Google Dorks

Google Dorking in Cybersecurity - Netlas Blog

Google Dorks for Bug Bounty

dork.py:

# 1 - Select all the results from https://taksec.github.io/google-dorks-bug-bounty/ by pressing Ctrl+A.
# 2 - Paste them into a file named result.txt.
# 3 - Run the script.
# 4 - Copy and paste the generated URLs into https://dnschecker.org/url-opener.php to open them all at once.

import re

# Path to the file containing the Google Dorks
file_path = "result.txt"

# Function to read the file content and generate URLs
def generate_google_dork_urls(file_path):
    try:
        # Read the file
        with open(file_path, "r") as file:
            content = file.read()
        
        # Extract Google Dorks (expressions containing "site:", "inurl:", "intitle:", etc.)
        pattern = r'(site:[^\n]+|inurl:[^\n]+|intitle:[^\n]+|ext:[^\n]+|".+?")'
        dorks = re.findall(pattern, content)
        
        # Remove extra spaces and unnecessary characters
        dorks = [dork.strip() for dork in dorks]
        
        # Generate Google Search URLs
        urls = [f"https://www.google.com/search?q={dork.replace(' ', '+')}" for dork in dorks]
        
        return urls
    except FileNotFoundError:
        print(f"Error: The file {file_path} was not found.")
        return []

# Call the function
urls = generate_google_dork_urls(file_path)

# Write the results to a file
output_file = "google_dork_urls.txt"
with open(output_file, "w") as file:
    file.write("\n".join(urls))

print(f"URLs generated and saved in the file '{output_file}'.")

inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com

inurl:http://example.com intitle:"index of"
inurl:http://example.com intitle:"index of" "database.sql"
inurl:http://example.com intitle:"index of /" "*key.pem"
inurl:http://example.com ext:log
inurl:http://example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:http://example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
inurl:http://example.com intitle:"index of" "config.db"
inurl:http://example.com allintext:"API_SECRET*" ext:env | ext:yml
inurl:http://example.com intext:admin ext:sql inurl:admin
inurl:http://example.com allintext:username,password filetype:log site:http://example.com "-----BEGIN RSA PRIVATE KEY-----" - inurl:id_rsa
site:http://codepad.co "keyword"
site:http://scribd.com "keyword"
site:http://npmjs.com "keyword"
site:http://npm-runkit.com "keyword"
site:http://libraries.io "keyword"
site:http://ycombinator.io "keyword"
site:http://coggle.it "keyword"
site:http://papaly.com "keyword"
site:http://google.com "keyword"
site:http://trello.com "keyword"
site:http://prezi.com "keyword"
site:http://jsdelivr.net "keyword"
site:http://codepen.io "keyword"
site:http://codeshare.io "keyword"
site:http://sharecode.io "keyword"
site:http://pastebin.com "keyword"
site:http://repl.it "keyword"
site:http://productforums.google.com "keyword"
site:http://gitter.im "keyword"
site:http://bitbucket.org "keyword"
site:*http://atlassian.net "keyword"
inurl:gitlab "keyword"
inurl:github "keyword"

Grab a cofee and wait

GitHub - IvanGlinkin/Fast-Google-Dorks-Scan: The OSINT project, the main idea of which is to collect all the possible Google dorks search combinations and to find the information about the specific web-site: common admin panels, the widespread file types and path traversal. The 100% automated.GitHub

https://raw.githubusercontent.com/netlas-io/netlas-scripts/refs/heads/main/google_dorking_automatization.py

python3 google_dorking_automatization.py -i file_with_scope

Find Subdomains

site:.example.com -site:www.example.com

Return indexed results linked to *.example.com but exclude www.example.com.

Google Search for AWS

intext:cie_name inurl:amazonaws.com``

AWS

S3 Buckets

site:.s3.amazonaws.com "company"

Public bucket ? Search for credentials and secrets:

GitHub - saw-your-packet/CloudShovel: A tool for scanning public or private AMIs for sensitive files and secrets. The tool follows the research made on AWS CloudQuarry where we scanned 20k+ public AMIs.GitHub

Permissions ?

AWS

R2 Storage Bucket

If your target is making use of R2 storage buckets, check if R2 .dev is enabled - R2 .dev is a feature to make buckets public for development purposes and is recommended to be turned off when the storage bucket is used for production

site:.r2.dev "company"

Google Search for Azure

intext:cie_name inurl:core.windows.net

Azure

Google Search for GCP

GCP

Bucket

site:storage.googleapis.com

site:console.cloud.google.com/storage/browser/_details
site:console.cloud.google.com/storage/browser

BigQuery DB

site:cloud.google.com "BigQuery dataset"
site:*.cloud.google.com inurl:bigquery "dataset"

KMS

inurl:"keyRing" inurl:"cryptoKey" intext:"Google Cloud"
site:cloud.google.com "KMS" "keys"
filetype:pdf "kms" "keyRing" "cryptoKey"
filetype:pdf "bindings" "role" "serviceAccount" "kms"

VM Instances

intitle:"Google Cloud" inurl:"compute" "vm image"
site:github.com "google cloud" "vm image" filetype:yaml OR filetype:json
inurl:"compute/docs/images" intitle:"Google Cloud"

filename:*.yaml "image:" "gce-vm-image"
filename:*.tf "source_image" "google_compute_instance"
filename:*.yml "hosts:" "tasks:" "google_compute"

SQL DB

intitle:"Google Cloud SQL" inurl:docs "instance"
site:*.com filetype:sql "google_cloud_sql"
site:github.com "google cloud sql" filename:*.tf

filename:.env "sql_password" OR "db_password"
filename:credentials.json "type":"service_account" "sqladmin.googleapis.com"
filename:*.json "databaseVersion" "google_sql_database_instance"

Cloudflare R2 Buckets

Search for private CF R2 buckets:

site:.r2.cloudflarestorage.com "company"

Search for public CF R2 buckets (with R2.dev enabled):

site:.r2.dev "company"

Hacking misconfigured Cloudflare R2 buckets: a complete guideIntigriti

Finding Login Pages

site:example.com inurl:login

site:example.com (inurl:login OR inurl:admin)

Identifying Exposed Files

site:example.com filetype:pdf

site:example.com (filetype:xls OR filetype:docx)

Uncovering Configuration Files:

site:example.com inurl:config.php

site:example.com (ext:conf OR ext:cnf) (searches for extensions commonly used for configuration files)

Locating Database Backups

site:example.com inurl:backup

site:example.com filetype:sql

Operator	Operator Description	Example	Example Description
site:	Limits results to a specific website or domain.	site:example.com	Find all publicly accessible pages on example.com.
inurl:	Finds pages with a specific term in the URL.	inurl:login	Search for login pages on any website.
filetype:	Searches for files of a particular type.	filetype:pdf	Find downloadable PDF documents.
intitle:	Finds pages with a specific term in the title.	intitle:"confidential report"	Look for documents titled "confidential report" or similar variations.
intext: or inbody:	Searches for a term within the body text of pages.	intext:"password reset"	Identify webpages containing the term “password reset”.
cache:	Displays the cached version of a webpage (if available).	cache:example.com	View the cached version of example.com to see its previous content.
link:	Finds pages that link to a specific webpage.	link:example.com	Identify websites linking to example.com.
related:	Finds websites related to a specific webpage.	related:example.com	Discover websites similar to example.com.
info:	Provides a summary of information about a webpage.	info:example.com	Get basic details about example.com, such as its title and description.
define:	Provides definitions of a word or phrase.	define:phishing	Get a definition of "phishing" from various sources.
numrange:	Searches for numbers within a specific range.	site:example.com numrange:1000-2000	Find pages on example.com containing numbers between 1000 and 2000.
allintext:	Finds pages containing all specified words in the body text.	allintext:admin password reset	Search for pages containing both "admin" and "password reset" in the body text.
allinurl:	Finds pages containing all specified words in the URL.	allinurl:admin panel	Look for pages with "admin" and "panel" in the URL.
allintitle:	Finds pages containing all specified words in the title.	allintitle:confidential report 2023	Search for pages with "confidential," "report," and "2023" in the title.
AND	Narrows results by requiring all terms to be present.	site:example.com AND (inurl:admin OR inurl:login)	Find admin or login pages specifically on example.com.
OR	Broadens results by including pages with any of the terms.	"linux" OR "ubuntu" OR "debian"	Search for webpages mentioning Linux, Ubuntu, or Debian.
NOT	Excludes results containing the specified term.	site:bank.com NOT inurl:login	Find pages on bank.com excluding login pages.
* (wildcard)	Represents any character or word.	site:socialnetwork.com filetype:pdf user* manual	Search for user manuals (user guide, user handbook) in PDF format on socialnetwork.com.
.. (range search)	Finds results within a specified numerical range.	site:ecommerce.com "price" 100..500	Look for products priced between 100 and 500 on an e-commerce website.
" " (quotation marks)	Searches for exact phrases.	"information security policy"	Find documents mentioning the exact phrase "information security policy".
- (minus sign)	Excludes terms from the search results.	site:news.com -inurl:sports	Search for news articles on news.com excluding sports-related content.

---

Online Tools

Google Dorks for Bug Bounty

Investigator

Dork King

Google Hacking - Free Google Dorks for ReconPentest-Tools.com

Database

https://www.exploit-db.com/google-hacking-databasewww.exploit-db.com

Resources

Google dorking for beginners: how to find more vulnerabilities using Google searchIntigriti