The Power of Google Dorking
Today I am going to talk about Google Dorking and how I got my first bounty ($500) with it. First we have to know...
What is Google Dorking?
If I give a diplomatic answer it's: Google Dorking is the practice of using specific keywords and logical operators to refine Google searches so that they return higher-quality results. But we’re not here for a robotic answer, so let’s get started with its practical use:
Let's say we’re searching for “facebook”.
As you can see from the picture below, just searching for “facebook” returns over 25 billion results. We don’t need that clutter.
So what can we do? We’re going to use a magic trick called “syntax” (search operators).
Now if I search for “site:facebook.com”, what do I get?
It narrows the results down to 700k.
Now let’s say we only want results that contain “machinist” in the URL. How do we do that? There’s a syntax called “inurl”.
Here is an example using the site and inurl syntax together:
site:facebook.com inurl:"machinist"
See? Now we get only the results that contain “machinist” in the URL. This is the power of Google Dorking: you can refine your results and clear out the clutter by combining various syntaxes.
You can find hundreds and thousands of “google dorks” available on the internet.
Some Important Dorks:
1. Finding Specific File Types:
filetype:pdf "annual report": Finds PDF files containing the phrase "annual report".
filetype:xls site:example.com: Finds Excel files on a specific website.
2. Index of Directories:
intitle:"index of" "parent directory" "backup": Searches for directory listings that might contain backup files.
3. Exposing Sensitive Information:
inurl:wp-content/uploads: Finds potentially sensitive uploads on WordPress sites.
inurl:admin filetype:log: Searches for log files that might contain admin information.
4. Finding Login Pages:
inurl:admin login: Locates admin login pages.
intitle:"login" "admin": Another way to find admin login pages.
5. Discovering Vulnerable Files:
filetype:sql "password": Searches for SQL files containing the word "password".
inurl:"phpinfo.php": Finds pages with PHP information, which can reveal server configuration details.
6. Email Harvesting:
intext:"@gmail.com": Searches for Gmail addresses.
site:example.com intext:"email": Finds email addresses on a specific website.
7. Finding Unprotected Database Information:
intitle:"phpMyAdmin" "Welcome to phpMyAdmin ***": Finds phpMyAdmin login pages.
inurl:"dbadmin": Searches for database administration panels.
8. Default Credentials:
inurl:"/cgi-bin/" intext:"default password": Searches for devices with default passwords in their configurations.
9. Finding Configuration Files:
filetype:conf intext:"password": Looks for configuration files that contain passwords.
filetype:env "DB_PASSWORD": Searches for environment files (.env) that might contain database passwords.
Some Examples:
Use Case - Operator - Example Usage
Finding a specific file on a specific website - `filetype:` - site:example.com filetype:xls
Search for directory listings containing backup files - `intitle:` - intitle:"index of" "parent directory" "backup"
Finding pages that link to a specific URL - `link:` - link:example.com/uploads/89547
Search for log files containing admin information - `inurl:` - inurl:admin filetype:log
Search for Gmail addresses - `intext:` - intext:"@gmail.com"
How Dangerous Is Google Dorking?
Google Dorking is a useful tool, but it can also be harmful when misused. It surfaces information that a normal search would never show and that may have been put online by mistake, leading to the disclosure of confidential data. For instance, someone who has no permission to access a system can use it to find unsecured databases, login credentials, or private files. It can also expose weaknesses in a website, leaving it open to attack by cybercriminals.
Is Google Dorking Illegal?
No, it’s not illegal if you use it to find resources or for research purposes. But if you use it to find sensitive information on a site you don't have permission to test, and abuse that information, it could lead to severe consequences.
How to Prevent Data Leakage by Google Dorking?
1. Secure Sensitive Areas: Protect confidential areas with authentication (usernames and passwords) and IP-based access controls.
2. Encrypt Data: Keep data secure by encrypting sensitive information like usernames, passwords, credit card numbers, emails, IP addresses, and phone numbers.
3. Regular Scans: Run regular vulnerability scans on your website, using typical Google dork search strings to pinpoint potential exposures.
4. Conduct Self-Dorking: Examine your website with dork queries to uncover any public data before attackers can. For common queries, check Exploit-DB.
5. Block with Robots.txt: Use a robots.txt file in your website's root directory to instruct search engines not to index sensitive content.
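A self-dorking helper, added here as an example and not part of the original post or of any tool it names: it implements the site:, inurl:, filetype:, intitle: and intext: operators explained above as offline checks over your own crawl or sitemap data, so the dorks listed earlier can be run against a site before Google indexes it. The Page records and the example.com crawl are constructed; the wildcard form site:*.nz from the bounty story is handled too.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Page:
    url: str    # full URL as a crawler would see it
    title: str  # text of the <title> element
    text: str   # visible body text

def parse_dork(query: str) -> list[tuple[str, str]]:
    """Split a dork into (operator, value) pairs; unqualified words get operator 'text'."""
    pairs = re.findall(r'(?:(\w+):)?("[^"]*"|\S+)', query)
    return [(op.lower() or "text", val.strip('"').lower()) for op, val in pairs]

def term_holds(page: Page, op: str, val: str) -> bool:
    """Evaluate one operator the way the operators listed above behave."""
    parsed = urlparse(page.url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    if op == "site":                        # site:example.com includes subdomains,
        dom = val.lstrip("*").lstrip(".")   # so site:*.nz is just any host under .nz
        return host == dom or host.endswith("." + dom)
    if op == "filetype":
        return path.endswith("." + val)
    haystack = {"inurl": page.url, "intitle": page.title, "intext": page.text,
                "text": f"{page.url} {page.title} {page.text}"}  # bare term: anywhere
    if op in haystack:
        return val in haystack[op].lower()
    return False                            # link: (retired by Google in 2017), cache:, ... not modelled

def matches(page: Page, query: str) -> bool:
    """Google ANDs all terms, so every term must hold for the page to be surfaced."""
    return all(term_holds(page, op, val) for op, val in parse_dork(query))

def self_dork(pages: list[Page], dorks: list[str]) -> dict[str, list[str]]:
    """Map each dork to the URLs from our own crawl that it would surface."""
    return {d: [p.url for p in pages if matches(p, d)] for d in dorks}

# Constructed sample crawl of a fictional site (example.com is a reserved name).
CRAWL = [
    Page("https://example.com/reports/annual-report-2023.pdf", "Annual Report 2023", "Our annual report ..."),
    Page("https://static.example.com/old/", "Index of /old", "Parent Directory  backup-2023.tar.gz"),
    Page("https://example.com/phpinfo.php", "phpinfo()", "PHP Version 8.2 ..."),
    Page("https://example.com/.env", "", "DB_PASSWORD=changeme"),
    Page("https://example.com/blog/hello", "Hello", "Welcome to our blog."),
]
DORKS = ['site:example.com filetype:pdf "annual report"', 'intitle:"index of" "parent directory" "backup"',
         'inurl:"phpinfo.php"', 'filetype:env "DB_PASSWORD"', 'site:example.com inurl:admin filetype:log']
```

Treat every URL it returns as something to put behind authentication or remove; robots.txt only asks crawlers not to index and is itself publicly readable, so on its own it does not close the exposure.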
Some Popular Hacking Resources Related to Google Dorking:
1. Exploit-DB
2. Dorki
Now comes the interesting part: how I got my first bounty by using these dorks and a simple tool called “nuclei”.
So, I was surfing the internet as always and an idea came to my mind. I thought, why don’t I find all the sites under “.nz”? Practically, I was searching for all the New Zealand sites that have a VDP (Vulnerability Disclosure Program).
So, I used a simple google dork:
site:*.nz "vulnerability disclosure"
In this search query, the asterisk (*) is a wildcard. It means the search will look for any website with a ".nz" domain that contains the phrase "vulnerability disclosure", regardless of what comes before the ".nz" in the domain name.
On the first page I found a site which looked pretty fresh to me. So I simply ran Nuclei and found three endpoints leaking very sensitive information.
Those three endpoints were:
Though the last two endpoints were low-severity issues, the “config” endpoint disclosed some pretty sensitive information publicly.
As they didn’t pay any bounty, I reported it and hoped for nothing. After a week I got an email saying I had been rewarded $500.
So, this is how I got my first bounty just by using a simple dork and a tool that every beginner hunter in the cybersec community knows. I’ll try to write about how you can find bugs using nuclei in the next blog. Till then, stay hydrated and keep pushing your limits.