Finding Exposed Databases & Sites

G5 Cyber Security

2 weeks ago

TL;DR

Yes, many sites list publicly accessible databases and potentially vulnerable web applications beyond just Cross-Site Scripting (XSS). This guide shows you how to find them using search engines, dedicated websites, Shodan, and other tools. Remember: accessing these without permission is illegal.

Finding Exposed Databases & Sites

Understand the Risks

Accessing databases or sites without authorisation is illegal and unethical. This guide is for security research and vulnerability assessment of systems you own or have explicit permission to test.
Exposed databases can contain sensitive information, and handling it requires care to avoid data breaches.

Search Engine Dorking

Use advanced Google (or other search engine) operators to find potentially exposed resources.

File Exposure: Search for common database file types.

site:* inurl:/db/config.php OR site:* inurl:/database.sql

Default Admin Pages: Look for default login pages that haven’t been secured.
```
inurl:/admin OR inurl:/login OR intitle:/admin panel
```
Unindexed Directories: Find directories not intentionally indexed by search engines.
```
site:* filetype:php OR site:* filetype:sql
```

Dedicated Websites & Lists

Shodan (https://www.shodan.io/): A search engine for internet-connected devices. You can find databases, web servers, and other vulnerable systems.
```
host:192.0.2.1 port:3306
```
(Replace 192.0.2.1 with an IP address or range.)
Censys (https://censys.io/): Similar to Shodan, providing detailed information about internet-connected devices.
```
80.192.0.0/16 AND service:http AND product:"MySQL"
```
Exploit DB (https://www.exploit-db.com/): While focused on exploits, it often lists vulnerable software versions and associated databases.
Publicly Available Data Breaches: Sites like Have I Been Pwned? can indicate compromised systems that might still be exposed.

Subdomain Enumeration

Many vulnerable sites are found on subdomains of larger organisations.

Tools: Use tools like Sublist3r or AssetFinder to discover subdomains.
```
sublist3r -d example.com
```
DNS Records: Check DNS records for exposed services using tools like dig or online DNS lookup services.
```
dig example.com ANY
```

Vulnerability Scanners

Automated scanners can identify common vulnerabilities.

OWASP ZAP: A free, open-source web application security scanner.
Nessus Essentials: A popular vulnerability scanner (free for home use).
Nikto: A command-line web server scanner.
```
nikto -h example.com
```

Important Considerations

Permission is Key: Always obtain explicit permission before scanning or accessing any system you don’t own.
Legal Ramifications: Unauthorised access can lead to serious legal consequences.
Responsible Disclosure: If you find a vulnerability, report it responsibly to the owner of the affected system.