What’s the result? Right, 25k of unprotected Dropbox photo galleries. You can click on any of the links to see the contents of the selected gallery or folder right in your web browser. (Please note that we are not saying that Dropbox is not doing enough to inform users about that fact)

Even better, you can combine the default search with additional parameters, e.g. wallpapers, to find themed photos on Dropbox.

Second task. Search for site:http://www.dropbox.com/s/ or site:http://dl.dropbox.com/ and let me know what you find. Right, another batch of public folders hosted on Dropbox, again with the possibility to combine the standard search phrase with custom keywords for filtered results.

I’d assume that at least some of Dropbox’s users do not know that their photos and data may be publicly accessible on the Internet. You see, the Dropbox photo folder, or more precisely its subfolders, is public by design. The Dropbox help explains:

The Photos folder automatically creates online galleries. Any image files you move or copy to your Photos folder are automatically included in an online gallery anyone can view from the Dropbox website. People can download the photos or view them as a slideshow. Because you don’t have to deal with uploaders or uploading files through a website one by one, the Photos folder is the easiest way to make your images accessible online.

If you use the Dropbox photo folder for your pictures, you make them accessible for anyone, which includes search engine bots. The only option for you is to store the photos in a different folder to block this from happening. For that, you need to create a new photo folder in your Dropbox structure and use that folder from then on to store your images. The gallery feature however is not available in that new folder which means that other Dropbox users that you share the url with will not be able to see the photos in a gallery in their web browser.

Two folders are public by default. The photo folder and the Public folder. If you copy files into either one, you make them accessible for everyone.

You can share additional folders which are then however only accessible by users that you specify during creation.

Dropbox users may want to check their public folders to make sure that the data stored inside should indeed be public. You can move the data out of the public folders if that is not the case. (via Caschy)

Most users do not want to subscribe to the newspaper website just to read that one article which is probably the reason why some where looking for ways around this content restriction.

Amit over at Digital Inspiration has discovered an easy option to access limited content on newspaper websites.

Two steps need to be taken to read the full article.

• Copy the url of the article
• Paste the url into the Google Search engine.

The article should show up as the first search result. A click on that will load the full article. It sometimes works better with the title instead of the url but the results are usually the same.

Why is that working right now? One of the requirements of becoming a subscription based site in Google News is to allow access full Googlebot to the website in question which will happily index the site’s contents in Google’s vast index.

Our goal now is to give you a wider understanding of a thing called “google hacking”. This time we will give you a basic understanding of whats possible and how to achieve this.

Before we start with the essay I want you to make sure that you understand that every move you make on the internet leaves traces that can be used to identify you. I will write a tutorial about “anonymous surfing” soon. This article encourages no one to hack into servers that you don´t own or have the permission to hack.

Lets start by asking some questions. Besides Google and the knowledge of search commands – what do you need to do some hacking with google ?

The answer is simple, you need a vulnerability that you can search for. There are lots of sites that posts vulnerabilities, also known as exploits. I will name two that you can use as a start, you know how to use google to find more.

Packetstormsecurity.org
Securiteam.com

Lets use the packetstorm site as an example. When you open it you see lots of tables starting with filename ending with MD5 Checksum. Whats interesting to us is a) the filename and b) the description.

The description gives a short exerpt of what this exploit is about. Interessing for google hacking are only eploits that are web based or web connected. That means the first exploit for winrar 3.5 is not what we are looking for. The second in the list is more of our liking.

The description read “e107 content management system versions 0.617, 0.6171, 0.6172 resetcore.php utility SQL Injection, login bypass, remote code execution, and cross site scripting exploit.”

When we click the filename we see a textfile with lots of information about this exploit. I won´t give you information about the type of exploit (sql injection) because this time I only explain how you find new exploits and search for them using google.

The interesting line for us atm is “move to http://[target]/[path]/e107/e107_files/resetcore.php” and “e107 0.617 stable/ 0.6171 / 0.6172″

we see a filename and some folder names. in the first one and release numbers in the second one.

Using this information we open up google and enter one of the following strings, think of more if you like.

inurl:resetcore.php
“e107 powered website v0.617″

If you search for the first line make sure you check the version of the script first, second line automatically looks for the script that is vulnerable, you will have to navigate manually to the resetcore.php file

Thats all there is to do, you know now where to look for new vulnerabilities and how to use google to find vulnerable files.

There are other ways of looking for exploits, but those are for the advanced users, they find their own, for example by looking at the source code files.

If you really want to learn more try to find some sites with other exploits using google. You can also lookup what SQL Injection for instance means.

let me know if you have any problems following this article or comments about it.

Most of the hacks are pretty basic stuff, for example hack 6 “Check Your Spelling”, and the explanation “Google sometimes takes the liberty of “correcting” what it perceives is a spelling error in your query” Not such a great hack if you ask me.

Most of the hacks published there are probably not hacks but advices. The advanced user should know most of them if he uses that services, so nothing new for us.

The inexperienced user has the chance to learn some new concepts, but he might receive the same level of insight from googles help pages.

Update:The page on the O’Reilly website is no longer available, which leaves Google’s own help page as the only source for this information.

Google divides the information on multiple pages. The basic search help page offers tips for better searches. Tips on the page include keeping it simple by using as few terms as possible and choosing descriptive words. Results will for instance be better if you are searching for headaches instead of “my head hurts”.

A click on the more search tips link at the bottom of the page opens a page that lists some of the operators that are supported by Google Search.

• Phrase Search: Use double quotes to ask Google to consider the exact phrase, e.g. “ghacks technology news”.
• Search single word exactly: Use double quotes for this as well, e.g. “headaches”
• Search within a specific site: Use the site: command for that, e.g. site:ghacks.net
• Exclude terms: Use the minus sign to exclude terms from the search, e.g. apples -green
• Use wildcards: Add * where appropriate, for instance Mercedes Benz model *
• The Or operator: Google will only consider one of the OR terms, e.g. New York Mets 2010 OR 2011

To achieve this we will borrow some of the operators from the Mp3 Search, namely -inurl:htm -inurl:html intitle:”index of”

You could also add “-inurl:php” to avoid those nasty index.php files as well.

Lets take a look at what those operators do:

Now we could simply add the known movie file extensions like mpg, avi, wmv to the search and look at the first results.

We probably want to find special movies, like TV commercials, movies with a special actor in it, adult movies aso. What you do is to simply add what you are looking for to the search. For example movies with Claudia Schiffer would be found with the following search

-inurl:htm -inurl:html -inurl:php intitle:”index of? (mpg|avi|wmv) “Claudia Schiffer”

The (mpg|avi|wmv) operator can also be written (mpg or avi or wmv).

Update: You can still use the operators and searches to find media on the Internet. You may want to add new video formats to the search though, for instance mkv, ogg or flv to increase the number of search results that are displayed by the search engine.

You can also exclude file types from the results by using the minus operator. The operator -ogg would for instance exclude all results with off files in the search results.

The main ebook format is .pdf, but ebooks also are delivered as .chm, doc and even .txt format. That means we will have to include at least pdf, doc and chm to get good results in our searches. Ebooks are unfortunately sometimes packed, that means you probably would like to include zip and rar as well to your search

(pdf|chm|doc|txt|zip|rar)

To get good results we need to exclude the following -inurl:htm -inurl:html

To search for directories that contain ebooks you use the following search string.

-inurl:htm -inurl:asp -inurl:html (“index of|"last modified"|"parent of") AND ("ebook"|"ebooks"|"book"|"books") AND (pdf|chm|doc|txt|zip|rar) AND "Oct-2005"

You should really add another keyword, a title, author or publisher to get better results than that general search. Simply add the keyword at the end of your search using +”keyword”

Update: Here are explanations for the commands listed on this page:

• -inurl:htm -inurl:asp -inurl:html (This one forces the search engine to only include pages in the results that do not have htm, asp or html in their urls.
• (“index of|”last modified”|”parent of”) AND (“ebook”|”ebooks”|”book”|”books”) AND (pdf|chm|doc|txt|zip|rar) AND “Oct-2005″ (a large command with several operators tied together. It basically tells Google to only include pages in the results that contain at least one phrase of each, for instance index of AND ebook AND pdf AND Oct-2005.

You can naturally modify the parameters to suite your needs better. You could for instance change the date, remove a phrase or add a new file extension to the mix for more versatility.

The search string that we constructed looked like the following:

-inurl:htm -inurl:html “index of mp3 “Oct-2005″ “Fresh Fantasy Dizzy Singers

There are more filetypes that we should exclude from our searches to get better results, those are:

php, asp, doc, pdf, shtml and txt

You may want to add additional file types and extensions. Just add -inurl:extension to your search query to exclude them from search.

To exclude these as well we use the following search string:

-inurl:htm -inurl:html -inurl:php -inurl:asp -inurl:doc -inurl:pdf -inurl:shtml -inurl:txt “index of mp3 “Oct-2005″ “Fresh Fantasy Dizzy Singers

We also don´t want the following results to appear in our search results:

ringtones, lyric and playlists

That means we exclude those as well and get:

-inurl:htm -inurl:html -inurl:php -inurl:asp -inurl:doc -inurl:pdf -inurl:shtml -inurl:txt “index of mp3 -ringtone -lyric -playlist “Oct-2005″ “Fresh Fantasy Dizzy Singers/code>

You can again add keywords that you do not want to see in your search results. Just use the -keyword parameter for that.

The last step is to add more possibly words that appear in the directory structure, those are

"parent of" and "last modified"

Our final searchstring now looks like this:

-inurl:htm -inurl:html -inurl:php -inurl:asp -inurl:doc -inurl:pdf -inurl:shtml -inurl:txt AND (“index of|"last modified"|"parent of") AND mp3 -ringtone -lyric -playlist AND “Oct-2005″ AND “dizzy singers

You can of course exclude more search types from your searches, this depends on the circumstances, maybe you don´t want audiobooks to be displayed, or only audiobooks..
I think you have the basic understanding now to enhance the searches yourself and get pretty good results using google.