GOOGLE HACKING 系列文章 【FreeXploiT整理收集】

本文涉及作者 swap（慕容小雨），zhaohuan（Xfocus），snipe（4ngel）

信息安全的隐患-GoogleHacking原理和防范

作者：[email protected] 来源：www.phack.org

技术天地：GoogleHacking是利用Google的搜索引擎快速查找存在脆弱性的主机以及包含敏感数据的信息，最近这种以前由黑客手动进行操作的攻击手段可以通过一种新的蠕虫病毒来自动完成。为了引起大家对GoogleHacking的关注与重视，我们编发了这篇文章希望大家通过对Hack的攻击手段的了解，更好的保护自己的信息安全。本文中重在对GoogleHacking攻击手段的理解，对一些攻击的细节不予详述请谅解。

前言：

2004年在拉斯维加斯举行的BlackHat大会上，有两位安全专家分别作了名为You found that on google ? 和google attacks 的主题演讲。经过安全焦点论坛原版主WLJ大哥翻译整理后，个人觉得有必要补充完善一些细节部分。今天向大家讲述的是Google的又一功能：利用搜索引擎快速查找存在脆弱性的主机以及包含敏感数据的信息，甚至可以直接进行傻瓜入侵。


用google来进行“渗透测试”

我们今天渗透测试人员在实施攻击之前，往往会先进行信息搜集工作，而后才是漏洞确认和最终的漏洞利用、扩大战果。在这里我们现在要谈的是：
一、利用google查找被人安装了php webshell后门的主机，并测试能否使用;
二、利用google查找暴露出来的INC敏感信息.
OK，现在我们开始：

1.查找利用php webshell

我们在google的搜索框中填入：



  Code:
intitle:"php shell*" "Enable stderr" filetype:php



(注: intitle—网页标题  Enable stderr—UNIX标准输出和标准错误的缩写filetype—文件类型)。搜索结果中，你能找到很多直接在机器上执行命令的web shell来。如果找到的PHPSHELL不会利用,如果你不熟悉UNIX,可以直接看看LIST,这里就不详细说了,有很多利用价值。要说明的是,我们这里搜索出来的一些国外的PHPSHELL上都要使用UNIX命令,都是system调用出来的函数(其实用百度及其他搜索引擎都可以,只是填写搜索的内容不同)。通过我的检测,这个PHPWEBSHELL是可以直接Echo(Unix常用命令)。一句话就把首页搞定了:


  Code:
echo "召唤" > index.jsp



在得到的


  Code:
echo /



后再写上:"召唤"

现在看看首页,已经被我们改成: "召唤" 了

我们也可以用WGET上传一个文件上去(比如你要替换的叶子吧)。然后execute Command输入 cat file > index.html or echo "" > file

echo "test" >> file

这样一条条打出来,站点首页就成功被替换了。同样的也可以


  Code:
uname -a;cat /etc/passwd



不过有点要注意,有些WEBSHELL程序有问题，执行不了的，比如:
http://www.al3toof.com/card/smal ... c_html&command=
http://ramsgaard.net/upload/shell.php

这些站的php是global register off  

解决方案:
我们可以利用相关工具进行在互联网进行搜索，如果有信息被滥用，到http://www.google.com/remove.html 提交你希望删除的信息,
控制搜索引擎机器人的查询.

2.搜索INC敏感信息

我们在google的搜索框中填入:


  Code:
.org filetype:inc



我们现在搜索的是org域名的站点的INC信息(因为google屏蔽掉了搜索"COM"信息,我们还可以搜其他gov,cn,info,tw,jp,edu等等之类的)

PS:我在看许多PHP编程人员在编程时候，都喜欢把一些常写的代码或配置信息，写在一个.inc的文件中，如shared.inc、global.inc、conn.inc等等，当然这是一个很好的习惯，包括PHP官方网站都是如此，但不知你有没有注意到这里面含一个安全隐患问题。
我有一次在写一个PHP代码时，无意中写错了一句话，当我在浏览器里查看此PHP文件时，竟然发现屏幕详细的显示了我所出错的PHP文件路径及代码行。(PHP错误显示配置是开着的.此功能在PHP里是默认的!)，这就是说当我们无意写错代码(同样.inc文件也一样) 或者PHP代码解析出问题时，而PHP错误显示又是开着的,客户端的用户就会看到具体url地址的.inc文件，而.url文件如同txt文本一样,当在浏览器中浏览时,就毫无保留地显示了它的内容，而且不少站点在.inc文件写了重要的信息如用户密码之类!包括国内著名海尔公司以及嘉铃摩托公司,我之所以敢公布是因为我本人测试过,http://www.haier.com/su ***/inc/conn.inc 暴出的数据库ID密码用客户端连不上去,网站关闭了1215,而且防火墙也过滤掉了。

好,INC的知识说完后,我们继续又搜索到了好多,找到一个暴露了MYSQL口令的
我们又可以用客户端登陆上去修改数据了.这里涉及到数据库的知识,我们不谈太多,关于"INC暴露敏感信息"就到这里结束吧
当然我们可以通过一些办法解决：
1,你可以专门对.inc文件进行配置，避免用户直接获取源文件。
2,当然比较好的方法是，加上并且改文件扩展名为.php（PHP可以解析的扩展名）,这样客户端就不会获取源文件了。

这里,我将FreeMind绘制的图片用文本表示了.
有关Google Hack的详细信息,帮助我们分析踩点
连接符:


  Code:
+      -       :         .        *         |



操作符:


  Code:
"foo1 foo2"  
filetype:123  
site:foo.com  
intext:foo  
intitle:footitle  
allinurl:foo



密码相关


  Code:
：“index of”
htpasswd / passwd    
filetype:xls username password email    
"ws_ftp.log"    
  "config.php"    
allinurl:admin mdb  
service filetype:pwd (frontpage)  



敏感信息：


  Code:
"robots.tx"
"disallow:"
filetype:txt
  inurl:_vti_cnf (frontpage files)
allinurl:/msadc/samples/selector/showcode.asp
allinurl:/examples/jsp/snp/snoop.jsp
allinurl:phpsysinfo
ipsec filetype:conf
intitle:"error occurred" odbc request where (select|insert)
"mydomain.com" nessus  report
"report generated by"  



结尾:

如果要拿ROOT权限就要具体问题具体分析了,不过有了SHELL权限就好提了,网上有很多根据WEBSHELL提升权限的文章大家可以参照一下.
通过google我们还可以搜索到很多有用的东西,不过是细节,要通过信息收集慢慢分析、扩大、进行入侵.
这些我就不具体分析了.给大家个思路，大家慢慢研究好了
到这里,这篇文章就要结束了,写这篇文章的目的是为了引起大家的关注与重视,了解新的HACK手段,了解新的防护方法,事物都有两面性,在当今Google盛行的时代,在充分利用google的同时.也应该看得更全面.

 

 

 

google hacking的实现以及应用

 

 

google hacking的实现以及应用(上)

本文作者:sniper
文章出于:www.4ngel.net
日  期 : 05/01/26
修改/发布: 05/02/21
本文仅做于技术讨论于研究,请勿用做其他用途.
PS:庆祝一下暂时摆脱应试教育的魔爪,向那些打着素质教育暗地里搞应试教育的学校竖起中指!

前言
    google hacking其实并算不上什么新东西,在早几年我在一些国外站点上就看见过相关的介绍,但是由于当时并没有重视这种技术,认为最多就只是用来找找未改名的mdb或者别人留下的webshell什么的,并无太大实际用途.但是前段时间仔细啃了些资料才猛然发觉google hacking其实并非如此简单...

google hacking的简单实现
    记得以前看见过一篇文章写的就是简单的通过用www.google.com来搜索dvbbs6.mdb或conn.inc来获得一些站点的敏感信息.其实使用google中的一些语法可以提供给我们更多的信息(当然也提供给那些习惯攻击的人更多他们所想要的.),下面就来介绍一些常用的语法.
intext:
这个就是把网页中的正文内容中的某个字符做为搜索条件.例如在google里输入:intext:动网.将返回所有在网页正文部分包含"动网"的网页.allintext:使用方法和intext类似.

intitle:
和上面那个intext差不多,搜索网页标题中是否有我们所要找的字符.例如搜索:intitle:安全天使.将返回所有网页标题中包含"安全天使"的网页.同理allintitle:也同intitle类似.

cache:
搜索google里关于某些内容的缓存,有时候也许能找到一些好东西哦.

define:
搜索某个词语的定义,搜索:define:hacker,将返回关于hacker的定义.

filetype:
这个我要重点推荐一下,无论是撒网式攻击还是我们后面要说的对特定目标进行信息收集都需要用到这个.搜索指定类型的文件.例如输入:filetype:doc.将返回所有以doc结尾的文件URL.当然如果你找.bak、.mdb或.inc也是可以的,获得的信息也许会更丰富:)

info:
查找指定站点的一些基本信息.

inurl:
搜索我们指定的字符是否存在于URL中.例如输入:inurl:admin,将返回N个类似于这样的连接:http://www.xxx.com/xxx/admin,用来找管理员登陆的URL不错.allinurl也同inurl类似,可指定多个字符.

link:
例如搜索:inurl:www.4ngel.net可以返回所有和www.4ngel.net做了链接的URL.

site:
这个也很有用,例如:site:www.4ngel.net.将返回所有和4ngel.net这个站有关的URL.


    对了还有一些操作符也是很有用的:
+ 把google可能忽略的字列如查询范围
- 把某个字忽略
~ 同意词
. 单一的通配符
* 通配符，可代表多个字母
""    精确查询

    下面开始说说实际应用(我个人还是比较习惯用google.com,以下内容均在google上搜索),对于一个居心叵测的攻击者来说,可能他最感兴趣的就是密码文件了.而google正因为其强大的搜索能力往往会把一些敏感信息透露给他们.用google搜索以下内容:
intitle:"index of" etc
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
"# -FrontPage-" inurl:service.pwd
有时候因为各种各样的原因一些重要的密码文件被毫无保护的暴露在网络上,如果被别有用心的人获得,那么危害是很大的.下面是我找到的一个FreeBSD系统的passwd文件(我已做过处理):
图一


    同样可以用google来搜索一些具有漏洞的程序,例如ZeroBoard前段时间发现个文件代码泄露漏洞,我们可以用google来找网上使用这套程序的站点:
intext:ZeroBoard filetype:php
或者使用:
inurl:outlogin.php?_zb_path= site:.jp
来寻找我们所需要的页面.phpmyadmin是一套功能强大的数据库操作软件,一些站点由于配置失误,导致我们可以不使用密码直接对phpmyadmin进行操作.我们可以用google搜索存在这样漏洞的程序URL:
intitle:phpmyadmin intext:Create new database
图二


    还记得http://www.xxx.com/_vti_bin/..%5C..%5C..%5C..%5C..%5C../winnt/system32/cmd.exe?dir吗?用google找找，你也许还可以找到很多古董级的机器。同样我们可以用这个找找有其他cgi漏洞的页面。
allinurl：winnt system32
图三

    
    前面我们已经简单的说过可以用google来搜索数据库文件,用上一些语法来精确查找能够获得更多东西(access的数据库,mssql、mysql的连接文件等等).举个例子示例一下:
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data  //在一些配置不正确的apache+win32的服务器上经常出现这种情况
    和上面的原理一样,我们还可以用google来找后台,方法就略了,举一反三即可,毕竟我写这篇文章的目的是让大家了解google hacking,而不是让你用google去破坏.安全是把双刃剑,关键在于你如何去运用.





                                    google hacking的实现以及应用(下)

本文作者:sniper
文章出于:www.4ngel.net
日  期 : 05/01/26
本文仅做于技术讨论于研究,请勿用做其他用途.
本文的上半部分可在4ngel.net找到.

    利用google完全是可以对一个站点进行信息收集和渗透的，下面我们用google对特定站点进行一次测试。www.xxxx.com是全国著名大学之一，一次偶然的机会我决定对其站点进行一次测试(文中所涉及该学校的信息均已经过处理，请勿对号入座:).
    首先用google先看这个站点的一些基本情况(一些细节部分就略去了):
site:xxxx.com
    从返回的信息中，找到几个该校的几个系院的域名：
http://a1.xxxx.com
http://a2.xxxx.com
http://a3.xxxx.com
http://a4.xxxx.com
    顺便ping了一下，应该是在不同的服务器.(想想我们学校就那一台可怜的web服务器，大学就是有钱，汗一个)。学校一般都会有不少好的资料，先看看有什么好东西没:
site:xxxx.com filetype:doc
得到N个不错的doc。先找找网站的管理后台地址：
site:xxxx.com intext:管理
site:xxxx.com inurl:login
site:xxxx.com intitle:管理
超过获得2个管理后台地址：
http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_admin/login_in.asp
还算不错，看看服务器上跑的是什么程序：
site:a2.xxxx.com filetype:asp
site:a2.xxxx.com filetype:php
site:a2.xxxx.com filetype:aspx
site:a3.xxxx.com filetype:asp
site:.......
......
a2服务器用的应该是IIS，上面用的是asp的整站程序，还有一个php的论坛
a3服务器也是IIS，aspx+asp。web程序都应该是自己开发的。有论坛那就看看能不能遇见什么公共的FTP帐号什么的：
site:a2.xxxx.com intext:ftp://*:*
没找到什么有价值的东西。再看看有没有上传一类的漏洞：
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
在a2上发现一个上传文件的页面：
http://a2.xxxx.com/sys/uploadfile.asp
用IE看了一下，没权限访问。试试注射，
site:a2.xxxx.com filetype:asp
得到N个asp页面的地址，体力活就让软件做吧，这套程序明显没有对注射做什么防范，dbowner权限，虽然不高但已足矣，back a shell我不太喜欢，而且看起来数据库的个头就不小，直接把web管理员的密码暴出来再说，MD5加密过。一般学校的站点的密码都比较有规律，通常都是域名+电话一类的变形，用google搞定吧。
site:xxxx.com    //得到N个二级域名
site:xxxx.com intext:*@xxxx.com  //得到N个邮件地址，还有邮箱的主人的名字什么的
site:xxxx.com intext:电话     //N个电话
把什么的信息做个字典吧，挂上慢慢跑。过了一段时间就跑出4个帐号，2个是学生会的，1个管理员，还有一个可能是老师的帐号。登陆上去：
name：网站管理员
pass：a2xxxx7619    //说了吧，就是域名+4个数字
要再怎么提权那就不属于本文讨论访问了，呵呵，到此为止。



关于google hacking的防范：
    以前我们站的晓风·残月写过一篇躲避google的文章，原理就是通过在站点根目录下建立一个robots.txt以避免网络机器人获得一些敏感的信息，具体大家看原文章：http://www.4ngel.net/article/26.htm。
    不过这种方法我个人不推荐，有点此地无银三百两的味道。简单一点的方法就是上google把自己站点的一些信息删除掉，访问这个URL：
http://www.google.com/remove.html
前几天看见又有人讨论用程序来欺骗robot的方法，我觉得可以试试：
代码如下：
<?php

if (strstr($_SERVER['HTTP_USER_AGENT'], "Googlebot"))
{
header("HTTP/1.1 301");
header("Location: http://www.google.com");
}

?>

asp的：
<%
if instr(Request.Servervariables("HTTP_USER_AGENT"),"Googlebot") then
  response.redirect("http://www.google.com")
end if
  
%>


后记
    这段时间在国外的一些google hack的研究站点看了看，其实也都差不多是一些基本语法的灵活运用，或者配合某个脚本漏洞，主要还是靠个人的灵活思维。国外对于google hack方面的防范也并不是很多，所以大家还是点到为止，不要去搞破坏拉，呵呵。对于一些在win上跑
apache的网管们应该多注意一下这方面，一个intitle:index of就差不多都出来了:) 

 

 

以下是来至swap的收集

 

 

google hack dat 又增加了一些比较新的数据

"cacheserverreport for";%22cacheserverreport+for%22+%22This+analysis+was+produced+by+calamaris%22&btnG=Google+Search
intitle:"Ganglia" "Cluster Report for";intitle%3A%22Ganglia%22+%22Cluster+Report+for%22&btnG=Search
intitle:"Apache HTTP Server" intitle:"documentation";intitle%3A%22Apache+HTTP+Server%22+intitle%3A%22documentation%22&btnG=Search
"Error Diagnostic Information" intitle:"Error Occurred While";%22Error+Diagnostic+Information%22+intitle%3A%22Error+Occurred+While%22&btnG=Search
intitle:"Index of" finance.xls;intitle%3A%22Index+of%22+finance.xls&btnG=Search
intitle:index.of finances.xls;intitle%3Aindex.of+finances.xls&btnG=Search
"# Dumping data for table";%22%23+Dumping+data+for+table%22&btnG=Search
intitle:index.of .bash_history;intitle%3Aindex.of+.bash_history&btnG=Search
intitle:index.of .sh_history;intitle%3Aindex.of+.sh_history&btnG=Search
intitle:"Index of" .mysql_history;intitle%3A%22Index+of%22+.mysql_history&btnG=Search
intitle:index.of mt-db-pass.cgi;intitle%3Aindex.of+mt-db-pass.cgi&btnG=Search
"Index of /backup";%22Index+of+%2Fbackup%22&btnG=Search
"powered by openbsd" +"powered by apache";%22powered+by+openbsd%22+%2B%22powered+by+apache%22&btnG=Search
intitle:index.of intext:"secring.skr"|"secring.pgp"|"secring.bak";intitle%3Aindex.of+intext%3A%22secring.skr%22%7C%22secring.pgp%22%7C%22secring.bak%22&btnG=Search
intitle:index.of passwd passwd.bak;intitle%3Aindex.of+passwd+passwd.bak&btnG=Search
intitle:index.of master.passwd;intitle%3Aindex.of+master.passwd&btnG=Search
intitle:"Index of" pwd.db;intitle%3A%22Index+of%22+pwd.db&btnG=Search
intitle:"Index of" ".htpasswd" htpasswd.bak;intitle%3A%22Index+of%22+%22.htpasswd%22+htpasswd.bak&btnG=Search
intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c;intitle%3A%22Index+of%22+%22.htpasswd%22+%22htgroup%22+-intitle%3A%22dist%22+-apache+-htpasswd.cpache&btnG=Search
intitle:"Index of" spwd.db passwd -pam.conf;intitle%3A%22Index+of%22+spwd.db+passwd+-pam.conf&btnG=Search
intitle:"Index of..etc" passwd;intitle%3A%22Index+of..etc%22+passwd&btnG=Search
buddylist.blt;buddylist.blt&btnG=Search
intitle:index.of config.php;intitle%3Aindex.of+config.php&btnG=Search
intitle:phpinfo "PHP Version";intitle%3Aphpinfo+%22PHP+Version%22&btnG=Search
"supplied argument is not a valid MySQL result resource";%22supplied+argument+is+not+a+valid+MySQL+result+resource%22&btnG=Search
intitle:index.of robots.txt;intitle%3Aindex.of+robots.txt&btnG=Search
index.of passlist;index.of+passlist&btnG=Search
index.of.secret;index.of.secret&btnG=Search
index.of.private;index.of.private&btnG=Search
index.of.etc;index.of.etc&btnG=Search
index.of.winnt;index.of.winnt&btnG=Search
index.of.secure;index.of.secure&btnG=Search
index.of.password;index.of.password&btnG=Search
"This report was generated by WebLog";%22This+report+was+generated+by+WebLog%22&btnG=Search
"These statistics were produced by getstats";%22These+statistics+were+produced+by+getstats%22&btnG=Search
"This summary was generated by wwwstat";%22This+summary+was+generated+by+wwwstat%22&btnG=Search
intitle:index.of haccess.ctl;intitle%3Aindex.of+haccess.ctl&btnG=Search
filetype:ctl Basic;filetype%3Actl+Basic&btnG=Search
filetype:xls username password email;filetype%3Axls+username+password+email&btnG=Search
site:edu admin grades;site%3Aedu+admin+grades&btnG=Search
allinurl:auth_user_file.txt;allinurl%3Aauth_user_file.txt&btnG=Search
inurl:config.php dbuname dbpass;inurl%3Aconfig.php+dbuname+dbpass&btnG=Search
inurl:tech-support inurl:show Cisco;inurl%3Atech-support+inurl%3Ashow+Cisco&btnG=Search
intitle:index.of trillian.ini;intitle%3Aindex.of+trillian.ini&btnG=Search
intitle:admin intitle:login;intitle%3Aadmin+intitle%3Alogin&btnG=Search
"ORA-00921: unexpected end of SQL command";%22ORA-00921%3A+unexpected+end+of+SQL+command%22&btnG=Search
inurl:passlist.txt;inurl%3Apasslist.txt&btnG=Search
inurl:sitebuildercontent;inurl%3Asitebuildercontent&btnG=Search
filetype:htpasswd htpasswd;filetype%3Ahtpasswd+htpasswd&btnG=Search
"YaBB SE Dev Team";%22YaBB+SE+Dev+Team%22&btnG=Search
inurl:custva.asp;inurl%3Acustva.asp&btnG=Search
"# phpMyAdmin MySQL-Dump" filetype:txt;%22%23+phpMyAdmin+MySQL-Dump%22+filetype%3Atxt&btnG=Search
"# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the";%22%23+phpMyAdmin+MySQL-Dump%22+%22INSERT+INTO%22+-%22the%22&btnG=Search
intitle:"Gallery in Configuration mode";intitle%3A%22Gallery+in+Configuration+mode%22&btnG=Search
intitle:index.of cgiirc.config;intitle%3Aindex.of+cgiirc.config&btnG=Search
inurl:cgiirc.config;inurl%3Acgiirc.config&btnG=Search
inurl:ipsec.secrets -history -bugs;inurl%3Aipsec.secrets+-history+-bugs&btnG=Search
intitle:"500 Internal Server Error" "server at";intitle%3A%22500+Internal+Server+Error%22+%22server+at%22&btnG=Search
"mySQL error with query";%22mySQL+error+with+query%22&btnG=Search
"You have an error in your SQL syntax near";%22You+have+an+error+in+your+SQL+syntax+near%22&btnG=Search
"ORA-00921: unexpected end of SQL command";%22ORA-00921%3A+unexpected+end+of+SQL+command%22&btnG=Search
"Unclosed quotation mark before the character string";%22Unclosed+quotation+mark+before+the+character+string%22&btnG=Search
"PostgreSQL query failed: ERROR: parser: parse error";%22PostgreSQL+query+failed%3A+ERROR%3A+parser%3A+parse+error%22&btnG=Search
"Supplied argument is not a valid PostgreSQL result";%22Supplied+argument+is+not+a+valid+PostgreSQL+result%22&btnG=Search
"A syntax error has occurred" filetype:ihtml;%22A+syntax+error+has+occurred%22+filetype%3Aihtml&btnG=Search
intitle:"Usage Statistics for" "Generated by Webalizer";intitle%3A%22Usage+Statistics+for%22+%22Generated+by+Webalizer%22&btnG=Search
"robots.txt" "Disallow:" filetype:txt;%22robots.txt%22+%22Disallow%3A%22+filetype%3Atxt&btnG=Search
"phpMyAdmin" "running on" inurl:"main.php";%22phpMyAdmin%22+%22running+on%22+inurl%3A%22main.php%22&btnG=Search
inurl:main.php Welcome to phpMyAdmin;inurl%3Amain.php+Welcome+to+phpMyAdmin&btnG=Search
intitle:index.of "Apache" "server at";intitle%3Aindex.of+%22Apache%22+%22server+at%22&btnG=Search
"access denied for user" "using password";%22access+denied+for+user%22+%22using+password%22&btnG=Search
intitle:"Under construction" "does not currently have";intitle%3A%22Under+construction%22+%22does+not+currently+have%22&btnG=Search
"seeing this instead" intitle:"test page for apache";%22seeing+this+instead%22+intitle%3A%22test+page+for+apache%22&btnG=Search
intitle:"Test Page for Apache" "It Worked!";intitle%3A%22Test+Page+for+Apache%22+%22It+Worked%21%22&btnG=Search
"Can't connect to local" intitle:warning;%22Can%27t+connect+to+local%22+intitle%3Awarning&btnG=Search
intitle:index.of ws_ftp.ini;intitle%3Aindex.of+ws_ftp.ini&btnG=Search
intitle:index.of administrators.pwd;intitle%3Aindex.of+administrators.pwd&btnG=Search
intitle:Index.of etc shadow;intitle%3AIndex.of+etc+shadow&btnG=Search
"Select a database to view" intitle:"filemaker pro";%22Select+a+database+to+view%22+intitle%3A%22filemaker+pro%22&btnG=Search
"not for distribution" confidential;%22not+for+distribution%22+confidential&btnG=Search
"Thank you for your purchase" +download;%22Thank+you+for+your+purchase%22+%2Bdownload&btnG=Search
allinurl:intranet admin;allinurl%3Aintranet+admin&btnG=Search
"This report lists" "identified by Internet Scanner";%22This+report+lists%22+%22identified+by+Internet+Scanner%22&btnG=Search
"Network Host Assessment Report" "Internet Scanner";%22Network+Host+Assessment+Report%22+%22Internet+Scanner%22&btnG=Search
"Network Vulnerability Assessment Report";%22Network+Vulnerability+Assessment+Report%22&btnG=Search
"Host Vulnerability Summary Report";%22Host+Vulnerability+Summary+Report%22&btnG=Search
intitle:index.of inbox;intitle%3Aindex.of+inbox&btnG=Search
intitle:index.of inbox dbx;intitle%3Aindex.of+inbox+dbx&btnG=Search
"#mysql dump" filetype:sql;%22%23mysql+dump%22+filetype%3Asql&btnG=Search
allinurl:install/install.php;allinurl%3Ainstall%2Finstall.php&btnG=Search
inurl:vbstats.php "page generated";inurl%3Avbstats.php+%22page+generated%22&btnG=Search
inurl:zebra.conf intext:password -sample;inurl%3Azebra.conf+intext%3Apassword+-sample&btnG=Search
inurl:ospfd.conf intext:password -sample;inurl%3Aospfd.conf+intext%3Apassword+-sample&btnG=Search
intitle:"Index of /" modified php.exe;intitle%3A%22Index+of+%2F%22+modified+php.exe&btnG=Search
intitle:"Error using Hypernews" "Server Software";intitle%3A%22Error+using+Hypernews%22+%22Server+Software%22&btnG=Search
inurl:ccbill filetype:log;inurl%3Accbill+filetype%3Alog&btnG=Search
filetype:mdb inurl:users.mdb;filetype%3Amdb+inurl%3Ausers.mdb&btnG=Search
filetype:cfg ks intext:rootpw -sample;filetype%3Acfg+ks+intext%3Arootpw+-sample&btnG=Search
filetype:php inurl:"viewfile" -"index.php" -"idfil";filetype%3Aphp+inurl%3A%22viewfile%22+-%22index.php%22+-%22idfil%22&btnG=Search
intitle:"Microsoft Outlook Web Access - Logon";intitle%3A%22Microsoft+Outlook+Web+Access+-+Logon%22&btnG=Search
inurl:root.asp?acs=anon;inurl%3Aroot.asp%3Facs%3Danon&btnG=Search
"Looking Glass" (inurl:"lg/" | inurl:lookingglass);%22Looking+Glass%22+%28inurl%3A%22lg%2F%22+%7C+inurl%3Alookingglass%29&btnG=Search
filetype:cgi inurl:"irc.cgi";filetype%3Acgi+inurl%3A%22irc.cgi%22&btnG=Search
filetype:ctt ctt messenger;filetype%3Actt+ctt+messenger&btnG=Search
intitle:"Error Occurred While Processing Request";intitle%3A%22Error+Occurred+While+Processing+Request%22&btnG=Search
intitle:"htsearch error" ht://Dig error;intitle%3A%22htsearch+error%22+ht%3A%2F%2FDig+error&btnG=Search
filetype:asp inurl:"shopdisplayproducts.asp";filetype%3Aasp+inurl%3A%22shopdisplayproducts.asp%22&btnG=Search
inurl:/public/?Cmd=contents;inurl%3A%2Fpublic%2F%3FCmd%3Dcontents&btnG=Search
"Powered by: vBulletin * 3.0.1" inurl:newreply.php;%22Powered+by%3A+vBulletin+*+3.0.1%22+inurl%3Anewreply.php&btnG=Search
filetype:mny mny;filetype%3Amny+mny&btnG=Search
HTTP_USER_AGENT=Googlebot;HTTP_USER_AGENT%3DGooglebot&btnG=Search
"# Dumping data for table (username|user|users|password)";%22%23+Dumping+data+for+table+%28username%7Cuser%7Cusers%7Cpassword%29%22&btnG=Search
intitle:"Welcome to ntop!";intitle%3A%22Welcome+to+ntop%21%22&btnG=Search
filetype:conf inurl:unrealircd.conf -cvs -gentoo;filetype%3Aconf+inurl%3Aunrealircd.conf+-cvs+-gentoo&btnG=Search
intitle:"Index of" service.pwd;intitle%3A%22Index+of%22+service.pwd
intitle:"Index of" users.pwd;intitle%3A%22Index+of%22+users.pwd
intitle:"Index of" authors.pwd;intitle%3A%22Index+of%22+authors.pwd
intitle:"Index of" administrators.pwd;intitle%3A%22Index+of%22+administrators.pwd
intitle:"Index of" showcode.asp;intitle%3A%22Index+of%22+showcode.asp
intitle:"Index of" sendmail.cfm;intitle%3A%22Index+of%22+sendmail.cfm
intitle:"Index of" SessionServlet;intitle%3A%22Index+of%22+SessionServlet
intitle:"Index of" web_store.cgi;intitle%3A%22Index+of%22+web_store.cgi
intitle:"Index of" wwwboard.pl;intitle%3A%22Index+of%22+wwwboard.pl
intitle:"Index of" www-sql;intitle%3A%22Index+of%22+www-sql
intitle:"Index of" AT-admin.cgi;intitle%3A%22Index+of%22+AT-admin.cgi
intitle:"Index of" maillist.pl;intitle%3A%22Index+of%22+maillist.pl
intitle:"Index of" publisher;intitle%3A%22Index+of%22+publisher
intitle:"Index of" db.cgi;intitle%3A%22Index+of%22+db.cgi
intitle:"Index of" login.jsp;intitle%3A%22Index+of%22+login.jsp
intitle:"Index of" amadmin.pl;intitle%3A%22Index+of%22+amadmin.pl
inintitle:"Index of" (access_log|access-log);intitle%3A%22Index+of%22+%28access_log%7Caccess-log%29&btnG=Search
intitle:"Index of" log.htm;intitle%3A%22Index+of%22+log.htm&btnG=Search
intitle:"Index of" mailto.cgi.pwd;intitle%3A%22Index+of%22+mailto.cgi
intitle:"Index of" YaBB.pl.pwd;intitle%3A%22Index+of%22+YaBB.pl
intitle:"Index of" WSFTP.LOG;intitle%3A%22Index+of%22+WSFTP.LOG
intitle:"Index of" print.cgi;intitle%3A%22Index+of%22+print.cgi
intitle:"Index of" CrazyWWWBoard.cgi;intitle%3A%22Index+of%22+CrazyWWWBoard.cgi
intitle:"Index of" pwd.dat;intitle%3A%22Index+of%22+pwd.dat
intitle:"Index of" post-query;intitle%3A%22Index+of%22+post-query
intext:"404 Object Not Found" Microsoft-IIS/5.0;intext%3A%22404+Object+Not+Found%22+Microsoft-IIS%2F5.0
"Microsoft-IIS/5.0 server at";%22Microsoft-IIS%2F5.0+server+at%22&btnG=Search
"Microsoft-IIS/4.0" intitle:index.of;%22Microsoft-IIS%2F4.0%22+intitle%3Aindex.of&btnG=Search
"Microsoft-IIS/6.0" intitle:index.of;%22Microsoft-IIS%2F6.0%22+intitle%3Aindex.of&btnG=Search
"Novell, Inc" WEBACCESS Username Password "Version *.*" Copyright -inurl:help -guides|guide;%22Novell%2C+Inc%22+WEBACCESS+Username+Password+%22Version+*.*%22+Copyright++-inurl%3Ahelp+-guides%7Cguide&btnG=Search
"Red Hat Secure/2.0";%22Red+Hat+Secure%2F2.0%22&btnG=Search
allintext:"Powered by LionMax Software" "WWW File Share";allintext%3A%22Powered+by+LionMax+Software%22+%22WWW+File+Share%22&btnG=Zoeken&lr=
allinurl:".nsconfig" -sa;allinurl%3A%22.nsconfig%22+-sa
intitle:"Lotus Domino Go Webserver:" "Tuning your webserver" -site:ibm.com;intitle:%22Lotus+Domino+Go+Webserver:%22+%22Tuning+your+webserver%22+-site:ibm.com&hl=en&lr=&ie=UTF-8&filter=0
intitle:"Open WebMail" "Open WebMail version (2.20|2.21|2.30)";intitle%3A%22Open+WebMail%22+%22Open+WebMail+version+%282.20%7C2.21%7C2.30%29+%22&btnG=B%C3%BAsqueda&meta=
intitle:"Welcome To Xitami" -site:xitami.com;intitle%3A%22Welcome+To+Xitami%22+-site%3Axitami.com&btnG=Google+Search
intitle:"Welcome to windows 2000 Internet Services";intitle:%22Welcome+to+Windows+2000+Internet+Services%22
XAMPP "inurl:xampp/index";XAMPP+%22inurl:xampp/index%22
"Select a database to view" intitle:"filemaker pro";%22Select+a+database+to+view%22+intitle%3A%22filemaker+pro%22
"Welcome to PHP-Nuke" congratulations;%22Welcome+to+PHP-Nuke%22+congratulations
intitle:"Mail Server CMailServer Webmail" "5.2";intitle%3A%22Mail+Server+CMailServer+Webmail%22+%225.2%22
allintitle:Brains, Corp. camera;allintitle:Brains,+Corp.+camera
inurl:indexFrame.shtml Axis;inurl%3AindexFrame.shtml+Axis&btnG=Google+Search
intitle:"remote ui:top page";intitle%3A%22remote+ui%3Atop+page%22
intext:"Ready with 10/100T Ethernet";intext:%22Ready+with+10/100T+Ethernet%22
intitle:"EvoCam" inurl:"webcam.html";intitle:%22EvoCam%22+inurl:%22webcam.html%22
intitle:"my webcamXP server!" inurl:":8080";intitle%3A%22my+webcamXP+server!%22+inurl%3A%22%3A8080%22&btnG=Search
intitle:"toshiba network camera - User Login";intitle%3A%22toshiba+network+camera+-+User+Login%22
inurl:"ViewerFrame?Mode=";inurl%3A%22ViewerFrame%3FMode%3D%22
intext:centreware inurl:status;intext%3Acentreware+inurl%3Astatus
intext:"MOBOTIX M1" intext:"Open Menu";intext%3A%22MOBOTIX+M1%22+intext%3A%22Open+Menu%22
inurl:"printer/main.html" intext:"settings";inurl%3A%22printer%2Fmain.html%22+intext%3A%22settings%22
intitle:"Browser Launch Page";intitle%3A%22Browser+Launch+Page%22
intitle:liveapplet inurl:LvAppl;intitle%3Aliveapplet+inurl%3ALvAppl

还有篇差不多呢 收集的比较全

Google Hacker by [email protected];%22Alle+gro%C3%9Fen+Anarchisten+starben+am+23.%22&btnG=Search
"cacheserverreport for";%22cacheserverreport+for%22+%22This+analysis+was+produced+by+calamaris%22&btnG=Google+Search
intitle:"Ganglia" "Cluster Report for";intitle%3A%22Ganglia%22+%22Cluster+Report+for%22&btnG=Search
intitle:"Apache HTTP Server" intitle:"documentation";intitle%3A%22Apache+HTTP+Server%22+intitle%3A%22documentation%22&btnG=Search
"Error Diagnostic Information" intitle:"Error Occurred While";%22Error+Diagnostic+Information%22+intitle%3A%22Error+Occurred+While%22&btnG=Search
intitle:"Index of" finance.xls;intitle%3A%22Index+of%22+finance.xls&btnG=Search
intitle:index.of finances.xls;intitle%3Aindex.of+finances.xls&btnG=Search
"# Dumping data for table";%22%23+Dumping+data+for+table%22&btnG=Search
intitle:index.of .bash_history;intitle%3Aindex.of+.bash_history&btnG=Search
intitle:index.of .sh_history;intitle%3Aindex.of+.sh_history&btnG=Search
intitle:"Index of" .mysql_history;intitle%3A%22Index+of%22+.mysql_history&btnG=Search
intitle:index.of mt-db-pass.cgi;intitle%3Aindex.of+mt-db-pass.cgi&btnG=Search
intitle:"Welcome to windows 2000 Internet Services";intitle%3A%22Welcome+to+W