Page 94 - Hands-On Bug Hunting for Penetration Testers
SQL, Code Injection, and Scanners Chapter 5
Google Dorks for SQLi
Using Google Dorks, sometimes called Google hacking, means employing specially crafted search queries to get search engines to return sites susceptible to SQLi and other vulnerabilities. The name Google dork refers to a hapless employee misconfiguring their site and exposing sensitive corporate information online.
Here are a few examples of common Google Dorks for discovering instances of SQLi:
inurl:index.php?id=
inurl:buy.php?category=
inurl:pageid=
inurl:page.php?file=
You can see the queries are designed to return results where the discovered sites are at least theoretically susceptible to SQLi (because of their URL structure). The basic form of a dork is search_method domain dork, where the search_method and dork are calibrated to look for a specific type of vulnerability and domain is used when you'd like to target a specific application. For example, here's a dork designed to return insecure CCTV feeds:
intitle:"EvoCam" inurl:"webcam.html"
This dork doesn't target a particular URL; it's simply looking for any site where the page's title contains EvoCam and the page's URL contains webcam.html.
Validating a Dork
While browsing a small security site, I find the following dork, listed on the company's Bugtraq section (the title of the company featured in the intext field has been changed):
inurl:index.jsp? intext:"some company title"
This dork, though it doesn't have a target URL, does focus on a particular company via the intext search filter. For the inurl value, jsp is the file extension for JSP, a web application framework for Java servlets. JSP is a little old, being Sun Microsystems' 1999 response to Microsoft's Active Server Pages (ASP), but like so much tech it is still employed in legacy industries, small businesses, and small dev shops.
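The dork syntax described above (an operator such as inurl:, intitle: or intext: followed by a bare token or a quoted phrase, with all terms ANDed together) is easy to evaluate locally. The following added example, which is not from the book, parses a dork and runs it against a constructed crawl of your own site's pages, so a defender can check which pages a published dork would surface before a search engine does. The Page class, the default of treating bare terms as intext, and the sample pages are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Matches one dork term: an optional operator prefix (inurl:, intitle:, intext:)
# followed by either a double-quoted phrase or a bare token.
TERM_RE = re.compile(r'(?:(\w+):)?(?:"([^"]*)"|(\S+))')

@dataclass
class Page:
    """A crawled page from the site being audited (constructed sample data)."""
    url: str
    title: str
    text: str

def parse_dork(dork: str) -> list:
    """Split a dork into (operator, value) pairs. Bare terms default to intext."""
    terms = []
    for m in TERM_RE.finditer(dork):
        op = (m.group(1) or "intext").lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        terms.append((op, value))
    return terms

def term_matches(op: str, value: str, page: Page) -> bool:
    """Case-insensitive substring check against the field the operator names."""
    needle = value.lower()
    if op == "inurl":
        return needle in page.url.lower()
    if op == "intitle":
        return needle in page.title.lower()
    if op == "intext":
        return needle in page.text.lower()
    raise ValueError(f"unsupported dork operator: {op}")

def dork_matches(dork: str, page: Page) -> bool:
    """A page is surfaced by a dork only if every term matches (implicit AND)."""
    return all(term_matches(op, val, page) for op, val in parse_dork(dork))

def pages_exposed_by(dork: str, pages: list) -> list:
    """Return the URLs of the audited pages a given dork would surface."""
    return [p.url for p in pages if dork_matches(dork, p)]

# Constructed sample crawl of a fictional site (hostnames use the reserved .test TLD).
SAMPLE_PAGES = [
    Page("https://shop.example.test/buy.php?category=12", "Shop", "Browse our catalogue"),
    Page("https://cam.example.test/webcam.html", "EvoCam Live", "Streaming now"),
    Page("https://www.example.test/index.jsp?page=1", "Home", "Some Company Title - Welcome"),
    Page("https://www.example.test/about.html", "About", "Contact us"),
]
```

Running pages_exposed_by over a real crawl of your own site with the dorks from this chapter gives a concrete list of pages whose URL structure or content is worth reviewing or removing from the index.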