Tuesday 5 March 2013

[EN] Why is good to turn off error display

this is a foobar-temporary-name, not for some tutorial 'how to 1,2,3', but
for tutorial of 'how to think about possibilities of vulnerability'.
Questions?

No? thanks. Go.

Trick 1. What is the purpose?

Answer: Cash. Hacktivism. Stupidity.

Trick 2. Most 'common' ways of hacking?

In my opinion - the most dangerous bug, is input-vulnerabilities kind of bugs.
(code/php injections, others rce - I'm calling it all: 'rce' ;))

So 'most dangerous' and 'most simple to re-script'.

Trick 3. No sample, just idea.

'What if' an attacker will go to google.com search bar, and few ideas about
how to connect parameters of 'google-hacks', to find _really_ useful things, maybe will
change your site to one of those already 'h4ck3d'?

hm...
ok. ;]

simple arsenal: 5 parameters:
(param:example)#


site:com # find sites.COM
site:com -site:com.br # find sites.COM without .com.br
site:org intext:findme # find all sites.ORG with 'findme' word
ext:php # find all php type of files (extensions)
intitle:motel # find all pages contains 'title' with motel word

Great.

If you have some knowledge about writting php pages,
you can get few simple ideas right now.
As a coder you saw 'few times' some error-messages,
for example 'Error in line...' whatever.

Remember those errors from MySQL? ;>
Maybe this simple example will refresh your memory:

site:r0x intext:"SQL.Syntax" ext:php intext:error

ok not bad, but not so good also. ;)

Upgrade:
intext:"SQL.Syntax" ext:php intext:error inurl:".php?*=2"site:stillr0x

this google-dork actually gives you 'few' vulnerable to sqlinjection attacks
sites, so b patient and think what you're doing. if you're doing anything with this ideas,
do NOT do bad things and remember to test it only against your sites.

Remember. ;)


More? here.
o/

1 comment:

  1. i think this blog will be so helpful for IT

    ---------------------------
    Thank you
    mark

    Aricho IT

    ReplyDelete

What do You think...?