DC Long
Watchers
Target Exploitation via Public Search Engines
mail://[email protected]
http://johnny.ihackstuff.com
what’s this about?
Google offers a very nice language translation service.
proxy
for example, translating from english to spanish...
proxy
Our english-to-spanish translated Google page is:
we’re surfing through Google, not to the evil DEFCON page. The boss will be sooo proud! 8P
proxy
this is a copy of a production site found on a web development company’s server...
finding development sites
• eventually, creative searching can lead to pay dirt: a source code dump
auth bypass
*this site was notified and secured before making this public. sorry, kids ;-)
evil searching: the basics
A simple search...
simple word search
site:defcon.org defcon
inurl:admin
users mbox
inurl:admin users passwords
filetype:
filetype:xls "checking account" "credit card"
Common Apache Versions
[Chart: x-axis Apache Version (1.3.26+interserver, 1.3.xx, 1.3.23-dev, 1.3.24-dev, 1.3.15-dev, 1.3.21-dev, 2.0.37-dev, 2.0.40-dev, 1.3.4-dev, 1.3.7-dev, 1.2.6, 1.3.17-HOF, 1.3.11, 2.0.28, 2.0.32, 2.0.35, 2.0.36, 1.3.17, 1.3b6, 1.3.0, 1.3.1, 1.3.2, 1.3.4, 2.0.16, 2.0.18); y-axis number of servers, 0 to 80,000]
Common Apache Versions found on Google
query: intitle:"Index of" "Apache/[ver] Server at"
[Chart: x-axis Apache Server Version (1.3.6, 1.3.9, 1.3.12, 1.3.14, 1.3.20, 1.3.22, 1.3.23, 1.3.24, 1.3.3, 1.3.19, 1.3.26, 2.0.39); y-axis Number of Servers, 0 to 1,000,000]
vulnerability trolling
The “intitle” keyword is one of the most powerful in the google master’s arsenal...
Directory Example
notice that the directory listing shows the names of the files in the directory.
we can combine our “intitle” search with another search to find specific files available on the web.
intitle:"Index of" .htpasswd
Lots more examples coming. Stick around for the grand finale...
finding interesting stuff
automation: googlescan
Googlescan
cat temp | awk -F"|" '{print "<A HREF=\"" $2 "\">" $1 " (" $3 "hits)</A><BR><BR>"}' | grep -v "(1,770,000" > report.html
Googlescan.sh output
...to output an html list of potentially vulnerable or interesting web servers according to Google.
http://johnny.ihackstuff.com/googledorks.shtml
more interesting stuff
http://somehost/cgi-bin/script.pl?p1=../../../../attack
http://somehost/cgi-bin/script.pl?p1=;attack
http://somehost/cgi-bin/script.pl?p1=|attack
http://somehost/cgi-bin/script.pl?p1=`attack`
http://somehost/cgi-bin/script.pl?p1=$(attack)
http://somehost:54321/attack?`id`
http://somehost/AAAAAAAAAAAAAAAAAAAAA...
Rise of the Robots: Results
Locking it down
Google’s advice