NO BS, here's the info. I'm not trying to sell ya. Here's how I do it. Obviously, the best URLs have a pattern to them. For example, it might be username.website.com, or a subdirectory, and so on. Brute-forcing the subdomains is one method, but mainly I use search engine harvesting. My favorite URLs have a numerical sequence, i.e. ...?user=23, 24, etc. Search engine harvesting is limited to 1000 per engine, but gathering fresh URLs monthly or so works out to a decent list. Some spammable services include JavaScript code that you are supposed to put on your website. These usually have a sequence. I can't give much more info because obviously I don't want my methods jacked, but this is how I got started. By the way, you aren't limited to 1000 results with your Google harvests. Just to play around I did site:www.blah.com/?, site:www.blah.com/? a, site:www.blah.com/? b, site:www.blah.com/? c. Interesting results. That + a dictionary attack. Of course, you need to know how to code something that collects the URLs, or just collect them manually, which really would suck. My best tip: Reconnaissance. Go search for guestbooks of one type, sign up to the services and see how it works. You can tell a lot more from that little exploration and possibly find some search strings you can use. Show your thanks, send me URLs with patterns! lol - Ub
*puts fingers on temples and closes eyes* I foresee, I foresee, I foreseeeeeee...posters saying "pm me the details" very soon.
/me defends the boos and hisses. Nah, this is it. This is the info. I mean, I'm trying to explain something without revealing exact URLs. Knowing the URLs won't really help either. The concept is what's important. For more information on advanced Google search queries and operands, check out The Google Hacking Database. No sales, no pitch, this is a true blue honest post revealing great info for those who don't know it.
It's useless for that example, unless you want to limit the result to ?id=4, ?id=6 etc. Makes for less to parse afterwards. I should have used ?id= instead of nothing in my example. - Ub
site:www.domain.com will yield 1000 (approx.) results. Sometimes 890, w/e. From there, you use the technique I first posted. Alright guys, I'll pull a live one out. site:users2.smartgb.com site:users2.smartgb.com 21 site:users2.smartgb.com 22 site:users2.smartgb.com 23 site:users2.smartgb.com 24 You'll notice there's not much there, BUT the more astute of you will know what to do. For the rest of you.... - How did I find out the subdomain users2 was the one to search? - Are there more subdomains? - What are queries to reveal more subdomains? One thing... I *actually* use ***************************** for this kind of work. If you really want details, please join my blackhat secrets list in my sig. Send me an email by replying to the list message you get. I will personally help you and I will not spam you. You can opt out anytime. (Sorry Perry, couldn't resist after letting such an example go by)