Document Grinding and Database Digging • Chapter 4

Table 4.7 (continued) Queries That Locate Database Error Messages

| Description | Query |
| --- | --- |
| ColdFusion error message, can reveal SQL statements and server information | intitle:"Error Occurred While Processing Request" |
| ColdFusion error message, can reveal source code, full pathnames, SQL query info, database name, SQL state information, and local time information | intitle:"Error Occurred" "The error occurred in" filetype:cfm |
| Coldfusion Error Pages reveal many different types of information | "Error Diagnostic Information" intitle:"Error Occurred While" |
| DB2 error message can reveal path names, function names, filenames, partial code and program state | "detected an internal error [IBM][CLI Driver][DB2/6000]" |
| DB2 error message can reveal path names, function names, filenames, partial code and program state | An unexpected token "END-OF-STATEMENT" was found |
| DB2 error message, can reveal pathnames, function names, filenames, partial code, and program state | "detected an internal error [IBM][CLI Driver][DB2/6000]" |
| DB2 error message, can reveal pathnames, function names, filenames, partial code, and program state | An unexpected token "END-OF-STATEMENT" was found |
| Discuz! Board error may reveal path information or partial SQL code listings | filetype:php inurl:"logging.php" "Discuz" error |
| Generic SQL message, can reveal pathnames and partial SQL code | "You have an error in your SQL syntax near" |
| Generic error can reveal path information | "Warning: Supplied argument is not a valid File-Handle resource in" |
| Generic error message can be used to determine operating system and web server version | intitle:"Under construction" "does not currently have" |
| Generic error message can reveal compiler used, language used, line numbers, program names and partial source code | "Fatal error: Call to undefined function" -reply -the -next |
| Generic error message reveals full path information | "Warning:" "SAFE MODE Restriction in effect." "The script whose uid is" "is not allowed to access owned by uid 0 in" "on line" |
| Generic error message, reveals various information | "Error Diagnostic Information" intitle:"Error Occurred While" |
| Generic error messages reveal path names, php file names, line numbers and include paths | intext:"Warning: Failed opening" "on line" "include_path" |
| Generic error reveals full path info | "Warning: Division by zero in" "on line" -forum |
| HyperNews error reveals the server software, server OS, server account user/group (unix), server administrator email address, and even stack traces | intitle:"Error using Hypernews" "Server Software" |
| IIS 4.0 error messages reveal the existence of an extremely old version of IIS | intitle:"the page cannot be found" inetmgr |
| IIS error message reveals somewhat unmodified (and perhaps unpatched) IIS servers | intitle:"the page cannot be found" "internet information services" |
| Informix error message can reveal path names, function names, filenames and partial code | "A syntax error has occurred" filetype:ihtml |
| Informix error message can reveal path names, function names, filenames and partial code | "An illegal character has been found in the statement" -"previous message" |
| MYSQL error message reveals path names | "supplied argument is not a valid MySQL result resource" |
| MySQL error message can reveal a variety of information. | "mySQL error with query" |
| MySQL error message can reveal database name, path names and partial SQL code | "Can't connect to local" intitle:warning |
| MySQL error message can reveal path names and partial SQL code | "You have an error in your SQL syntax near" |
| MySQL error message can reveal path names, function names, filenames and partial SQL code | "ORA-00921: unexpected end of SQL command" |
| MySQL error message can reveal path names, function names, filenames and partial SQL code | "Supplied argument is not a valid MySQL result resource" |
| MySQL error message can reveal path names, function names, filenames and partial code | "Incorrect syntax near" |
| MySQL error message can reveal path names, function names, filenames and partial code | "Incorrect syntax near" -the |
| MySQL error message can reveal path names, function names, filenames and partial code | "Unclosed quotation mark before the character string" |
| MySQL error message can reveal the username, database, path names and partial SQL code | "access denied for user" "using password" |
| MySQL error message, reveals real pathnames and listings of other PHP scripts on the server | "supplied argument is not a valid MySQL result resource" |
| MySQL error message, reveals various information | "MySQL error with query" |
| MySQL error reveals database schema and usernames. | "Warning: mysql_query()" "invalid query" |
| Netscape Application Server or iPlanet application servers error reveals the installation of extremely outdated software. | intitle:"404 SC_NOT_FOUND" |
| ODBC SQL error may reveal table or row queried, full database name and more | filetype:asp + "[ODBC SQL" |
| Oracle SQL error message, reveals full Web pathnames and/or php filenames | "ORA-00921: unexpected end of SQL command" |
| Oracle SQL error message, reveals pathnames, function names, filenames, and partial SQL code | "ORA-00933: SQL command not properly ended" |
| Oracle SQL error message, reveals pathnames, function names, filenames, and partial SQL code | "ORA-00936: missing expression" |
| Oracle error message can reveal path names, function names, filenames and partial SQL code | "ORA-00933: SQL command not properly ended" |
| Oracle error message can reveal path names, function names, filenames and partial database code | "ORA-00936: missing expression" |
| Oracle error message may reveal partial SQL code, path names, file names, and data sources | "ORA-12541: TNS:no listener" intitle:"error occurred" |
| Oracle error message, reveals SQL code, pathnames, filenames, and data sources | "ORA-12541: TNS:no listener" intitle:"error occurred" |
| PHP error logs can reveal various types of information | filetype:log "PHP Parse error" \| "PHP Warning" \| "PHP Error" |
| PHP error message can reveal path names, function names, filenames and partial code | "Warning: Cannot modify header information - headers already sent" |
| PHP error message can reveal the webserver's root directory and user ID | "The script whose uid is " "is not allowed to access" |
| PHP error messages reveal path names, PHP file names, line numbers and include paths. | PHP application warnings failing "include_path" |
| PHP error reveals web root path | "Parse error: parse error, unexpected T_VARIABLE" "on line" filetype:php |
| PostgreSQL error message can reveal path information and database names | "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" |
| PostgreSQL error message can reveal path names, function names, filenames and partial code | "PostgreSQL query failed: ERROR: parser: parse error" |
| PostgreSQL error message can reveal path names, function names, filenames and partial code | "Supplied argument is not a valid PostgreSQL result" |
| PostgreSQL error message, can reveal pathnames, function names, filenames, and partial code | "PostgreSQL query failed: ERROR: parser: parse error" |
| PostgreSQL error message, can reveal pathnames, function names, filenames, and partial code | "Supplied argument is not a valid PostgreSQL result" |
| Postgresql error message, reveals path information and database names | "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" |
| SQL error may reveal potential SQL injection points. | "[SQL Server Driver][SQL Server]Line 1: Incorrect syntax near" -forum -thread -showthread |
| SQL error message reveals full path info | "Invision Power Board Database Error" |
| SQL error message reveals full pathnames and/or PHP filenames. | "ORA-00921: unexpected end of SQL command" |
| SQL error message, can reveal pathnames, function names, filenames, and partial code (variation) | "Can't connect to local" intitle:warning |
| SQL error message, can reveal pathnames, function names, filenames, and partial code (variation) | "Incorrect syntax near" -the |
| SQL error message, can reveal pathnames, function names, filenames, and partial code (variation) | "access denied for user" "using password" |
| SQL error message, can reveal pathnames, function names, filenames, and partial code | "Incorrect syntax near" |
| SQL error message, can reveal pathnames, function names, filenames, and partial code | "Unclosed quotation mark before the character string" |
| Sablotron XML error can reveal partial source code, path and filename information and more | warning "error on line" php sablotron |
| Snitz Microsoft Access database error may reveal the location and name of the database, potentially making the forum vulnerable to unwanted download | databasetype. Code : 80004005. Error Description : |
| Softcart error message may reveal configuration file location and server file paths | intitle:Configuration.File inurl:softcart.exe |
| This dork reveals logins to databases that were denied for some reason. | "Warning: mysql_connect(): Access denied for user: '*@*" "on line" -help -forum |
| Windows 2000 error messages reveal the existence of an extremely old version of Windows | intitle:"the page cannot be found" "2004 microsoft corporation" |
| cgiwrap error message reveals admin name and email, port numbers, path names, and may also include optional information like phone numbers for support personnel | intitle:"Execution of this script not permitted" |
| ht://Dig error can reveal administrative email, validation of a cgi-bin executable directory, directory structure, location of a search database file and possible naming conventions | intitle:"htsearch error" ht://Dig error |
| vbulletin error reveals SQL code snippets | "There seems to have been a problem with the" " Please try again by clicking the Refresh button in your web browser." |

In addition to revealing information about the database server, error messages can also reveal much more dangerous information about potential vulnerabilities that exist in the server. For example, consider an error such as “SQL command not properly ended”, displayed in Figure 4.9. This error message indicates that a terminating character was not found at the end of an SQL statement. If a command accepts user input, an attacker could leverage the information in this error message to execute an SQL injection attack.

Figure 4.9 The Discovery of a Dangerous Error Message

Database Dumps

The output of a database into any format can be considered a database dump. For the purposes of Google hacking, however, we’ll use the term database dump to describe the text-based conversion of a database. As we’ll see next in this chapter, it’s entirely possible for an attacker to locate just about any type of binary database file, but standardized formats (such as the text-based SQL dump shown in Figure 4.10) are very commonplace on the Internet.
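The error strings in Table 4.7 can be turned around and used to check your own application's responses for the same leaks before a search engine indexes them. The Python below is an added example, not code from the book; the choice of signatures, the `ORA-\d{5}:` generalisation of the table's four ORA codes, the function names and the sample bodies are assumptions made for illustration.

```python
import re

# Error-message fragments from the Query column of Table 4.7, by product.
# r"ORA-\d{5}:" generalises the four ORA codes the table lists (an assumption).
SIGNATURES = {
    "ColdFusion": [r"Error Diagnostic Information"],
    "DB2": [r"\[IBM\]\[CLI Driver\]\[DB2"],
    "MySQL": [r"You have an error in your SQL syntax",
              r"supplied argument is not a valid MySQL result resource",
              r"Warning: mysql_(?:query|connect)\(\)",
              r"access denied for user"],
    "Oracle": [r"ORA-\d{5}:"],
    "PostgreSQL": [r"pg_connect\(\): Unable to connect to PostgreSQL server",
                   r"PostgreSQL query failed: ERROR",
                   r"Supplied argument is not a valid PostgreSQL result"],
    "SQL Server": [r"\[SQL Server Driver\]\[SQL Server\]"],
    "PHP": [r"Fatal error: Call to undefined function",
            r"Warning: Division by zero in",
            r"Cannot modify header information - headers already sent"],
}
COMPILED = [(prod, re.compile(pat, re.I))
            for prod, pats in SIGNATURES.items() for pat in pats]
# PHP-style trailer "in /path/file.php on line 12" exposes a path and line number.
PATH_RE = re.compile(
    r"\bin\s+(?:<b>)?((?:/|[A-Za-z]:\\)[^\s<]+)(?:</b>)?\s+on line\s+(?:<b>)?(\d+)",
    re.I)

def audit_response(body):
    """Return (products whose errors appear, leaked (path, line) pairs) for one body."""
    products = sorted({prod for prod, rx in COMPILED if rx.search(body)})
    paths = [(m.group(1), int(m.group(2))) for m in PATH_RE.finditer(body)]
    return products, paths

# Constructed response bodies keyed by hypothetical URLs of your own application.
SAMPLES = {
    "/item.php": "<b>Warning</b>: mysql_query(): You have an error in your SQL "
                 "syntax near 'x' in <b>/var/www/shop/item.php</b> on line <b>42</b>",
    "/report": "ORA-00933: SQL command not properly ended",
    "/about": "<h1>About us</h1><p>Opening hours and directions.</p>",
}

def audit_all(samples):
    """Map each URL whose body leaks an error to its audit_response() result."""
    results = {url: audit_response(body) for url, body in samples.items()}
    return {url: r for url, r in results.items() if r[0] or r[1]}

if __name__ == "__main__":
    for url, (products, paths) in audit_all(SAMPLES).items():
        print(url, products, paths)
```

Any URL this flags is returning raw driver or interpreter errors to the client; the usual fix is a generic error page with the detail written to a server-side log.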
Figure 4.10 A Typical SQL Dump

Using a full database dump, a database administrator can completely rebuild a database. This means that a full dump details not only the structure of the database’s tables but also every record in each and every table. Depending on the sensitivity of the data contained in the database, a database dump can be very revealing and obviously makes a terrific tool for an attacker.

There are several ways an attacker can locate database dumps. One of the most obvious ways is by focusing on the headers of the dump, resulting in a query such as “#Dumping data for table”, as shown in Figure 4.10. This technique can be expanded to work on just about any type of database dump headers by simply focusing on headers that exist in every dump and that are unique phrases that are unlikely to produce false positives. Specifying additional specific interesting words or phrases such as username, password, or user can help narrow this search. For example, if the word password exists in a database dump, there’s a good chance that a password of some sort is listed inside the database dump. With proper use of the OR symbol ( | ), an attacker can craft an extremely effective search, such as “# Dumping data for table” (user | username | pass | password).

In addition, an attacker could focus on file extensions that some tools add to the end of a database dump by querying for filetype:sql sql and further narrowing to specific words, phrases, or sites. The SQL file extension is also used as a generic description of batched SQL commands. Table 4.8 lists queries that locate SQL database dumps.
Table 4.8 Queries That Locate SQL Database Dumps

| Query | Description |
| --- | --- |
| inurl:nuke filetype:sql | php-nuke or postnuke CMS dumps |
| filetype:sql password | SQL database dumps or batched SQL commands |
| filetype:sql "IDENTIFIED BY" -cvs | SQL database dumps or batched SQL commands, focus on "IDENTIFIED BY", which can locate passwords |
| "# Dumping data for table (username\|user\|users\|password)" | SQL database dumps or batched SQL commands, focus on interesting terms |
| "#mysql dump" filetype:sql | SQL database dumps |
| "# Dumping data for table" | SQL database dumps |
| "# phpMyAdmin MySQL-Dump" filetype:txt | SQL database dumps created by phpMyAdmin |
| "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" | SQL database dumps created by phpMyAdmin (variation) |

Actual Database Files

Another way an attacker can locate databases is by searching directly for the database itself. This technique does not apply to all database systems, only those systems in which the database is represented by a file with a specific name or extension. Be advised that Google will most likely not understand how to process or translate these files, and the summary (or “snippet”) on the search result page will be blank and Google will list the file as an “unknown type,” as shown in Figure 4.11.

Figure 4.11 Database Files Themselves Are Often Unknown to Google

If Google does not understand the format of a binary file, as with many of those located with the filetype operator, you will be unable to search for strings within that file. This considerably limits the options for effective searching, forcing you to rely on inurl or site operators instead. Table 4.9 lists some queries that can locate database files.
Table 4.9 Queries That Locate Database Files

| Query | Description |
| --- | --- |
| filetype:cfm "cfapplication name" password | ColdFusion source code |
| filetype:mdb inurl:users.mdb | Microsoft Access user database |
| inurl:email filetype:mdb | Microsoft Access e-mail database |
| inurl:backup filetype:mdb | Microsoft Access backup databases |
| inurl:forum filetype:mdb | Microsoft Access forum databases |
| inurl:/db/main.mdb | ASP-Nuke databases |
| inurl:profiles filetype:mdb | Microsoft Access user profile databases |
| filetype:asp DBQ=" * Server.MapPath("*.mdb") | Microsoft Access database connection string search |
| allinurl: admin mdb | Microsoft Access administration databases |

Automated Grinding

Searching for files is fairly straightforward—especially if you know the type of file you’re looking for. We’ve already seen how easy it is to locate files that contain sensitive data, but in some cases it might be necessary to search files offline. For example, assume that we want to troll for yahoo.com e-mail addresses. A query such as “@yahoo.com” email is not at all effective as a Web search, and even as a Group search it is problematic, as shown in Figure 4.12.

Figure 4.12 A Generic E-Mail Search Leaves Much to Be Desired
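The dump headers of Table 4.8 and the file extensions of Table 4.9 also work as an audit of your own document root: text dumps can be recognised by content whatever they are named, while binary database files can only be recognised by name, which mirrors the search-engine limitation described under Actual Database Files. The Python below is an added example, not code from the book; the function names, the finding labels and the sample files are assumptions made for illustration.

```python
import os, re, tempfile
from pathlib import Path

# Header phrases, terms and extensions taken from Tables 4.8 and 4.9.
DUMP_HEADERS = re.compile(
    rb"#\s?Dumping data for table|#\s?mysql dump|# phpMyAdmin MySQL-Dump", re.I)
CREDENTIAL_TERMS = re.compile(rb"IDENTIFIED BY|\b(?:username|users?|pass(?:word)?)\b", re.I)
DB_EXTENSIONS = {".sql", ".mdb"}

def classify(path, head_size=65536):
    """Return findings for one file, reading only its first head_size bytes."""
    findings = []
    if Path(path).suffix.lower() in DB_EXTENSIONS:
        findings.append("database-extension")
    with open(path, "rb") as fh:
        head = fh.read(head_size)
    if DUMP_HEADERS.search(head):  # text dumps are found by content, whatever the name
        findings.append("dump-header")
        if CREDENTIAL_TERMS.search(head):
            findings.append("credential-terms")
    return findings

def audit_webroot(root):
    """Walk a document root; map each flagged file's relative path to its findings."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = Path(dirpath, name)
            if found := classify(full):
                report[full.relative_to(root).as_posix()] = found
    return report

def build_sample_root():
    """Create a constructed document root (hypothetical files) to audit."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": b"<h1>Welcome</h1>",
        "backup/site.txt": b"# phpMyAdmin MySQL-Dump\n# Dumping data for table `users`\n"
                           b"INSERT INTO users (username, password) VALUES ('a', 'b');\n",
        "db/main.mdb": b"\x00\x01\x00\x00Standard Jet DB\x00",  # binary: name is the only signal
        "notes/schema.sql": b"CREATE TABLE t (id INT);\n",
    }
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root

if __name__ == "__main__":
    print(audit_webroot(build_sample_root()))
```

Files the audit flags belong outside the document root, or behind access control if they must be served at all.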