Punct of ircsb.com revealed how you can actually find passwords by using the Google search engine. Among the files that passwords can be retrieved from are auth_user_file.txt, passlist.txt, config.php, etc. If your web server or your web hosting account is revealing these files, you are potentially at risk of a security breach.
Modified passwords
intitle:"Index of" passwords modified
auth_user_file.txt
allinurl:auth_user_file.txt
passlist.txt
inurl:passlist.txt
FrontPage files
"# -FrontPage-" inurl:service.pwd
config.php
intitle:"Index of" config.php
Inline URL passwords
"http://*:*@"
Using the search keywords given by Punct in Google returns a list of URLs. Behind these URLs are password files containing usernames and passwords. I've tried and managed to get into one of them, but of course with a little unmentioned process in the middle. So be more alert about what you are revealing on your web account. For starters, make sure you have an index.html in every folder, to keep all the files in the folder from being listed.