Google Hacking
Source: klionsec
Basic operators
intitle: search for the keyword in the page title
inurl: search for the keyword in the URL
intext: search for the keyword in the page body
filetype: search for a specific file extension
site: search for the content only within the specified site
link: search for links related to the given link
Wildcards and modifiers
+ force the term to be included in the query
- exclude the term from the query
"" match the quoted string exactly
. match any single character
* match any run of characters
| or comma (,): several alternatives; it is enough for any one keyword to match
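As an added example (not from the original page), a small evaluator for the operator semantics listed above: a defender can run it offline against an inventory of their own indexed pages to see which dorks from this sheet would surface them. The Page records, hostnames and dorks used as input are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Page:          # constructed inventory record of one of our own indexed pages
    url: str
    title: str
    text: str

OPS = {"intitle", "inurl", "allinurl", "intext", "filetype", "ext", "site"}

def to_regex(value):
    # '*' matches any run of characters and '.' any single character, as the sheet describes
    return re.escape(value).replace(r"\*", ".*").replace(r"\.", ".")

def tokenize(dork):
    # keep quoted phrases (with optional operator prefix) together; '|' is its own token
    return re.findall(r'[-+]?(?:\w+:)?"[^"]*"|\||[^\s|]+', dork)

def term_matches(token, page):
    negate = token.startswith("-")
    op, _, value = token.lstrip("+-").partition(":")
    if op not in OPS:                       # bare keyword: title, URL or body
        op, value = "any", token.lstrip("+-")
    pat, parsed = to_regex(value.strip('"')), urlparse(page.url)
    if op == "site":                        # host equals the domain or is a subdomain of it
        hit = re.fullmatch(r"(?:.*\.)?" + pat, parsed.hostname or "", re.I) is not None
    elif op in ("filetype", "ext"):
        hit = re.search(r"\." + pat + r"$", parsed.path, re.I) is not None
    else:
        fields = {"intitle": [page.title], "inurl": [page.url], "allinurl": [page.url],
                  "intext": [page.text], "any": [page.title, page.url, page.text]}[op]
        hit = any(re.search(pat, f, re.I) for f in fields)
    return hit != negate

def dork_matches(dork, page):
    # terms are ANDed; 'a | b' forms an OR group and every group needs at least one hit
    groups, join_next = [], False
    for tok in tokenize(dork):
        if tok == "|":
            join_next = True
        elif join_next and groups:
            groups[-1].append(tok); join_next = False
        else:
            groups.append([tok])
    return all(any(term_matches(t, page) for t in g) for g in groups)

def find_exposed(dorks, pages):
    """Map each dork to the URLs of inventory pages it would surface."""
    return {d: [p.url for p in pages if dork_matches(d, p)] for d in dorks}

INVENTORY = [  # constructed sample pages, not real hosts
    Page("https://intranet.example.com:8080/", "Apache Tomcat/8.5",
         "If you're seeing this, you've successfully installed Tomcat. $CATALINA_HOME/webapps/ROOT/"),
    Page("https://www.example.com/wp-login.php", "Log In - WordPress", "Username Password"),
    Page("https://files.example.com/wp-content/backup/site.sql", "Index of /backup", "-- MySQL dump"),
    Page("https://www.example.com/about.php", "About us", "Powered by nothing in particular"),
]
```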
Ideas prompted by Google Hacking
Especially in a large-scope penetration test, a lot of time goes into finding an entry point that can be broken through; Google Hacking can pay off well here, and it works best when combined with keywords related to the relevant vulnerabilities.
tomcat
If brute-forcing Tomcat's basic authentication succeeds, a malicious WAR package can be uploaded and a shell obtained very easily
# site restricts the query scope; intitle and intext match the tomcat keywords
intitle:apache tomcat site:domain
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:domain
intext:$CATALINA_HOME/webapps/ROOT/ inurl:8080/ site:domain
weblogic
The WebLogic framework has had many disclosed vulnerabilities; where it is present it is an entry point
# site restricts the query scope; inurl and intitle match the weblogic keywords
inurl:/console/login/LoginForm.jsp site:domain
inurl:/console/login/LoginForm.jsp intitle:Oracle WebLogic Server site:domain
inurl:/console/login/ intitle:"Oracle WebLogic Server 管理控制台" site:domain
jboss
The JBoss framework has had many disclosed vulnerabilities; where it is present it is an entry point
# site restricts the query scope; inurl matches the jboss keywords
inurl:/jmx-console/htmladaptor site:domain
websphere
The WebSphere framework has had many disclosed vulnerabilities; where it is present it is an entry point
# site restricts the query scope; inurl matches the websphere keywords
inurl:/ibm/console/logon.jsp site:domain
phpmyadmin
phpMyAdmin is the management platform for MySQL and can be brute-forced; once brute-forced, MySQL privileges are obtained, from which one escalates and gets a shell
# site restricts the query scope; inurl and intext match the phpMyAdmin keywords
inurl:/phpMyAdmin site:domain
inurl:/phpMyAdmin/index.php site:domain
inurl:/phpMyAdmin/index.php site:domain db+information_schema
inurl:/phpMyAdmin/index.php intext:phpMyAdmin site:domain
webmin
Webmin is a web-based Linux system administration tool; by default it listens on web port 10000
# site restricts the query scope; intitle and intext match the webmin keywords
intitle:Login to Webmin intext:"login to the Webmin server on" site:domain
wordpress
WordPress is an open-source PHP blogging platform; its framework has many vulnerabilities, in particular many SQL injections, through which a shell can be obtained
# site restricts the query scope; inurl and "index of" match the wordpress keywords
inurl:/wp-login.php site:domain
index of /wp-content/uploads inurl:/wp-login.php site:domain
inurl:/wp-content/themes/theagency site:domain
joomla
The Joomla framework has had many disclosed vulnerabilities; where it is present it is an entry point
# site restricts the query scope; inurl matches the joomla keywords
inurl:/administrator/index.php site:domain
inurl:index.php?option=com_advertisementboard site:domain look for injection
inurl:index.php?option=com_carocci site:domain
inurl:index.php?option=com_product site:domain
inurl:/administrator/index.php site:domain
drupal
The Drupal framework has had many disclosed vulnerabilities; where it is present it is an entry point
# site restricts the query scope; inurl and intext match the drupal keywords
inurl:CHANGELOG.txt intext:drupal intext:"SA-CORE" -site:github.com -site:domain
Fingerprint searching
I personally find this one quite good
# Best to add site to restrict the query scope; the version number can also be omitted
power by wordpress powered by discuz x3.2
powered by phpcms 2008 powered by drupal 7
powered by dedecmsv57_gbk powered by CubeCart 3.0.6
Powered by phpBB 2.0.6 powered by paBugs 2.0 Beta 3
inurl:wp-login.php inurl:/administrator/index.php
inurl:/admina.php
owa
Outlook mailbox (Outlook Web Access)
inurl:/owa/auth/logon.aspx site:domain
vpn
inurl:/sslvpn site:domain
mirapoint
Add site yourself to restrict the query scope
inurl:/cgi-bin/search.cgi site:domain
inurl:/cgi-bin/madmin.cgi site:domain
zimbra
Add site yourself to restrict the query scope
inurl:7071/zimbraAdmin/ site:domain
inurl:/help/en_US/standard/version.htm site:domain
Common admin backend addresses
Useful!! Add site yourself to restrict the query scope
inurl:/manager/login.php site:domain
inurl:/cms/login.php site:domain
inurl:/manage/index.php site:domain
inurl:/system/login.php site:domain
inurl:/webadmin/login.php site:domain
inurl:admin_login.php intitle:admin login site:domain
inurl:admin_login.php intitle:admin page site:domain
inurl:/admin/login.php site:domain
inurl:/admin/index.php site:domain
inurl:/system/adminlogin.asp site:domain
inurl:/manage/login.aspx site:domain
inurl:/sysadm/index.php site:domain
intext:"Website Design & Developed By : WebSay" default backend /admin
intext:"Powered by ENS Consultants" default backend /admin/login.php
intext:"Desenvolvimento - MW Way" default backend /admin/index.php
inurl:.php?id= intext:"Web realizada por Soma Estudio"
inurl:/_mycps/login.php
intext:"design by weli" default backend: /adm/login.php; besides weak passwords there is also injection
inurl:categorysearch.php?indus= site:domain SQL injection
svn
Add site yourself to restrict the query scope
inurl:/.svn/entries site:domain
Upload points
Add site yourself to restrict the query scope
intext:" Powered by JADBM " JADBM CMS upload shell: register, log in, then upload
inurl:"/index.php/frontend/login/en" Estate CMS upload shell: register, log in, then upload
inurl:/Content/Roxy_Fileman/ this path itself is the upload point
index of:"filemanager/dialog.php" this script is the upload script; upload directly
intext:"Desenvolvido por Webnet Soluções Tecnológicas." FCKeditor upload
inurl:"subir_foto.php" upload point
inurl:"/imce?dir=" intitle:"File Browser"
inurl:"Powered by Vision Helpdesk 3.9.10 Stable" register, log in, edit your profile and upload
index of /admin/fckeditor site:*.tw
inurl:/ewebeditor/ site:*.tw
inurl:/admin/upload_file.php
inurl:/admin/upfile.php
inurl:/admin/upload.asp
File inclusion and command execution
Add site yourself to restrict the query scope
inurl:footer.inc.php?settings=
inurl:/pb_inc/admincenter/index.php?page=
inurl:/pnadmin/categories.inc.php?subpage=
inurl:/index.php??view=src/sistema/vistas/
inurl:/edit.php?em=file&filename=
inurl:/path_to_athena/athena.php?athena_dir= remote inclusion
inurl:/path_to_qnews/q-news.php?id= remote inclusion
inurl:/inc/backend_settings.php?cmd=
inurl:login.action Struts2 series execution vulnerability exploitation
inurl:php?x= inurl:php?open=
inurl:php?visualizar= inurl:php?pagina=
inurl:php?inc= inurl:php?include_file=
inurl:php?page= inurl:php?pg=
inurl:php?show= inurl:php?cat=
inurl:php?file= inurl:php?path_local=
inurl:php?filnavn= inurl:php?HCL_path=
inurl:php?doc= inurl:php?appdir=
inurl:php?phpbb_root_dir= inurl:php?phpc_root_path=
inurl:php?path_pre= inurl:php?nic=
inurl:php?sec= inurl:php?content=
inurl:php?link= inurl:php?filename=
inurl:php?dir= inurl:php?document=
inurl:index.php?view= inurl:*.php?locate=
inurl:*.php?place= inurl:*.php?layout=
inurl:*.php?go= inurl:*.php?catch=
inurl:*.php?mode= inurl:*.php?name=
inurl:*.php?loc= inurl:*.php?f=
inurl:*.php?inf= inurl:*.php?pg=
inurl:*.php?load= inurl:*.php?naam=
allinurl:php?page= allinurl:php?file=
inurl:php?x= inurl:admin.php?cal_dir=
inurl:php?include= inurl:php?nav=
inurl:*.php?sel= inurl:php?p=
inurl:php?conf= inurl:php?prefix=
inurl:theme.php?THEME_DIR=
inurl:php?lvc_include_dir=
inurl:php?basepath= inurl:php?pm_path=
inurl:php?user_inc= inurl:php?cutepath=
inurl:php?fil_config= inurl:php?libpach=
inurl:php?pivot_path= inurl:php?rep=
inurl:php?conteudo= inurl:php?root=
inurl:php?configFile inurl:php?pageurl
inurl:php?inter_url inurl:php?url=
inurl:php?cmd= inurl:path.php?my=
inurl:php?xlink= inurl:php?to=
inurl:file.php?disp=
Shopping sites
Add site yourself to restrict the query scope
inurl:".php?catid=" intext:"View cart"
inurl:".php?catid=" intext:"Buy Now"
inurl:".php?catid=" intext:"add to cart"
inurl:".php?catid=" intext:"shopping"
inurl:".php?catid=" intext:"boutique"
inurl:".php?catid=" intext:"/store/"
inurl:".php?catid=" intext:"/shop/"
inurl:".php?catid=" intext:"Toys"
inurl:details.php?BookID=
inurl:shop.php?do=part&id=
CMS
Add site yourself to restrict the query scope
inurl:article.php?ID= inurl:newsDetail.php?id=
inurl:show.php?id= inurl:newsone.php?id=
inurl:news.php?id= inurl:event.php?id=
inurl:preview.php?id= inurl:pages.php?id=
inurl:main.php?id= inurl:prod_detail.php?id=
inurl:view.php?id= inurl:product.php?id=
inurl:contact.php?Id= inurl:display_item.php?id=
inurl:item.php?id= inurl:view_items.php?id=
inurl:details.asp?id= inurl:profile.asp?id=
inurl:content.asp?id= inurl:display_item.asp?id=
inurl:view_detail.asp?ID= inurl:section.php?id=
inurl:theme.php?id= inurl:produit.php?id=
inurl:chappies.php?id= inurl:readnews.php?id=
inurl:rub.php?idr= inurl:pop.php?id=
inurl:person.php?id= inurl:read.php?id=
inurl:reagir.php?num= inurl:staff_id=
inurl:gallery.php?id= inurl:humor.php?id=
inurl:spr.php?id= inurl:gery.php?id=
inurl:profile_view.php?id=
inurl:fellows.php?id= inurl:ray.php?id=
inurl:productinfo.php?id=
inurl:file.php?cont= inurl:include.php?chapter=
inurl:principal.php?param=
inurl:general.php?menue= inurl:php?pref=
inurl:nota.php?chapter= inurl:php?str=
inurl:php?corpo= inurl:press.php?*[*]*=
inurl:asp?pid= inurl:php?id=
inurl:aspx?id= inurl:jsp?id=
inurl:do?id= inurl:cgi?id=
Universal passwords (SQL injection login bypass strings)
Add site yourself to restrict the query scope
inurl:"wladmin/login.asp"
Username : '=' 'or'
Password : '=' 'or'
intext:POWERED BY Versatile Software Services default backend /alogin.aspx
User ==> 'or''='
Pass ==> 'or''='
inurl:/media.php?hal=login
Email: '=''or'@gmail.com
Pass: '=''or'
intext:"Powered by : Best Webmasterz." default backend /admin
User : '=' 'OR'
Pass : '=' 'OR'
intext:"Web Design and Maintenance by Cloud 5 Solutions" default backend /admin/login.php
User : '=' 'OR'
Pass : '=' 'OR'
intext:"网站设计:火龙科技" default backend /maintain/login.php
Username : '=' 'or'
Password : '=' 'or'
intext:"Powered by Moodyworld" default backend /admin/
Username : '=' 'or'
Password : '=' 'or'
Sensitive information disclosure
Add site yourself to restrict the query scope
site:domain inurl:/phpinfo.php
filetype:log "PHP Parse error"| "PHP Warning"
site:domain "id=" & intext:"Warning: mysql_fetch_array()
site:domain "id=" & intext:"Warning: getimagesize()
site:domain "id=" & intext:"Warning: array_merge()
site:domain "id=" & intext:"Warning: mysql_fetch_assoc()
site:domain "id=" & intext:"Warning: mysql_result()
site:domain "id=" & intext:"Warning: pg_exec()
site:domain "id=" & intext:"Warning: require()
inurl:/robots.txt site:*.*
inurl:/application/configs/ the config file is /application/configs/application.ini
----------------------------htpasswd--------------------------------
htpasswd.bak filetype:htpasswd
-----------------------------cisco vpn----------------------------
filetype:pcf "GroupPwd"
Cisco online password decoder ==> https://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
-----------------ftp account passwords-----------------------------
"index of/" "ws_ftp.ini" "parent directory"
"your password is" filetype:log
filetype:ini inurl:"serv-u.ini"
filetype:ini inurl:flashFXP.ini
filetype:ini ServUDaemon
filetype:ini wcx_ftp
filetype:ini ws_ftp pwd
ext:inc "pwd=" "UID="
auth_user_file.txt
filetype:sql inurl:backup inurl:wp-content
inurl:/eWebEditor/db/ site:domain
filetype:xls QQ site:cn
Directory listing
site:domain index of /admin
site:domain index of /upfiles
site:domain index of /fckeditor/editor/
site:domain index of /admin/uploadfile
site:domain index of /admin/file
site:domain index of /system/file
site:domain index of /phpmyadmin
site:domain index of /web/backup/
inurl:/phpmyadmin/index.php site:domain
Leftover webshells
Add site yourself to restrict the query scope
inurl:b374k.php filetype:php
inurl:c99.php
inurl:c100.php Generation time:
inurl:itsecteam_shell.php
intext:x2300 Locus7Shell v. 1.0a beta Modded by
intext:c99shell inurl:c99.php
powered by Captain Crunch Security Team
"inurl:c99.php" + "intext:safe"
intitle:r57shell
intitle:c99shell +uname
inurl:c99.php uid=0(root)
intitle:c99shell+filetype:php
intitle:ly0kha shell
inurl:.php "cURL: ON MySQL: ON MSSQL: OFF"
"Shell" filetype:php intext:"uname -a:" "EDT 2010"
intitle:"intitle:r57shell"
inurl:"c99.php" & intext:Encoder Tools Proc.
inurl:"c100.php" & intext:Encoder Tools Proc.
intitle:"Shell" inurl:".php" & intext:Encoder Tools Proc.
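Turning the sheet around for the defender, as an added example that is not part of the original page: a scanner over web access logs that flags requests for the admin, backup and webshell paths named above, and visitors whose search-engine referer carried dork operators. The watched-path selection, the log format (Apache combined) and the sample log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Paths this sheet targets; a probe of one in our own logs is worth a look (constructed selection)
WATCHED_PATHS = [
    r"/phpmyadmin", r"/jmx-console/htmladaptor", r"/console/login/loginform\.jsp",
    r"/ibm/console/logon\.jsp", r"/wp-login\.php", r"/owa/auth/logon\.aspx", r"/\.svn/entries",
    r"/phpinfo\.php", r"/application/configs/", r"ws_ftp\.ini", r"serv-u\.ini", r"\.htpasswd",
    r"(?:^|/)(?:c99|c100|b374k|r57shell|itsecteam_shell)\.php",
]
WATCHED_RE = re.compile("|".join(WATCHED_PATHS), re.I)
DORK_OP_RE = re.compile(r'\b(?:inurl|intitle|intext|filetype|ext|site|allinurl):|"?index of', re.I)
SEARCH_HOSTS = ("google.", "bing.", "duckduckgo.", "baidu.")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def search_query(referer):
    """Return the search string if the referer is a search-engine results page, else None."""
    u = urlparse(referer)
    if not u.hostname or not any(h in u.hostname for h in SEARCH_HOSTS):
        return None
    qs = parse_qs(u.query)
    for key in ("q", "wd", "p"):            # google/bing/ddg use q, baidu wd, yahoo p
        if key in qs:
            return unquote(qs[key][0])
    return None

def classify(line):
    """Return a finding dict for a suspicious request, or None for a benign or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if WATCHED_RE.search(unquote(m["path"])):
        reasons.append("probe of dork-listed path")
    q = search_query(m["referer"])
    if q and DORK_OP_RE.search(q):          # visitor arrived from a query built with dork operators
        reasons.append("arrived via search with dork operators")
    return {"ip": m["ip"], "path": m["path"], "status": m["status"], "reasons": reasons} if reasons else None

def scan(lines):
    return [r for r in (classify(l) for l in lines) if r]

SAMPLE_LOG = [  # constructed lines, not real traffic
 '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 512 "https://www.google.com/search?q=inurl%3A%2FphpMyAdmin%2Findex.php+site%3Aexample.com" "Mozilla/5.0"',
 '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /.svn/entries HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
 '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/post-1 HTTP/1.1" 200 4096 "https://www.google.com/search?q=example+blog" "Mozilla/5.0"',
 '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /uploads/c99.php HTTP/1.1" 404 0 "-" "curl/8.0"',
]
```

A 200 on a watched path (the first sample line) is the case to act on; 404 probes still show which dorks are being worked against the site.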