A few basic filters for Google hacking [keep in mind: the filters are fixed, but the person using them is not; only with maximum imagination can you assemble high-quality dorks]:

intitle:  search the page title for the keyword; useful for finding specific versions of all kinds of web applications by name; allintitle also works
inurl:  search the URL for the keyword; useful for constructing vulnerable URLs of every form; allinurl also works
intext:  search the page body for the keyword; useful for reaching the vulnerable page directly, etc.; allintext also works
filetype:  search for a given file extension, e.g. sql mdb txt bak backup ini zip rar doc xls ...
site:  search only within a specific site
link:  find pages that link to the given URL, e.g. friend links
index of:  used to find directory listings

Some wildcards Google supports (use them selectively; the more precise the query, the fewer the results, so targets are easily missed; this is not a regex after all, and the final goal is finding vulnerabilities):

+  force the query to include a term
-  exclude a term from the query
""  match the quoted phrase exactly
.  match any single character
*  match any characters
|  OR; several alternatives, a result only needs to match one of the keywords

Finding web entry points of all kinds:

Of course this is not limited to ordinary site admin backends. Speaking of admin backends, be sure to try several paths by hand, for example: entry points of what look like the target's intranet web management systems, web-based database management entry points, the web configuration pages of certain devices, common Java consoles, and so on. Think broadly; the tools are in your hands, so try things freely:

Collecting Tomcat entry points [default port 8080]:

Searching like this directly will certainly return a very large number of targets:
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat

We can also search with a specific port number, since some web apps are not on the default port; this is more precise:
intext:$CATALINA_HOME/webapps/ROOT/ inurl:8080/

Search for a specific version:
intext:$CATALINA_HOME/webapps/ROOT/ intitle:Apache Tomcat/5.5.27 site:*.hk
intext:$CATALINA_HOME/webapps/ROOT/ intitle:Apache Tomcat/7.0.32 site:*.gov.br
intext:$CATALINA_HOME/webapps/ROOT/ intitle:Apache Tomcat/5.0.12 site:*.cn
intext:$CATALINA_HOME/webapps/ROOT/ intitle:Apache Tomcat/6.0.24 site:*.com

Search for specific kinds of target sites:
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:*.edu.*
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:*.gov.*
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:*.org.*
intext:$CATALINA_HOME/webapps/ROOT/ intitle:Apache Tomcat/7.0 site:*.org.*
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:*.jp
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:*.vn
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:*.ph
intext:$CATALINA_HOME/webapps/ROOT/ intitle:Apache Tomcat site:*.uk

Incidentally found that one of Baidu's subdomains had turned into a gambling site:
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:baidu.com
intext:$CATALINA_HOME/webapps/ROOT/ intitle:apache tomcat site:org.tw

Collecting WebLogic entry points:

inurl:/console/login/LoginForm.jsp
  this scope is too broad; adapt it freely following the examples above
inurl:/console/login/LoginForm.jsp intitle:Oracle WebLogic Server
inurl:/console/login/ intitle:"Oracle WebLogic Server 管理控制台"

Collecting JBoss entry points:
inurl:/jmx-console/htmladaptor
inurl:/jmx-console/htmladaptor site:*.edu.*
inurl:/jmx-console/htmladaptor site:*.org.*
inurl:/jmx-console/htmladaptor site:*.tw

Collecting WebSphere entry points:
inurl:/ibm/console/logon.jsp

Collecting phpMyAdmin entry points:
inurl:/phpMyAdmin/index.php
inurl:/phpMyAdmin/index.php db+information_schema
  narrows the hits to pages showing that data
inurl:/phpMyAdmin/index.php intext:phpMyAdmin 2.7.0
  search directly for a specific version number; more precise
inurl:/phpMyAdmin/index.php site:*.tw
inurl:/phpMyAdmin/index.php site:*.hk

Batch-collecting Webmin entry points [default port 10000]:
intitle:Login to Webmin intext:"login to the Webmin server on"

Batch-searching for WordPress installs [there are many fingerprints; construct your own freely]:
index of /wp-content/uploads
inurl:/wp-login.php
inurl:/wp-content/themes/theagency
  upload vulnerability

Batch-searching for Joomla installs:
inurl:/administrator/index.php
inurl:index.php?option=com_advertisementboard
  look for injection
inurl:index.php?option=com_carocci
inurl:index.php?option=com_product

Batch-searching for Drupal installs:
inurl:CHANGELOG.txt intext:drupal intext:"SA-CORE" -site:github.com -site:drupal.org

Batch-searching for Discuz installs:

Batch-collecting OpenCart installs:

Batch-collecting phpBB installs:

Of course, you can also find specific open-source applications by the fingerprints below [the hit rate is clearly lower than searching directly for characteristic directories]:
power by wordpress
powered by discuz x3.2
powered by phpcms 2008
powered by drupal 7
powered by dedecmsv57_gbk
powered by CubeCart 3.0.6
Powered by phpBB 2.0.6
powered by paBugs 2.0 Beta 3
inurl:wp-login.php
inurl:/administrator/index.php
inurl:/admina.php

Batch-collecting the target's webmail entry points of all kinds [not always present; try many. It is information gathering after all, and the more valuable what you find, the better; webmail]:

OWA:
inurl:/owa/auth/logon.aspx
inurl:/owa/auth/logon.aspx site:*.org.*

Mirapoint (ShellShock):
inurl:/cgi-bin/search.cgi site:*.org.*
inurl:/cgi-bin/madmin.cgi

Zimbra (local file inclusion):
inurl:7071/zimbraAdmin/
inurl:/help/en_US/standard/version.htm

Atmail (leak of the configuration file used to connect to the database):

TurboMail (misconfiguration; access to any mailbox):

U-mail (injection & getshell):

Lotus Domino Webmail (unauthorized access):

Batch-finding ordinary site admin backends. The php below can also be swapped for asp, aspx or jsp and tried repeatedly; since every country has its own naming habits for backends, only some with a relatively high hit rate are listed here. Once you have found a backend, remember to habitually try a few weak passwords, universal passwords and the like:
inurl:/manager/login.php site:*.jp
inurl:/cms/login.php site:*.jp
inurl:/manage/index.php site:*.jp
inurl:/system/login.php site:*.jp
inurl:/webadmin/login.php site:*.tw
inurl:admin_login.php intitle:admin login
inurl:admin_login.php intitle:admin page
inurl:/admin/login.php site:*.tw
inurl:/admin/index.php site:*.tw
inurl:/system/adminlogin.asp site:*.tw
inurl:/manage/login.aspx site:*.tw
inurl:/sysadm/index.php site:*.com
...

Don't overlook SVN leaks:
inurl:/.svn/entries
inurl:/.svn/entries site:*.org.*
inurl:/.svn/entries site:*.gov.br
inurl:/.svn/entries site:*.hk

Batch-finding target backends with unauthorized access:
intext:"Website Design & Developed By : WebSay"
  default backend /admin
intext:"Powered by ENS Consultants"
  default backend /admin/login.php
intext:"Desenvolvimento - MW Way"
  default backend /admin/index.php
inurl:.php?id= intext:"Web realizada por Soma Estudio"
inurl:/_mycps/login.php

Batch-finding weak passwords:
intext:"design by weli"
  default backend: /adm/login.php; besides weak passwords there is also injection
  username : [email protected] password : lin719192

Find as many exploitable upload points as possible [e.g. the addresses of the typical vulnerable editors: ck, kindeditor, fck, ewebeditor ...]:
intext:" Powered by JADBM "
  JADBM CMS upload shell; register, log in and upload
inurl:"/index.php/frontend/login/en"
  Estate CMS upload shell; register, log in and upload
inurl:/Content/Roxy_Fileman/
  the upload point is directly under this path
index of:"filemanager/dialog.php"
  this script is the upload script; upload directly
intext:"Desenvolvido por Webnet Soluções Tecnológicas."
  FCK upload
inurl:"subir_foto.php"
  upload point
inurl:"/imce?dir=" intitle:"File Browser"
inurl:"Powered by Vision Helpdesk 3.9.10 Stable"
  register, log in, edit the personal profile and upload
index of /admin/fckeditor site:*.tw
inurl:/ewebeditor/ site:*.tw
inurl:/admin/upload_file.php
inurl:/admin/upfile.php
inurl:/admin/upload.asp

Finding possible file inclusion and command execution vulnerabilities:
inurl:footer.inc.php?settings=
inurl:/pb_inc/admincenter/index.php?page=
inurl:/pnadmin/categories.inc.php?subpage=
inurl:/index.php??view=src/sistema/vistas/
inurl:/edit.php?em=file&filename=
inurl:/path_to_athena/athena.php?athena_dir=
  remote inclusion
inurl:/path_to_qnews/q-news.php?id=
  remote inclusion
inurl:/inc/backend_settings.php?cmd=
inurl:login.action
  Struts2 series execution vulnerability exploitation
inurl:php?x=
inurl:php?open=
inurl:php?visualizar=
inurl:php?pagina=
inurl:php?inc=
inurl:php?include_file=
inurl:php?page=
inurl:php?pg=
inurl:php?show=
inurl:php?cat=
inurl:php?file=
inurl:php?path_local=
inurl:php?filnavn=
inurl:php?HCL_path=
inurl:php?doc=
inurl:php?appdir=
inurl:php?phpbb_root_dir=
inurl:php?phpc_root_path=
inurl:php?path_pre=
inurl:php?nic=
inurl:php?sec=
inurl:php?content=
inurl:php?link=
inurl:php?filename=
inurl:php?dir=
inurl:php?document=
inurl:index.php?view=
inurl:*.php?locate=
inurl:*.php?place=
inurl:*.php?layout=
inurl:*.php?go=
inurl:*.php?catch=
inurl:*.php?mode=
inurl:*.php?name=
inurl:*.php?loc=
inurl:*.php?f=
inurl:*.php?inf=
inurl:*.php?pg=
inurl:*.php?load=
inurl:*.php?naam=
allinurl:php?page=
allinurl:php?file=
inurl:php?x=
inurl:admin.php?cal_dir=
inurl:php?include=
inurl:php?nav=
inurl:*.php?sel=
inurl:php?p=
inurl:php?conf=
inurl:php?prefix=
inurl:theme.php?THEME_DIR=
inurl:php?lvc_include_dir=
inurl:php?basepath=
inurl:php?pm_path=
inurl:php?user_inc=
inurl:php?cutepath=
inurl:php?fil_config=
inurl:php?libpach=
inurl:php?pivot_path=
inurl:php?rep=
inurl:php?conteudo=
inurl:php?root=
inurl:php?configFile
inurl:php?pageurl
inurl:php?inter_url
inurl:php?url=
inurl:php?cmd=
inurl:path.php?my=
inurl:php?xlink=
inurl:php?to=
inurl:file.php?disp=

Finding database injection of all kinds:
inurl:categorysearch.php?indus=
intext:"樂天台東民宿網" inurl:news_board.php

Small e-commerce injection:
inurl:".php?catid=" intext:"View cart"
inurl:".php?catid=" intext:"Buy Now"
inurl:".php?catid=" intext:"add to cart"
inurl:".php?catid=" intext:"shopping"
inurl:".php?catid=" intext:"boutique"
inurl:".php?catid=" intext:"/store/"
inurl:".php?catid=" intext:"/shop/"
inurl:".php?catid=" intext:"Toys"
inurl:details.php?BookID=
inurl:shop.php?do=part&id=

Ordinary CMS injection:
inurl:article.php?ID=
inurl:newsDetail.php?id=
inurl:show.php?id=
inurl:newsone.php?id=
inurl:news.php?id=
inurl:event.php?id=
inurl:preview.php?id=
inurl:pages.php?id=
inurl:main.php?id=
inurl:prod_detail.php?id=
inurl:view.php?id=
inurl:product.php?id=
inurl:contact.php?Id=
inurl:display_item.php?id=
inurl:item.php?id=
inurl:view_items.php?id=
inurl:details.asp?id=
inurl:profile.asp?id=
inurl:content.asp?id=
inurl:display_item.asp?id=
inurl:view_detail.asp?ID=
inurl:section.php?id=
inurl:theme.php?id=
inurl:produit.php?id=
inurl:chappies.php?id=
inurl:readnews.php?id=
inurl:rub.php?idr=
inurl:pop.php?id=
inurl:person.php?id=
inurl:read.php?id=
inurl:reagir.php?num=
inurl:staff_id=
inurl:gallery.php?id=
inurl:humor.php?id=
inurl:spr.php?id=
inurl:gery.php?id=
inurl:profile_view.php?id=
inurl:fellows.php?id=
inurl:ray.php?id=
inurl:productinfo.php?id=
inurl:file.php?cont=
inurl:include.php?chapter=
inurl:principal.php?param=
inurl:general.php?menue=
inurl:php?pref=
inurl:nota.php?chapter=
inurl:php?str=
inurl:php?corpo=
inurl:press.php?*
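The operator and wildcard semantics described at the top of this post (intitle:, inurl:, intext:, site:, filetype:, quoted phrases, - exclusion and the | OR) are what decide whether a dork from any of the lists above will surface a page. The following is an added example, not code from the original post: a small offline evaluator that re-implements those operators and runs dork strings against a web asset inventory of your own, so that an owner can check which of their pages a given dork would expose before a search engine indexes them. The Page records, hostnames, titles and body texts in INVENTORY are constructed sample data; the site: wildcard handling is my reading of the operator descriptions above, not Google's published matching rules.

```python
"""Check your own web asset inventory against Google dorks, offline.

Added example, not code from the original post. It re-implements the
operators the post lists (intitle:, inurl:, intext:, site:, filetype:,
quoted phrases, -term exclusion and the | OR operator) and evaluates each
dork against a constructed page inventory, so a defender can see which of
their own pages a given dork would surface. All hosts and texts below are
constructed samples.
"""
import re
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Page:
    """One crawled page from your own inventory (constructed sample data)."""
    url: str
    title: str
    text: str


def parse_dork(dork):
    """Split a dork into AND-ed groups of (negated, term) alternatives.

    Google's | binds only its two neighbours, so `a b | c -d` becomes
    [[a], [b, c], [NOT d]]. shlex keeps "quoted phrases" as one term and
    raises ValueError on unbalanced quotes, which is the right failure.
    """
    groups, pending_or = [], False
    for tok in shlex.split(dork):
        if tok == "|":
            pending_or = True
            continue
        negated = tok.startswith("-")
        item = (negated, tok[1:] if negated else tok)
        if pending_or and groups:
            groups[-1].append(item)
        else:
            groups.append([item])
        pending_or = False
    return groups


def site_matches(host, pattern):
    """site: semantics: 'example.com' covers the host and every subdomain;
    a '*' inside the pattern (site:*.gov.br, site:*.edu.*) matches any run
    of characters. Assumption: this mirrors the post's operator description."""
    if "*" in pattern:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    else:
        regex = r"(.*\.)?" + re.escape(pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def term_matches(page, term):
    """Evaluate one operator:value (or bare keyword) against a page."""
    op, sep, value = term.lower().partition(":")
    url, title, text = page.url.lower(), page.title.lower(), page.text.lower()
    if not sep:                       # bare keyword: anywhere on the page
        return op in url or op in title or op in text
    if op in ("intitle", "allintitle"):
        return value in title
    if op in ("inurl", "allinurl"):
        return value in url
    if op in ("intext", "allintext"):
        return value in text
    if op == "site":
        return site_matches(urlparse(page.url).hostname or "", value)
    if op == "filetype":
        return urlparse(url).path.endswith("." + value)
    # Unknown operator (e.g. the post's "index of:" form): fall back to
    # treating the value as a bare keyword.
    return value in url or value in title or value in text


def dork_matches(page, dork):
    """True if every AND group has at least one satisfied alternative."""
    return all(any(term_matches(page, t) != neg for neg, t in group)
               for group in parse_dork(dork))


def audit(pages, dorks):
    """Map each dork to the inventory URLs it would surface (no-hit dorks omitted)."""
    hits = {}
    for dork in dorks:
        urls = [p.url for p in pages if dork_matches(p, dork)]
        if urls:
            hits[dork] = urls
    return hits


INVENTORY = [  # constructed sample pages; not real hosts
    Page("http://apps.example.gov.br:8080/", "Apache Tomcat/7.0.32",
         "If you're seeing this, you've successfully installed Tomcat. "
         "$CATALINA_HOME/webapps/ROOT/index.html"),
    Page("https://mail.example.org.tw/owa/auth/logon.aspx", "Outlook Web App", "Sign in"),
    Page("https://www.example.org/.svn/entries", "", "10\n\ndir\n42\nsvn://repo"),
    Page("https://www.example.org/news.php?id=7", "News", "Latest news"),
    Page("https://www.example.com/about.html", "About us", "Company history"),
]

DORKS = [  # the first three are from the post; the last two exercise | and a miss
    "intext:$CATALINA_HOME/webapps/ROOT/ intitle:Apache Tomcat/7.0.32 site:*.gov.br",
    "inurl:/owa/auth/logon.aspx site:*.org.*",
    "inurl:/.svn/entries -site:github.com",
    "inurl:news.php?id= | inurl:show.php?id=",
    "inurl:/phpMyAdmin/index.php",
]

if __name__ == "__main__":
    for dork, urls in audit(INVENTORY, DORKS).items():
        print(dork)
        for u in urls:
            print("   exposed:", u)
```

Run against a real inventory, every dork that comes back with a URL list is a page to take down, gate behind authentication, or exclude from indexing, and the absence of a hit for a dork is only as good as the inventory's coverage.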