Vulnerability Development mailing list archives
Re: Google lists vulnerable sites.
From: "KF" <dotslash () snosoft com>
Date: Mon, 10 Jun 2002 18:47:02 -0700
Altavista is good for finding cgi script vulns... url:cgi-bin, url:template or in Spanish or something like url:cgi-bin, url:pagina then stuff a few ../../../../'s in some variables... get creative ... but I wouldn't really call any of this fancy searching a vulnerability nor is it specific to google. I have seen similar techniques used in wormish type tools that spider through web pages looking for new cgi vulns.

-KF

----- Original Message -----
From: <silencedscream () hotmail com>
To: <vuln-dev () securityfocus com>
Sent: Friday, July 05, 2002 12:01 PM
Subject: Google lists vulnerable sites.
Let me first say that I do not know if this issue has been brought to light before or in what detail it might have been discussed. On to the show...

The problem I have found is that google may be archiving too much information on sites. By carefully crafting search strings you can reliably return sites whose root, cgi-bin, bin, admin, etc... directories are exposed and unprotected.

The first thing you must do is select the name of a commonly protected directory (I will use admin in this example). The second is to think of a filetype that only the administrator and not the average web surfer would have access to. Things like bin, txt, or htm are no good because they are commonly made available in other directories for legitimate reasons. For this example I choose to go with .db.

Now to create the search string.

inurl:admin filetype:db

The above gives us,

http://www.google.com/search?sourceid=navclient&q=inurl%3Aadmin+filetype%3Adb

The above search sets the requirements that admin must be in the url and only sites that contain a file of the type .db are returned. Now most of the links you click on will take you to some meaningless url or email database but if for example you had www.somesite.org/admin/cgi-bin/url.db and you removed the url.db from the link you are now free to traverse through their directories and files. By using carefully selected search terms like the ones above I have about a 90-95% success rate of vulnerable sites returned. The trick is finding the right directory and filetypes to use in the search.
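
A defender-side check for the exposure this thread describes, as an added example that is not part of the original posts: it walks a local web document root and reports directories under the names the post mentions (admin, cgi-bin, bin) that have no index file, plus any .db files beneath them. The index file names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

SENSITIVE_DIRS = {"admin", "cgi-bin", "bin"}  # directory names from the post
RISKY_EXTS = {".db"}                           # file type used in the post's example
INDEX_NAMES = {"index.html", "index.htm"}      # assumption: match your server's index setting


def audit_docroot(root):
    """Return sorted (relative_path, reason) findings for a local web root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        parts = set() if rel == "." else set(rel.split("/"))
        if not parts & SENSITIVE_DIRS:
            continue  # only audit paths at or below a sensitive directory name
        if not INDEX_NAMES & set(filenames):
            # Without an index file, a server with auto-indexing lists the directory.
            findings.append((rel, "no index file"))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in RISKY_EXTS:
                findings.append((rel + "/" + name, "data file in web root"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout mirroring the post's /admin/cgi-bin/url.db case."""
    for d in ("admin/cgi-bin", "admin/panel", "public"):
        os.makedirs(os.path.join(root, *d.split("/")))
    for f in ("admin/index.html", "admin/panel/index.html",
              "admin/cgi-bin/url.db", "public/notes.db"):
        open(os.path.join(root, *f.split("/")), "w").close()


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_docroot(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Findings are candidates for moving data files out of the document root, adding access control, or disabling automatic directory listings on the server.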