Penetration Testing: Information Gathering (Part 2)

Introduction

The previous article covered the tools used in every aspect of information gathering, both online services and local tools. If you can use those tools fluently, you can at least pass as a script kiddie. But who doesn't want to join the "big" ranks: big shots, big names, big Vs... (big brother probably doesn't count).
Going from script kiddie to one of the "big" ranks is the ultimate ambition of anyone who really wants a career in security. For the information-gathering phase, knowing how to use the tools is at most half the job, perhaps a third. The field also has a formidable discipline called social engineering, which I think of as a deep "non-technical" technique that only people with both high EQ and high IQ play well (Kevin Mitnick is probably the founding figure of social engineering in the hacker world). The other sign that you are crossing over into the "big" ranks is fluency in Google search syntax (Google dorks).
Google is the leader of the search-engine industry, bar none, at least for now. Google syntax uses the search engine's enormous index: with specially constructed queries and nothing but a browser, you can find most of what you want to know anywhere in cyberspace.
Google syntax works best on Google itself, its mirrors, or study sites. Baidu can be used too, but when you really try to search for what you want, it will drive you to despair. Microsoft's Bing is another option; in my experience Bing is not as good as Google, but it is at least better than Baidu.

I. Common operators

1. inurl: matches pages whose URL contains the term
   Example: inurl:360
2. intext: matches pages whose body text contains the term
   Example: intext:"360"
3. site: restricts results to a given domain and its subdomains (subdomain enumeration)
   Example: site:360.cn
4. filetype: matches by file suffix or extension
   Example: filetype:pdf
5. intitle: matches pages whose title contains the term
   Example: intitle:"安全"
6. link: shows pages that link to the given page (all pages containing the keyword as a link)
7. cache: shows the copy of the page held in the Google cache (all cached pages for the keyword)

II. Common operator symbols

  +    include a word that Google would otherwise ignore in the query
  -    exclude a word
  ~    synonyms
  .    single-character wildcard
  *    wildcard for multiple characters
  ""   exact phrase
  |    OR (a comma also works): several alternatives, any one of which may match
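Dorks copied between lists accumulate typos in exactly these operators (several entries later on this page read filetyep, intilte or inrul, and Google silently treats an unknown operator as a plain keyword, so the query still "works" but returns garbage). The Python below is an added example, not part of the original post: it tokenizes a dork into (negated, operator, value) triples, expands the | alternatives, and uses difflib to flag operators that are not in the list above and propose the closest valid one. The operator set and sample dorks are constructed for the example.

```python
import difflib
import re
from typing import Dict, List, Optional, Tuple

# Operators documented on this page (Google's advanced-search keywords).
# Constructed for the example; extend it with any operator you rely on.
KNOWN_OPERATORS = sorted({
    "inurl", "allinurl", "intext", "allintext", "intitle", "allintitle",
    "site", "filetype", "ext", "link", "cache",
})

# One token: optional "-" exclusion, optional operator:, then a quoted
# phrase (straight or curly quotes, as copied lists often carry) or a bare word.
TOKEN_RE = re.compile(r'(?P<neg>-)?(?:(?P<op>[A-Za-z_]+):)?(?P<val>"[^"]*"|“[^”]*”|\S+)')


def tokenize(dork: str) -> List[Tuple[bool, str, str]]:
    """Split a dork into (negated, operator, value) triples.

    operator is '' for a plain keyword; surrounding quotes are stripped from
    the value, so intitle:"index of" yields (False, 'intitle', 'index of').
    """
    tokens = []
    for m in TOKEN_RE.finditer(dork):
        val = m.group("val")
        if len(val) >= 2 and val[0] in '"“' and val[-1] in '"”':
            val = val[1:-1]
        tokens.append((m.group("neg") is not None, (m.group("op") or "").lower(), val))
    return tokens


def split_alternatives(value: str) -> List[str]:
    """Expand the | OR operator: 'login|admin|manage' -> three values."""
    return [v for v in value.split("|") if v]


def check_operators(dork: str) -> Dict[str, Optional[str]]:
    """Map every unrecognised operator to the closest known one.

    Returns {} for a clean dork. A value of None means nothing similar was
    found, so the word is probably not a typo but something Google will treat
    as an ordinary keyword (e.g. the 'http' in a pasted URL).
    """
    problems: Dict[str, Optional[str]] = {}
    for _, op, _ in tokenize(dork):
        if op and op not in KNOWN_OPERATORS:
            close = difflib.get_close_matches(op, KNOWN_OPERATORS, n=1, cutoff=0.6)
            problems[op] = close[0] if close else None
    return problems


# Constructed sample dorks: one well-formed, two with typos seen in copied lists.
SAMPLE_DORKS = [
    'site:example.com inurl:login|admin intitle:"后台登录" -site:github.com',
    "filetyep:pdf site:example.com",
    'intilte:"index of" inrul:backup',
]

if __name__ == "__main__":
    for dork in SAMPLE_DORKS:
        print(dork)
        for neg, op, val in tokenize(dork):
            print("   ", "-" if neg else " ", op or "(keyword)", split_alternatives(val))
        print("    unknown operators:", check_operators(dork) or "none")
```

Run it over a saved dork list before using the list; anything reported with a suggestion is almost certainly a copy error, and anything reported as None deserves a look because Google will search for it as a literal word.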

III. Everyday uses

1. Finding admin panels
site:域名 inurl:login|admin|manage|member|admin_login|login_admin|system|login|user|main|cms

2. Finding files
filetype:doc
filetype:.doc site:.mil classified   // searches military-related Word documents directly
filetype:xml
filetype:rar
filetype:docx
filetype:inc
filetype:mdb
filetype:txt
filetype:emali
filetype:xls
filetype:.sql
filetype:conf
filetype:pdf
学生信息 filetype:xls

3. Checking which scripting languages a site runs
filetype:asp
filetype:jsp
filetype:php
filetype:ASPX

4. Directory listings and sensitive information disclosure
intitle:"index of" etc
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" admin
inurl:service.pwd
intitle:phpmyadmin intext:Create new database   // phpMyAdmin instances that drop you straight into the admin interface
intitle:"php shell*" "Enable stderr" filetype:php   // bulk search for webshells
intitle:"index of" data   // lists data directories
intitle:"error occurred" ODBC request where (select|insert)   // pages showing SQL injection error output
intitle:index.of filetype:log   // log files

5. Finding admin panels with intitle
intitle:管理
intitle:登录
intitle:后台
intitle:"后台登录"

6. Finding warning and error messages
intitle:error
intitle:warning

7. Admin panel paths for inurl
inurl:admin/manager
admin
admin_index
admin_admin
index_admin
admin/index
admin/default
admin/manage
admin/login
manage_index
index_manage
manager/login
manager/login.asp
manager/admin.asp
login/admin/admin.asp
houtai/admin.asp
guanli/admin.asp
denglu/admin.asp
admin_login/admin.asp
admin_login/login.asp
admin/manage/admin.asp
admin/manage/login.asp
admin/default/admin.asp
admin/default/login.asp
member/admin.asp
member/login.asp
administrator/admin.asp
administrator/login.asp

8. Database and configuration files for inurl
inurl:editor/db/
inurl:eWebEditor/db/
inurl:bbs/data/
inurl:databackup/
inurl:blog/data/
inurl:okedata
inurl:bbs/database/
inurl:conn.asp
inurl:inc/conn.asp
inurl:"viewerframe?mode="   // camera web interfaces
inurl:db
inurl:mdb
inurl:config.txt
inurl:bash_history
inurl:data filetype:mdb   // databases in mdb format

9. Backup files for inurl
inurl:temp
inurl:tmp
inurl:backup
inurl:bak

10. Finding injection points with inurl
site:xx.com filetype:asp
site:tw inurl:asp?id=   // Taiwan
site:jp inurl:php?id=   // Japan
site:ko inurl:jsp?id=   // Korea

11. Upload vulnerabilities with inurl
site:xx.com inurl:file
site:xx.com inurl:load

12. Directory listing vulnerabilities
Index of /admin
Index of /passwd
Index of /password
Index of /mail
"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess
"Index of /secret"
"Index of /confidential"
"Index of /root"
"Index of /cgi-bin"
"Index of /credit-card"
"Index of /logs"
"Index of /config"
"index of/" inurl:lib   // library sites; usually directory listings you can download from

13. Bypassing download restrictions and arbitrary file download
"indexof/"ppt
"indexof/"mp3
"indexof/"word
"indexof/"xls
"indexof/"swf   etc.

14. Worked example of reconnaissance with Google syntax
1. site:scu.edu.cn   // lists all other subdomains and pages under the main domain, e.g. http://a1.xxxx.com http://a2.xxxx.com http://a3.xxxx.com http://a4.xxxx.com
2. Find the admin panel of each subdomain:
site:a1.xxxx.com intitle:管理   (or 后台, 登陆 and similar keywords)
site:a1.xxxx.com inurl:login   (or inurl:admin, followed by the common admin paths)
site:a1.xxxx.com intext:管理   (or 后台, 登陆 and similar keywords)
Here we obtained two admin panel addresses:
http://a2.xxxx.com/sys/admin_login.asp
http://a3.xxxx.com:88/_admin/login_in.asp
3. Check which scripting languages and applications run on each subdomain:
site:a1.xxxx.com filetype:jsp
site:a1.xxxx.com filetype:aspx
site:a1.xxxx.com filetype:php
site:a1.xxxx.com filetype:asp
From the results we see that this subdomain runs a PHP admin panel and an ASP guestbook system.
4. Find upload paths:
site:a2.xxxx.com inurl:file
site:a3.xxxx.com inurl:load
site:a4.xxx.com inurl:file
5. Find sensitive information:
site:scu.edu.cn intext:*@scu.edu.cn   // find all email addresses
site:xxxx.com intext:电话   // find all phone numbers
site:xxxx.com intext:身份证   // find all ID card numbers

------------------------------
Configuration file disclosure: site:lyshark.com ext:xml | ext:conf | ext:inf | ext:cfg | ext:txt | ext:ora | ext:ini
Directory listing: site:lyshark.com intitle:index.of
Database file disclosure: site:lyshark.com ext:sql | ext:dbf | ext:mdb


Find admin panels: site:domain inurl:login|admin|manage|member|admin_login|login_admin|system|login|user|main|cms

Find text content: site:domain intext:管理|后台|登陆|用户名|密码|验证码|系统|帐号|admin|login|sys|managetem|password|username

Find injectable points: site:domain inurl:aspx|jsp|php|asp

Find upload vulnerabilities: site:domain inurl:file|load|editor|Files

Find eWebEditor: site:domain inurl:ewebeditor|editor|uploadfile|eweb|edit

Exposed databases: site:domain filetype:mdb|asp|#

Check script type: site:domain filetype:asp/aspx/php/jsp

Indirect approach: inurl:cms/data/templates/images/index/


Using Google syntax to search for vulnerable software

tomcat

If you brute-force your way past Tomcat's basic authentication and upload a malicious WAR package, getting a shell is easy
# site: limits the scope; intitle and intext match Tomcat keywords
intitle:apache tomcat site:domain
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:domain
intext:$CATALINA_HOME/webapps/ROOT/ inurl:8080/ site:domain

weblogic

The WebLogic framework has had many published vulnerabilities; where it is present, it is a point of entry
# site: limits the scope; inurl and intitle match WebLogic keywords
inurl:/console/login/LoginForm.jsp site:domain
inurl:/console/login/LoginForm.jsp intitle:Oracle WebLogic Server site:domain
inurl:/console/login/ intitle:"Oracle WebLogic Server 管理控制台" site:domain

jboss

The JBoss framework has had many published vulnerabilities; where it is present, it is a point of entry
# site: limits the scope; inurl matches the JBoss keyword
inurl:/jmx-console/htmladaptor site:domain

websphere

The WebSphere framework has had many published vulnerabilities; where it is present, it is a point of entry
# site: limits the scope; inurl matches the WebSphere keyword
inurl:/ibm/console/logon.jsp site:domain

phpmyadmin

phpMyAdmin is the MySQL administration interface and can be brute-forced; a successful brute force gives MySQL privileges, from which privilege escalation leads to a shell
# site: limits the scope; inurl and intext match phpMyAdmin keywords
inurl:/phpMyAdmin site:domain
inurl:/phpMyAdmin/index.php site:domain
inurl:/phpMyAdmin/index.php site:domain db+information_schema
inurl:/phpMyAdmin/index.php intext:phpMyAdmin site:domain

webmin

Webmin is a web-based Linux system administration tool; by default it listens on web port 10000
# site: limits the scope; intitle and intext match Webmin keywords
intitle:Login to Webmin intext:"login to the Webmin server on" site:domain

wordpress

WordPress is an open-source PHP blogging platform; its framework has had a large number of vulnerabilities, in particular many SQL injections, through which a shell can be obtained
# site: limits the scope; inurl and "index of" match WordPress keywords
inurl:/wp-login.php site:domain
index of /wp-content/uploads inurl:/wp-login.php site:domain
inurl:/wp-content/themes/theagency site:domain

joomla

The Joomla framework has had many published vulnerabilities; where it is present, it is a point of entry
# site: limits the scope; inurl matches Joomla keywords
inurl:/administrator/index.php site:domain
inurl:index.php?option=com_advertisementboard site:domain   // injection
inurl:index.php?option=com_carocci site:domain
inurl:index.php?option=com_product site:domain

drupal

The Drupal framework has had many published vulnerabilities; where it is present, it is a point of entry
# site: limits the scope; inurl and intext match Drupal keywords
inurl:CHANGELOG.txt intext:drupal intext:"SA-CORE" -site:github.com -site:domain

Signature search

Personally I find this one useful
# add site: to limit the scope when using these; the version number can also be dropped
power by wordpress              powered by discuz x3.2
powered by phpcms 2008          powered by drupal 7
powered by dedecmsv57_gbk       powered by CubeCart 3.0.6
Powered by phpBB 2.0.6          powered by paBugs 2.0 Beta 3
inurl:wp-login.php              inurl:/administrator/index.php
inurl:/admina.php

owa

Outlook Web Access mailboxes
inurl:/owa/auth/logon.aspx site:domain

vpn

inurl:/sslvpn site:domain

mirapoint

Add site: yourself to narrow the scope
inurl:/cgi-bin/search.cgi site:domain
inurl:/cgi-bin/madmin.cgi site:domain

zimbra

Add site: yourself to narrow the scope
inurl:7071/zimbraAdmin/ site:domain
inurl:/help/en_US/standard/version.htm site:domain

Common admin panel addresses

Useful!! Add site: yourself to narrow the scope
inurl:/manager/login.php site:domain
inurl:/cms/login.php site:domain
inurl:/manage/index.php site:domain
inurl:/system/login.php site:domain
inurl:/webadmin/login.php site:domain
inurl:admin_login.php intitle:admin login site:domain
inurl:admin_login.php intitle:admin page site:domain
inurl:/admin/login.php site:domain
inurl:/admin/index.php site:domain
inurl:/system/adminlogin.asp site:domain
inurl:/manage/login.aspx site:domain
inurl:/sysadm/index.php site:domain
intext:"Website Design & Developed By : WebSay"   default admin panel: /admin
intext:"Powered by ENS Consultants"   default admin panel: /admin/login.php
intext:"Desenvolvimento - MW Way"   default admin panel: /admin/index.php
inurl:.php?id= intext:"Web realizada por Soma Estudio"
inurl:/_mycps/login.php
intext:"design by weli"   default admin panel: /adm/login.php; besides weak passwords there is also injection (linjizen@gmail.com/lin719192)
inurl:categorysearch.php?indus= site:domain   // SQL injection

svn

Add site: yourself to narrow the scope
inurl:/.svn/entries site:domain

Upload points

Add site: yourself to narrow the scope
intext:" Powered by JADBM "   JADBM CMS upload shell: register, log in and upload
inurl:"/index.php/frontend/login/en"   Estate CMS upload shell: register, log in and upload
inurl:/Content/Roxy_Fileman/   this path itself is the upload point
index of:"filemanager/dialog.php"   this script is the upload script; upload directly
intext:"Desenvolvido por Webnet Soluções Tecnológicas."   FCKeditor upload
inurl:"subir_foto.php"   upload point
inurl:"/imce?dir=" intitle:"File Browser"
inurl:"Powered by Vision Helpdesk 3.9.10 Stable"   register, log in, edit the personal profile and upload
index of /admin/fckeditor site:*.tw
inurl:/ewebeditor/ site:*.tw
inurl:/admin/upload_file.php
inurl:/admin/upfile.php
inurl:/admin/upload.asp

File inclusion and command execution

Add site: yourself to narrow the scope
inurl:footer.inc.php?settings=
inurl:/pb_inc/admincenter/index.php?page=
inurl:/pnadmin/categories.inc.php?subpage=
inurl:/index.php??view=src/sistema/vistas/
inurl:/edit.php?em=file&filename=
inurl:/path_to_athena/athena.php?athena_dir=   // remote include
inurl:/path_to_qnews/q-news.php?id=   // remote include
inurl:/inc/backend_settings.php?cmd=
inurl:login.action   // Struts2 family code-execution vulnerabilities
inurl:php?x=                  inurl:php?open=
inurl:php?visualizar=         inurl:php?pagina=
inurl:php?inc=                inurl:php?include_file=
inurl:php?page=               inurl:php?pg=
inurl:php?show=               inurl:php?cat=
inurl:php?file=               inurl:php?path_local=
inurl:php?filnavn=            inurl:php?HCL_path=
inurl:php?doc=                inurl:php?appdir=
inurl:php?phpbb_root_dir=     inurl:php?phpc_root_path=
inurl:php?path_pre=           inurl:php?nic=
inurl:php?sec=                inurl:php?content=
inurl:php?link=               inurl:php?filename=
inurl:php?dir=                inurl:php?document=
inurl:index.php?view=         inurl:*.php?locate=
inurl:*.php?place=            inurl:*.php?layout=
inurl:*.php?go=               inurl:*.php?catch=
inurl:*.php?mode=             inurl:*.php?name=
inurl:*.php?loc=              inurl:*.php?f=
inurl:*.php?inf=              inurl:*.php?pg=
inurl:*.php?load=             inurl:*.php?naam=
allinurl:php?page=            allinurl:php?file=
inurl:php?x=                  inurl:admin.php?cal_dir=
inurl:php?include=            inurl:php?nav=
inurl:*.php?sel=              inurl:php?p=
inurl:php?conf=               inurl:php?prefix=
inurl:theme.php?THEME_DIR=
inurl:php?lvc_include_dir=
inurl:php?basepath=           inurl:php?pm_path=
inurl:php?user_inc=           inurl:php?cutepath=
inurl:php?fil_config=         inurl:php?libpach=
inurl:php?pivot_path=         inurl:php?rep=
inurl:php?conteudo=           inurl:php?root=
inurl:php?configFile          inurl:php?pageurl
inurl:php?inter_url           inurl:php?url=
inurl:php?cmd=                inurl:path.php?my=
inurl:php?xlink=              inurl:php?to=
inurl:file.php?disp=

E-commerce sites

Add site: yourself to narrow the scope
inurl:".php?catid=" intext:“View cart”
inurl:".php?catid=" intext:“Buy Now”
inurl:".php?catid=" intext:“add to cart”
inurl:".php?catid=" intext:“shopping”
inurl:".php?catid=" intext:“boutique”
inurl:".php?catid=" intext:"/store/"
inurl:".php?catid=" intext:"/shop/"
inurl:".php?catid=" intext:“Toys”
inurl:details.php?BookID=
inurl:shop.php?do=part&id=

CMS

Add site: yourself to narrow the scope
inurl:article.php?ID= inurl:newsDetail.php?id=
inurl:show.php?id= inurl:newsone.php?id=
inurl:news.php?id= inurl:event.php?id=
inurl:preview.php?id= inurl:pages.php?id=
inurl:main.php?id= inurl:prod_detail.php?id=
inurl:view.php?id= inurl:product.php?id=
inurl:contact.php?Id= inurl:display_item.php?id=
inurl:item.php?id= inurl:view_items.php?id=
inurl:details.asp?id= inurl:profile.asp?id=
inurl:content.asp?id= inurl:display_item.asp?id=
inurl:view_detail.asp?ID= inurl:section.php?id=
inurl:theme.php?id= inurl:produit.php?id=
inurl:chappies.php?id= inurl:readnews.php?id=
inurl:rub.php?idr= inurl:pop.php?id=
inurl:person.php?id= inurl:read.php?id=
inurl:reagir.php?num= inurl:staff_id=
inurl:gallery.php?id= inurl:humor.php?id=
inurl:spr.php?id= inurl:gery.php?id=
inurl:profile_view.php?id=
inurl:fellows.php?id= inurl:ray.php?id=
inurl:productinfo.php?id=
inurl:file.php?cont= inurl:include.php?chapter=
inurl:principal.php?param=
inurl:general.php?menue= inurl:php?pref=
inurl:nota.php?chapter= inurl:php?str=
inurl:php?corpo= inurl:press.php?[]*=
inurl:asp?pid= inurl:php?id=
inurl:aspx?id= inurl:jsp?id=
inurl:do?id= inurl:cgi?id=

Universal passwords (SQL injection login bypass)

Add site: yourself to narrow the scope
inurl:"wladmin/login.asp"
Username : '=' 'or'
Password : '=' 'or'
intext:POWERED BY Versatile Software Services   default admin panel: /alogin.aspx
User ==> 'or''='
Pass ==> 'or''='
inurl:/media.php?hal=login
Email: '=''or'@gmail.com
Pass: '=''or'
intext:"Powered by : Best Webmasterz."   default admin panel: /admin
User : '=' 'OR'
Pass : '=' 'OR'
intext:"Web Design and Maintenance by Cloud 5 Solutions"   default admin panel: /admin/login.php
User : '=' 'OR'
Pass : '=' 'OR'
intext:"网站设计:火龙科技"   default admin panel: /maintain/login.php
Username : '=' 'or'
Password : '=' 'or'
intext:"Powered by Moodyworld"   default admin panel: /admin/
Username : '=' 'or'
Password : '=' 'or'
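Why a "universal password" such as 'or''=' works: when the login code pastes the submitted values into the SQL text, the quote closes the string literal and the rest of the input becomes part of the WHERE clause, which then evaluates to true for every row. The Python/sqlite3 snippet below is an added example, not code from the original post: it shows that vulnerable query next to the parameterized form, which treats the same input as an ordinary string to compare and so cannot be bypassed this way. The users table, the account and the function names are constructed for the example.

```python
import sqlite3
from typing import Dict


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (plaintext only to
    keep the demo short; a real system stores a salted password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'CorrectHorseBatteryStaple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by string formatting, so user input becomes SQL syntax.
    With username = password = 'or''='  the statement becomes
      ... WHERE username=''or''='' AND password=''or''=''
    i.e. username='' OR (''='' AND password='') OR ''='', which is always true."""
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the values are bound separately from the SQL text,
    so quotes and OR inside them are just characters to compare against."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# The "universal password" from the list above, used against both versions.
BYPASS = "'or''='"


def demo() -> Dict[str, bool]:
    """Run the bypass and a legitimate login against both implementations."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, BYPASS, BYPASS),
        "safe_bypassed": login_safe(conn, BYPASS, BYPASS),
        "safe_real_login": login_safe(conn, "admin", "CorrectHorseBatteryStaple"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The same pattern applies to the '=' 'or' variants listed above; the fix is always the parameterized query (plus hashed passwords), never filtering individual quote characters.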

Sensitive information disclosure

Add site: yourself to narrow the scope
site:domain inurl:/phpinfo.php
filetype:log "PHP Parse error" | "PHP Warning"
site:domain "id=" & intext:"Warning: mysql_fetch_array()"
site:domain "id=" & intext:"Warning: getimagesize()"
site:domain "id=" & intext:"Warning: array_merge()"
site:domain "id=" & intext:"Warning: mysql_fetch_assoc()"
site:domain "id=" & intext:"Warning: mysql_result()"
site:domain "id=" & intext:"Warning: pg_exec()"
site:domain "id=" & intext:"Warning: require()"
inurl:/robots.txt site:.
inurl:/application/configs/   // the configuration file is /application/configs/application.ini
----------------------------htpasswd--------------------------------
htpasswd.bak filetype:htpasswd
-----------------------------cisco vpn----------------------------
filetype:pcf "GroupPwd"
Cisco PCF password decoder site ==> https://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
-----------------ftp credentials-----------------------------
"index of/" "ws_ftp.ini" "parent directory"
"your password is" filetype:log
filetype:ini inurl:"serv-u.ini"
filetype:ini inurl:flashFXP.ini
filetype:ini ServUDaemon
filetype:ini wcx_ftp
filetype:ini ws_ftp pwd
ext:inc "pwd=" "UID="
auth_user_file.txt
filetype:sql inurl:backup inurl:wp-content
inurl:/eWebEditor/db/ site:domain
filetype:xls QQ site:cn

Directory listings

site:domain index of /admin
site:domain index of /upfiles
site:domain index of /fckeditor/editor/
site:domain index of /admin/uploadfile
site:domain index of /admin/file
site:domain index of /system/file
site:domain index of /phpmyadmin
site:domain index of /web/backup/
inurl:/phpmyadmin/index.php site:domain

Leftover webshells

Add site: yourself to narrow the scope. Keep collecting the signatures of webshells commonly used at home and abroad; these are only a few examples, and you can assemble your own.
inurl:b374k.php filetype:php
inurl:c99.php
inurl:c100.php Generation time:
inurl:itsecteam_shell.php
intext:x2300 Locus7Shell v. 1.0a beta Modded by
intext:c99shell inurl:c99.php
powered by Captain Crunch Security Team
"inurl:c99.php" + "intext:safe"
intitle:r57shell
intitle:c99shell +uname
inurl:c99.php uid=0(root)
intitle:c99shell+filetype:php
intitle:ly0kha shell
inurl:.php "cURL: ON MySQL: ON MSSQL: OFF"
"Shell" filetype:php intext:"uname -a:" "EDT 2010"
intitle:"intitle:r57shell"
inurl:"c99.php" & intext:Encoder Tools Proc.
inurl:"c100.php" & intext:Encoder Tools Proc.
intitle:"Shell" inurl:".php" & intext:Encoder Tools Proc.
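From the defender's side, every item in the sensitive-information, directory-listing and leftover-webshell lists above is a path worth watching for in your own access logs: a 200 response to such a request is a confirmed exposure, and a crawler user agent fetching it is exactly how the page ends up indexed and findable with these dorks. The Python below is an added example, not code from the original post: it parses Apache combined-format lines, classifies each request against path fragments taken from the lists above, marks whether the server actually served the file, and counts hits per client. The log lines, IP addresses and path lists are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Path fragments drawn from the dork lists on this page: files that should
# never be reachable over HTTP, plus filenames of well-known PHP webshells.
SENSITIVE_PATHS = (
    "/phpinfo.php", "/.svn/entries", "/.bash_history", "/.sh_history",
    "/ws_ftp.ini", "/serv-u.ini", "/.htpasswd", "/htpasswd.bak",
    "/conn.asp", "/phpmyadmin/", "/application/configs/",
)
WEBSHELL_NAMES = ("c99.php", "c100.php", "r57shell", "b374k.php", "itsecteam_shell.php")

# Apache combined log format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /phpinfo.php HTTP/1.1" 200 43210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /.svn/entries HTTP/1.1" 200 912 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /uploads/c99.php?act=ls HTTP/1.1" 200 18822 "-" "curl/7.88.1"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /about.html HTTP/1.1" 200 2201 "-" "Googlebot/2.1"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /.bash_history HTTP/1.1" 404 210 "-" "Googlebot/2.1"
"""


def classify(path: str) -> Optional[str]:
    """Return 'webshell', 'sensitive' or None for a request path (query string ignored)."""
    clean = path.split("?", 1)[0].lower()
    basename = clean.rsplit("/", 1)[-1]
    if any(name in basename for name in WEBSHELL_NAMES):
        return "webshell"
    if any(fragment in clean for fragment in SENSITIVE_PATHS):
        return "sensitive"
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Findings for every request that hits a watched path.

    'served' is True when the server answered 200, i.e. the file really is
    exposed rather than merely probed; 'crawler' marks user agents that look
    like search-engine bots, whose successful fetches become dorkable results.
    """
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        kind = classify(m.group("path"))
        if kind is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "kind": kind,
            "status": int(m.group("status")),
            "served": m.group("status") == "200",
            "crawler": "bot" in m.group("ua").lower(),
        })
    return findings


def hits_per_client(findings: List[Dict[str, object]]) -> Counter:
    """How many watched paths each client touched; useful for ranking sources."""
    return Counter(str(f["ip"]) for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        flag = "EXPOSED" if f["served"] else "probe"
        print(f"{flag:7} {f['kind']:9} {f['ip']:14} {f['path']}")
    print(hits_per_client(results))
```

The split between "served" and "probe" matters for triage: a 404 on /.bash_history is noise from scanners, a 200 means the file must be removed and the listing or rule that exposed it fixed, and a 200 to a webshell filename under an upload directory is an incident, not a configuration issue.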

Database injection points

inurl:categorysearch.php?indus=
intext:"樂天台東民宿網" inurl:news_board.php

Besides the conventional ways of finding injection listed above, you can also try searching for SQL statements directly in page titles or URLs; you may well find something:
intitle: followed by SQL fragments commonly used in injection, such as union, substr(), select, and so on.

Collecting credentials of all kinds (database passwords, ftp, vpn, htpasswd, telnet, ...):

    Password files that may have been left behind:
            inurl:passlist.txt
            inurl:password.txt

    ftp, for example an exposed WS_FTP.ini:
            http://www.cryptoman.com/ftp/
            http://www.cryptoman.com/ftp/WS_FTP.ini
    Other passwords:
            "admin account info" filetype:log
Finding the target's OWA and VPN entry points (paths into the internal network):
    OWA entry:
            inurl:/owa/auth/logon intitle:outlook
            inurl:/owa/auth/logon intext:outlook

    VPN entry:
            inurl:/sslvpn site:hk
Finding easy-to-approach target subdomains:
site:polyu.edu.hk inurl:asp?pid=
site:polyu.edu.hk inurl:aspx?id=
site:polyu.edu.hk inurl:php?id=
site:polyu.edu.hk inurl:jsp?id=
site:polyu.edu.hk inurl:do?id=
site:polyu.edu.hk inurl:cgi?id=

Shodan syntax

A few of Shodan's simple built-in filters:
city:      city; apparently English names only
country:   country code, e.g. cn, us, jp, tw, br, ph, vn, hk
hostname:  host name (for a subdomain, put a dot in front)
net:       network range, a single IP or CIDR notation
os:        operating system, e.g. centOS, win32, red hat, suse
port:      port, e.g. HTTP (80), FTP (21), SSH (22), SNMP (161), SIP (5060)
product:   a specific product name

Some simple search examples follow:
Devices with a given banner in a given city (collect more common software and device banners yourself):
Microsoft-IIS/5.0 city:"TOKYO"   // try each for write permission
Microsoft-IIS/6.0 city:"Seoul"
Microsoft-IIS/7.5 city:"Hong Kong"
apache city:"Nagoya"
Apache/2.2.27 city:"Nagoya"
Tomcat city:"Seoul"
cisco city:"Osaka"
tplink city:"nanjing"
Searching for a given operating system and port:
os:"linux" net:"72.34.62.0/24"
os:"windows" net:"195.40.91.0/24"
Apache city:"Hong Kong" port:"8080" product:"Apache Tomcat/Coyote JSP engine"
Apache city:"Seoul" port:"8080"
hostname:".polyu.edu.hk" os:"windows"

    Software of a given type in a given country or region (again: collect more software banners):
            product:"tomcat"  net:"158.132.18.0/24"
            product:"apache"  net:"158.132.18.0/24"
            product:"iis"     net:"158.132.18.0/24"
            port:"8080" jboss country:CN

    All database servers on a given subnet:
            product:"Mysql"  net:"140.117.13.0/24" port:"3306"
            port:"1433" net:"78.131.197.0/24"
            port:"5432" net:"77.55.149.0/24"
            port:"1521" net:"78.143.192.0/12"
            port:"1521" city:"Osaka"

    Remote administration endpoints:
            os:"windows" port:"3389" net:"107.160.1.0/24"
            os:"linux" port:"22" net:"107.160.1.0/24"
            os:"linux" port:"23" net:"107.160.1.0/24"
            os:"linux" port:"23" net:"87.124.0.0/15"

    ftp:
            port:"21" net:"107.160.1.0/24"
            port:"69" net:"218.242.16.0/24"

    Searching a given city for specific ports, operating systems and devices:
            city:"Hong Kong" port:"69"
            city:"Hong Kong" port:"3389"
            city:"Hong Kong" port:"22"
            city:"Hong Kong" port:"23"
            city:"Hong Kong" port:"3306"
            city:"Hong Kong" port:"110"
            city:"Hong Kong" os:"windows"
            city:"Hong Kong" product:"cisco"
            city:"Hong Kong" port:"8080"

    Searching by country for specific devices, ports and servers:
            port:"23" country:CN
            port:"1433" country:CN
            port:"3389" country:CN
            tplink country:CN
            huawei country:CN
            netcam  country:CN
            country:CN net:"115.225.113.0/24" port:"22"
            country:CN router
            admin login  country:HK
            hacked by country:HK

    Collecting default passwords:
            "default password" city:"Hong Kong"
            country:CN "default password"

    Searching for exploits (in effect, this is just exploit content scraped from elsewhere):
            https://exploits.shodan.io/welcome

    Searching for vulnerable webcams of various kinds:
            netcam net:"187.189.82.0/24"

    Collecting open-source applications in bulk to attempt 0-day exploitation at scale:

    Some common default usernames and passwords, worth a try:
            ACTi: admin/123456 or Admin/123456
            Axis (traditional): root/pass,
            Axis (new): requires password creation during first login
            Cisco: No default password, requires creation during first login
            Grandstream: admin/admin
            IQinVision: root/system
            Mobotix: admin/meinsm
            Panasonic: admin/12345
            Samsung Electronics: root/root or admin/4321
            Samsung Techwin (old): admin/1111111
            Samsung Techwin (new): admin/4321
            Sony: admin/admin
            TRENDnet: admin/admin
            Toshiba: root/ikwd
            Vivotek: root/<blank>
            WebcamXP: admin/ <blank>

Additional notes

Information gathering:
1. Directory listing: site:jiebao8.top intitle:index.of
2. Configuration file disclosure: site:jiebao8.top ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
3. Database file disclosure: site:jiebao8.top ext:sql | ext:dbf | ext:mdb
4. Log file disclosure: site:jiebao8.top ext:log
5. Backup and old files: site:jiebao8.top ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup
6. SQL errors: site:jiebao8.top intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"
7. Public documents: site:jiebao8.top ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
8. phpinfo(): site:jiebao8.top ext:php intitle:phpinfo "published by the PHP Group"
9. Information leaked by unreliable programs
(1) PHP version:
intitle:phpinfo
inurl:info.php
(2) Programs containing SQL injection where the path can be modified, and weak passwords:
"advanced guestbook * powered"
inurl:addentry.php
intitle:"View img" inurl:viewimg.php
10. Security scan reports: "Assessment report" "nessus" filetype:pdf
11. Database programs and error files
"Welcome to phpmyadmin **" "running on * as root@" intitle:phpmyadmin
"mysql error with query"
12. Database download (暴库)
inurl:/inc/conn.asp
inurl:/inc+conn.asp
intext:to parent directory   // directory listing
intext:to parent directory+intext:mdb site:xxx.com
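The leak dorks above (ext:sql, ext:bak, ext:log, phpinfo, conn.asp and the rest) are a list of things that should never sit under a web root, which makes them a checklist you can run locally before anything is published. The Python below is an added example, not part of the original post: it walks a web root and reports files and directories matching those patterns, and it builds a throw-away web root with tempfile so it runs offline. The file names and the pattern sets are constructed from the lists on this page.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Pattern sets constructed from the leak dorks on this page.
RISKY_SUFFIXES = {
    ".sql", ".dbf", ".mdb", ".log", ".bak", ".bkf", ".bkp", ".old", ".backup",
    ".ini", ".conf", ".cnf", ".cfg", ".inc", ".pcf",
}
RISKY_NAMES = {
    "phpinfo.php", "info.php", ".htpasswd", "htpasswd.bak", "ws_ftp.ini",
    "serv-u.ini", ".bash_history", ".sh_history", "conn.asp",
    "application.ini", "passlist.txt", "password.txt",
}
RISKY_DIRS = {".svn", ".git", "backup", "databackup", "db", "phpmyadmin"}


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk a web root and return (relative path, reason) for everything that
    matches the leak patterns, sorted so the output is stable."""
    root_path = Path(root)
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root_path)
        for d in dirnames:
            if d.lower() in RISKY_DIRS:
                findings.append(((rel_dir / d).as_posix(), "exposed directory"))
        for f in filenames:
            rel = (rel_dir / f).as_posix()
            lower = f.lower()
            if lower in RISKY_NAMES:
                findings.append((rel, "known sensitive file"))
            elif Path(lower).suffix in RISKY_SUFFIXES:
                findings.append((rel, "risky extension"))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed throw-away web root: a few harmless files and a few leaks."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in (
        "index.php", "css/site.css", "phpinfo.php", "db/users.sql",
        "admin/config.bak", ".svn/entries", "application/configs/application.ini",
    ):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for path, reason in audit_webroot(sample):
        print(f"{reason:22} {path}")
```

Wire it into the deployment pipeline as a failing check rather than a report: a .svn directory or a stray .sql dump that reaches production is indexed by crawlers long before anyone reads the report.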

Private information

1. Usernames and passwords

"create table" "insert into"
"pass|passwd|password" (ext:sql | ext:dump | ext:txt)
"your password * is" (ext:csv | ext:doc | ext:txt)
2. Keys
"index of" slave_datatrans OR from_master
3. Private keys

"Begin (DSA | RSA)" intext:key
"index of" "secring.gpg"
4. Encrypted messages

"public | pubring | pubkeysignature | pgp | and | or | release" ext:gpg -intext:"and" (ext:enc | ext:axx)
"ciphervalue" ext:xml
5. Confidential information: data that is expected to stay confidential against unauthorized access

1. Chat logs: "session start" "session ident" thomas ext:txt
2. Private letters and mail: "index of" inbox.dbx
"To parent directory" inurl:"Identities"
3. Confidential directories and files: "index of" (private | secure | geheim | gizli)
"robots.txt" "User-agent" ext:txt
"this document is private | confidential | secret" ext:doc | ext:pdf | ext:xls
intitle:"index of" "jpg | png | bmp" inurl:"personal" | inurl:private
4. Online webcams: intitle:"live View/ -AXIS" | inurl:view/view.shtml
inurl:"ViewFrame?Mode="
inurl:"MultiCameraFrame?Mode="
inurl:"axis-cgi/mjpg"
intext:"MOBOTIX M1"
intext:"Open Menu"
inurl:"view/index.shtml"
www.undertree.us/allcams.html   // this should be a related site, but I am not sure; I could not open it even through a proxy. If you manage to open it, please PM me!
Google Video supergirl duration:(short | medium | long) is:free
Online devices: inurl:"hp/device/this.LCDispatcher"
intitle:liveapplet inurl:LvAppl
"Please wait ..." intitle:"SWW link"
Sensitive information

(Data which is normally public but whose disclosure may disturb its owner)

1. On forums, mailing lists and similar: inurl:"search.php?search_author=thomas"
inurl:pipermail "thomas fischer"
2. Sensitive directories
intitle:"index of" inurl:"backup"
3. Web 2.0
"thomas fischer" site:blogspot.com
"thomas" site:flickr.com
"thomas" site:youtube.com
Identifying information

1. Information that identifies a person
Name, address, phone number, extension
allintext: name email phone address intext:"thomas fischer" ext:pdf
Twiki inurl:"View/Main" "thomas fischer"
Resumes
intitle:CV OR intitle:Lebenslauf "thomas fischer"
intitle:CV OR intitle:Lebenslauf ext:pdf OR ext:doc
2. Usernames
intitle:"usage Statistics for" intext:"Total Unique Usernames"

That is the collection of syntax I have gathered to cover what everyday testing needs. Although I marked this article as original, most of it was generously shared by others; as always, it is only here to make my own daily lookups easier, so please go easy on me.
