Help searching apache servers

  • Help searching apache servers

    Is there any general way to search a domain that's hosted on an Apache server for any active files? I'm trying to see what kind of files are going to pop up on Google that can be accessed without logging in. I don't have admin rights, but I'm trying to prove a point. I know they at least have index searching turned off, but I know there are certain commands you can use in Google to see what's on a server.

    Thanks in advance.

    http://www.googleguide.com/advanced_operators.html#site:

    I don't see anything helpful on the googleguide.

  • #2
    Generally speaking, unless you know the direct address of the item you are trying to find and Apache has a default file to serve (index.php, index.htm, index.html, etc.) for that directory, the only way to see all files in the directory is a recursive request that tries to guess file names and logs when a 404 header is not returned. I have not seen one of these services in a while, mostly because you appear to be DNS attacking.

    Crawling on the other hand, done by search engine robots, breaks down every link to every item on every page it can find and stores your content in a cache. It will not find items you have not linked to on your site.
    Tera 4:1 + 4.88's = Slowest rig on here
    Baja-Bob.com



    • #3
      I'm not trying to attack a site, I just want to prove that providing a direct link to claims where all of your customer info is available is a bad idea. All you'd need to do is change the claim number and you can see the next, the next, etc... I'm just curious if there are any other directories that someone could find through basic web searches.



      • #4
        Like Bob said, unless there isn't a default page for the directory, the only two ways to discover the content would be crawling through the links or brute force guessing.
        Originally posted by Broncojohnny
        HOORAY ME and FUCK YOU!



        • #5
          Originally posted by BP View Post
          I'm not trying to attack a site, I just want to prove that providing a direct link to claims where all of your customer info is available is a bad idea. All you'd need to do is change the claim number and you can see the next, the next, etc...
          Well there you go, you've proven the system is flawed.


          I'm just curious if there are any other directories that someone could find through basic web searches.
          You have to guess them if they exist. There is a reason Apache is as popular as it is.


          If you post the site we might be able to help some more. It is possible if they aren't authenticating claims (sounds like a bad developer already) that you can inject your own SQL queries through a simple HTTP request.

          If you are seeing http://somesite.com/viewclaim/?claim=4352 or something similar, type in (everything between the quotes) "http://somesite.com/viewclaim/?claim=x' AND 1=(SELECT COUNT(*) FROM tabname); --"

          This will give you the table name in the database where claims are stored. From there we can pretty much do anything, as well as delete the whole table and all data.
          Tera 4:1 + 4.88's = Slowest rig on here
          Baja-Bob.com



          • #6
            Originally posted by BajaBob View Post
            If you are seeing http://somesite.com/viewclaim/?claim=4352 or something similar, type in (everything between the quotes) "http://somesite.com/viewclaim/?claim=x' AND 1=(SELECT COUNT(*) FROM tabname); --"
            How's that going to work?
            Originally posted by Broncojohnny
            HOORAY ME and FUCK YOU!



            • #7
              Originally posted by Nash B. View Post
              How's that going to work?
              Let's say the page outputs a claim ID in an echo statement. If the dev isn't escaping inputs on a simple SQL query, you can add your own. This will output the number of rows in the DB as well as the table name (where the claim ID is typically printed)... It's a long shot, but once you get the table name you can do quite a bit more.
              Tera 4:1 + 4.88's = Slowest rig on here
              Baja-Bob.com



              • #8
                Yeah, but if the query is SELECT col1, col2, col3 FROM claims WHERE ClaimId = '$_REQ[ClaimId]', and you pass the string
                Code:
                x' AND 1=(SELECT COUNT(*) FROM tabname); --
                , wouldn't a.) you get an error because the table "tabname" doesn't exist, b.) get 0 results because there's no claim with an ID of 'x', and c.) still only see the data that they want you to see?
                Originally posted by Broncojohnny
                HOORAY ME and FUCK YOU!



                • #9
                  Originally posted by Nash B. View Post
                  Yeah, but if the query is SELECT col1, col2, col3 FROM claims WHERE ClaimId = '$_REQ[ClaimId]', and you pass the string
                  Code:
                  x' AND 1=(SELECT COUNT(*) FROM tabname); --
                  , wouldn't a.) you get an error because the table "tabname" doesn't exist, b.) get 0 results because there's no claim with an ID of 'x', and c.) still only see the data that they want you to see?
                  a) isn't 'tabname' a variable in SQL to reference a predefined table name in a statement?

                  b) correct, obviously this would need some debugging. "x=x" which registers true.

                  c) depends on the print statement.
                  Tera 4:1 + 4.88's = Slowest rig on here
                  Baja-Bob.com



                  • #10
                    I'm not sure that's correct.
                    Originally posted by Broncojohnny
                    HOORAY ME and FUCK YOU!



                    • #11
                      Originally posted by Nash B. View Post
                      I'm not sure that's correct.
                      Well if we could get a link we could find out!
                      Tera 4:1 + 4.88's = Slowest rig on here
                      Baja-Bob.com



                      • #12
                        Send me the domain name.



                        • #13
                          Talk to the developer of the app and see if they can pass the claim number encrypted in the cookie. Or give a one-time use url to the claim each time it is requested.

                          For Google-fu, search for "stuff you want hidden" -site:yourdomain and see what it comes back with.

                          I would not test SQL Injection commands on my live app, but you do have valid concerns.

                          If you want to scan it yourself, Nessus will work but takes some configuration and work.
                          There are cloud-based vulnerability scanners that can be cost-effective if you're in a time crunch.
                          WRX
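The claim lookup argued over in #5 through #9 and the one-time URL suggested in #13, as an added example that is not code from this thread. The vulnerable builder mirrors the `'$_REQ[ClaimId]'` pattern quoted in #8 and is only there to show how a quote in the request value lands inside the SQL text; the safe lookup binds the value as a parameter and scopes it to the authenticated customer, which is what stops "change the claim number and see the next one". The schema, sample rows, customer ids and the Python/sqlite3 stand-in for the real app are all constructed assumptions.

```python
import sqlite3
import secrets

# Constructed sample data: a claims table plus an owner column (assumption),
# so each claim is bound to the customer it belongs to.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE claims (ClaimId TEXT PRIMARY KEY, customer_id INTEGER, detail TEXT)")
    conn.execute("CREATE TABLE claim_tokens (token TEXT PRIMARY KEY, ClaimId TEXT, used INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO claims VALUES (?, ?, ?)",
                     [("4352", 1, "claim of customer 1"), ("4353", 2, "claim of customer 2")])
    return conn

def build_query_vulnerable(claim_id):
    # Mirrors the thread's SELECT ... WHERE ClaimId = '$_REQ[ClaimId]': the raw
    # request value is spliced into SQL text, so a quote in it alters the query.
    # Shown only to make the defect visible; never executed here.
    return f"SELECT detail FROM claims WHERE ClaimId = '{claim_id}'"

def lookup_claim_safe(conn, claim_id, customer_id):
    # Two fixes in one query: the value is bound as a parameter (never SQL text),
    # and the lookup is scoped to the authenticated customer, so changing the
    # claim number in the URL cannot reach another customer's claim.
    row = conn.execute(
        "SELECT detail FROM claims WHERE ClaimId = ? AND customer_id = ?",
        (claim_id, customer_id)).fetchone()
    return row[0] if row else None

def issue_claim_token(conn, claim_id, customer_id):
    # One-time URL as suggested in #13: an unguessable token is minted only for a
    # claim the customer owns; the URL then carries the token, not the claim number.
    if lookup_claim_safe(conn, claim_id, customer_id) is None:
        return None
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO claim_tokens (token, ClaimId) VALUES (?, ?)", (token, claim_id))
    return token

def redeem_claim_token(conn, token):
    # Single use: the token is marked used in the same statement that selects it,
    # so a second request with the same URL gets nothing.
    cur = conn.execute("UPDATE claim_tokens SET used = 1 WHERE token = ? AND used = 0", (token,))
    if cur.rowcount != 1:
        return None
    row = conn.execute(
        "SELECT c.detail FROM claims c JOIN claim_tokens t ON c.ClaimId = t.ClaimId WHERE t.token = ?",
        (token,)).fetchone()
    return row[0] if row else None
```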
