September 30, 2003

Google as a Hacking Tool

Googler explains how to find unprotected Web directories using everyone's favorite search engine.

This has been common knowledge for the search savvy for some time, but now it's getting more press. You can easily query Google to find doors left open by webmasters. I call it "Google keychain" because it's one (search) string that has keys to many doors :)

By default, these usually hidden directory listings have the words "name last modified size description" in the heading. Use those exact words as your Google query and watch what you find (though I suggest adding the extra search operator intitle:index to make it more focused).

Here's why this exploit works. Normally, users can enter a directory name in a URL (such as http://www.lesjones.com/images for the images directory). Notice that no file was specified in the URL. Apache will look for a default file in that directory, such as index.html, default.htm, or other files defined in the httpd.conf file.

If there is no default file present, Apache may display the contents of the directory, depending on the configuration settings. The default is to display files in the directory. To keep that from happening, open the httpd.conf file, disable the IndexOptions directive, and restart Apache. (Details at Apache.org.) If anyone tries to access a directory without a default file, they'll get a 403 Forbidden error, like this one.
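To check your own site for the condition described above, the sketch below (an added example, not code from the original post) classifies the response for a directory URL: a 403 means the listing is suppressed, while a 200 page whose title starts with "Index of" and whose text contains the quoted column words is an exposed listing. The function name `classify_response` and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Column words of an Apache auto-generated listing, as quoted in the post.
LISTING_COLUMNS = "name last modified size description"


class _TextExtractor(HTMLParser):
    """Collects the <title> text and the remaining text of a page."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        (self.title if self.in_title else self.text).append(data)


def classify_response(status, body):
    """Return 'listing', 'forbidden' or 'other' for one directory URL's response."""
    if status == 403:
        return "forbidden"  # the result the post describes for a protected directory
    if status != 200:
        return "other"
    parser = _TextExtractor()
    parser.feed(body)
    parser.close()
    # Collapse whitespace and case so <pre> and <table> layouts compare alike.
    title = " ".join("".join(parser.title).split()).lower()
    text = " ".join(" ".join(parser.text).split()).lower()
    if title.startswith("index of") and LISTING_COLUMNS in text:
        return "listing"
    return "other"


# Constructed sample bodies (not captured from any real site).
SAMPLE_LISTING = """<html><head><title>Index of /images</title></head><body>
<h1>Index of /images</h1><pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>
<a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a>  <a href="?C=D;O=A">Description</a>
<hr><a href="logo.gif">logo.gif</a> 30-Sep-2003 10:00 2.1K</pre></body></html>"""
SAMPLE_HOME = "<html><head><title>Index of services</title></head><body>Welcome</body></html>"
```

Feed it the status code and body fetched for each directory path on a server you administer; any path reported as `listing` needs a default file or its listing turned off.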

There's an older exploit involving Web-enabled FileMaker Pro databases, though I can't seem to find the details right now. When a FileMaker Pro database is Web-enabled, it has a default welcome message. If the database isn't password-protected, search engines will index that message, and hackers can search for that message on Google and other search engines.

Posted by lesjones


