Comment Articles

Google hacking for beginners

Ong Boon Kiat CNETAsia

Published: 08 Nov 2004 14:13 GMT

I tried my hand at Google hacking recently.

It was easy, and all done with, well, Google. As Google hackers know, what I did was to use Google to look for information residing in other people's Web-connected servers -- and machines connected to those servers. Stuff that I'm not supposed to see.

So how did I fare?

Well, I didn't manage to get my hands on Web sites belonging to any noteworthy organisations, companies or people. But what I did manage to uncover were a few dozen SQL server configuration files from a motley bunch of organisations. And all this in one afternoon's work.

The subject of Google hacking -- the use of Google as a hacking tool -- fuelled several prominent news headlines recently. Among them are: The perils of googling, by Scott Granneman of The Register; Robert Lemos's Google a favorite among hackers too from CNET News.com; and Dan Ilett's Hackers use Google to access photocopiers from ZDNet UK.

Want to read more related-articles? Type "Google hacking" into Google and you'll find no end of them.

These stories piqued my interest. As a novice Google hacker (trying my hand only in the name of research, obviously), I started by getting some juicy information from a Web site its owners called Johnny I Hack Stuff. There, one can find a whole stash of search phrases specially written to tease Google into spilling the beans on its subjects. As I found out, one can also easily modify these phrases for better results.

Try it. Type the phrase "access denied for user" and "using password" into Google. I did, and found 103,000 returned Webpages, some volunteering their SQL error messages. And among these were Websites that gave such harmless information as user IDs, SQL server stats and configuration details.