Excellent Tricks and Techniques of Google Hacks

Overview: About Google Dorking

Google Dorking is a technique that involves using specific search queries and advanced search operators within Google’s search engine to find targeted information on the internet. It’s also sometimes referred to as "Google Hacking," although the term is somewhat misleading since the process doesn’t involve any actual hacking. Instead, it’s more similar to using Google to perform targeted searches that can uncover hidden or hard-to-find information.


The reason why Google Dorking can be so effective is that it takes advantage of the fact that many websites and servers store a lot of information that is publicly accessible, but not necessarily easily discoverable through general search queries. For example, webcams that are accessible on the internet can often be found through Google Dorking searches. Similarly, error logs or configuration files that contain sensitive information like passwords or other login credentials can sometimes be uncovered through this technique.

Mastering Google Dorks: A comprehensive list of dorks and how they work

=============================

Checking logs for credentials

allintext:username filetype:log

We will get a list of log files that contain the text “username”. This can be useful (for hackers) if the log by mistake contains the user credentials. If you explore the results a little bit and apply filters, you will be able to find usernames or passwords for further exploitation.


=============================

Webcams are super safe, right? Naaaah!

intitle:"webcamxp 5"

Google - intitle:"webcamxp 5" and you will find a list of webcams you can dive right into.


=============================

• intitle:index.of ws_ftp.ini
Or
• cache:FULL_URL/wsftp.ini

ws_ftp.ini is a configuration file for a popular FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference. These should not be on the web!

That’s some good stuff. Just copy/paste the text into your own WS FTP ini file and you’re good as gold (assuming you’re using the same version). Don’t forget - even if they have taken the file offline, use the "cache:FULL_URL/wsftp.ini" to see the contents.

Probably one of the best exploits I have seen in a long time. When I did it there were about 20 vulnerable computers; just recently there were 4, so I hope whitehats got to this before anyone else. Really nice!!


=============================

Unauthorized Access to Frontpage Websites and Password Theft

• "#-FrontPage-" inurl:service.pwd
• inurl:service.pwd

Using this dork, it is possible to gain unauthorized access to websites designed using "Frontpage" by stealing or discovering their passwords. If the password file is encrypted, it may be possible to decrypt it using a tool such as "John the Ripper".


=============================

Dork for finding Websites with Default auto-generated passwords

"AutoCreate=TRUE password=*"

This searches for the password for "Website Access Analyzer", a Japanese software that creates web statistics.


=============================

Fetch inline passwords from Search Engines

• "http://*:*@www" domainname
• http://admin:*@www

This is a query to get admin logins and inline passwords from search engines (not just Google). You must type in the query followed by the domain name without the .com or .net.


=============================

WS_FTP Configuration File Search Dork

• filetype:ini ws_ftp pwd
• "index of/" "ws_ftp.ini" "parent directory"

This "dork" is used to search for files with the ".ini" file extension that are related to the "ws_ftp" program and may contain passwords. The ".ini" file extension is commonly used for configuration files, and some programs, including ws_ftp, store login credentials in these files. By using this search query, someone may attempt to find vulnerable or exposed login credentials for the ws_ftp program.


=============================
Dork for locating password files

• filetype:pwd service

Microsoft Frontpage extensions appear on virtually every type of scanner. In the late 90's people thought they were hardcore by defacing sites with Frontpage. Today, there are still vulnerable servers found with Google.

An attacker can simply take advantage of administrators who 'forget' to set up the policies for Frontpage extensions. An attacker can also search for 'filetype:pwd users'.


=============================
Dork for Accessing Admin Account Data in Microsoft Access Databases (admin.mdb)

• allinurl: admin mdb

Not all of these pages are administrators' Access databases containing usernames, passwords and other sensitive information, but many are! They hold many administrator passwords and user passwords, a lot of emails and the like too…


=============================

Reveal potential login credentials

allinurl:auth_user_file.txt

This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program!!!). Some lists are bigger than others, all are fun.


=============================

Expose database credentials or website settings

intitle:index.of config.php

This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. Viewing the PHP files is where the catch lies: browsers are made to process the commands of PHP before display, so if there are no commands, there is nothing to show. You can't use that per se to get into the config file, but it would show potential threats if someone got into the server anyway. (If that happens you're basically boned anyway; there is not much way around that.)

By the way, to know how to view the PHP file contents, you can use this code:

intitle:"Index of" phpinfo.php


=============================

Reveal login credentials for a ColdFusion application

filetype:cfm "cfapplication name" password

These files contain ColdFusion source code. In some cases, the pages are examples that are found in discussion forums. However, in many cases these pages contain live source code with usernames, database names or passwords in plaintext.


=============================

Reveal FTP server credentials, IP addresses, and other sensitive information

filetype:ini inurl:flashFXP.ini

FlashFXP offers the easiest and fastest way to transfer any file using FTP, providing an exceptionally stable and robust program that you can always count on to get your job done quickly and efficiently. There are many, many features available in FlashFXP.

The flashFXP.ini file is its configuration file and may contain usernames/passwords and everything else that is needed to use FTP.

=============================

Reveal FTP server credentials and other sensitive information such as FTP server addresses and directory structures

filetype:ini ws_ftp pwd

The encryption method used in WS_FTP is _extremely_ weak. These files can be found with the "index of" keyword or by searching directly for the PWD= value inside the configuration file.


=============================

Reveal login credentials, usernames, and passwords

filetype:log inurl:"password.log"

These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user.
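
The log-file dorks on this page (allintext:username filetype:log, password.log) and the inline-password query only return hits when an application writes credentials into files that end up being served. One way to keep them out of logs at the source is a redacting logging filter; this is an added example, not part of the original article, and the key names, logger name and sample log lines are constructed assumptions:

```python
import io
import logging
import re

# user:password@ inside a URL, the pattern the "http://*:*@www" dork looks for.
URL_USERINFO = re.compile(r"(\b[a-z][a-z0-9+.-]*://)([^\s/:@]+):([^\s/@]+)@", re.I)
# key=value or key: value pairs whose key names a secret (assumed key names).
SECRET_KV = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)(\s*[=:]\s*)(\S+)")

def redact(text):
    """Mask URL credentials and secret key/value pairs in a string."""
    text = URL_USERINFO.sub(r"\1\2:***@", text)
    return SECRET_KV.sub(r"\1\2***", text)

class RedactingFilter(logging.Filter):
    """Logging filter that redacts the fully formatted message."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # the message is already formatted
        return True

def demo():
    """Log constructed sample lines through the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redact_demo")  # hypothetical logger name
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    log.info("login ok username=%s password=%s", "alice", "hunter2")
    log.info("fetching http://admin:s3cret@www.example.invalid/feed")
    log.info("user bob viewed page 7")
    return stream.getvalue().splitlines()
```

Attaching the filter to the handler rather than the logger means records propagated from child loggers are redacted as well.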


=============================

Reveal information about the server’s configuration and running processes

"index of" / lck

These lock files often contain the username of the user who has locked the file. Username harvesting can be done using this technique.


=============================

Reveal FTP server credentials and other sensitive information such as IP addresses and server directories

filetype:conf inurl:proftpd.conf -sample

A standard FTP configuration file that provides far too many details about how the server is set up, including installation paths, location of logfiles, generic username and associated group, etc.


=============================

Reveal usernames and other information related to the current user of a Windows computer

filetype:reg reg HKEY_CURRENT_USER username

This search finds registry files from the Windows Operating system. Considered the "soul" of the system, these files, and snippets from these files contain sensitive information, in this case usernames and/or passwords.


=============================

Reveal FTP server credentials and other sensitive information

+htpasswd +WS_FTP.LOG filetype:log

WS_FTP.LOG can be used in many ways to find more information about a server. This query is very flexible, just substitute "+htpasswd" for "+FILENAME" and you may get several hits that you hadn't seen with the 'normal' search.

Filenames suggested by the forum to explore are: phpinfo, admin, MySQL, password, htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage, CMS, backend, https, editor, intranet. The list goes on and on…

A different approach might be "allinurl: "some.host.com" WS_FTP.LOG filetype:log", which tells you more about who's uploading files to a specific site.


=============================


intitle:"Web Data Administrator - Login"

The Web Data Administrator is a utility program implemented in ASP.NET that enables you to easily manage your SQL Server data wherever you are. Using its built-in features, you can do the following from your favorite Web browser:

• Create and edit databases in Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Desktop Engine (MSDE)
• Perform ad-hoc queries against databases and save them to your file system
• Export and import database schema and data


=============================

Intitle:index.of/admin

No one can deny that the directory listings can be a source of great information.

This could potentially reveal sensitive information such as configuration files, backup files, and other administrative-related files that could be used by attackers to gain unauthorized access to the server.


=============================

Using special search string to find vulnerable websites:

The following search strings in Google will come up with a bunch of results. You can try one at a time and run SQLmap to hack a vulnerable website.

• inurl:php?=id1
• inurl:index.php?id=
• inurl:trainers.php?id=
• inurl:buy.php?category=
• inurl:article.php?ID=
• inurl:play_old.php?id=
• inurl:declaration_more.php?decl_id=
• inurl:pageid=
• inurl:games.php?id=
• inurl:page.php?file=
• inurl:newsDetail.php?id=
• inurl:gallery.php?id=
• inurl:article.php?id=
• inurl:show.php?id=
• inurl:staff_id=
• inurl:newsitem.php?num=


=============================

Passwords and Backups

• intitle:"Index of" passwords modified
• allinurl:auth_user_file.txt
• "access denied for user" "using password"
• "A syntax error has occurred" filetype:ihtml
• allinurl: admin mdb
• "ORA-00921: unexpected end of SQL command"
• inurl:passlist.txt
• "Index of /backup"
• "Chatologica MetaSearch" "stack tracking:"


=============================

Grab Passwords from Config Files

intitle:"Index of" config.php

Config.php files typically contain usernames and passwords for SQL databases. WordPress is a good example of a system that uses config.php files. Gaining access to this file gives you full access to the database itself along with its secret keys.


=============================

Accessing Backups

• filetype:bak inurl:"htaccess|passwd|shadow|htusers"

This is a Google search operator that looks for backup files (*.bak) created by website admins before updating to newer systems, which could potentially contain sensitive information such as database credentials, API keys, and other settings that are crucial for the functioning of the application. If you want to retrieve some hidden information from the backup file, you can download and save it locally. However, if you want to disrupt their backup, you could simply change the file extension, making the backup unusable and potentially causing data loss.


=============================

Google Dorks Updated Database for Files Containing Passwords:

• inurl:"cpanel username" "cpanel password" ext:txt

• "insert into users" "VALUES" ext:sql | ext:txt | ext:log | ext:env

• "password 7" ext:txt | ext:log | ext:cfg

• intitle:"index of" "idx_config"

• "mailer_password:" + "mailer_host:" + "mailer_user:" + "secret:" ext:yml

• intext:construct('mysql:host

• "keystorePass=" ext:xml | ext:txt -git -gitlab

• "define('SECURE_AUTH_KEY'" + "define('LOGGED_IN_KEY'" + "define('NONCE_KEY'" ext:txt | ext:cfg | ext:env | ext:ini

• intitle:"index of" "anaconda-ks.cfg" | "anaconda-ks-new.cfg"

• "define('DB_USER'," + "define('DB_PASSWORD'," ext:txt

• intitle:"index of" "config.exs" | "dev.exs" | "test.exs" | "prod.secret.exs"

• jdbc:oracle://localhost: + username + password ext:yml | ext:java -git -gitlab

• jdbc:postgresql://localhost: + username + password ext:yml | ext:java -git -gitlab

• jdbc:mysql://localhost:3306/ + username + password ext:yml | ext:javascript -git -gitlab

• "spring.datasource.password=" + "spring.datasource.username=" ext:properties -git -gitlab

• ext:log password END_FILE

• site:pastebin.com intext:admin.password

• "db.username" + "db.password" ext:properties

• ext:cfg "g_password" | "sv_privatepassword" | "rcon_password" -git -gitlab

• "server.cfg" ext:cfg intext:"rcon_password" -git -gitlab

• "anaconda-ks.cfg" | "ks.cfg" ext:cfg -git -gitlab

• rootpw --iscrypted ext:cfg

• "admin_password" ext:txt | ext:log | ext:cfg

• intitle:"index of" "password.ini"

• filetype:log intext:password after:2015 intext:@gmail.com | @yahoo.com | @hotmail.com

• "'username' =>" + "'password' =>" ext:log

• ext:txt intext:@yahoo.com intext:password

• intitle:"database.php" inurl:"database.php" intext:"db_password" -git -gitlab

• ext:xls intext:@gmail.com intext:password

• "POSTGRES_PASSWORD=" ext:txt | ext:cfg | ext:env | ext:ini | ext:yml | ext:sql -git -gitlab

• "/** MySQL database password */" ext:txt
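
The file names and strings in the dorks on this page can be turned into a self-audit of your own document root before a crawler indexes it. This is an added example, not part of the original article; the name, extension and marker lists are a selection drawn from the queries above, and the sample tree is constructed:

```python
import os
import re
import tempfile

# File names targeted by dorks on this page (compared in lower case).
RISKY_NAMES = {"ws_ftp.ini", "ws_ftp.log", "service.pwd", "auth_user_file.txt",
               "password.log", "passlist.txt", "flashfxp.ini", "proftpd.conf",
               "anaconda-ks.cfg", "ks.cfg", "password.ini"}
# Extensions the dorks look for that should not sit under a served web root.
RISKY_EXTS = {".bak", ".mdb", ".pwd", ".reg", ".lck", ".sql", ".env"}
# Content markers taken from the dork strings in the list above.
CONTENT_MARKERS = re.compile(
    rb"POSTGRES_PASSWORD=|spring\.datasource\.password=|keystorePass=|"
    rb"rcon_password|rootpw --iscrypted|define\('DB_PASSWORD'|"
    rb"db\.password|admin_password|mailer_password:")

def audit_docroot(root, max_bytes=65536):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name.lower())[1]
            if name.lower() in RISKY_NAMES:
                findings.append((rel, "risky file name"))
            elif ext in RISKY_EXTS:
                findings.append((rel, "risky extension " + ext))
            try:  # only the first max_bytes of each file are inspected
                with open(path, "rb") as fh:
                    hit = CONTENT_MARKERS.search(fh.read(max_bytes))
            except OSError:
                continue
            if hit:
                findings.append((rel, "contains " + hit.group().decode()))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    samples = {"index.html": "<h1>hello</h1>",
               "old/config.php.bak": "<?php define('DB_PASSWORD', 'constructed');",
               "ftp/WS_FTP.ini": "[site]\nHOST=example.invalid\n",
               "app/settings.yml": "POSTGRES_PASSWORD=constructed\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit_docroot(root)
```

Run `audit_docroot()` against the directory your web server actually serves; any finding is a file to move out of the web root or deny in the server configuration.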


=============================

For Bug Hunters:

intext:bounty inurl:/security
inurl:"bug bounty" and intext:"€" and inurl:/security
inurl:"bug bounty" and intext:"$" and inurl:/security
inurl:"bug bounty" and intext:"INR" and inurl:/security


=============================

A good point to start is the Google Hacking Database: https://www.exploit-db.com/google-hacking-database. If you are not sure about the query strings and how to frame them, go to this site and search for it. Several people have done it before, so you can use their search queries.


=============================

One of the key elements of Google Dorking is the use of advanced search operators. These are special commands that can be used within Google's search bar to refine the search results and narrow down the focus of the search. For example, the "site:" operator can be used to search for pages that are hosted on a specific website or domain. The "filetype:" operator can be used to search for files of a specific type, such as PDFs or Excel spreadsheets.

Of course, it's worth noting that not all uses of Google Dorking are ethical or legal. While the technique can be used for legitimate purposes, such as finding publicly accessible information about a company or organization, it can also be used for more nefarious purposes, such as searching for vulnerable servers or exploiting security vulnerabilities. As with any technology or technique, it's important to use Google Dorking responsibly and ethically, and to be mindful of the potential consequences of its use.

With this we come to the end of this write-up. Thank you for taking the time to read it. If you found this article unique and helpful, please feel free to give feedback and suggestions. I will continue to post more like this in the future, so please stay tuned for updates. Take care ☺️
