Yesterday we had a brainstorming session with our programmers on Google hacking. It is soooooo easy to grab PHP source, passwords and databases from all over the Web, thanks to sloppy coders. For instance, do a search for
index.of
index.of/php
index.of/pswd
index.of/db
index.of/mda
index.of/pgp
or check the list at http://www.thenetworkadministrator.com/googlesearches.htm. These types of searches will spit out directory trees.
There are many “smart cookies” posting derivatives of these lists all over the Web.
And how about typos?
Try filetype: searches with extra characters in the extension, like
0php
1php
phps
php.
etc.
Servers will spit out entire PHP source files.
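Added here as a defender's check, not part of the original post: a Python script that walks your own document root for the two things these searches turn up, directories that would render an "Index of" listing and PHP source saved under an extension the handler does not execute. It assumes the PHP handler runs only files ending in .php; the sample tree it builds is constructed.

```python
# Audit a web document root for the two exposures the searches above turn up:
# directories with no index file (an "Index of" listing, if indexing is on) and
# PHP source saved under a name the handler does not execute, served as text.
import re
import tempfile
from pathlib import Path

EXECUTED_SUFFIX = ".php"  # assumption: the PHP handler runs only *.php
INDEX_NAMES = {"index.php", "index.html", "index.htm"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")


def is_misnamed_php(path: Path) -> bool:
    """Name hints at PHP, suffix is not .php, and the file holds PHP code
    (so php.ini or a README that mentions php is not flagged)."""
    name = path.name.lower()
    if "php" not in name or name.endswith(EXECUTED_SUFFIX):
        return False
    with path.open("rb") as fh:
        return PHP_OPEN_TAG.search(fh.read(4096)) is not None


def audit_webroot(root: str) -> dict:
    """Return root-relative paths of misnamed PHP files and of directories
    with no index file (candidates for a directory listing)."""
    root_path = Path(root)
    misnamed, listable = [], []
    for directory in [root_path] + [p for p in root_path.rglob("*") if p.is_dir()]:
        entries = list(directory.iterdir())
        if not any(e.name.lower() in INDEX_NAMES for e in entries):
            listable.append(directory.relative_to(root_path).as_posix())
        misnamed += [e.relative_to(root_path).as_posix()
                     for e in entries if e.is_file() and is_misnamed_php(e)]
    return {"misnamed_php": sorted(misnamed), "listable_dirs": sorted(listable)}


def demo() -> dict:
    """Build a constructed sample web root in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    sample = {  # constructed files; the credential is a placeholder
        "index.php": "<?php include 'lib/db.php'; ?>",
        "config.php.bak": "<?php $db_pass = 'PLACEHOLDER'; ?>",
        "php.ini": "display_errors = Off",
        "lib/db.phps": "<?php function connect() {} ?>",
        "lib/old.0php": "<?= $db_pass ?>",
        "backup/notes.txt": "nothing to see here",
    }
    for rel, body in sample.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return audit_webroot(str(root))
```

Run `audit_webroot("/var/www/html")` against a real document root; anything in `misnamed_php` should be deleted or moved outside the web root, and anything in `listable_dirs` needs either an index file or indexing switched off.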
The great offenders are large sites like those under .edu, .gov and .org, not to mention large .com and .net sites.
Ho, Ho, Ho, Merry Christmas, Santa.
More smart searches here:
http://it.toolbox.com/blogs/managing-infosec/google-hacking-master-list-28302
Know of other lists? Drop the relevant link.