Query    Description
intitle:"Error Occurred While Processing Request"    ColdFusion error message, can reveal SQL statements and server information
intitle:"Error Occurred" "The error occurred in" filetype:cfm    ColdFusion error message, can reveal source code, full pathnames, SQL query info, database name, SQL state information, and local time information
"Error Diagnostic Information" intitle:"Error Occurred While"    ColdFusion error pages reveal many different types of information
"detected an internal error [IBM][CLI Driver][DB2/6000]"    DB2 error message can reveal path names, function names, filenames, partial code and program state
An unexpected token "END-OF-STATEMENT" was found    DB2 error message can reveal path names, function names, filenames, partial code and program state
"detected an internal error [IBM][CLI Driver][DB2/6000]"    DB2 error message, can reveal pathnames, function names, filenames, partial code, and program state
An unexpected token "END-OF-STATEMENT" was found    DB2 error message, can reveal pathnames, function names, filenames, partial code, and program state
filetype:php inurl:"logging.php" "Discuz" error    Discuz! Board error may reveal path information or partial SQL code listings
"You have an error in your SQL syntax near"    Generic SQL message, can reveal pathnames and partial SQL code
"Warning: Supplied argument is not a valid    Generic error can reveal path
intitle:"Under construction" "does not currently have"    Generic error message can be used to determine operating system and web server version
"Fatal error: Call to undefined function" -reply -the -next    Generic error message can reveal compiler used, language used, line numbers, program names and partial source code
"Warning:" "SAFE MODE Restriction in effect." "The script whose uid is" "is not allowed to access owned by uid 0 in" "on line"    Generic error message reveals full path information
"Error Diagnostic Information"    Generic error message, reveals
intext:"Warning: Failed opening" "on line" "include_path"    Generic error messages reveal path names, php file names, line numbers and include paths
"Warning: Division by zero in" "on line" -forum    Generic error reveals full path info
intitle:"Error using Hypernews" "Server Software"    HyperNews error reveals the server software, server OS, server account user/group (unix), server administrator email address, and even stack traces
intitle:"the page cannot be found" inetmgr    IIS 4.0 error messages reveal the existence of an extremely old version of IIS
intitle:"the page cannot be found" "internet information services"    IIS error message reveals somewhat unmodified (and perhaps unpatched) IIS servers
"A syntax error has occurred" filetype:ihtml    Informix error message can reveal path names, function names, filenames and partial code
"An illegal character has been found in the statement" -"previous message"    Informix error message can reveal path names, function names, filenames and partial code
"supplied argument is not a valid MySQL    MYSQL error message reveals
"mySQL error with query"    MySQL error message can reveal a variety of information
"Can't connect to local" intitle:warning    MySQL error message can reveal database name, path names and partial SQL code
"You have an error in your SQL syntax near"    MySQL error message can reveal path names and partial SQL code
"ORA-00921: unexpected end of SQL command"    MySQL error message can reveal path names, function names, filenames and partial SQL code
"Supplied argument is not a valid MySQL result resource"    MySQL error message can reveal path names, function names, filenames and partial SQL code
"Incorrect syntax near"    MySQL error message can reveal path names, function names, filenames and partial code
"Incorrect syntax near" -the    MySQL error message can reveal path names, function names, filenames and partial code
"Unclosed quotation mark before the character string"    MySQL error message can reveal path names, function names, filenames and partial code
"access denied for user" "using password"    MySQL error message can reveal the username, database, path names and partial SQL code
"supplied argument is not a valid MySQL result resource"    MySQL error message, reveals real pathnames and listings of other PHP scripts on the server
"MySQL error with query"    MySQL error message, reveals various information
"Warning: mysql_query()" "invalid query"    MySQL error reveals database schema and usernames
intitle:"404 SC_NOT_FOUND"    Netscape Application Server or iPlanet application servers error reveals the installation of extremely outdated software
filetype:asp + "[ODBC SQL"    ODBC SQL error may reveal table or row queried, full database name and more
"ORA-00921: unexpected end of SQL command"    Oracle SQL error message, reveals full Web pathnames and/or php filenames
"ORA-00933: SQL command not properly ended"    Oracle SQL error message, reveals pathnames, function names, filenames, and partial SQL code
"ORA-00936: missing expression"    Oracle SQL error message, reveals pathnames, function names, filenames, and partial SQL code
"ORA-00933: SQL command not properly ended"    Oracle error message can reveal path names, function names, filenames and partial SQL code
"ORA-00936: missing expression"    Oracle error message can reveal path names, function names, filenames and partial database code
"ORA-12541: TNS:no listener" intitle:"error occurred"    Oracle error message may reveal partial SQL code, path names, file names, and data sources
"ORA-12541: TNS:no listener" intitle:"error occurred"    Oracle error message, reveals SQL code, pathnames, filenames, and data sources
filetype:log "PHP Parse error" |    PHP error logs can reveal various
"Warning: Cannot modify header information - headers already sent"    PHP error message can reveal path names, function names, filenames and partial code
"The script whose uid is" "is not allowed to access"    PHP error message can reveal the webserver's root directory and user ID
PHP application warnings failing "include_path"    PHP error messages reveal path names, PHP file names, line numbers and include paths
"Parse error: parse error, unexpected T_VARIABLE" "on line" filetype:php    PHP error reveals web root path
"Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL"    PostgreSQL error message can reveal path information and database names
"PostgreSQL query failed: ERROR: parser: parse error"    PostgreSQL error message can reveal path names, function names, filenames and partial code
"Supplied argument is not a valid PostgreSQL result"    PostgreSQL error message can reveal path names, function names, filenames and partial code
"PostgreSQL query failed: ERROR: parser: parse error"    PostgreSQL error message, can reveal pathnames, function names, filenames, and partial code
"Supplied argument is not a valid PostgreSQL result"    PostgreSQL error message, can reveal pathnames, function names, filenames, and partial code
"Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL"    Postgresql error message, reveals path information and database names
"[SQL Server Driver][SQL Server]Line 1: Incorrect syntax near" forum thread -showthread    SQL error may reveal potential SQL injection points
"Invision Power Board Database Error"    SQL error message reveals full path info
"ORA-00921: unexpected end of SQL command"    SQL error message reveals full pathnames and/or PHP filenames
"Can't connect to local" intitle:warning    SQL error message, can reveal pathnames, function names, filenames, and partial code (variation)
"Incorrect syntax near" -the    SQL error message, can reveal pathnames, function names, filenames, and partial code (variation)
"access denied for user" "using password"    SQL error message, can reveal pathnames, function names, filenames, and partial code (variation)
"Incorrect syntax near"    SQL error message, can reveal pathnames, function names, filenames, and partial code
"Unclosed quotation mark before the character string"    SQL error message, can reveal pathnames, function names, filenames, and partial code
warning "error on line" php sablotron    Sablotron XML error can reveal partial source code, path and filename information and more
databasetype Code : 80004005 Error Description :    Snitz Microsoft Access database error may reveal the location and name of the database, potentially making the forum vulnerable to unwanted download
intitle:Configuration.File inurl:softcart.exe    Softcart error message may reveal configuration file location and server file paths
"Warning: mysql_connect(): Access denied for user: '*@*" "on line" -help -forum    This dork reveals logins to databases that were denied for some reason
intitle:"the page cannot be found" "2004 microsoft corporation"    Windows 2000 error messages reveal the existence of an extremely old version of Windows
intitle:"Execution of this script not permitted"    cgiwrap error message reveals admin name and email, port numbers, path names, and may also include optional information like phone numbers for support personnel
intitle:"htsearch error" ht://Dig error    ht://Dig error can reveal administrative email, validation of a cgi-bin executable directory, directory structure, location of a search database file and possible naming conventions
"There seems to have been a problem with [...] Refresh button in your web browser."    vbulletin error reveals SQL
In addition to revealing information about the database server, error messages can also reveal much more dangerous information about potential vulnerabilities that exist in the server. For example, consider an error such as "SQL command not properly ended", displayed in Figure 4.9. This error message indicates that a terminating character was not found at the end of an SQL statement. If a command accepts user input, an attacker could leverage the information in this error message to execute an SQL injection attack.
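As an added example (not from the book), the two handlers below contrast a lookup that echoes the database engine's error text to the client, which is exactly what the queries in the table above find, with one that returns an opaque reference and keeps the detail in the server log. The SQLite table, the names and the log list are constructed for the example.

```python
import sqlite3
import uuid

# Stand-in for the server-side log; a real application writes to a file or SIEM.
log_records = []


def _db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def leaky_lookup(name):
    """Vulnerable pattern: SQL built by concatenation, raw exception sent to client.

    A stray quote in `name` leaves the statement unterminated, and the engine's
    own description of that failure is returned in the response body."""
    conn = _db()
    try:
        rows = conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
        return "200", str(rows)
    except sqlite3.Error as exc:
        return "500", "Database error: %s" % exc


def hardened_lookup(name):
    """Fixed pattern: parameterised query, generic message, detail logged server-side."""
    conn = _db()
    try:
        rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
        return "200", str(rows)
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log_records.append("ref=%s error=%s" % (ref, exc))  # operator sees the detail
        return "500", "An internal error occurred (ref %s)." % ref


if __name__ == "__main__":
    print(leaky_lookup("'"))      # engine error text reaches the client
    print(hardened_lookup("'"))   # the quote is just data: no rows, no leak
```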
Database Dumps
The output of a database into any format can be constituted as a database dump. For the purposes of Google hacking, however, we'll use the term database dump to describe the text-based conversion of a database. As we'll see next in this chapter, it's entirely possible for an attacker to locate just about any type of binary database file, but standardized formats (such as the text-based SQL dump shown in Figure 4.10) are very commonplace on the Internet.
Figure 4.10 A Typical SQL Dump
every record in each and every table. Depending on the sensitivity of the data contained in the database, a database dump can be very revealing and obviously makes a terrific tool for an attacker. There are several ways an attacker can locate database dumps. One of the most obvious ways is by focusing on the headers of the dump, resulting in a query such as "# Dumping data for table", as shown in Figure 4.10. This technique can be expanded to work on just about any type of database dump header by simply focusing on headers that exist in every dump and that are unique phrases unlikely to produce false positives. Specifying additional specific interesting words or phrases such as username, password, or user can help narrow this search. For example, if the word password exists in a database dump, there's a good chance that a password of some sort is listed inside the database dump. With proper use of the OR symbol ( | ), an attacker can craft an extremely effective search, such as "# Dumping data for table" (user | username | pass | password). In addition, an attacker could focus on file extensions that some tools add to the end of a database dump by querying for filetype:sql sql and further narrowing to specific words, phrases, or sites. The SQL file extension is also used as a generic description of batched SQL commands. Table 4.8 lists queries that locate SQL database dumps.
Table 4.8 Queries That Locate SQL Database Dumps
Query    Description
inurl:nuke filetype:sql    php-nuke or postnuke CMS dumps
filetype:sql password    SQL database dumps or batched SQL commands
filetype:sql "IDENTIFIED BY" -cvs    SQL database dumps or batched SQL commands, focus on "IDENTIFIED BY", which can locate passwords
"# Dumping data for table (username|user|users|password)"    SQL database dumps or batched SQL commands, focus on interesting terms
"#mysql dump" filetype:sql    SQL database dumps
"# Dumping data for table"    SQL database dumps
"# phpMyAdmin MySQL-Dump" filetype:txt    SQL database dumps created by phpMyAdmin
"# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the"    SQL database dumps created by phpMyAdmin (variation)
This technique does not apply to all database systems, only those systems in which the database is represented by a file with a specific name or extension. Be advised that Google will most likely not understand how to process or translate these files, and the summary (or "snippet") on the search result page will be blank and Google will list the file as an "unknown type," as shown in Figure 4.11.
Figure 4.11 Database Files Themselves Are Often Unknown to Google
If Google does not understand the format of a binary file, as with many of those located with the filetype operator, you will be unable to search for strings within that file. This considerably limits the options for effective searching, forcing you to rely on inurl or site operators instead. Table 4.9 lists some queries that can locate database files.
Query    Description
filetype:cfm "cfapplication name" password    ColdFusion source code
filetype:mdb inurl:users.mdb    Microsoft Access user database
inurl:email filetype:mdb    Microsoft Access e-mail database
inurl:backup filetype:mdb    Microsoft Access backup databases
inurl:forum filetype:mdb    Microsoft Access forum databases
inurl:/db/main.mdb    ASP-Nuke databases
inurl:profiles filetype:mdb    Microsoft Access user profile databases
filetype:asp DBQ=" * Server.MapPath("*.mdb")    Microsoft Access database connection string search
allinurl: admin mdb    Microsoft Access administration databases
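The dump headers of Table 4.8 and the database file extensions of Table 4.9 also make a usable self-audit. The script below, an added example that is not part of the book, walks a web document root and flags the files a search engine would surface as dumps or database files, before they are indexed. The directory, sample files and finding labels are constructed for the example.

```python
import os
import re
import tempfile

# Header phrases from Table 4.8 and extensions from Tables 4.8/4.9.
DUMP_HEADERS = ("# Dumping data for table", "# phpMyAdmin MySQL-Dump", "#mysql dump")
INTERESTING = re.compile(r"IDENTIFIED BY|password|username", re.IGNORECASE)


def classify(path, head):
    """Label one file from its name and first bytes, or None if it looks harmless."""
    ext = os.path.splitext(path)[1].lower()
    text = head.decode("latin-1", "replace")
    if ext == ".mdb":
        return "access-database"          # binary: Google can't grep it, but can list it
    if ext == ".sql" or any(h in text for h in DUMP_HEADERS):
        return "sql-dump+secrets" if INTERESTING.search(text) else "sql-dump"
    return None


def scan_webroot(root, head_bytes=4096):
    """Return sorted (relative path, label) pairs for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)   # headers sit at the top; no need to read all
            label = classify(path, head)
            if label:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), label))
    return sorted(findings)


def demo():
    """Build a constructed web root in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample content, not real data
        "backup/site.sql": "# phpMyAdmin MySQL-Dump\n# Dumping data for table users\n"
                           "INSERT INTO users (username, password) VALUES ('bob', 's3cr3t');\n",
        "notes/export.txt": "#mysql dump\nCREATE USER app IDENTIFIED BY 'hunter2';\n",
        "db/main.mdb": "\x00\x01\x00\x00Standard Jet DB\x00",
        "index.html": "<html><body>hello</body></html>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content.encode("latin-1"))
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, label in demo():
        print("%-20s %s" % (label, rel))
```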
Automated Grinding
Searching for files is fairly straightforward—especially if you know the type of file you're looking for. We've already seen how easy it is to locate files that contain sensitive data, but in some cases it might be necessary to search files offline. For example, assume that we want to troll for yahoo.com e-mail addresses. A query such as "@yahoo.com" email is not at all effective as a Web search, and even as a Group search it is problematic, as shown in Figure 4.12.
Figure 4.12 A Generic E-Mail Search Leaves Much to Be Desired