How To Find Unprotected Website Directories & Get “Interesting” Files

With all the risks involved in using file sharing networks, browsing unprotected website directories is probably a lot easier and safer.  Only when you start doing that do you realise half the stuff that people keep in their website folders (Sports Illustrated magazines!).

Then you start to realise how silly they are for not password protecting those folders and leaving them wide open for the whole world to walk in and take a look!

This might be really old news for a lot of people but I thought I would just quickly jot down the search parameters for finding files in unprotected website directories.

In case you don’t know, an unprotected website directory is a directory on a web server that has no “index” file created for it (index.htm, index.html, index.php) and no password controlling it.  If the server is set to generate listings automatically and you try to access such a directory, you will be able to see a list of all the files and folders that are inside that directory. If you can see that, you can then click on the files and both download them and open them.

Here’s what a typical unprotected directory looks like :

[Screenshot of an unprotected directory listing]

Directories like these will have all kinds of files. Things like pictures, music, video files, documents, you name it.

Now you can do a general search and go through literally hundreds of thousands of these directories. But to do that sort of search is both time consuming and a bit mind numbing. But if you want to do it, just put into the search box (be it Google, Yahoo, whatever) the following search string :

-inurl:(html|htm|php) intitle:"index of" +"last modified" +"parent directory" +description +size

This will bring up EVERYTHING and you can go hunting for whatever you can find.  Good luck.
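For site owners who want to know whether their own directories would turn up in a search like this, here is an added example (not part of the original article): it walks a local copy of a web root and reports directories with none of the index files named above, and it tests an HTML body for the listing markers the search string matches on. The function names, the sample tree and the sample page are constructed for illustration, and it assumes an Apache-style listing format.

```python
import os
import re
import tempfile

# Index file names the article lists; a real server may be configured with others.
INDEX_NAMES = {"index.htm", "index.html", "index.php"}

def listable_dirs(docroot):
    """Return docroot-relative directories that contain no index file.

    These are the directories a server with automatic listing enabled
    would render as a browsable file list.
    """
    exposed = []
    for path, _dirs, files in os.walk(docroot):
        if INDEX_NAMES.isdisjoint(files):
            exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)

# Strings an auto-generated Apache-style listing carries, the same ones
# the search string above keys on.
_TITLE = re.compile(r"<title>\s*index of\s", re.I)
_MARKERS = ("parent directory", "last modified")

def looks_like_listing(html):
    """True if an HTML body has the shape of an auto-generated listing."""
    lower = html.lower()
    return bool(_TITLE.search(html)) and all(m in lower for m in _MARKERS)

def demo():
    # Constructed sample tree: two directories with an index page, two without.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        os.makedirs(os.path.join(root, "uploads", "2008"))
        for rel in ("index.html", "blog/index.php", "uploads/2008/photo.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("x")
        return listable_dirs(root)

# Constructed sample of a server-generated listing page.
SAMPLE_LISTING = """<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1><pre>Name  Last modified  Size  Description
<a href="/">Parent Directory</a>
<a href="2008/">2008/</a>  01-Jan-2008 10:00  -</pre></body></html>"""

if __name__ == "__main__":
    print(demo())
    print(looks_like_listing(SAMPLE_LISTING))
```

A directory reported by `listable_dirs` is only exposed if the server also has automatic listing switched on, so treat the output as a list of places to add an index file or to turn listing off.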

But don’t you want to be selective?  Don’t you want to look for something in particular?  Well, if so, you can change the search string to look for ONLY pictures or ONLY music or ONLY video.  So….

-inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(wmv|avi)

This will only look for wmv and avi video files.  You can easily alter it if you don’t want “wmv” or “avi” or if you want “mpg” instead.   You get the idea.

-inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(jpg|gif)

This will only look for jpg and gif files. Again, you can alter the file formats to suit yourself.

-inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(wma|mp3)

This will only look for wma and mp3 music files.  Again you can easily change the file formats to suit yourself.

Just put the search string you need into the search engine box.   Then hit the ‘enter’ button and your results will come up.   I guarantee you’ll be hooked for ages trying to see what you can find!   You can also put a certain search term after your file format so :

[-inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(jpg|gif) "britney spears"]

Obviously you are not going to get perfect results.   You are going to have to wade through a lot of irrelevant and useless stuff some of the time but quite often you do find a lot of good stuff too.   It’s quite fun peeking into people’s unprotected folders seeing what they have stashed away.   Stuff like embarrassing photos, drunken videos, “provocative” material, and much more.

Some people have embedded these search algorithms into software which makes it easier to search for files.  One of them is Clickster which I reviewed last May. It searches for MP3s in people’s unprotected directories and it has a very nice simple GUI.

Some of you might say what right do we have to go browsing through people’s website folders?   But look at it this way – these people posted this stuff online – in an unprotected, insecure website folder. It’s as if they are asking for it to be found. They are making no effort to keep it hidden or secure and putting it out on the World Wide Web is the stupidest thing in the world to do if you want to keep something private and hidden.

So go out there, find it and enjoy it. Oh and let us know in the comments some of the stuff you managed to find in your searches.

Image Credit : dullhunk


31 Comments

penetrarthur

Your next step will be something like hacking pentagon or the white house. true hax

Walker

That’s exactly what we need;)

Disappointed

I have to say this article is very beneath your site. Yes, some people know about this but now you just let everyone know…guess you ran out of decent things to write about and ask people to post it here. I’ll be unsubscribing from your RSS and let’s see if this post gets deleted or not.

Simon

Thanks, this is actually very cool :)

sean

What were you thinking? This and your article on how to spy on your spouse between them are as low as I am willing to go. You used to have a fantastic reputation, now you’re another bottom feeder.

sean

You don’t need to do this kind of crap, you know

Yeti

Some of you might say what right do we have to go browsing through people’s website folders? But look at it this way – these people posted this stuff online – in an unprotected, insecure website folder. It’s as if they are asking for it to be found. They are making no effort to keep it hidden or secure and putting it out on the World Wide Web is the stupidest thing in the world to do if you want to keep something private and hidden.

Whatever helps you justify your actions eh? I must say makeuseof has been going downhill lately and this just shows it.

boooooo!

I like a lot of what you have to say but more junk like this and I’m unsubscribing.

conditionalmorality

This is by the makeuseof editor? Yeah I have to agree, this takes the blog in a direction you probably don’t want it to go.

So Mark, next time you leave your car door unlocked remember everything inside is fair game for whoever walks by and looks in the window :)

Phil

Agreed with all the comments. This was not a proper article to publish. Just because you can, doesn’t mean you should…or teach others how to either.

riiiiiiight

I’ll bite. I object to the faux morality and holier-than-thou attitude illustrated by some of the comments to this post. Better to be educated as to how to use technological tools than to throw the baby out with the bathwater by presuming nefarious use and acting “disgusted”. What disgusts me is people who don’t respect the value of understanding how technology works, and instead turn up their noses as if they’ve never thrown a stone. Maybe if website owners were intelligent enough to educate themselves on security, they wouldn’t leave out in the open whatever it is you all are so intent on protecting. I.e., read the post and begin to learn how to secure your site. [/rant]

yepriiiiiight

Sure you can learn something positive from the article. But the article isn’t about how to secure your site or “understanding how technology works” – it is about how to take other people’s items with the understanding that they probably didn’t want you to.
It’s your blame the victim mentality that disgusts me. Yep, leave your front door unlocked and it’s ok to take your tv set because you weren’t intelligent enough to educate yourself. Riiiiiiight.

PatrickI

Must agree this was a poor choice for a topic. Trying to justify yourself in the post means you know what you are doing/suggesting is wrong. Look how your readers are reacting. I wonder what your sponsors will think when we start complaining to them.

Please be responsible, censor yourself, and remove this post. Don’t turn makeuseof.com into another one of “those” sites.

Mark O’Neill

Oh for God’s sake, shut up. If you’re going to unsubscribe over one post then just do it and go read the Disney website. Stop getting on your pulpit and getting all holier-than-thou.

flink

Most of the whiners don’t realize that Google’s search keywords are available for all to use and are very powerful.

Besides that, the majority of them don’t understand how the net works and think it is just a series of tubes.

:-)

Joan

Forget holier-than-thou and learn to turn the other cheek. These are the comments after all, and so far they are expressing dismay in a more polite way than most flame-bait trolls tend to do.

Look, it’s an interesting article/read for those who don’t know how in-depth a search engine Google is, but the way the article was written felt more like a ‘rummaging files for dummies’ than the normal insightful reads this site usually had. You had a good idea, but the presentation was off.

You probably would have been better off touting the value of securing all types of files when creating websites and presenting this as a way of showing how these files can be accessed without the proper passwords or protocols when there’s no security in place. Cite how to secure said files, or at least allude that there’ll be another article to address it, and then MAYBE you wouldn’t have had the blowup in dismayed comments like you did.

flink

Quite the BS whining.

Just drop a blank index.html or index.htm file in the directory. Problem solved. Get a life, whiners.

Scott

There is nothing wrong with showing people how to find information using Google. This is not hacking or cracking. This is a way to find publicly accessible files. There is nothing to suggest that these sites weren’t intentionally made public. For those of you thinking otherwise, I suggest you spend your time “warning” the owners of these sites that their directories are public.

geekamongus

Wow…this article seems to have upset a lot of people, and I’m not sure why (none of them take time to explain why they are upset, rather, they just say some mean things about the owners of this web site). Perhaps it is because the article is about “hacking”, a word which has a much maligned stigma about it. Clearly, these upset people are off base in their assumptions about what this article really means.

It is true that people have open directories they are unaware of, but just because you choose to peruse through them doesn’t make you a “hacker” or a criminal or put your moral integrity into question. There are many valid reasons for having open directories and for letting Google index them.

If anything, this article should help make people aware of such things, and that they need to close their directories if they don’t want their data to be discovered through such means. The bad guys are out there, and they *will* be looking through your open directories, so if you are so concerned about this, close them up!

Why are people not upset at Google for making this all possible in the first place? (Not that I think they should be…they should be aiming their displeasure at people who don’t know how to secure their web sites/servers).

JK the Fifth

Well I must say that this article was interesting and I am definitely going to try it ( just to test it ;) ).

But this article should have been more like “how to protect your website directories by not being stupid and making an index file”, or something like that.

And to all the other “commenters”: It’s not that big of an issue, and I think most of MUO readers are smart and sensible enough to not use this trick to breach others’ privacy just for fun.

And unless this article reaches digg ( which seems very unlikely :D ), it is virtually harmless.

penetrarthur

This article would be okay if it wasn’t about “HOW TO HAX THE INTERNETS”, but about “how to improve your searching skills” or “how to google for more results”. You don’t have to change the body of the article, just the title.

Guy McDowell

Anybody with unprotected directories might want to look into .htaccess and how to use it to protect those directories. Just Google .htaccess.

flink

It’s much easier for most users to simply drop an index.htm or index.html file in that directory.

Alternatively, Apache’s config allows you to forbid directory scans.

Willblogforfood

If they didn’t want people in their directories they would protect them. This is a great article and it allows people to use Google to search for types of files they would be interested in. It is perfectly acceptable to look at these files and teach people how to access them. For all you nay sayers you might not want to visit websites anymore on Google because the site owner might not want you on it. Files in directories are no different than websites and are out on the net for the public to view.

wut

I do not think this kind of open access is stealing- The parallel that was mentioned regarding stealing from an unlocked car is invalid.

I actually DID have something taken from my car before. That’s something entirely different because well- I don’t have that thing anymore- It was TAKEN.

If someone looks at a file, the owner would still have it. The more accurate parallel would be that if you leave your living room drapes WIDE OPEN (which a lot of people actually do) and someone driving past in a car on the street takes a brief look out of idle curiosity (hey, to see what the house owners are watching on TV… since the drapes are WIDE OPEN)

Even if this touches a gray area I think people are making it a bigger deal than it is. For example, would ANYONE leave their bank records in their own websites, even if they did bother to put in an index.htm?

kmc212

You can take it a step further by using the “site:” Web site search.

Type the following into the Google search field:

site:apple.com index of

look at the results. cool

kmc212

Eslopy Franklin

Nice Work Bro Continue The Good Work…

LG

I stumbled on this article looking for something else, and IMO it’s good ‘need-to-know’ info for any admin wanting to protect their directories. Thanks for this heads-up.