top of page
©
Search

Dorking your way in!

Google Hacking is evergreen topic in Cyber Security. They said if you can’t use google at his best you are not really a hacker.

Before we go in depth on this topic, let me clear some basic things about “Google Hacking.”

Google hacking is a term defined by Jonny Long, the maintainer of the Google hacking database.

Google hacking is best known as “Google Dorking”. It’s not a hacking of a google infrastructure and google products or their subsidiaries.

Google hacking is an Information Gathering technique which is helpful to find sensitive files or sensitive information exposed on the internet.

So, if you are wondering that, “is dorking works on other search engines?” The answer would be “yes”!

It doesn’t matter if you use google.com or duckduckgo.com, you will get results according to your queries.

Basically, using dorking you can find Vulnerabilities on web applications and on servers with the help of almost any search engines.

Well, you can’t hack sites directly using Google, but as it has tremendous web-crawling capabilities, it can index almost anything within your website, including sensitive information. This means you could be exposing too much information about your web technologies, usernames, passwords, and general vulnerabilities without even knowing it.

Apart from the search engines you can do some dorking in GitHub for sensitive information. We will see dorks for that later in this blog.

Be aware that Google also knows who you are when you perform this kind of query for this reason and many others, it’s advised to use it only with good intentions.

Also Google will start blocking your connection if you connect from a single static IP. It will ask for captcha challenges to prevent automated queries.

To take a note, GitHub dorks works differently than google dorks.




Operators and How to use them!

There are number of google dorks available which you can use to get juicy information.

Here’s how you put your query in search box

Operator: Search Term

· Inurl: It will search the specified keyword in URL.

Ex: target.com inurl:admin

· Allinurl: This is similar to above with a difference of multiple keywords you can use in a single query.

Ex: target.com allinurl:wp-content/plugins/wptf-image-gallery/

· Intext: It will search for specific text on a webpage.

Ex: target.com intext:Table structure for table `wp_users`

· Allintext: searches for multiple specific text contained on web page

Ex: target.com allintext: /iissamples/default/

· Intitle: It will search for various keywords inside the title of the HTML page.

Ex: target.com intitle:Index of /__MACOSX ...

· Filetype: It will query for certain file type

Ex: target.com filetype:csv

· Ext: it is similar to filetype.

Ex: target.com ext:sql

· Site: It will show you results just for mentioned website

Ex: site:target.com

· Cache: This will show you cached version of any website.

Ex: cache:target.com

· Link: This will show the list of web pages that have links to the specified URL.

Ex: link: facebook.com

· *: This works as a wildcard, which can be used to find the pages that contains anything before your word.

Ex: How to * a cake.


· |: This is a logical operator which works like a “or”.

Ex: intitle:"NetCamSC*" | intitle:"NetCamXL*" inurl:index.html

· +: this is used to concatenate two words.

Ex: inurl:8080 intext:"httpfileserver 2.3"

· –: This is used to query a negative search.

Ex: jdbc:mysql://localhost:3306/ username password ext:yml | ext:java -git –gitlab


Using above dorks for better results


  • Let's say you want to find a log file of a firewall system which has a title “firewall.log” on page. The following dork will be useful for finding such files.


intitle:"index of" "firewall.log" | "firewall.logs"


Some of the “intitle” and “allintitle” dorks which worth of looking

intitle:"Index of /" .htaccess.old

intitle:"Wing FTP Server - Web"

allintitle: \"index of/admin\"


  • Another example of a great dork, to find exposed git directory is following

inurl: /.git

"Reflector Dashboard" inurl:/db/index.php/

allinurl:index.php?db=information_schema


Combining dorks for better results.


  • Let’s say you want to find passwords in a log file

allintext:password filetype:log


Some other dorks which combined with other operators to make it more powerful.

filetype:env "DB_PASSWORD"

allintext:username,password filetype:log

intext:"wordpress" filetype:xls login


Finding live webcams

intitle:"webcamXP 5" inurl:8080 'Live'

intitle:"WEBCAM 7 " -inurl:/admin.html

intitle:"EvoCam" inurl:"webcam.html"


Using ext operator with other operators,

"spring.datasource.password=" "spring.datasource.username=" ext:properties -git -gitlab

"db.username" "db.password" ext:properties

GitLab ssh.log ext:log

Database:phpmyadmin intext:mysql ext:sql inurl:phpmyadmin


Using filetype operator with other operators,

intitle:"index of" inurl:/*sql* filetype:log

s3 site:amazonaws.com filetype:xls password

filetype:svn -gitlab -github inurl:"/.svn"

inurl:/php-errors.log filetype:log


GitHub Dorking:

GitHub dorking is similar to google dorking with a difference of,

Google dorks searches on whole internet which also includes GitHub whereas GitHub dorks only searches on publicly available GitHub repositories. You can also search for code within a particular repository or organization.

You can normally find sensitive files, API keys, Passwords, Customer data, subdomains, sensitive urls while doing GitHub Dorking.

The format is similar to the google dork

Operator keyword

Let’s say you want to find a specific file on GitHub. You can use following dork for that.

Filename .bash_profile

The above dork will find all “.bash_profile” files available on GitHub. Now you want to reduce your searches to specific things. Say you want to find passwords in “.bash_profile” so you can use,

Filename .bash_profile password

There are couple of things you can do with “filename”,

filename:.env DB_USERNAME

filename:.esmtprc password

filename:credentials aws_access_key_id

There is one option which you can use to search a term in specific programming language file,

language:sql username

language:java api key

language:shell secret


You can also find data using specific extensions,

extension:sql mysql dump

extension:json api.segment.io

extension:yaml mailchimp.com


Disclaimer:

This blogspot is written for those who have no idea and/or new to the information security. The information shared in this blog are only for educational purpose.

Author and Secure Logic aren't in charge of any and have/has no responsibility for any kind of:

· Malicious act, capable of causing damage to any organizations using above information.


References:

All dorks are taken from exploit-db and credit goes to the original authors.

https://www.bugcrowd.com/resources/webinars/github-recon-and-sensitive-data-exposure/

368 views1 comment

Recent Posts

See All

802.11 Wi-Fi Architecture

Introduction Wireless networks often extend an existing wired infrastructure. The wired infrastructure may be quite complex to begin with, especially if it spans several buildings in a campus setting.

1 comentario


Every cloud provider has their own claim, AWS says if you don't know to use Amazon cloud services, you are not an IT professional or a cybersecurity guy, it's good to know major CSP platforms & their services, best practices around the same as cybersecurity person.

Me gusta
bottom of page