Friday, 6 March 2015

Using robots.txt to locate and identify your targets

As you know, the majority of webmasters upload a file called robots.txt to their servers in order to give instructions to crawlers like Google, Yahoo, Bing... about which pages must not be indexed. Keep in mind that this file is plain text and publicly readable by anyone, not only by crawlers, and that following it is voluntary.
Example: 
http://behindthefirewalls.blogspot.com.es/robots.txt

Why does the webmaster want to hide some URLs? One of the first things hackers do is check this file. Hackers can get a lot of valuable information by locating the data, scripts... that the webmaster wants to keep hidden...
Sometimes Google indexes the robots.txt itself, giving hackers the opportunity to locate words in this file through Google searches.
For example, if a hacker wants to locate phpMyAdmin installations, he could use the robots.txt files indexed in Google to locate them and then try to exploit them.
inurl:.com/robots.txt- + "Disallow: /phpmyadmin/ "
The hackers could locate WordPress installations:
inurl:".com/robots.txt" + "Disallow: /wp-admin/
The hackers could locate Drupal installations:
inurl:".com/robots.txt" + "Disallow: ?q=admin"
The hackers could locate Joomla installations:
inurl:"/robots.txt" + "Disallow: joomla"
The hackers could locate Plesk Statistics installations:
inurl:"/robots.txt" + "Disallow: plesk-stat"
The hackers could locate TinyMCE installations in order to get information about the plugins installed on these servers and then try to exploit them:
inurl:".com/robots.txt" + "Disallow: tinymce"
Is someone trying to hide their password? Oh my god...
inurl:"/robots.txt" + "Disallow: passwords.txt"

You should be careful when you are writing your robots.txt, because if someone checks it, or someone with imagination searches on Google with these types of queries, you could become a hacker's target. A Disallow rule is not an access control: a path listed there is still reachable, so protect it with authentication rather than relying on the entry to hide it.
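As an added defender-side example (not code from the original post), the script below parses a robots.txt in the User-agent / Disallow format discussed above and flags Disallow entries that advertise admin panels, credential files or backups, so a webmaster can review the file before publishing it. The sample robots.txt and the pattern list are constructed for this example.

```python
"""Audit a robots.txt for Disallow entries that advertise sensitive paths.

Added example, not part of the original post. The sample file and the
pattern list below are constructed for demonstration.
"""
import re

# Constructed sample robots.txt; not fetched from any real server.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /images/
Disallow: /backup/passwords.txt
Allow: /wp-admin/admin-ajax.php
# comment line
Disallow: /tmp/
"""

# Assumed pattern list for this example: paths that reveal admin panels,
# credential files or backups. Extend it to match your own environment.
SENSITIVE_PATTERNS = {
    "admin panel": re.compile(
        r"(?i)(^|/)(wp-admin|phpmyadmin|admin|administrator)(/|$)|[?&]q=admin"
    ),
    "credential file": re.compile(r"(?i)passw(or)?d|\.htpasswd|credential|secret"),
    "backup or dump": re.compile(r"(?i)backup|\.bak$|\.sql$|\.zip$|\.tar(\.gz)?$|dump"),
}


def parse_robots(text):
    """Return (user_agent, directive, value) tuples for Allow/Disallow lines.

    Comments (after '#') and blank lines are ignored; the current
    User-agent group is carried along with each rule.
    """
    records = []
    current_agent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        # Split on the first colon only so values containing ':' survive.
        field, _, value = line.partition(":")
        field = field.strip().lower()
        value = value.strip()
        if field == "user-agent":
            current_agent = value
        elif field in ("disallow", "allow"):
            records.append((current_agent, field, value))
    return records


def audit_robots(text):
    """Return (path, reason) pairs for Disallow entries that look sensitive.

    Each path is reported once, with the first matching reason.
    """
    findings = []
    for _agent, directive, path in parse_robots(text):
        if directive != "disallow" or not path:
            continue
        for reason, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(path):
                findings.append((path, reason))
                break
    return findings


if __name__ == "__main__":
    for path, reason in audit_robots(SAMPLE_ROBOTS_TXT):
        print(f"{path}: {reason} (consider protecting it instead of listing it)")
```

Run it against the robots.txt you are about to publish; every flagged entry is a path that the file is advertising to anyone who reads it, so it should be behind authentication (or removed from the file) rather than merely listed as Disallow.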
