Google hacking for penetration tester - part 15 pdf

Document Grinding and Database Digging • Chapter 4 141
452_Google_2e_04.qxd 10/5/07 12:42 PM Page 141

Table 4.7 continued Queries That Locate Database Error Messages

| Description | Query |
| --- | --- |
| ColdFusion error message, can reveal SQL statements and server information | intitle:"Error Occurred While Processing Request" |
| ColdFusion error message, can reveal source code, full pathnames, SQL query info, database name, SQL state information, and local time information | intitle:"Error Occurred" "The error occurred in" filetype:cfm |
| ColdFusion error pages reveal many different types of information | "Error Diagnostic Information" intitle:"Error Occurred While" |
| DB2 error message can reveal path names, function names, filenames, partial code and program state | "detected an internal error [IBM][CLI Driver][DB2/6000]" |
| DB2 error message can reveal path names, function names, filenames, partial code and program state | An unexpected token "END-OF-STATEMENT" was found |
| DB2 error message, can reveal pathnames, function names, filenames, partial code, and program state | "detected an internal error [IBM][CLI Driver][DB2/6000]" |
| DB2 error message, can reveal pathnames, function names, filenames, partial code, and program state | An unexpected token "END-OF-STATEMENT" was found |
| Discuz! Board error may reveal path information or partial SQL code listings | filetype:php inurl:"logging.php" "Discuz" error |
| Generic SQL message, can reveal pathnames and partial SQL code | "You have an error in your SQL syntax near" |
| Generic error can reveal path information | "Warning: Supplied argument is not a valid File-Handle resource in" |
| Generic error message can be used to determine operating system and web server version | intitle:"Under construction" "does not currently have" |
| Generic error message can reveal compiler used, language used, line numbers, program names and partial source code | "Fatal error: Call to undefined function" -reply -the -next |
| Generic error message reveals full path information | "Warning:" "SAFE MODE Restriction in effect." "The script whose uid is" "is not allowed to access owned by uid 0 in" "on line" |
| Generic error message, reveals various information | "Error Diagnostic Information" intitle:"Error Occurred While" |
| Generic error messages reveal path names, php file names, line numbers and include paths | intext:"Warning: Failed opening" "on line" "include_path" |
| Generic error reveals full path info | "Warning: Division by zero in" "on line" -forum |
| HyperNews error reveals the server software, server OS, server account user/group (unix), server administrator email address, and even stack traces | intitle:"Error using Hypernews" "Server Software" |
| IIS 4.0 error messages reveal the existence of an extremely old version of IIS | intitle:"the page cannot be found" inetmgr |
| IIS error message reveals somewhat unmodified (and perhaps unpatched) IIS servers | intitle:"the page cannot be found" "internet information services" |
| Informix error message can reveal path names, function names, filenames and partial code | "A syntax error has occurred" filetype:ihtml |
| Informix error message can reveal path names, function names, filenames and partial code | "An illegal character has been found in the statement" -"previous message" |
| MySQL error message reveals path names | "supplied argument is not a valid MySQL result resource" |
| MySQL error message can reveal a variety of information | "mySQL error with query" |
| MySQL error message can reveal database name, path names and partial SQL code | "Can't connect to local" intitle:warning |
| MySQL error message can reveal path names and partial SQL code | "You have an error in your SQL syntax near" |
| MySQL error message can reveal path names, function names, filenames and partial SQL code | "ORA-00921: unexpected end of SQL command" |
| MySQL error message can reveal path names, function names, filenames and partial SQL code | "Supplied argument is not a valid MySQL result resource" |
| MySQL error message can reveal path names, function names, filenames and partial code | "Incorrect syntax near" |
| MySQL error message can reveal path names, function names, filenames and partial code | "Incorrect syntax near" -the |
| MySQL error message can reveal path names, function names, filenames and partial code | "Unclosed quotation mark before the character string" |
| MySQL error message can reveal the username, database, path names and partial SQL code | "access denied for user" "using password" |
| MySQL error message, reveals real pathnames and listings of other PHP scripts on the server | "supplied argument is not a valid MySQL result resource" |
| MySQL error message, reveals various information | "MySQL error with query" |
| MySQL error reveals database schema and usernames | "Warning: mysql_query()" "invalid query" |
| Netscape Application Server or iPlanet application servers error reveals the installation of extremely outdated software | intitle:"404 SC_NOT_FOUND" |
| ODBC SQL error may reveal table or row queried, full database name and more | filetype:asp + "[ODBC SQL" |
| Oracle SQL error message, reveals full Web pathnames and/or php filenames | "ORA-00921: unexpected end of SQL command" |
| Oracle SQL error message, reveals pathnames, function names, filenames, and partial SQL code | "ORA-00933: SQL command not properly ended" |
| Oracle SQL error message, reveals pathnames, function names, filenames, and partial SQL code | "ORA-00936: missing expression" |
| Oracle error message can reveal path names, function names, filenames and partial SQL code | "ORA-00933: SQL command not properly ended" |
| Oracle error message can reveal path names, function names, filenames and partial database code | "ORA-00936: missing expression" |
| Oracle error message may reveal partial SQL code, path names, file names, and data sources | "ORA-12541: TNS:no listener" intitle:"error occurred" |
| Oracle error message, reveals SQL code, pathnames, filenames, and data sources | "ORA-12541: TNS:no listener" intitle:"error occurred" |
| PHP error logs can reveal various types of information | filetype:log "PHP Parse error" \| "PHP Warning" \| "PHP Error" |
| PHP error message can reveal path names, function names, filenames and partial code | "Warning: Cannot modify header information - headers already sent" |
| PHP error message can reveal the webserver's root directory and user ID | "The script whose uid is " "is not allowed to access" |
| PHP error messages reveal path names, PHP file names, line numbers and include paths | PHP application warnings failing "include_path" |
| PHP error reveals web root path | "Parse error: parse error, unexpected T_VARIABLE" "on line" filetype:php |
| PostgreSQL error message can reveal path information and database names | "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" |
| PostgreSQL error message can reveal path names, function names, filenames and partial code | "PostgreSQL query failed: ERROR: parser: parse error" |
| PostgreSQL error message can reveal path names, function names, filenames and partial code | "Supplied argument is not a valid PostgreSQL result" |
| PostgreSQL error message, can reveal pathnames, function names, filenames, and partial code | "PostgreSQL query failed: ERROR: parser: parse error" |
| PostgreSQL error message, can reveal pathnames, function names, filenames, and partial code | "Supplied argument is not a valid PostgreSQL result" |
| PostgreSQL error message, reveals path information and database names | "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" |
| SQL error may reveal potential SQL injection points | "[SQL Server Driver][SQL Server]Line 1: Incorrect syntax near" -forum -thread -showthread |
| SQL error message reveals full path info | "Invision Power Board Database Error" |
| SQL error message reveals full pathnames and/or PHP filenames | "ORA-00921: unexpected end of SQL command" |
| SQL error message, can reveal pathnames, function names, filenames, and partial code (variation) | "Can't connect to local" intitle:warning |
| SQL error message, can reveal pathnames, function names, filenames, and partial code (variation) | "Incorrect syntax near" -the |
| SQL error message, can reveal pathnames, function names, filenames, and partial code (variation) | "access denied for user" "using password" |
| SQL error message, can reveal pathnames, function names, filenames, and partial code | "Incorrect syntax near" |
| SQL error message, can reveal pathnames, function names, filenames, and partial code | "Unclosed quotation mark before the character string" |
| Sablotron XML error can reveal partial source code, path and filename information and more | warning "error on line" php sablotron |
| Snitz Microsoft Access database error may reveal the location and name of the database, potentially making the forum vulnerable to unwanted download | databasetype. Code : 80004005. Error Description : |
| Softcart error message may reveal configuration file location and server file paths | intitle:Configuration.File inurl:softcart.exe |
| This dork reveals logins to databases that were denied for some reason | "Warning: mysql_connect(): Access denied for user: '*@*" "on line" -help -forum |
| Windows 2000 error messages reveal the existence of an extremely old version of Windows | intitle:"the page cannot be found" "2004 microsoft corporation" |
| cgiwrap error message reveals admin name and email, port numbers, path names, and may also include optional information like phone numbers for support personnel | intitle:"Execution of this script not permitted" |
| ht://Dig error can reveal administrative email, validation of a cgi-bin executable directory, directory structure, location of a search database file and possible naming conventions | intitle:"htsearch error" ht://Dig error |
| vbulletin error reveals SQL code snippets | "There seems to have been a problem with the" " Please try again by clicking the Refresh button in your web browser." |
In addition to revealing information about the database server, error messages can also reveal much more dangerous information about potential vulnerabilities that exist in the server. For example, consider an error such as "SQL command not properly ended", displayed in Figure 4.9. This error message indicates that a terminating character was not found at the end of an SQL statement. If a command accepts user input, an attacker could leverage the information in this error message to execute an SQL injection attack.
Figure 4.9 The Discovery of a Dangerous Error Message
Database Dumps
The output of a database into any format can be considered a database dump. For the purposes of Google hacking, however, we'll use the term database dump to describe the text-based conversion of a database. As we'll see next in this chapter, it's entirely possible for an attacker to locate just about any type of binary database file, but standardized formats (such as the text-based SQL dump shown in Figure 4.10) are very commonplace on the Internet.
Figure 4.10 A Typical SQL Dump
Using a full database dump, a database administrator can completely rebuild a database. This means that a full dump details not only the structure of the database's tables but also every record in each and every table. Depending on the sensitivity of the data contained in the database, a database dump can be very revealing and obviously makes a terrific tool for an attacker. There are several ways an attacker can locate database dumps. One of the most obvious ways is by focusing on the headers of the dump, resulting in a query such as "#Dumping data for table", as shown in Figure 4.10. This technique can be expanded to work on just about any type of database dump headers by simply focusing on headers that exist in every dump and that are unique phrases that are unlikely to produce false positives. Specifying additional specific interesting words or phrases such as username, password, or user can help narrow this search. For example, if the word password exists in a database dump, there's a good chance that a password of some sort is listed inside the database dump. With proper use of the OR symbol ( | ), an attacker can craft an extremely effective search, such as "# Dumping data for table" (user | username | pass | password). In addition, an attacker could focus on file extensions that some tools add to the end of a database dump by querying for filetype:sql sql and further narrowing to specific words, phrases, or sites. The SQL file extension is also used as a generic description of batched SQL commands. Table 4.8 lists queries that locate SQL database dumps.
Table 4.8 Queries That Locate SQL Database Dumps

| Query | Description |
| --- | --- |
| inurl:nuke filetype:sql | php-nuke or postnuke CMS dumps |
| filetype:sql password | SQL database dumps or batched SQL commands |
| filetype:sql "IDENTIFIED BY" -cvs | SQL database dumps or batched SQL commands, focus on "IDENTIFIED BY", which can locate passwords |
| "# Dumping data for table (username\|user\|users\|password)" | SQL database dumps or batched SQL commands, focus on interesting terms |
| "#mysql dump" filetype:sql | SQL database dumps |
| "# Dumping data for table" | SQL database dumps |
| "# phpMyAdmin MySQL-Dump" filetype:txt | SQL database dumps created by phpMyAdmin |
| "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" | SQL database dumps created by phpMyAdmin (variation) |
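An added example, not from the book: a small Python matcher that parses the dork syntax used in Tables 4.7 and 4.8 (quoted phrases, the intitle:, inurl:, intext: and filetype: operators, the | OR symbol, - exclusions, allinurl:) and runs those queries against pages from a crawl of your own site, so an administrator can find the leaking error pages and exposed dumps before a search engine indexes them. The page records and URLs are constructed samples, and the matcher approximates Google's behaviour with substring matching rather than word indexing.

```python
import re
TOKEN = re.compile(r'-?(?:[a-z]+:)?"[^"]*"|\S+')
FIELDS = {"intitle": "title", "inurl": "url", "intext": "text"}

def parse_dork(query):
    """OR-groups of (negated, op, term): '|' joins tokens into one group; groups are ANDed."""
    groups, join, url_mode = [], False, False
    for tok in TOKEN.findall(query):
        tok = tok.strip("()")           # "(user | pass)" style grouping
        if tok in ("|", "+"):           # '|' pulls the next token into the current group
            join = tok == "|"
            continue
        if tok == "allinurl:":          # every following bare term applies to the URL
            url_mode = True
            continue
        neg = tok.startswith("-") and len(tok) > 1
        tok = tok[1:] if neg else tok
        op, _, term = tok.partition(":") if tok.split(":")[0] in (*FIELDS, "filetype") else ("", "", tok)
        entry = (neg, op or ("inurl" if url_mode else ""), term.strip('"').lower())
        groups[-1].append(entry) if join and groups else groups.append([entry])
        join = False
    return groups

def term_hits(page, op, term):
    """page: dict with url, title, text and ext (the extension Google's filetype: sees)."""
    if op == "filetype":
        return page["ext"].lower() == term
    if op in FIELDS:
        return term in page[FIELDS[op]].lower()
    return term in page["text"].lower() or term in page["title"].lower()

def dork_matches(page, query):
    """True when every group has a term present (or, if negated, absent)."""
    return all(any(term_hits(page, op, t) != neg for neg, op, t in grp)
               for grp in parse_dork(query))

def audit(pages, dorks):
    """Map each URL of your own crawl to the table queries that would surface it."""
    return {p["url"]: [d for d in dorks if dork_matches(p, d)] for p in pages}
DORKS = ['"ORA-00933: SQL command not properly ended"',                    # Table 4.7
         'filetype:log "PHP Parse error" | "PHP Warning" | "PHP Error"',    # Table 4.7
         '"Incorrect syntax near" -the',                                     # Table 4.7
         '"# Dumping data for table" (user | username | pass | password)']  # Table 4.8
PAGES = [  # constructed sample pages, not real sites
    {"url": "http://app.example/order.php?id=1", "title": "Error Occurred", "ext": "php",
     "text": "Warning: ociexecute(): ORA-00933: SQL command not properly ended in /var/www/order.php"},
    {"url": "http://app.example/logs/php_error.log", "title": "", "ext": "log",
     "text": "[12-Jan] PHP Warning: include(): failed opening 'x.php'"},
    {"url": "http://app.example/backup/site.sql", "title": "", "ext": "sql",
     "text": "# Dumping data for table `users`\nINSERT INTO `users` VALUES ('bob','5f4dcc3b');"}]
```

Calling audit(PAGES, DORKS) lists, per URL, which table queries would find it; every hit is a page to fix or remove from the web root.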
Actual Database Files
Another way an attacker can locate databases is by searching directly for the database itself. This technique does not apply to all database systems, only those systems in which the database is represented by a file with a specific name or extension. Be advised that Google will most likely not understand how to process or translate these files, and the summary (or "snippet") on the search result page will be blank and Google will list the file as an "unknown type," as shown in Figure 4.11.
Figure 4.11 Database Files Themselves Are Often Unknown to Google
If Google does not understand the format of a binary file, as with many of those located with the filetype operator, you will be unable to search for strings within that file. This considerably limits the options for effective searching, forcing you to rely on inurl or site operators instead. Table 4.9 lists some queries that can locate database files.
Table 4.9 Queries That Locate Database Files

| Query | Description |
| --- | --- |
| filetype:cfm "cfapplication name" password | ColdFusion source code |
| filetype:mdb inurl:users.mdb | Microsoft Access user database |
| inurl:email filetype:mdb | Microsoft Access e-mail database |
| inurl:backup filetype:mdb | Microsoft Access backup databases |
| inurl:forum filetype:mdb | Microsoft Access forum databases |
| inurl:/db/main.mdb | ASP-Nuke databases |
| inurl:profiles filetype:mdb | Microsoft Access user profile databases |
| filetype:asp DBQ=" * Server.MapPath("*.mdb") | Microsoft Access database connection string search |
| allinurl: admin mdb | Microsoft Access administration databases |
Automated Grinding
Searching for files is fairly straightforward—especially if you know the type of file you're looking for. We've already seen how easy it is to locate files that contain sensitive data, but in some cases it might be necessary to search files offline. For example, assume that we want to troll for yahoo.com e-mail addresses. A query such as "@yahoo.com" email is not at all effective as a Web search, and even as a Group search it is problematic, as shown in Figure 4.12.
Figure 4.12 A Generic E-Mail Search Leaves Much to Be Desired