sample/admin_/help/ inurl:/pls/sample/admin_/help/ This is the default installation location of Oracle manuals. This helps in footprinting a server, allowing an attacker to determine software version information which may aid in an attack. 195 9 intitle:"Gateway Configuration Menu" intitle:"Gateway Configuration Menu" This is a normally protected configuration menu for Oracle Portal Database Access Descriptors (DADs) and Listener settings. This page is normally password protected, but Google has uncovered sites which are not protected. Attackers can make changes to the servers found with this query. 196 17 intitle:Remote.Desktop.Web.Connection inurl:tsweb intitle:Remote.Desktop.Web.Connection inurl:tsweb This is the login page for Microsoft's Remote Desktop Web Connection, which allows remote users to connect to (and optionally control) a user's desktop. Although authentication is built into this product, it is still possible to run this service without authentication. Regardless, this search serves as a footprinting mechanisms for an attacker. 197 12 inurl:php inurl:hlstats intext:"Server Username" inurl:php inurl:hlstats intext:"Server Username" This page shows the halflife stat script and reveals the username to the system. Table structure, database name and recent SQL queries are also shown on most systems. 198 11 intext:"Tobias Oetiker" "traffic analysis" intext:"Tobias Oetiker" "traffic analysis" This is the MRTG traffic analysis pages. This page lists information about machines on the network including CPU load, traffic statistics, etc. This information can be useful in mapping out a network. 199 11 inurl:tdbin inurl:tdbin This is the default directory for TestDirector (http://www.mercuryinteractive.com/products/testdirector/). This program contains sensitive information including software defect data which should not be publically accessible. 200 12 +intext:"webalizer" +intext:"Total Usernames" +intext:"Usage Statistics for" +intext:"webalizer" +intext:"Total Usernames" +intext:"Usage Statistics for" The webalizer program displays various information but this query displays usernames that have logged into the site. Attckers can use this information to mount an attack. 201 13 inurl:perform filetype:ini inurl:perform filetype:ini Displays the perform.ini file used by the popular irc client mIRC. Often times has channel passwords and/or login passwords for nickserv. 202 13 intitle:"index of" intext:globals.inc intitle:"index of" intext:globals.inc contains plaintext user/pass for mysql database 203 16 filetype:pdf "Assessment Report" nessus filetype:pdf "Assessment Report" nessus These are reports from the Nessus Vulnerability Scanner. These report contain detailed information about the vulnerabilities of hosts on a network, a veritable roadmap for attackers to folow. 204 11 inurl:"smb.conf" intext:"workgroup" filetype:conf inurl:"smb.conf" intext:"workgroup" filetype:conf These are samba configuration files. They include information about the network, trust relationships, user accounts and much more. Attackers can use this information to recon a network. 205 9 intitle:"Samba Web Administration Tool" intext:"Help Workgroup" intitle:"Samba Web Administration Tool" intext:"Help Workgroup" This search reveals wide-open samba web adminitration servers. Attackers can change options on the server. 206 13 filetype:properties inurl:db intext:password filetype:properties inurl:db intext:password The db.properties file contains usernames, decrypted passwords and even hostnames and ip addresses of database servers. This is VERY severe, earning the highest danger rating. 207 17 inurl:names.nsf?opendatabase inurl:names.nsf?opendatabase A Login portal for Lotus Domino servers. Attackers can attack this page or use it to gather information about the server. 208 6 "index of" inurl:recycler "index of" inurl:recycler This is the default name of the Windows recycle bin. The files in this directory may contain sensitive information. Attackers can also crawl the directory structure of the site to find more information. In addition, the SID of a user is revealed also. An attacker could use this in a variety of ways. 209 11 filetype:conf inurl:firewall -intitle:cvs filetype:conf inurl:firewall -intitle:cvs These are firewall configuration files. Although these are often examples or sample files, in many cases they can still be used for information gathering purposes. 210 13 filetype:inc intext:mysql_connect filetype:inc intext:mysql_connect INC files have PHP code within them that contain unencrypted usernames, passwords, and addresses for the corresponding databases. Very dangerous stuff. The mysql_connect file is especially dangerous because it handles the actual connection and authentication with the database. 211 11 "HTTP_FROM=googlebot" googlebot.com "Server_Software=" "HTTP_FROM=googlebot" googlebot.com "Server_Software=" These pages contain trace information that was collected when the googlebot crawled a page. The information can include many different things such as path names, header information, server software versions and much more. Attackers can use information like this to formulate an attack against a site. 212 11 "Request Details" "Control Tree" "Server Variables" "Request Details" "Control Tree" "Server Variables" These pages contain a great deal of information including path names, session ID's, stack traces, port numbers, ip addresses, and much much more. Attackers can use this information to formulate a very advanced attack against these targets. 213 13 filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword" filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword" These pages display windows registry keys which reveal passwords and/or usernames. 214 17 inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login" inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login" These are Citrix Metaframe login portals. Attackers can use these to profile a site and can use insecure setups of this application to access the site. 215 17 inurl:/Citrix/Nfuse17/ inurl:/Citrix/Nfuse17/ These are Citrix Metaframe login portals. Attackers can use these to profile a site and can use insecure setups of this application to access the site. 216 11 filetype:wab wab filetype:wab wab These are Microsoft Outlook Mail address books. The information contained will vary, but at the least an attacker can glean email addresses and contact information. 217 12 filetype:reg reg HKEY_CURRENT_USER username filetype:reg reg HKEY_CURRENT_USER username This search finds registry files from the Windows Operating system. Considered the "soul" of the system, these files, and snippets from these files contain sensitive information, in this case usernames and/or passwords. 218 13 filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS This search reveals SSH host key fro the Windows Registry. These files contain information about where the user connects including hostnames and port numbers, and shows sensitive information such as the SSH host key in use by that client. 219 6 inurl:/tmp inurl:/tmp Many times, this search will reveal temporary files and directories on the web server. The information included in these files and directories will vary, but an attacker could use this information in an information gathering campaign. 220 11 filetype:mbx mbx intext:Subject filetype:mbx mbx intext:Subject These searches reveal Outlook v 1-4 or Eudora mailbox files. Often these are made public on purpose, sometimes they are not. Either way, addresses and email text can be pulled from these files. 221 17 intitle:"eMule *" intitle:"- Web Control Panel" intext:"Web Control Panel" "Enter your password here." intitle:"eMule *" intitle:"- Web Control Panel" intext:"Web Control Panel" "Enter your password here." This iks the login page for eMule, the p2p file-sharing program. These pages forego the login name, prompting only for a password. Attackers can use this to profile a target, gather information and ultimately upload or download files from the target (which is a function of the emule program itself) 222 17 inurl:"webadmin" filetype:nsf inurl:"webadmin" filetype:nsf This is a standard login page for Domino Web Administration. 223 12 filetype:reg reg +intext:"internet account manager" filetype:reg reg +intext:"internet account manager" This google search reveals users names, pop3 passwords, email addresses, servers connected to and more. The IP addresses of the users can also be revealed in some cases. 224 11 filetype:eml eml +intext:"Subject" +intext:"From" filetype:eml eml +intext:"Subject" +intext:"From" These are oulook express email files which contain emails, with full headers. The information in these emails can be useful for information gathering about a target. 225 13 inurl:vtund.conf intext:pass -cvs inurl:vtund.conf intext:pass -cvs Theses are vtund configuration files (http://vtun.sourceforge.net). Vtund is an encrypted tunneling program. The conf file holds plaintext passwords. Many sites use the default password, but some do not. Regardless, attackers can use this information to gather information about a site. 226 17 inurl:login filetype:swf swf inurl:login filetype:swf swf This search reveals sites which may be using Shockwave (Flash) as a login mechanism for a site. The usernames and passwords for this type of login mechanism are often stored in plaintext inside the source of the .swl file. 227 13 filetype:url +inurl:"ftp://" +inurl:"@" filetype:url +inurl:"ftp://" +inurl:"@" These are FTP Bookmarks, some of which contain plaintext login names and passwords. 228 19 intitle:guestbook "advanced guestbook 2.2 powered" intitle:guestbook "advanced guestbook 2.2 powered" Advanced Guestbook v2.2 has an SQL injection problem which allows unauthorized access. Attacker From there, hit "Admin" then do the following: Leave username field blank. For password, enter this exactly: ') OR ('a' = 'a You are now in the Guestbook's Admin section. http://www.securityfocus.com/bid/10209 229 7 intitle:"300 multiple choices" intitle:"300 multiple choices" This search shows sites that have the 300 error code, but also reveal a server tag at the bottom of the page that an attacker could use to profile a system. 230 11 intitle:"index of" mysql.conf OR mysql_config intitle:"index of" mysql.conf OR mysql_config This file contains port number, version number and path info to MySQL server. 231 11 filetype:lic lic intext:key filetype:lic lic intext:key License files for various software titles that may contain contact info and the product version, license, and registration in a .LIC file. 232 17 "please log in" "please log in" This is a simple search for a login page. Attackers view login pages as the "front door" to a site, but the information about where this page is stored and how it is presented can provide clues about breaking into a site. 233 12 filetype:log username putty filetype:log username putty These log files record info about the SSH client PUTTY. These files contain usernames, site names, IP addresses, ports and various other information about the SSH server connected to. 234 13 filetype:log inurl:"password.log" filetype:log inurl:"password.log" These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user. 235 17 intitle:"Dell Remote Access Controller" intitle:"Dell Remote Access Controller" This is the Dell Remote Access Controller that allows remote administration of a Dell server. 236 16 filetype:vsd vsd network -samples -examples filetype:vsd vsd network -samples -examples Reveals network maps (or any other kind you seek) that can provide sensitive information such as internal IPs, protocols, layout, firewall locations and types, etc. Attackers can use these files in an information gathering campaign. 237 6 intitle:intranet inurl:intranet +intext:"human resources" intitle:intranet inurl:intranet +intext:"human resources" According to whatis.com: "An intranet is a private network that is contained within an enterprise. [...] The main purpose of an intranet is to share company information and computing resources among employees [...] and in general looks like a private version of the Internet." This search allows you to not only access a companies private network, but also provides employee listings and other sensitive information that can be incredibly useful for any social engineering endeavour 238 11 filetype:log cron.log filetype:log cron.log Displays logs from cron, the *nix automation daemon. Can be used to determine backups, full and realtive paths, usernames, IP addresses and port numbers of trusted network hosts, or just about anything the admin of the box decides to automate. An attacker could use this information to possibly determine what extra vulnerable services are running on the machine, to find the location of backups, and, if the sysadmin uses cron to backup their logfiles, this cron log will give that away too. 239 11 filetype:log access.log -CVS filetype:log access.log -CVS These are http server access logs which contain all sorts of information ranging from usernames and passwords to trusted machines on the network to full paths on the server. Could be VERY useful in scoping out a potential target. 240 11 filetype:blt blt +intext:screenname filetype:blt blt +intext:screenname Reveals AIM buddy lists, including screenname and who's on their 'buddy' list and their 'blocked' list. 241 13 filetype:dat "password.dat" filetype:dat "password.dat" This file contains plaintext usernames and password. Deadly information in the hands of an attacker. 242 11 intitle:intranet inurl:intranet +intext:"phone" intitle:intranet inurl:intranet +intext:"phone" These pages are often private intranet pages which contain phone listings and email addresses. These pages can be used as a sort of online "dumpster dive". 243 13 filetype:conf slapd.conf filetype:conf slapd.conf slapd.conf is the file that contains all the configuration for OpenLDAP, including the root password, all in clear text. Other useful information that can be gleaned from this file includes full paths of other related installed applications, the r/w/e permissions for various files, and a bunch of other stuff. 244 11 inurl:php.ini filetype:ini inurl:php.ini filetype:ini The php.ini file contains all the configuration for how PHP is parsed on a server. It can contain default database usernames, passwords, hostnames, IP addresses, ports, initialization of global variables and other information. Since it is found by default in /etc, you might be able to find a lot more unrelated information in the same directory. 245 7 inurl:domcfg.nsf inurl:domcfg.nsf This will return a listing of servers running Lotus Domino. These servers by default have very descriptive error messages which can be used to obtain path and OS information. In addition, adding "Login Form Mapping" to the search will allow you to see detailed information about a few of the servers that have this option enabled. 246 13 filetype:pem intext:private filetype:pem intext:private This search will find private key files... Private key files are supposed to be, well... private. 247 11 "Mecury Version" "Infastructure Group" "Mecury Version" "Infastructure Group" Mecury is a centralized ground control program for research satellites. This query simply locates servers running this software. As it seems to run primarily on PHP and MySQL, there are many possible vulnerabilities associated with it. 248 12 filetype:conf inurl:proftpd.conf -sample filetype:conf inurl:proftpd.conf -sample A standard FTP configuration file that provides far too many details about how the server is setup, including installation paths, location of logfiles, generic username and associated group, etc 249 14 +htpasswd +WS_FTP.LOG filetype:log +htpasswd +WS_FTP.LOG filetype:log WS_FTP.LOG can be used in many ways to find more information about a server. This query is very flexible, just substitute "+htpasswd" for "+FILENAME" and you may get several hits that you hadn't seen with the 'normal' search. Filenames suggested by the forum to explore are: phpinfo, admin, MySQL, password, htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage, CMS, backend, https, editor, intranet . The list goes on and on.. A different approach might be "allinurl: "some.host.com" WS_FTP.LOG filetype:log" which tells you more about who's uploading files to a specific site. 433 10 "error found handling the request" cocoon filetype:xml "error found handling the request" cocoon filetype:xml Cocoon is an XML publishing framework. It allows you to define XML documents and transformations to be applied on it, to eventually generate a presentation format of your choice (HTML, PDF, SVG). For more information read http://cocoon.apache.org/2.1/overview.html This Cocoon error displays library functions, cocoon version number, and full and/or relative path names. 250 11 intitle:"Big Sister" +"OK Attention Trouble" intitle:"Big Sister" +"OK Attention Trouble" This search reveals Internal network status information about services and hosts. 251 11 inurl:"/cricket/grapher.cgi" inurl:"/cricket/grapher.cgi" This search reveals information about internal networks, such as configuration, services, bandwidth. 252 11 inurl:"cacti" +inurl:"graph_view.php" +"Settings Tree View" -cvs -RPM inurl:"cacti" +inurl:"graph_view.php" +"Settings Tree View" -cvs -RPM This search reveals internal network info including architecture, hosts and services available. 253 11 intitle:"System Statistics" +"System and Network Information Center" intitle:"System Statistics" +"System and Network Information Center" This search reveals internal network information including network configuratino, ping times, services, and host info. 254 13 inurl:"wvdial.conf" intext:"password" inurl:"wvdial.conf" intext:"password" The wvdial.conf is used for dialup connections. it contains phone numbers, usernames and passwords in cleartext. 255 13 filetype:inc dbconn filetype:inc dbconn This file contains the username and password the website uses to connect to the db. Lots of these Google results don't take you straight to 'dbconn.inc', instead they show you an error message -- that shows you exactly where to find dbconn.inc!! 256 13 inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample Slapd.conf is the configuration file for slapd, the opensource LDAP deamon. The key "credentinals" contains passwords in cleartext. 257 13 inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample Slapd.conf is the configuration file for slapd, the opensource LDAP deamon. You can view a cleartext or crypted password for the "rootdn". 258 13 filetype:ini ws_ftp pwd filetype:ini ws_ftp pwd The encryption method used in WS_FTP is _extremely_ weak. These files can be found with the "index of" keyword or by searching directly for the PWD= value inside the configuration file. 259 11 inurl:forward filetype:forward -cvs inurl:forward filetype:forward -cvs Users on *nix boxes can forward their mail by placing a .forward file in their home directory. These files reveal email addresses. 260 10 "Invision Power Board Database Error" "Invision Power Board Database Error" These are SQL error messages, ranging from to many connections, access denied to user xxx, showing full path info to the php files etc.. There is an exploitable bug in version 1.1 of this software and the current version is 1.3 available for download on the site. 261 13 filetype:netrc password filetype:netrc password The .netrc file is used for automatic login to servers. The passwords are stored in cleartext.