[Translation] Google: A Hacker's Best Friend

Paris2K Labs
http://Paris2K.at.box.sk
Paris2K@box.sk
Google: A Hacker's Best Friend

In the last few years a number of news articles have appeared warning that hackers (or crackers, if you will) use the Google search engine to gain access to files they shouldn't be allowed to see. This is nothing new to some people, but personally I have always wondered how exactly such a thing works. VNUnet’s James Middleton wrote an article in 2001 about hackers using a special search string on Google to find sensitive banking data:

"One such posting on a security newsgroup claimed that searching using the string 'Index of / +banques +filetype:xls' eventually turned up sensitive Excel spreadsheets from French banks. The same technique could also be used to find password files"[1]

Another article, on wired.com, told us how Adrian Lamo, a hacker who has often made the news over the last couple of years, explained that Google could be used to gain access to the websites of big corporations.

“For example, typing the phrase "Select a database to view" --a common phrase in the FileMaker Pro database interface -- into Google recently yielded about 200 links, almost all of which led to FileMaker databases accessible online.”[2]

These articles kept coming up in the online news. U.S. military and government websites were vulnerable because admin scripts could be found using Google; medical files, personal records, everything suddenly seemed just one Google search away. But these articles seemed to show up once every half year and always talked about it as if it were something new. Another thing was that the articles never explained how one would actually go about doing this; almost never was an example of a search string given. The last time I read one of these articles I decided it was time to find out for myself whether Google actually could do all they say it can. The following is a report of my findings and a description of some techniques and search strings one could use.

Theory

The theory behind this is actually quite simple. Either you think of certain data you would like to acquire, imagine in what kind of files such data would be stored, and search for those files directly (search for *.xls files, for example). Or you take the more interesting approach: you think of a certain piece of software that allows you to perform certain tasks or to access certain things, and you search for the critical files of that software. An example could be a content management system. You read up on this particular content management system, check which files it consists of and search for those. A great example is that of the databases mentioned above: you know the string “view database” is used on pages that shouldn’t be accessible to you, so you search for pages containing that string; or you look at the software and notice that the option to view a database is linked to a webpage within this software called “viewdbase.htm”, and you search for “viewdbase.htm”.

The most important thing is to have a clear goal: to know what it is you want to find. Then search for these specific files, or for the telltale strings (the “trademarks”) these files contain.

Google Search Options

Specific file types: *.xls, *.doc, *.pdf, *.ps, *.ppt, *.rtf

Google allows you to search for specific file types, so instead of getting HTML files (websites) as results you get Microsoft Excel files, for example. The search string you would use would be:

filetype:xls (for Excel files) or filetype:doc (for Word files)

But maybe more interesting would be searching for *.db files and *.mdb files. Google, by the way, doesn’t tell you that you can search for *.db and *.mdb files. I wonder what other file types one can search for. Things that come to mind are *.cfg files, *.pwd files, *.dat files, stuff like that. Try to think of something that might get you some interesting results.

Inurl

Another useful search option is inurl:, which allows one to search for a certain word that should appear in the URL. This gives you the opportunity to search for specific directories/folders, especially in combination with the “index of” string, which I will talk about later on.

An example would be inurl:admin, which would return website URLs that have the word “admin” in the URL.

Index of

The “index of” string isn’t really a search option the creators of Google had in mind, but it comes in very handy. If you use the “index of” string you will find directory listings of specific folders on servers. An example could be:

“index of” admin or index.of.admin

which would get you many directory listings of admin folders. (Don’t forget to use the quotes in this case, since you are looking for the entire “index of” string, not just for “index” and “of”.)

Site

The site: option restricts the results to a certain domain name extension or to a specific site. For example, one could search for .com sites, .box.sk sites or .nl sites, or for results from just one site; more interesting might be to search only military or government websites. Examples of such search strings would be:

site:mil or site:gov

site:neworder.box.sk “board”

Intitle

Intitle is another nice option. It allows you to search for HTML files that have a certain word or words in the title. The format is intitle:wordhere. You could check which words appear in the title of some online control panel or content management system and then search Google for that word with the intitle: option, to find these control panel pages.

Link

The link: option allows you to check which sites link to a specific site. As described in Hacking Exposed, Third Edition, this could be useful:

“These search engines provide a handy facility that allows you to search for all sites that have links back to the target organization’s domain. This may not seem significant at first but let’s explore the implications. Suppose someone in an organization decides to put up a rogue website at home or on the target network’s site.”[4]

Combining search options

The above-mentioned search options may or may not be known to you, and even on their own they can produce some interesting results, but it’s when you start combining them that Google’s magic really starts to show. For example, one could try these search strings:

inurl:nasa.gov filetype:xls "restricted"
site:mil filetype:xls "password"
site:mil “index of” admin

inurl:nasa.gov filetype:xls "restricted" 或者 this one: site:mil filetype:xls "password" 或者也可以试试这个 site:mil “index of” admin

(I’m just producing these off the top of my head; I don’t know whether they’d turn up anything interesting. That’s where you come in: you have to find a search string that gets the results you want.)
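From the defender’s side, these combined operators show up in your own web-server logs: the referer of a visit that came from a Google search carries the query, and the request itself names the file that was found. The following Python script is an added example, not part of the original article; it assumes Apache’s “combined” log format and runs over constructed log lines (documentation-range addresses, no real hosts) that replay the article’s admin.cfg and webeditor.php cases:

```python
"""Spot search-engine-driven probing of sensitive paths in Apache access logs."""
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format (assumed):
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# File names and extensions the article shows being located through Google.
SENSITIVE_NAMES = {"admin.cfg", "webeditor.php", "file_upload.php", "fpadmin.htm",
                   "config.inc.php", "mysql.cfg"}
SENSITIVE_EXTS = (".xls", ".doc", ".db", ".mdb", ".cfg", ".pwd")

# Search operators whose presence in the referring query marks a crafted search.
DORK_MARKERS = ("inurl:", "intitle:", "filetype:", "site:", "index of", "index.of")


def referer_query(referer):
    """Return the search query carried by a Google referer URL, or None."""
    u = urlparse(referer)
    if "google." not in u.netloc:
        return None
    q = parse_qs(u.query).get("q")   # parse_qs percent-decodes and maps '+' to ' '
    return q[0] if q else None


def classify(line):
    """Return the reasons a log line looks like search-driven probing ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable line"]
    reasons = []
    name = urlparse(m["path"]).path.rsplit("/", 1)[-1].lower()
    if name in SENSITIVE_NAMES:
        reasons.append("sensitive file: " + name)
    elif name.endswith(SENSITIVE_EXTS):
        reasons.append("sensitive extension: " + name)
    q = referer_query(m["referer"])
    if q and any(marker in q.lower() for marker in DORK_MARKERS):
        reasons.append("search-operator referer: " + q)
    # A 200 on a flagged request means the exposure is real, not merely attempted.
    if reasons and m["status"] == "200":
        reasons.append("served successfully (status 200)")
    return reasons


def scan(log_text):
    """Map each suspicious line to its reasons; clean lines are left out."""
    return {l: r for l in log_text.splitlines() if (r := classify(l))}


# Constructed sample lines; the last one is ordinary search traffic and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2003:13:55:36 +0200] "GET /cgi-bin/directimi/admin.cfg HTTP/1.1" 200 512 "http://www.google.com/search?q=inurl%3Aadmin.cfg+%22index+of%22" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2003:13:56:01 +0200] "GET /admin/ HTTP/1.1" 200 2048 "http://www.google.com/search?q=site%3Amil+%22index+of%22+admin" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2003:14:02:10 +0200] "GET /php/webeditor.php HTTP/1.1" 403 214 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2003:14:03:44 +0200] "GET /index.html HTTP/1.1" 200 1024 "http://www.google.com/search?q=product+catalogue" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(line.split('"')[1], "->", "; ".join(reasons))
```

A 403 on webeditor.php (third line) is the outcome you want to see: the page was found but .htaccess protection held.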

Examples: The Good Stuff

Specific file types: *.xls, *.doc, *.pdf, *.ps, *.ppt, *.rtf

To start out simple, you can try to search directly for files that you believe might hold interesting information. The obvious choices for me were things like:

Password, passwords, pwd, account, accounts, userid, uid, login, logins, secret, secrets, all followed by either *.doc or *.xls or *.db

This led me to quite a few interesting results, especially with the *.db option, but I also found some passwords.doc files containing working passwords.

http://www.doc.state.ok.us/Spreadsheets/private%20prison%20survey%20for%20web.xls
http://www.bmo.com/investorrelations/current/current/suppnew/private.xls
http://www.nescaum.org/Greenhouse/Private/Participant_List.xls
http://www.dscr.dla.mil/aviationinvest/attendance_5Apr01.xls
http://web.nps.navy.mil/~drdolk/is3301/PART_IS3301.XLS

Admin.cfg

Admin.cfg is, most of the time, an admin configuration file of some sort. Many different software packages obviously use names like “config”, “admin” or “setup”, etc., and most of the time these files contain sensitive information and thus shouldn’t be accessible to people browsing the web. I tried a search for admin.cfg, using the following search string on Google:

inurl:admin.cfg “index of”

This led to many results, many of which were useless, but some paid off. I found, for example, http://www.alternetwebdesign.com/cgi-bin/directimi/admin.cfg, which contained a password. This was the admin password for a database located at http://www.alternetwebdesign.com/cgi-bin/directimi/database.cgi?admin.cfg

This database contained sensitive client data of this particular company. I then proceeded to e-mail the company and tell them about the flaw. They replied to me in a very friendly manner and told me they appreciated my help and that they would take the necessary steps to solve the problem.

Webadmin

A short while back, while working on this article, I ran into this website:

http://wacker-welt.de/webadmin/

The website explains that “webadmin” is a small piece of software that allows one to remotely edit parts of a website, upload files, etc. The main page of the webadmin control centre is called “webeditor.php”. So obviously my next step was to visit Google and use the inurl: option to find webeditor.php pages that I could reach. I used the following search string:

inurl:webeditor.php

and I found the following results:

http://orbyonline.com/php/webeditor.php
http://www-user.tu-chemnitz.de/~hkri/Neuer%20Ordner/webeditor.php
http://artematrix.org/webeditor/webeditor.php
http://www.directinfo.hu/kapu/webeditor.php

All these webeditor.php files were reachable by anyone, merely because the owners failed to (correctly) protect these pages with .htaccess. This mistake allows anyone to change the webpages on the server and thus deface the site, or to upload files and thus possibly gain full access to the server.

While browsing through these sites I noticed that the file that allows one to upload files is called “file_upload.php”, which I could then search for on Google to find more examples.

http://www.hvcc.edu/~kantopet/ciss_225/examples/begphp/ch10/file_upload.php

A good example:

http://www.pelicandecals.com/admin/webeditor.php

The script allows you to change files, as in the above examples, including index.php. In theory one could write or download whatever malicious script one wants, paste this code into an existing file or just upload it, and well, the consequences are obvious.

There was also a link “Return Administration”, and clicking on it took me to:

http://www.pelicandecals.com/admin/administration.html

where there were customer addresses, where one could change pricing, etc.

Content Management Systems

Content management systems are software programs that allow a webmaster to edit, alter and control the content of his website. The same goes for online control panels of websites. The idea is to find out which files are, for example, the main files of these software programs: “cms.html” could be one, or “panel.html” or “control.cfg”. You find out which filenames a certain package uses, you then think of a good search string and hope you strike gold.

Frontpage Server Extensions HTML Administration Forms

“You can remotely administer the FrontPage Server Extensions from any computer connected to the Internet by using the FrontPage Server Extensions HTML Administration Forms, a set of Web pages that allow you to administer the FrontPage Server Extensions remotely.”[3]

Well, that’s what Microsoft’s manual has to say about it. This means that users with access to these forms are able to perform a number of administrative functions remotely, and that means these forms should be well protected from non-authorized people. Now how would one go about finding non-protected forms on the internet? The first thing we do is find out which files these scripts consist of. A short visit to the Microsoft website, or a peek into the FrontPage manual, tells us that the main page for these administration forms is a file called “fpadmin.htm”. So that’s what we need to search for. Next we need a search string that will get us the results we want. When a default install is performed, the files get installed in a directory called “admin”. Putting to use what we have learned about Google search options and the theory behind this technique, a good search string might be:

inurl:fpadmin.htm “index of” admin or maybe inurl:admin/fpadmin.htm

Well, these were the results I got:

http://www.lehigh.edu/~ineduc/degree_programs/tbte/admin/
http://blackadder.eng.monash.edu.au/frontpage/admin/
http://www.lehigh.edu/collegeofeducation/degree_programs/tbte/admin/
http://www.vsl.gifu-u.ac.jp/freeman/frontpage4/admin/
http://www.tech-geeks.org/contrib/loveless/e-smith-fp2002/frontpage/version5.0/admin/1033/fpadmin.htm
http://fp.nsk.fio.ru/admin/1033/fpadmin.htm

But the frontpage manual says more:

“Because of the security implications of making remote FrontPage administration possible from Web browsers, the HTML Administration Forms are not active when they are first installed.”[3]

This means that some of these could be active, and thus useful to us, and some might not. There is, of course, only one way to find out, and that is to perform one of the possible administrative functions and see if you get results. I for one decided not to go that far, because it would mean breaking the law. But I’m not here to teach ethics, or at least not today.

Freesco Router

The Freesco router software for Linux installs, by default, a small web server which allows owners to control the router through the HTTP protocol. In other words, a website automatically gets set up that allows you to control the router. The default login and password for this control panel are “admin” and “admin”. Many people who use Freesco don’t know this. You could search for these Freesco router control websites by using a string such as:

intitle:“freesco control panel” or “check the connection”, which are words that are either in the title of these pages or on the pages themselves. That’s what it’s all about: you check out a certain piece of software, find the part you’d want to be able to reach, and figure out which search string would get you the good results.

Extra Tips

Remember, English is the most used language online, but it’s not the only one. Try searching for words or strings that are specific to your own language, or to French or German, etc. For example, “beheer” is the Dutch word for “administration”, and “privat” is German for “private”.

You can check vulnerability scanners’ scan lists for interesting search strings you might want to use or combine with your own strings. Check http://paris2k.at.box.sk/tools/listings/ for some examples.

Search for files like “config.inc.php” or “mysql.cfg” that could contain MySQL username and password combinations. Try to think of good search strings using words like PHP, SQL, MySQL, etc.

Try things like:
inurl:admin "index of" "database"
inurl:phpmyadmin "index of"
inurl:mysql "index of"
site:neworder.box.sk intitle:index.of
intitle:index.of.private (= intitle:"index of private")
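Everything this article finds through Google (the file types in the first example section, the “index of” listings, the unprotected webeditor.php directories, the FrontPage “admin” folder and the config files named in the tips above) is visible on disk to the server’s own administrator first. The following Python audit script is an added example, not part of the original article or of any of the software it mentions; run it against your own DocumentRoot. The sample tree it builds in a temporary directory is constructed to reproduce the article’s mistakes:

```python
"""Audit a web document root for the exposures the article locates via Google."""
import os
import tempfile

# Names and extensions the article shows turning up in search results.
SENSITIVE_NAMES = {"admin.cfg", "webeditor.php", "file_upload.php", "fpadmin.htm",
                   "config.inc.php", "mysql.cfg", "passwords.doc"}
SENSITIVE_EXTS = {".xls", ".doc", ".db", ".mdb", ".cfg", ".pwd", ".dat"}
INDEX_FILES = {"index.html", "index.htm", "index.php"}
ADMIN_DIR_HINTS = ("admin", "webadmin", "phpmyadmin", "private")


def audit(docroot):
    """Return a sorted list of (kind, relative_path) findings under docroot."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        names = set(filenames)
        # A directory without an index file is served as a listing when
        # Apache's "Options Indexes" is on: exactly what "index of" searches find.
        if not names & INDEX_FILES:
            findings.append(("listing", rel + "/"))
        # Admin-style directories need access control; .htaccess is the usual place.
        base = os.path.basename(dirpath).lower()
        if rel and any(h in base for h in ADMIN_DIR_HINTS) and ".htaccess" not in names:
            findings.append(("unprotected-admin-dir", rel + "/"))
        for f in filenames:
            path = f"{rel}/{f}" if rel else f
            lower = f.lower()
            if lower in SENSITIVE_NAMES:
                findings.append(("sensitive-file", path))
            elif os.path.splitext(lower)[1] in SENSITIVE_EXTS:
                findings.append(("sensitive-extension", path))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed document root that reproduces the article's mistakes."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.html": "<html>home</html>",
        "cgi-bin/directimi/admin.cfg": "password=changeme",   # exposed config file
        "admin/webeditor.php": "<?php /* editor */ ?>",       # no .htaccess, no index
        "admin/fpadmin.htm": "<html>forms</html>",
        "spreadsheets/survey.xls": "xls-bytes",               # listing + sensitive ext
        "secure/index.php": "<?php ?>",                       # has index: no listing
        "secure/.htaccess": "Require valid-user\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, path in audit(build_sample_docroot()):
        print(f"{kind:24} {path}")
```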

Conclusion

The internet is a network to which hundreds of thousands, if not millions, of web servers are connected, and in theory all data on them can be reached unless it is properly protected. Both software designers and end users should pay more attention to default installation security configuration and security policy. In the end, there are always going to be people who make mistakes, use default installs, use poorly secured software, or just don’t care or still believe there’s no danger in putting this kind of data online. And there are also always going to be curious people who love to find the interesting information they have been hoping for. Google can help you considerably in locating this kind of information, and it’s easy and fun.

Sidenote

I have used in this article, “live examples” because “foobar examples” in this case wouldn’t have been very useful. I hope you choose to learn from these examples and not use them to commit malicious acts. Think of a great search string yourself and don’t abuse the ones I have shown to explain the technique a little bit. (Guess I couldn’t stay away from the ethics lesson after all)

Afterword

To not abandon tradition I would like to take the chance to greet some people. People like JLP, Rattlesnake, Drew, X, Tek, Sean, Marek, Resolution and others… you all know who you are, Thanks for helping me out numerous times with numerous different things.

Bibliography

1. Google not 'hackers' best friend',James Middleton, VNUnet.com, 2001
http://www.vnunet.com/News/1127162

2. Google: Net Hacker Tool du Jour, Christopher Null, wired.com, 2003
http://www.wired.com/news/infostructure/0,1377,57897,00.html

3. Microsoft FrontPage 2000 Server Extensions Resource Kit
http://sciris.shu.edu/Manuals/FrontPage/serk/adhtm_1.htm

4. Hacking Exposed Third Edition, McClure, Scambray, Kurtz, ISBN: 0-07-219381-6
http://www.osborne.com
