Pete Finnigan's Oracle Security Weblog

I talked about a good paper about google hacking the other day in a post titled "Google hacking is on the up!" that talked about Nitesh Dhanjani's paper on google hacking. The paper mentioned a link to a great web site on the subject of google hacking called Johnny, I hack Stuff's website. This site includes a forum on the subject, some downloads for some tools and also a database of over 1000 search strings that can be used for hacking with google search. Nitesh's paper at the end includes a sample tool that can be used to run multiple queries against google to test your own site (or someone else’s) for any search strings that show up data and URL's that could be a security risk. The Johnny behind the site is Johnny Long and he has also written a book published by Syngress (ISBN:1931836361) and published 1 December 2004. The book "Google Hacking for Penetration Testers" is available from Amazon amongst others.

The book has good reviews and sounds very thorough. I plan to buy it at the weekend in Borders or Waterstones if they have it in, if not from Amazon - I will let you know what I think after I get it and read it.

The website contains also a database of search strings - the database is called http://johnny.ihackstuff.com/index.php?module=prodreviews - (broken link) Google Hacking Database (GHDB)!. This is a great list broken down into categories such as advisories and vulnerabilities, error messages, files containing passwords, files containing juicy info, pages containing login portals, sensitive directories, vulnerable files and many more.

There are of course many Oracle security search strings in the database but there doesn't seem to be a search box for the database to isolate the all of the Oracle search strings or anyway to download all of a particular group of searches such as the Oracle ones.

There is also a list of "signatures" that were part of Nitesh's article that may be useful but again they are not Oracle specific.