Table 4.2 Log File Search Examples

Query                                                         Program
"ZoneAlarm Logging Client"                                    ZoneAlarm log files
+htpasswd WS_FTP.LOG filetype:log                             WS_FTP client log files
+intext:"webalizer" +intext:"Total Usernames"
  +intext:"Usage Statistics for"                              Webalizer statistics
ext:log "Software: Microsoft Internet Information
  Services *.*"                                               IIS server log files
ext:log password END_FILE                                     Java password files
filetype:cfg login "LoginServer="                             Ultima Online log files
filetype:log "PHP Parse error" | "PHP Warning" | "            PHP error logs
filetype:log "See `ipsec --copyright"                         BARF log files
filetype:log access.log -CVS                                  HTTPD server access logs
filetype:log hijackthis "scan saved"                          Hijackthis scan log
filetype:log inurl:"password.log"                             Password logs
filetype:log inurl:access.log TCP_HIT                         Squid access log
filetype:log inurl:cache.log                                  Squid cache log
filetype:log inurl:store.log RELEASE                          Squid disk store log
filetype:log inurl:useragent.log                              Squid useragent log
filetype:log iserror.log                                      MS Install Shield logs
filetype:log username putty                                   Putty SSH client logs
intext:"Session Start * * * *:*:* *" filetype:log             IRC/AIM log files
intitle:"HostMonitor log" | intitle:"HostMonitor report"      HostMonitor
intitle:"Index Of" -inurl:maillog maillog size                Mail log files
intitle:"LOGREP - Log file reporting system" -site:itefix.no  Logrep
intitle:index.of bash_history                                 UNIX bash shell history file
intitle:index.of sh_history                                   UNIX shell history file
intitle:index.of cleanup.log                                  Outlook Express cleanup logs
inurl:access.log filetype:log -cvs                            Apache access log (Windows)
inurl:error.log filetype:log -cvs                             Apache error log
log inurl:linklint filetype:txt -"checking"                   Linklint logs
Squid cache server reports                                    Squid server cache reports
Log files reveal various types of information, as shown in the search for filetype:log username putty in Figure 4.6. This log file lists machine names and associated user names that could be reused in an attack against the machine.
Figure 4.6 Putty Log Files Reveal Sensitive Data
Office Documents
The term office document generally refers to documents created by word processing software, spreadsheet software, and lightweight database programs. Common word processing software includes Microsoft Word, Corel WordPerfect, MacWrite, and Adobe Acrobat. Common spreadsheet programs include Microsoft Excel, Lotus 1-2-3, and Linux’s Gnumeric. Other documents that are generally lumped together under the office document category include Microsoft PowerPoint, Microsoft Works, and Microsoft Access documents. Table 4.3 lists some of the more common office document file types, organized roughly by their Internet popularity (based on number of Google hits).
Table 4.3 Popular Office Document File Types

File Type                          Extension
Adobe Portable Document Format     pdf
MacWrite                           mw
In many cases, simply searching for these files with filetype is pointless without an additional specific search. Google hackers have successfully uncovered all sorts of interesting files by simply throwing search terms such as private or password or admin onto the tail end of a filetype search. However, simple base searches such as (inurl:xls OR inurl:doc OR inurl:mdb) can be used as a broad search across many file types.
Table 4.4 lists some searches from the GHDB that specifically target office documents. This list shows quite a few specific techniques that we can learn from. Some searches, such as filetype:xls inurl:password.xls, focus on a file with a specific name. The password.xls file does not necessarily belong to any specific software package, but it sounds interesting simply because of the name. Other searches, such as filetype:xls username password email, shift the focus from the file’s name to its contents. The reasoning here is that if an Excel spreadsheet contains the words username, password and e-mail, there’s a good chance the spreadsheet contains sensitive data such as passwords. The heart and soul of a good Google search involves refining a generic search to uncover something extremely relevant. Google’s ability to search inside different types of documents is an extremely powerful tool in the hands of an advanced Google user.
Table 4.4 Sample Queries That Locate Potentially Sensitive Office Documents

Query                                   Data Located
filetype:xls username password email    Passwords
filetype:xls inurl:"password.xls"       Passwords
filetype:xls private                    Private data (use as base search)
inurl:admin filetype:xls                Administrative data
filetype:xls inurl:contact              Contact information, e-mail addresses
filetype:xls inurl:"email.xls"          E-mail addresses, names
allinurl: admin mdb                     Administrative database
filetype:mdb inurl:users.mdb            User lists, e-mail addresses
inurl:email filetype:mdb                User lists, e-mail addresses
data filetype:mdb                       Various data (use as base search)
inurl:backup filetype:mdb               Backup databases
inurl:profiles filetype:mdb             User profiles
inurl:*db filetype:mdb                  Various data (use as base search)
Database Digging
There has been intense focus recently on the security of Web-based database applications, specifically the front-end software that interfaces with a database. Within the security community, talk of SQL injection has all but replaced talk of the once-common CGI vulnerability, indicating that databases have arguably become a greater target than the underlying operating system or Web server software.
An attacker will not generally use Google to break into a database or muck with a database front-end application; rather, Google hackers troll the Internet looking for bits and pieces of database information leaked from potentially vulnerable servers. These bits and pieces of information can be used to first select a target and then to mount a more educated attack (as opposed to a ground-zero blind attack) against the target. Bearing this in mind, understand that here we do not discuss the actual mechanics of the attack itself, but rather the surprisingly invasive information-gathering phase an accomplished Google hacker will employ prior to attacking a target.
Login Portals
As we discussed in Chapter 8, a login portal is the “front door” of a Web-based application. Proudly displaying a username and password dialog, login portals generally bear the scrutiny of most Web attackers simply because they are the one part of an application that is most carefully secured. There are obvious exceptions to this rule, but as an analogy, if you’re going to secure your home, aren’t you going to first make sure your front door is secure?
A typical database login portal is shown in Figure 4.7. This login page announces not only the existence of an SQL Server but also the Microsoft Web Data Administrator software package.
Figure 4.7 A Typical Database Login Portal
Regardless of its relative strength, the mere existence of a login portal provides a glimpse into the type of software and hardware that might be employed at a target. Put simply, a login portal is terrific for footprinting. In extreme cases, an unsecured login portal serves as a welcome mat for an attacker. To this end, let’s look at some queries that an attacker might use to locate database front ends on the Internet. Table 4.5 lists queries that locate database front ends or interfaces. Most entries are pulled from the GHDB.
Table 4.5 Queries That Locate Database Interfaces

Query                                                   Database Interface
"ClearQuest Web Logon"                                  ClearQuest (CQWEB)
filetype:fp5 fp5 -"cvs log"                             FileMaker Pro
"Select a database to view" intitle:"filemaker pro"     FileMaker Pro
"Welcome to YourCo Financial"                           IBM Websphere
"(C) Copyright IBM" "Welcome to Websphere"              IBM Websphere
inurl:names.nsf?opendatabase                            Lotus Domino
inurl:"/catalog.nsf" intitle:catalog                    Lotus Domino
intitle:"messaging login" "© Copyright IBM"             Lotus Messaging
intitle:"Web Data Administrator - Login"                MS SQL login
intitle:"Gateway Configuration Menu"                    Oracle
inurl:/pls/sample/admin_/help/                          Oracle default manuals
inurl:1810 "Oracle Enterprise Manager"                  Oracle Enterprise Manager
inurl:admin_/globalsettings.htm                         Oracle HTTP Listener
intitle:"oracle http server index"
  "Copyright * Oracle Corporation."                     Oracle HTTP Server
inurl:pls/admin_/gateway.htm                            Oracle login portal
inurl:orasso.wwsso_app_admin.ls_login                   Oracle Single Sign-On
"phpMyAdmin" "running on" inurl:"main.php"              phpMyAdmin
"Welcome to phpMyAdmin" " Create new database"          phpMyAdmin
intitle:"index of /phpmyadmin" modified                 phpMyAdmin
intitle:phpMyAdmin "Welcome to phpMyAdmin ***"
  "running on * as root@*"                              phpMyAdmin
inurl:main.php phpMyAdmin                               phpMyAdmin
intitle:"phpPgAdmin - Login" Language                   phpPgAdmin (PostgreSQL) Admin tool
intext:SQLiteManager inurl:main.php                     SQLite Manager
Underground Googling
Login Portals
One way to locate login portals is to focus on the word login. Another way is to focus on the copyright at the bottom of a page. Most big-name portals put a copyright notice at the bottom of the page. Combine this with the product name, and a welcome or two, and you’re off to a good start. If you run out of ideas for new databases to try, go to http://labs.google.com/sets, enter oracle and mysql, and click Large Set for a list of databases.
Support Files
Another way an attacker can locate or gather information about a database is by querying for support files that are installed with, accompany, or are created by the database software. These can include configuration files, debugging scripts, and even sample database files. Table 4.6 lists some searches that locate specific support files that are included with or are created by popular database clients and servers.
Table 4.6 Queries That Locate Database Support Files

Query                                           Support File
inurl:default_content.asp ClearQuest            ClearQuest Web help files
intitle:"index of" intext:globals.inc           MySQL globals.inc file, lists connection and
                                                credential information
filetype:inc intext:mysql_connect               PHP MySQL connect file, lists connection and
                                                credential information
filetype:inc dbconn                             Database connection file, lists connection
                                                and credential information
intitle:"index of" intext:connect.inc           MySQL connection file, lists connection and
                                                credential information
filetype:properties inurl:db                    db.properties file, lists connection
intitle:"index of" mysql.conf OR mysql_config   MySQL configuration file, lists port number,
                                                version number, and path information to
                                                MySQL server
inurl:php.ini filetype:ini                      PHP.INI file, lists connection and credential
                                                information
filetype:ldb admin                              Microsoft Access lock files, list database and
                                                username
inurl:config.php dbuname dbpass                 The old config.php script, lists user and
                                                password information
intitle:index.of config.php                     The config.php script, lists user and
                                                password information
"phpinfo.php" -manual                           The output from phpinfo.php, lists a great
                                                deal of information
intitle:"index of" +myd size                    The MySQL data directory
filetype:cnf my.cnf -cvs -example               The MySQL my.cnf file, can list information
                                                ranging from paths and database names to
                                                passwords and usernames
filetype:ora ora                                ORA configuration files, list Oracle
                                                database information
filetype:pass pass intext:userid                dbman files, list encoded passwords
filetype:pdb pdb backup (Pilot |                Palm database files, can list all sorts of
As an example of a support file, PHP scripts using the mysql_connect function reveal machine names, usernames, and cleartext passwords, as shown in Figure 4.8. Strictly speaking, this file contains PHP code, but the INC extension makes it an include file. It’s the content of this file that is of interest to a Google hacker.
Figure 4.8 PHP Files Can Reveal Machine Names, Usernames, and Passwords
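The practical defence against every query in Tables 4.2, 4.4 and 4.6 is to find such files on your own web root before a crawler does. The following Python script is an added example and is not code from this book: the file-name and content patterns paraphrase the tables (log files, shell history, office documents, .inc files that call mysql_connect, config.php, my.cnf, php.ini and so on), the function names audit_webroot and apache_deny_rule are the author's own choices, and the sample web root it builds is constructed for the demonstration.

```python
"""Audit a web root for the kinds of files that the log-file, office-document
and support-file queries in Tables 4.2, 4.4 and 4.6 are written to find.
Added example, not code from the book: patterns paraphrase the tables and the
sample tree is constructed."""
import re
import shutil
import tempfile
from pathlib import Path

# (label, regex matched against the bare file name), drawn from the tables
NAME_PATTERNS = [
    ("log file", r".*\.log"),                       # Table 4.2: filetype:log
    ("shell history", r"\.?(bash|sh)_history"),      # intitle:index.of bash_history
    ("WS_FTP log", r"WS_FTP\.LOG"),
    ("office document", r".*\.(xls|doc|mdb|pdf)"),   # Table 4.4 file types
    ("PHP include", r".*\.inc"),                     # Table 4.6: filetype:inc
    ("config.php", r"config\.php"),
    ("phpinfo page", r"phpinfo\.php"),
    ("MySQL config", r"my\.cnf"),
    ("php.ini", r"php\.ini"),
    ("Access lock file", r".*\.ldb"),
    ("Java db.properties", r"db.*\.properties"),
    ("Oracle config", r".*\.ora"),
]

# content checks for files that hold a database connection (Table 4.6)
CONTENT_PATTERNS = [
    ("mysql_connect call", re.compile(r"mysql_connect\s*\(", re.I)),
    ("credential variable",
     re.compile(r"\$(dbuname|dbpass|db_?user|db_?pass\w*)\b", re.I)),
    ("display_errors enabled",
     re.compile(r"^\s*display_errors\s*=\s*on\b", re.I | re.M)),
]
TEXT_SUFFIXES = {".inc", ".php", ".ini", ".properties"}

def audit_webroot(root):
    """Walk `root` and return (relative path, reason) pairs for every file that
    matches a risky name or whose content references a connection/credential."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        for label, pattern in NAME_PATTERNS:
            if re.fullmatch(pattern, path.name, re.I):
                findings.append((rel, f"name matches {label}"))
        if path.suffix.lower() in TEXT_SUFFIXES:
            text = path.read_text(errors="replace")
            for label, regex in CONTENT_PATTERNS:
                if regex.search(text):
                    findings.append((rel, f"content: {label}"))
    return findings

# extensions that should never be served as-is; deny them at the web server
BLOCK_EXTENSIONS = ("inc", "log", "ini", "cnf", "ldb", "ora", "properties")

def apache_deny_rule(extensions=BLOCK_EXTENSIONS):
    """Apache 2.4 FilesMatch block refusing direct requests for the given
    extensions. Keeping such files outside the web root is still the better fix."""
    return ('<FilesMatch "\\.(%s)$">\n    Require all denied\n</FilesMatch>'
            % "|".join(extensions))

def make_sample_webroot():
    """Constructed sample web root for the demo (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "inc").mkdir()
    (root / "inc" / "db.inc").write_text(
        '<?php\n$dbuname = "app";\n$dbpass = "example-only";\n'
        '$link = mysql_connect("db.internal.example", $dbuname, $dbpass);\n')
    (root / "logs").mkdir()
    (root / "logs" / "access.log").write_text("10.0.0.5 - - GET / 200\n")
    (root / "php.ini").write_text("display_errors = On\nlog_errors = Off\n")
    (root / "reports").mkdir()
    (root / "reports" / "contacts.xls").write_bytes(b"\xd0\xcf\x11\xe0 constructed")
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    return root

if __name__ == "__main__":
    sample = make_sample_webroot()
    try:
        for rel, reason in audit_webroot(sample):
            print(f"{rel}: {reason}")
        print(apache_deny_rule())
    finally:
        shutil.rmtree(sample)
```

Run against the constructed tree it reports seven findings (the .inc file three times: by name, for its mysql_connect call and for its $dbuname/$dbpass variables) and leaves index.php alone. The FilesMatch rule is a stop-gap; moving connection includes above the document root removes the exposure entirely.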
Error Messages
As we’ve discussed throughout this book, error messages can be used for all sorts of profiling and information-gathering purposes. Error messages also play a key role in the detection and profiling of database systems. As is the case with most error messages, database error messages can also be used to profile the operating system and Web server version. Conversely, operating system and Web server error messages can be used to profile and detect database servers. Table 4.7 shows queries that leverage database error messages.
Table 4.7 Queries That Locate Database Error Messages

Error Message                                     Query
.NET error message reveals data sources, and      "ASP.NET_SessionId" "data source="
  even authentication credentials
500 "Internal Server Error" reveals the server    "Internal Server Error" "server at"
  administrator's email address, and Apache
  server banners
500 "Internal Server Error" reveals the type of   intitle:"500 Internal Server Error" "server at"
  web server running on the site, and has the
  ability to show other information depending
  on how the message is internally formatted
ASP error message reveals compiler used,          filetype:asp "Custom Error Message" Category Source
  language used, line numbers, program names
  and partial source code
Access error message can reveal path names,       "Syntax error in query expression " -the
  function names, filenames and partial code
Apache Tomcat error messages can reveal           intitle:"Apache Tomcat" "Error Report"
  various kinds of information depending on
  the type of error
CGI error messages may reveal partial code        intext:"Error Message : Error loading required libraries."
  listings, PERL version, detailed server
  information, usernames, setup file names,
  form and query information, port and path
  information, and more
Chatologica MetaSearch error reveals Apache       "Chatologica MetaSearch" "stack tracking:"
  version, CGI environment vars, path names,
  stack dumps, process IDs, PERL version, and
  more
Cocoon XML reveals library functions, cocoon      "error found handling the request" cocoon filetype:xml
  version number, and full and/or relative
  path names
ColdFusion error messages trigger on SQL          intitle:"Error Occurred While Processing Request" +WHERE (SELECT|INSERT) filetype:cfm
  SELECT or INSERT statements, which could
  help locate SQL injection points
ColdFusion error message can reveal partial       intitle:"Error Occurred" "The error occurred in" filetype:cfm
  source code, full pathnames, SQL query info,
  database name, SQL state info and local time
  info
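Because the login-portal queries of Table 4.5 and the error-message queries of Table 4.7 both work by matching fixed phrases in page text, the same phrases can be run over your own site's responses (from a staging crawl, an integration test, or an egress proxy) to catch a banner or verbose error before a search engine indexes it. The Python below is an added example, not code from this book: the signature list is built from the quoted terms in the two tables, the function names classify_response and scan_site are the author's own, and SAMPLE_RESPONSES holds constructed page bodies.

```python
"""Flag HTTP response bodies that carry a login-portal banner (Table 4.5) or
the verbose database error text (Table 4.7) that Google-hacking queries key on.
Added example, not code from the book: phrases come from the tables' quoted
terms; the sample responses are constructed."""
import re

# (signature name, phrases that must all appear in the body)
SIGNATURES = [
    # login portals (Table 4.5)
    ("phpMyAdmin portal", ["Welcome to phpMyAdmin", "running on"]),
    ("MS SQL Web Data Administrator", ["Web Data Administrator - Login"]),
    ("phpPgAdmin portal", ["phpPgAdmin - Login"]),
    ("Oracle Single Sign-On", ["orasso.wwsso_app_admin.ls_login"]),
    ("SQLite Manager", ["SQLiteManager"]),
    # database error messages (Table 4.7)
    (".NET data source leak", ["ASP.NET_SessionId", "data source="]),
    ("Apache 500 with admin address", ["Internal Server Error", "server at"]),
    ("Access query syntax error", ["Syntax error in query expression"]),
    ("Tomcat error report", ["Apache Tomcat", "Error Report"]),
    ("CGI library load error", ["Error Message : Error loading required libraries."]),
    ("Chatologica stack trace", ["Chatologica MetaSearch", "stack tracking:"]),
    ("Cocoon request error", ["error found handling the request", "cocoon"]),
    ("ColdFusion SQL error", ["Error Occurred While Processing Request", "WHERE"]),
    ("ColdFusion error detail", ["Error Occurred", "The error occurred in"]),
]

def classify_response(body):
    """Names of every signature whose phrases all occur in `body`
    (case-insensitive, runs of whitespace collapsed to one space)."""
    norm = re.sub(r"\s+", " ", body).lower()
    return [name for name, phrases in SIGNATURES
            if all(p.lower() in norm for p in phrases)]

def scan_site(responses):
    """Map each path in `responses` ({path: body}) to its matched signatures,
    keeping only the paths that matched something."""
    report = {}
    for path, body in responses.items():
        hits = classify_response(body)
        if hits:
            report[path] = hits
    return report

# constructed sample responses, as a crawl of one's own site might capture them
SAMPLE_RESPONSES = {
    "/": "<html><body><h1>Welcome to the store</h1></body></html>",
    "/admin/": "<html><head><title>Web Data Administrator - Login</title></head></html>",
    "/search.cfm": (
        "<h1>Error Occurred While Processing Request</h1>"
        "<pre>SELECT * FROM users WHERE id = 'x'</pre>"
        "<p>The error occurred in C:\\inetpub\\wwwroot\\search.cfm: line 42</p>"),
    "/legacy.aspx": (
        "<!-- cookie: ASP.NET_SessionId=constructed -->"
        "<b>Connection failed: Data Source=sqlhost;User ID=app</b>"),
}

if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_RESPONSES).items():
        print(f"{path}: {', '.join(hits)}")
```

On the constructed responses the home page passes, the admin page is flagged as an exposed Web Data Administrator login, the ColdFusion page matches both ColdFusion signatures (it echoes the failing SQL and the script path), and the legacy page leaks a data source name. Each hit is a page that should be moved behind authentication or replaced with a generic error page before it can be indexed.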