RE: Google lists vulnerable sites.

From: Erick Arturo Perez Huemer (eperez@compuservice.net)
Date: 07/06/02


From: "Erick Arturo Perez Huemer" <eperez@compuservice.net>
To: <silencedscream@hotmail.com>, <vuln-dev@securityfocus.com>
Date: Fri, 5 Jul 2002 18:12:27 -0500

Doing a query of a specific country/language and using inurl:iisadmin
revealed a simple list of sites running the Internet Information Server
administrator page, the list returned was 45. Of those, 9 had no
password and were visible from my side.

Several searches can be made: Ports in the url, specific cgi, specific
files (like the db) etc.

Using the db as an example, I was able to see several sites that use a
web program to manage statistics and other data. Those sites were under
an obfuscated URL and I guess they were supposed not to be seen by the
outsiders.

The only drawback is that I do not seem to be able to define a "set" of
ip addresses rather than domains to search.

Google.com.....Simple Nmap's rival?? (it's a joke, don't start
blaming....)

Erick A. Perez H.
Asesor de Seguridad informatica
y TeleComunicaciones
Panama, Republica de Panama
Tel. (507) 226-6217
Movil. (507) 652-4889 (24 horas)
eperez@compuservice.net
 

> -----Original Message-----
> From: silencedscream@hotmail.com [mailto:silencedscream@hotmail.com]
> Sent: Viernes, 05 de Julio de 2002 02:01 p.m.
> To: vuln-dev@securityfocus.com
> Subject: Google lists vulnerable sites.
>
>
>
>
> Let me first say that I do not know if this issue has been brought to
> light before or in what detail it might have been discussed. On to the
> show...
>
> The problem I have found is that google may be archiving too much
> information on sites. By carefully crafting search strings you can
> reliably return sites whose root, cgi-bin, bin, admin, etc...
> directories are exposed and unprotected. The first thing you must do is
> select the name of a commonly protected directory (I will use admin in
> this example). The second is to think of a filetype that only the
> administrator and not the average web surfer would have access to.
> Things like bin, txt, or htm are no good because they are commonly made
> available in other directories for legitimate reasons. For this example
> I choose to go with .db. Now to create the search string.
>
> inurl:admin filetype:db
>
> The above gives us,
> http://www.google.com/search?sourceid=navclient&q=inurl%3Aadmin+filetype%3Adb
>
> The above search sets the requirements that admin must be in the url and
> only sites that contain a file of the type .db are returned.
>
> Now most of the links you click on will take you to some meaningless url
> or email database but if for example you had
>
> www.somesite.org/admin/cgi-bin/url.db
>
> and you removed the url.db from the link you are now free to traverse
> through their directories and files. By using carefully selected search
> terms like the ones above I have about a 90-95% success rate of
> vulnerable sites returned. The trick is finding the right directory and
> filetypes to use in the search.
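
A defender-side check for the exposure described in this thread, added here as an example and not part of either poster's message: it walks a local document root and reports `.db` files under admin-style directories, plus such directories that have no index file and would be listed by a server with auto-indexing enabled. The function names, the index-file list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed audit rules: directory names and file type taken from the thread's example.
SENSITIVE_DIRS = {"admin", "cgi-bin", "bin"}
SENSITIVE_EXTS = {".db"}
# Assumed list of default documents; adjust to the server's own configuration.
INDEX_FILES = {"index.html", "index.htm", "default.htm", "default.asp", "index.php"}

def audit_docroot(docroot):
    """Return (exposed_files, listable_dirs) as sorted lists of URL-style paths."""
    exposed, listable = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        parts = [] if rel == "." else rel.split(os.sep)
        # Only look inside paths that contain an admin-style directory name.
        if not any(p.lower() in SENSITIVE_DIRS for p in parts):
            continue
        url_dir = "/" + "/".join(parts) + "/"
        # No default document: trimming a filename off a URL shows a listing
        # if the server has auto-indexing switched on.
        if not any(f.lower() in INDEX_FILES for f in filenames):
            listable.append(url_dir)
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXTS:
                exposed.append(url_dir + name)
    return sorted(exposed), sorted(listable)

def build_sample_docroot(root):
    """Constructed sample tree mirroring the thread's /admin/cgi-bin/url.db case."""
    layout = {
        "index.html": "home",
        "admin/index.html": "login page",
        "admin/cgi-bin/url.db": "constructed data",
        "docs/readme.txt": "public",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        files, dirs = audit_docroot(tmp)
        print("files a crawler could index:", files)
        print("directories without an index file:", dirs)
```

Anything the script reports should be moved out of the document root or placed behind authentication; a robots.txt entry alone only asks crawlers not to index a path and does not restrict access to it.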


