Google Hacking for Penetration Testers - Part 14


Table 4.2 Log File Search Examples

| Query | Description |
|---|---|
| “ZoneAlarm Logging Client” | ZoneAlarm log files |
| +htpasswd WS_FTP.LOG filetype:log | WS_FTP client log files |
| +intext:”webalizer” +intext:”Total Usernames” +intext:”Usage Statistics for” | Webalizer statistics |
| ext:log “Software: Microsoft Internet Information Services *.*” | IIS server log files |
| ext:log password END_FILE | Java password files |
| filetype:cfg login “LoginServer=” | Ultima Online log files |
| filetype:log “PHP Parse error” \| “PHP Warning” \| “ | PHP error logs |
| filetype:log “See `ipsec --copyright” | BARF log files |
| filetype:log access.log -CVS | HTTPD server access logs |
| filetype:log cron.log | UNIX cron logs |
| filetype:log hijackthis “scan saved” | Hijackthis scan log |
| filetype:log inurl:”password.log” | Password logs |
| filetype:log inurl:access.log TCP_HIT | Squid access log |
| filetype:log inurl:cache.log | Squid cache log |
| filetype:log inurl:store.log RELEASE | Squid disk store log |
| filetype:log inurl:useragent.log | Squid useragent log |
| filetype:log iserror.log | MS Install Shield logs |
| filetype:log username putty | Putty SSH client logs |
| intext:”Session Start ****:*:**” filetype:log | IRC/AIM log files |
| intitle:”HostMonitor log” \| intitle:”HostMonitor report” | HostMonitor |
| intitle:”Index Of” -inurl:maillog maillog size | Mail log files |
| intitle:”LOGREP - Log file reporting system” -site:itefix.no | Logrep |
| intitle:index.of .bash_history | UNIX bash shell history file |
| intitle:index.of .sh_history | UNIX shell history file |
| intitle:index.of cleanup.log | Outlook Express cleanup logs |
| inurl:access.log filetype:log -cvs | Apache access log (Windows) |
| inurl:error.log filetype:log -cvs | Apache error log |
| inurl:log.nsf -gov | Lotus Domino log |
| inurl:linklint filetype:txt -”checking” | Linklint logs |
| Squid cache server reports | squid server cache reports |

Document Grinding and Database Digging • Chapter 4 131
452_Google_2e_04.qxd 10/5/07 12:42 PM Page 131
Log files reveal various types of information, as shown in the search for filetype:log username putty in Figure 4.6. This log file lists machine names and associated usernames that could be reused in an attack against the machine.

Figure 4.6 Putty Log Files Reveal Sensitive Data
Office Documents
The term office document generally refers to documents created by word processing software, spreadsheet software, and lightweight database programs. Common word processing software includes Microsoft Word, Corel WordPerfect, MacWrite, and Adobe Acrobat. Common spreadsheet programs include Microsoft Excel, Lotus 1-2-3, and Linux’s Gnumeric. Other documents that are generally lumped together under the office document category include Microsoft PowerPoint, Microsoft Works, and Microsoft Access documents. Table 4.3 lists some of the more common office document file types, organized roughly by their Internet popularity (based on number of Google hits).
Table 4.3 Popular Office Document File Types

| File Type | Extension |
|---|---|
| Adobe Portable Document Format | pdf |
| Adobe PostScript | ps |
| Lotus 1-2-3 | wk1, wk2, wk3, wk4, wk5, wki, wks, wku |
| Lotus WordPro | lwp |
| MacWrite | mw |
| Microsoft Excel | xls |
| Microsoft PowerPoint | ppt |
| Microsoft Word | doc |
| Microsoft Works | wks, wps, wdb |
| Microsoft Write | wri |
| Rich Text Format | rtf |
| Shockwave Flash | swf |
| Text | ans, txt |
In many cases, simply searching for these files with filetype is pointless without an additional specific search. Google hackers have successfully uncovered all sorts of interesting files by simply throwing search terms such as private or password or admin onto the tail end of a filetype search. However, simple base searches such as (inurl:xls OR inurl:doc OR inurl:mdb) can be used as a broad search across many file types.
Table 4.4 lists some searches from the GHDB that specifically target office documents. This list shows quite a few specific techniques that we can learn from. Some searches, such as filetype:xls inurl:password.xls, focus on a file with a specific name. The password.xls file does not necessarily belong to any specific software package, but it sounds interesting simply because of the name. Other searches, such as filetype:xls username password email, shift the focus from the file’s name to its contents. The reasoning here is that if an Excel spreadsheet contains the words username, password, and e-mail, there’s a good chance the spreadsheet contains sensitive data such as passwords. The heart and soul of a good Google search involves refining a generic search to uncover something extremely relevant. Google’s ability to search inside different types of documents is an extremely powerful tool in the hands of an advanced Google user.
Table 4.4 Sample Queries That Locate Potentially Sensitive Office Documents

| Query | Potential Exposure |
|---|---|
| filetype:xls username password email | Passwords |
| filetype:xls inurl:”password.xls” | Passwords |
| filetype:xls private | Private data (use as base search) |
| inurl:admin filetype:xls | Administrative data |
| filetype:xls inurl:contact | Contact information, e-mail addresses |
| filetype:xls inurl:”email.xls” | E-mail addresses, names |
| allinurl: admin mdb | Administrative database |
| filetype:mdb inurl:users.mdb | User lists, e-mail addresses |
| inurl:email filetype:mdb | User lists, e-mail addresses |
| data filetype:mdb | Various data (use as base search) |
| inurl:backup filetype:mdb | Backup databases |
| inurl:profiles filetype:mdb | User profiles |
| inurl:*db filetype:mdb | Various data (use as base search) |
Database Digging
There has been intense focus recently on the security of Web-based database applications, specifically the front-end software that interfaces with a database. Within the security community, talk of SQL injection has all but replaced talk of the once-common CGI vulnerability, indicating that databases have arguably become a greater target than the underlying operating system or Web server software.

An attacker will not generally use Google to break into a database or muck with a database front-end application; rather, Google hackers troll the Internet looking for bits and pieces of database information leaked from potentially vulnerable servers. These bits and pieces of information can be used to first select a target and then to mount a more educated attack (as opposed to a ground-zero blind attack) against the target. Bearing this in mind, understand that here we do not discuss the actual mechanics of the attack itself, but rather the surprisingly invasive information-gathering phase an accomplished Google hacker will employ prior to attacking a target.
Login Portals
As we discussed in Chapter 8, a login portal is the “front door” of a Web-based application. Proudly displaying a username and password dialog, login portals generally bear the scrutiny of most Web attackers simply because they are the one part of an application that is most carefully secured. There are obvious exceptions to this rule, but as an analogy, if you’re going to secure your home, aren’t you going to first make sure your front door is secure?

A typical database login portal is shown in Figure 4.7. This login page announces not only the existence of an SQL Server but also the Microsoft Web Data Administrator software package.

Figure 4.7 A Typical Database Login Portal

Regardless of its relative strength, the mere existence of a login portal provides a glimpse into the type of software and hardware that might be employed at a target. Put simply, a login portal is terrific for footprinting. In extreme cases, an unsecured login portal serves as a welcome mat for an attacker. To this end, let’s look at some queries that an attacker might use to locate database front ends on the Internet. Table 4.5 lists queries that locate database front ends or interfaces. Most entries are pulled from the GHDB.
Table 4.5 Queries That Locate Database Interfaces

| Query | Database Utility |
|---|---|
| allinurl: admin mdb | Administrative database |
| inurl:backup filetype:mdb | Backup databases |
| “ClearQuest Web Logon” | ClearQuest (CQWEB) |
| inurl:/admin/login.asp | Common login page |
| inurl:login.asp | Common login page |
| filetype:fp5 fp5 -”cvs log” | FileMaker Pro |
| filetype:fp3 fp3 | FileMaker Pro |
| filetype:fp7 fp7 | FileMaker Pro |
| “Select a database to view” intitle:”filemaker pro” | FileMaker Pro |
| “Welcome to YourCo Financial” | IBM Websphere |
| “(C) Copyright IBM” “Welcome to Websphere” | IBM Websphere |
| inurl:names.nsf?opendatabase | Lotus Domino |
| inurl:”/catalog.nsf” intitle:catalog | Lotus Domino |
| intitle:”messaging login” “© Copyright IBM” | Lotus Messaging |
| intitle:”Web Data Administrator - Login” | MS SQL login |
| intitle:”Gateway Configuration Menu” | Oracle |
| inurl:/pls/sample/admin_/help/ | Oracle default manuals |
| inurl:1810 “Oracle Enterprise Manager” | Oracle Enterprise Manager |
| inurl:admin_/globalsettings.htm | Oracle HTTP Listener |
| intitle:”oracle http server index” “Copyright * Oracle Corporation.” | Oracle HTTP Server |
| inurl:pls/admin_/gateway.htm | Oracle login portal |
| inurl:orasso.wwsso_app_admin.ls_login | Oracle Single Sign-On |
| “phpMyAdmin” “running on” inurl:”main.php” | phpMyAdmin |
| “Welcome to phpMyAdmin” “ Create new database” | phpMyAdmin |
| intitle:”index of /phpmyadmin” modified | phpMyAdmin |
| intitle:phpMyAdmin “Welcome to phpMyAdmin ***” “running on * as root@*” | phpMyAdmin |
| inurl:main.php phpMyAdmin | phpMyAdmin |
| intitle:”phpPgAdmin - Login” Language | phpPgAdmin (PostgreSQL) Admin tool |
| intext:SQLiteManager inurl:main.php | SQLite Manager |
| data filetype:mdb | Various data (use as base search) |
Underground Googling
Login Portals
One way to locate login portals is to focus on the word login. Another way is to focus on the copyright at the bottom of a page. Most big-name portals put a copyright notice at the bottom of the page. Combine this with the product name, and a welcome or two, and you’re off to a good start. If you run out of ideas for new databases to try, go to enter oracle and mysql, and click Large Set for a list of databases.
Support Files
Another way an attacker can locate or gather information about a database is by querying for support files that are installed with, accompany, or are created by the database software. These can include configuration files, debugging scripts, and even sample database files. Table 4.6 lists some searches that locate specific support files that are included with or are created by popular database clients and servers.
Table 4.6 Queries That Locate Database Support Files

| Query | Description |
|---|---|
| inurl:default_content.asp ClearQuest | ClearQuest Web help files |
| intitle:”index of” intext:globals.inc | MySQL globals.inc file, lists connection and credential information |
| filetype:inc intext:mysql_connect | PHP MySQL Connect file, lists connection and credential information |
| filetype:inc dbconn | Database connection file, lists connection and credential information |
| intitle:”index of” intext:connect.inc | MySQL connection file, lists connection and credential information |
| filetype:properties inurl:db intext:password | db.properties file, lists connection information |
| intitle:”index of” mysql.conf OR mysql_config | MySQL configuration file, lists port number, version number, and path information to MySQL server |
| inurl:php.ini filetype:ini | PHP.INI file, lists connection and credential information |
| filetype:ldb admin | Microsoft Access lock files, list database and username |
| inurl:config.php dbuname dbpass | The old config.php script, lists user and password information |
| intitle:index.of config.php | The config.php script, lists user and password information |
| “phpinfo.php” -manual | The output from phpinfo.php, lists a great deal of information |
| intitle:”index of” +myd size | The MySQL data directory |
| filetype:cnf my.cnf -cvs -example | The MySQL my.cnf file, can list information ranging from paths and database names to passwords and usernames |
| filetype:ora ora | ORA configuration files, list Oracle database information |
| filetype:pass pass intext:userid | dbman files, list encoded passwords |
| filetype:pdb pdb backup (Pilot \| Pluckerdb) | Palm database files, can list all sorts of personal information |
As an example of a support file, PHP scripts using the mysql_connect function reveal machine names, usernames, and cleartext passwords, as shown in Figure 4.8. Strictly speaking, this file contains PHP code, but the INC extension makes it an include file. It’s the content of this file that is of interest to a Google hacker.

Figure 4.8 PHP Files Can Reveal Machine Names, Usernames, and Passwords
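The file names and extensions in Tables 4.2, 4.4 and 4.6 double as a checklist for the defender: the script below, added here as an example and not taken from the book, walks a local copy of a web root, flags files whose paths match those patterns, and, for .inc and .php files, checks whether they carry a mysql_connect call of the kind shown in Figure 4.8. The pattern list and the sample docroot it builds are constructed for the demo, not GHDB entries or real files.

```python
import re
import tempfile
from pathlib import Path

EXPOSURE_PATTERNS = [  # (what it is, regex on the path) derived from Tables 4.2, 4.4 and 4.6
    ("shell history (intitle:index.of .bash_history)", r"(^|/)\.(bash|sh)_history$"),
    ("HTTPD log (inurl:access.log | inurl:error.log)", r"(^|/)(access|error)\.log$"),
    ("password spreadsheet (filetype:xls inurl:password.xls)", r"(^|/)password\.xls$"),
    ("Access database (filetype:mdb)", r"\.mdb$"),
    ("PHP include file (filetype:inc intext:mysql_connect)", r"\.inc$"),
    ("config.php (intitle:index.of config.php)", r"(^|/)config\.php$"),
    ('phpinfo output ("phpinfo.php" -manual)', r"(^|/)phpinfo\.php$"),
]
COMPILED = [(desc, re.compile(rx, re.IGNORECASE)) for desc, rx in EXPOSURE_PATTERNS]
CONNECT_RX = re.compile(r"mysql_connect\s*\(")

def has_db_credentials(path):
    """True if the file contains a mysql_connect() call (the Figure 4.8 style of leak)."""
    return bool(CONNECT_RX.search(Path(path).read_text(encoding="utf-8", errors="replace")))

def audit_webroot(root):
    """Sorted (relative path, description, has_credentials); one report per matching file."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        for desc, rx in COMPILED:
            if rx.search(rel):
                creds = rel.lower().endswith((".inc", ".php")) and has_db_credentials(path)
                findings.append((rel, desc, bool(creds)))
                break
    return sorted(findings)

def build_demo_site():
    """Constructed sample docroot (hypothetical contents) so the audit runs offline."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    files = {
        "index.html": "<html>hello</html>",  # should not be flagged
        "includes/db.inc": '<?php $link = mysql_connect("dbhost", "webuser", "hunter2"); ?>',
        "logs/access.log": '10.0.0.5 - - [05/Oct/2007:12:42:00] "GET / HTTP/1.0" 200 12',
        ".bash_history": "mysql -u root -p\nexit\n",
        "reports/password.xls": "not-a-real-spreadsheet",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    return root

def demo_findings():
    return audit_webroot(build_demo_site())
```

Point audit_webroot at the real document root (or a staging copy) and treat every hit as a file that a filetype or inurl query could surface once it is crawled.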
Error Messages
As we’ve discussed throughout this book, error messages can be used for all sorts of profiling and information-gathering purposes. Error messages also play a key role in the detection and profiling of database systems. As is the case with most error messages, database error messages can also be used to profile the operating system and Web server version. Conversely, operating system and Web server error messages can be used to profile and detect database servers. Table 4.7 shows queries that leverage database error messages.
Table 4.7 Queries That Locate Database Error Messages

| Description | Query |
|---|---|
| .NET error message reveals data sources, and even authentication credentials | “ASP.NET_SessionId” “data source=” |
| 500 “Internal Server Error” reveals the server administrator’s email address, and Apache server banners | “Internal Server Error” “server at” |
| 500 “Internal Server Error” reveals the type of web server running on the site, and has the ability to show other information depending on how the message is internally formatted | intitle:”500 Internal Server Error” “server at” |
| ASP error message reveals compiler used, language used, line numbers, program names and partial source code | filetype:asp “Custom Error Message” Category Source |
| Access error message can reveal path names, function names, filenames and partial code | “Syntax error in query expression “ -the |
| Apache Tomcat error messages can reveal various kinds of information depending on the type of error | intitle:”Apache Tomcat” “Error Report” |
| CGI error messages may reveal partial code listings, PERL version, detailed server information, usernames, setup file names, form and query information, port and path information, and more | intext:”Error Message : Error loading required libraries.” |
| Chatologica MetaSearch error reveals Apache version, CGI environment vars, path names, stack dumps, process IDs, PERL version, and more | “Chatologica MetaSearch” “stack tracking:” |
| Cocoon XML reveals library functions, Cocoon version number, and full and/or relative path names | “error found handling the request” cocoon filetype:xml |
| ColdFusion error messages trigger on SQL SELECT or INSERT statements, which could help locate SQL injection points | intitle:”Error Occurred While Processing Request” +WHERE (SELECT\|INSERT) filetype:cfm |
| ColdFusion error message can reveal partial source code, full pathnames, SQL query info, database name, SQL state info and local time info | intitle:”Error Occurred” “The error occurred in” filetype:cfm |
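The quoted phrases in the Table 4.7 queries read equally well as a defender's checklist: the script below, added here as an example and not from the book, applies each query's terms (all phrases must occur; a parenthesised group is an OR) to saved HTTP response bodies from your own application and reports which pages would match, whatever their status code. The labels, the matching rule and the sample responses are constructed for the demo; they are not real captures.

```python
import re

# One entry per Table 4.7 query: every phrase must occur; an inner tuple is Google's parenthesised OR.
ERROR_SIGNATURES = [
    (".NET error leaking a data source", ("ASP.NET_SessionId", "data source=")),
    ("Apache 500 page with server banner", ("Internal Server Error", "server at")),
    ("ASP custom error with source details", ("Custom Error Message", "Category", "Source")),
    ("Access/Jet query syntax error", ("Syntax error in query expression",)),
    ("Tomcat error report", ("Apache Tomcat", "Error Report")),
    ("CGI library load error", ("Error Message : Error loading required libraries.",)),
    ("Chatologica stack dump", ("Chatologica MetaSearch", "stack tracking:")),
    ("Cocoon request error", ("error found handling the request", "cocoon")),
    ("ColdFusion SQL error (possible injection point)",
     ("Error Occurred While Processing Request", "WHERE", ("SELECT", "INSERT"))),
    ("ColdFusion error with file location", ("Error Occurred", "The error occurred in")),
]

def _has_phrase(body, phrase):
    """Case-insensitive whole-word/phrase match, roughly how the search engine matches."""
    return re.search(r"(?<!\w)" + re.escape(phrase) + r"(?!\w)", body, re.IGNORECASE) is not None

def classify_body(body):
    """Labels of every Table 4.7 signature whose terms all appear in one response body."""
    hits = []
    for label, terms in ERROR_SIGNATURES:
        if all(any(_has_phrase(body, p) for p in (t if isinstance(t, tuple) else (t,)))
               for t in terms):
            hits.append(label)
    return hits

def scan_responses(responses):
    """responses: iterable of (url, status, body). Sorted (url, status, label) for every body
    that matches, whatever the HTTP status: a 200 error page is indexed as readily as a 500."""
    return sorted((url, status, label)
                  for url, status, body in responses for label in classify_body(body))

# Constructed sample responses from a hypothetical site; not real captures.
SAMPLE_RESPONSES = [
    ("http://www.example.com/search.cfm?id=1'", 200,
     "<title>Error Occurred While Processing Request</title>\n"
     "Error Executing Database Query. SELECT name FROM users WHERE id = 1'\n"
     "The error occurred in C:\\inetpub\\wwwroot\\search.cfm: line 12"),
    ("http://www.example.com/list.asp?cat=x", 500,
     "Microsoft JET Database Engine error '80040e14'\n"
     "Syntax error in query expression 'cat = x'."),
    ("http://www.example.com/", 200, "<html><body>Welcome</body></html>"),
]

def demo_hits():
    return scan_responses(SAMPLE_RESPONSES)
```

Any page reported here should be replaced by a generic error response so that neither the query nor the crawler that feeds it has anything to find.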