More Google Hacking: Looking for Hidden Stuff
We recently talked about hiding your stuff from Google. From using password protection, to hidden directories, to the robots.txt file, you can stay under Google’s radar and keep your private stuff private. But other people may not be so knowledgeable about this. Sad to say, even some webmasters are not familiar with how to secure their files from the prying eyes of Google (or Google users).
Here are some ways by which you can look for supposedly hidden files and other content with Google.
Look for error messages. Error messages on websites may indicate vulnerabilities in the system or a misconfiguration that can be exploited. While there are a vast number of error messages you can get from websites, here’s one common message that might mean a server can easily be compromised: A syntax error has occurred. On Google, you can search for such sites using this syntax:
"A syntax error has occurred" filetype:ihtml
These sites could have database errors or missing files, and this means you can probably access information if you know how to poke around.
Look for password lists. Some sites and webmasters store their password lists in unencrypted text or Excel files, and these can easily be accessed if their hosts are not hidden or protected. You can do a search using the following string:
(password | passcode) (username | userid | user) filetype:csv
Chances are, some passwords are encrypted, but you still get username and email information, and sometimes you can even get the default passwords (which some people don’t change, anyway).
Look for weak servers. There are good servers and there are weak servers. Sometimes, it’s the consumer-grade web server solutions that are quite easy to crack. For instance, take Microsoft IIS. You can use the following search string to look for IIS-powered sites with some errors.
intitle:"the page cannot be found" inetmgr
Chances are these are hosted on home or office computers that are less likely to be secured than enterprise or professional hosting solutions. Sometimes even regular Windows file sharing or FTP can give you access to the files hosted on these sites.
A caveat
Of course, we don’t condone cracking, but this information is useful for informational purposes, and for testing your own sites for vulnerabilities. You can always add the “site:” operator to these searches to see if your own site is vulnerable.
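The same self-test can be run from the server side, before a crawler ever sees the files. The script below is an added example, not part of the original post: it walks a web root on disk and flags files that would match the three searches above. The rule labels, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Local equivalents of the three searches in this post (case-insensitive, like Google).
# Each rule: (label, required file extension or None, patterns that must ALL match).
RULES = [
    ("syntax-error page", ".ihtml", [r"a syntax error has occurred"]),
    ("credential list", ".csv",
     [r"\b(password|passcode)\b", r"\b(username|userid|user)\b"]),
    ("IIS default 404", None,
     [r"<title>[^<]*the page cannot be found[^<]*</title>", r"\binetmgr\b"]),
]

def audit_webroot(root):
    """Return sorted (relative_path, label) pairs for files a crawler could index."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        for label, ext, patterns in RULES:
            if ext and path.suffix.lower() != ext:
                continue
            if all(re.search(p, text, re.IGNORECASE) for p in patterns):
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)

def build_sample_webroot(root):
    """Write constructed sample files (not taken from any real site)."""
    files = {
        "index.html": "<title>Home</title><p>Welcome</p>",
        "report.ihtml": "<p>A syntax error has occurred near line 3</p>",
        "backup/users.csv": "userid,email,password\n1,a@example.test,REDACTED\n",
        "data/prices.csv": "sku,price\n1,9.99\n",
        "404.htm": "<title>The page cannot be found</title><p>Open inetmgr</p>",
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

def run_demo():
    """Audit the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return audit_webroot(tmp)

if __name__ == "__main__":
    for rel_path, label in run_demo():
        print(f"{label:20} {rel_path}")
```

Point audit_webroot() at your real document root; anything it reports should be moved out of the web root, password-protected, or fixed at the source.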
More “uncovering hidden stuff” hacks to come soon.