Evil Things to Type into Google – part 1

Posted by: Rea Maor In: Search Engines - Tuesday, September 11th, 2007

Google hacks. They pop up one at a time on StumbleUpon, Digg, or Slashdot, and some web admins get wise to them over time… and some just fail to get a clue. Here are the kinds of things you might type into Google if you are looking for sites to hack… or are testing your own site’s security. NOTE: These are all related to commonly known hacks, so if your site shows up as a result in any of these searches, fix it right now!

Google is suspicious

Oh, and if you do this too much, Google might get suspicious… which is how I got the screenshot above! Also, you might have to go several pages deep in the search results, since the highest ranking hits will usually be people in a forum discussing the error. Or check the cache in case the server admin fixed the problem. Onward:

“mySQL error with query” – You see SQL database errors pop up here and there, but this will return strings which name specifics of the site’s database such as row, column, and table name. And if somebody’s stupid enough to put their username and password in the query string…

“supplied argument is not a valid MySQL result resource” – Another SQL error. Sometimes it rats out the server architecture or location of sensitive files, like “/users/cwq00/base/web/system/dbwrappers/db.mysql_db.php on line 114”. Oh, thanks, we know right where to go, now.

inurl:awstats file:txt – Awstats is a data-reporting utility for webmasters, some of whom keep a text copy around, so strangers can find out far more about their site traffic than they might be comfortable giving away…

“This summary was generated by wwwstat” – Another stat finder. Especially dangerous when it’s an intranet system, such as on a corporate server.

buddylist.blt – It finds AOL Instant Messenger buddy lists. Old, ancient, crawling horror of a hack; I think the prophet Isaiah was the first one to find this. So why am I still finding buddy lists this way? You know you have one if the title starts out “Config { version 1 }”…

intitle:phpinfo “PHP Version” – So this one isn’t completely evil; the phpinfo() function is there to dump server information after all. Also, there isn’t too much of this that you couldn’t find through checking the site through places like Netcraft. Still, cool information to view, and could help an attacker in combination with other methods.

“phpMyAdmin” “running on” inurl:”main.php” – Well, hey, let’s just leave our site’s system administration panel wide open for everybody to use, shall we? It just saves everybody a lot of time.

“your password is” filetype:log – Oh, for heaven’s sake! IRC chat logs. A few actual hits, here.

ext:inc “pwd=” “UID=” – Database connection strings! Hits galore! User IDs, passwords, database details, get ’em while they’re hot!
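If you would rather find these on your own site before a search engine does, here is an added example (not part of the original post): a Python script that matches the signatures listed above against response bodies you have already fetched from your own server, and pulls out any file path a PHP warning gives away. The rule names, the audit and leaked_paths helpers and the sample pages are all constructed for illustration.

```python
import re

# (rule name, URL-path regex or None, body regexes that must all match).
# Every signature comes from a search string listed in the post.
RULES = [
    ("mysql-error-query", None, [r"mysql error with query"]),
    ("mysql-invalid-resource", None,
     [r"supplied argument is not a valid mysql result resource"]),
    ("awstats-text-export", r"awstats.*\.txt$", []),
    ("wwwstat-summary", None, [r"this summary was generated by wwwstat"]),
    ("aim-buddylist", r"buddylist\.blt$", []),
    ("phpinfo-page", None, [r"<title>[^<]*phpinfo", r"php version"]),
    ("phpmyadmin-open", r"main\.php$", [r"phpmyadmin", r"running on"]),
    ("password-in-log", r"\.log$", [r"your password is"]),
    ("inc-connection-string", r"\.inc$", [r"pwd=", r"uid="]),
]

# Plain-text PHP warnings end with "in <file> on line <n>", disclosing server paths.
PHP_PATH_RE = re.compile(r"\bin (/\S+?) on line (\d+)")

def audit(pages):
    """pages maps URL path -> response body; returns sorted (path, rule) hits."""
    hits = []
    for path, body in pages.items():
        for name, path_re, body_res in RULES:
            if path_re and not re.search(path_re, path, re.I):
                continue  # rule is tied to a file name/extension that is not this one
            if all(re.search(b, body, re.I) for b in body_res):
                hits.append((path, name))
    return sorted(hits)

def leaked_paths(body):
    """Server file paths and line numbers exposed by PHP warnings in a body."""
    return [(m.group(1), int(m.group(2))) for m in PHP_PATH_RE.finditer(body)]

# Constructed sample responses, standing in for a crawl of your own site.
SAMPLE_PAGES = {
    "/index.php": "<html><title>Home</title>Welcome</html>",
    "/list.php": "Warning: mysql_fetch_array(): supplied argument is not a valid "
                 "MySQL result resource in /srv/example/db.php on line 114",
    "/info.php": "<title>phpinfo()</title><h1>PHP Version 5.2.4</h1>",
    "/include/db.inc": "$conn = 'Server=db;UID=appuser;pwd=REDACTED';",
    "/logs/chat.log": "<bob> hello there",
    "/forum/thread.php": "Has anyone seen 'your password is' in their logs?",
}

if __name__ == "__main__":
    for path, rule in audit(SAMPLE_PAGES):
        print(rule, path, leaked_paths(SAMPLE_PAGES[path]))
```

The forum page in the sample mentions a password phrase but is not flagged, because that rule only fires on .log files, the same way the real hits are the logs themselves and not the people discussing them.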

Carry on to Part two: More evil things to type into google

2 Responses to “Evil Things to Type into Google – part 1”

  1. Binny V A Says:

    ‘filetype:inc’ – is a better way to do the last item – and it is the most dangerous.


