# Google Dorks

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% embed url="<https://taksec.github.io/google-dorks-bug-bounty/>" %}

{% embed url="<https://netlas.io/blog/google_dorking_in_cybersecurity/>" %}

dork.py:

```python
# 1 - Select all the results from https://taksec.github.io/google-dorks-bug-bounty/ by pressing Ctrl+A.
# 2 - Paste them into a file named result.txt.
# 3 - Run the script.
# 4 - Copy and paste the generated URLs into https://dnschecker.org/url-opener.php to open them all at once.

import re
from urllib.parse import quote_plus

# Path to the file containing the Google Dorks
file_path = "result.txt"

# Function to read the file content and generate URLs
def generate_google_dork_urls(file_path):
    try:
        # Read the file
        with open(file_path, "r", encoding="utf-8") as file:
            content = file.read()

        # Extract Google Dorks (expressions containing "site:", "inurl:", "intitle:", etc.)
        pattern = r'(site:[^\n]+|inurl:[^\n]+|intitle:[^\n]+|ext:[^\n]+|".+?")'
        dorks = re.findall(pattern, content)

        # Remove extra spaces and unnecessary characters
        dorks = [dork.strip() for dork in dorks]

        # Generate Google Search URLs; quote_plus URL-encodes quotes, "|", "&", "#"
        # and other reserved characters, and turns spaces into "+"
        urls = [f"https://www.google.com/search?q={quote_plus(dork)}" for dork in dorks]

        return urls
    except FileNotFoundError:
        print(f"Error: The file {file_path} was not found.")
        return []

# Call the function
urls = generate_google_dork_urls(file_path)

# Write the results to a file (skipped when nothing was extracted)
output_file = "google_dork_urls.txt"
if urls:
    with open(output_file, "w", encoding="utf-8") as file:
        file.write("\n".join(urls))
    print(f"URLs generated and saved in the file '{output_file}'.")
else:
    print("No dorks found; nothing was written.")
```


```
inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com
```

```
inurl:http://example.com intitle:"index of"
inurl:http://example.com intitle:"index of" "database.sql"
inurl:http://example.com intitle:"index of /" "*key.pem"
inurl:http://example.com ext:log
inurl:http://example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:http://example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
inurl:http://example.com intitle:"index of" "config.db"
inurl:http://example.com allintext:"API_SECRET*" ext:env | ext:yml
inurl:http://example.com intext:admin ext:sql inurl:admin
inurl:http://example.com allintext:username,password filetype:log site:http://example.com "-----BEGIN RSA PRIVATE KEY-----" - inurl:id_rsa
site:http://codepad.co "keyword"
site:http://scribd.com "keyword"
site:http://npmjs.com "keyword"
site:http://npm-runkit.com "keyword"
site:http://libraries.io "keyword"
site:http://ycombinator.io "keyword"
site:http://coggle.it "keyword"
site:http://papaly.com "keyword"
site:http://google.com "keyword"
site:http://trello.com "keyword"
site:http://prezi.com "keyword"
site:http://jsdelivr.net "keyword"
site:http://codepen.io "keyword"
site:http://codeshare.io "keyword"
site:http://sharecode.io "keyword"
site:http://pastebin.com "keyword"
site:http://repl.it "keyword"
site:http://productforums.google.com "keyword"
site:http://gitter.im "keyword"
site:http://bitbucket.org "keyword"
site:*http://atlassian.net "keyword"
inurl:gitlab "keyword"
inurl:github "keyword"
```

## Xnldorker

{% embed url="<https://github.com/xnl-h4ck3r/xnldorker>" %}

{% embed url="<https://osintteam.blog/automating-google-dorking-for-bug-bounty-2339abb4b910>" %}

## Grab a coffee and wait

{% embed url="<https://github.com/six2dez/dorks_hunter>" %}

{% embed url="<https://github.com/IvanGlinkin/Fast-Google-Dorks-Scan>" %}

{% embed url="<https://raw.githubusercontent.com/netlas-io/netlas-scripts/refs/heads/main/google_dorking_automatization.py>" %}

```
python3 google_dorking_automatization.py -i file_with_scope
```

{% embed url="<https://github.com/revoltsecurities/googledorker>" %}

## DorkSearch

{% embed url="<https://dorksearch.com/>" %}

## Find Subdomains

```
site:.example.com -site:www.example.com
```

Return indexed results linked to `*.example.com` but exclude `www.example.com`.

## Cloud - All in One

```
site:.s3.amazonaws.com OR site:.blob.core.windows.net OR site:.storage.googleapis.com OR site:.r2.cloudflarestorage.com OR site:.r2.dev "company"
```

## Google Search for AWS

`intext:cie_name inurl:amazonaws.com`

{% content-ref url="/pages/yF3gRLtIPmAWfVxyFu7i" %}
[AWS](/0xss0rz/cloud/aws.md)
{% endcontent-ref %}

### S3 Buckets

```
site:.s3.amazonaws.com "company"
```

Public bucket? Search for credentials and secrets:

{% embed url="<https://github.com/saw-your-packet/CloudShovel>" %}

Permissions?

{% content-ref url="/pages/yF3gRLtIPmAWfVxyFu7i" %}
[AWS](/0xss0rz/cloud/aws.md)
{% endcontent-ref %}

### R2 Storage Bucket

If your target uses R2 storage buckets, check whether R2 .dev is enabled. R2 .dev is a feature that makes buckets public for development purposes, and it is recommended to turn it off when the storage bucket is used for production.

```
site:.r2.dev "company"
```

## Google Search for Azure

`intext:cie_name inurl:core.windows.net`

{% content-ref url="/pages/9B0sgnQLMKw4O81wJMOT" %}
[Azure](/0xss0rz/cloud/azure.md)
{% endcontent-ref %}

## Google Search for GCP

{% content-ref url="/pages/E9R1h7lSR43Ei0GXLhGq" %}
[GCP](/0xss0rz/cloud/gcp.md)
{% endcontent-ref %}

### Bucket

```
site:storage.googleapis.com
```

```
site:console.cloud.google.com/storage/browser/_details
site:console.cloud.google.com/storage/browser
```

### BigQuery DB

```
site:cloud.google.com "BigQuery dataset"
site:*.cloud.google.com inurl:bigquery "dataset"
```

### KMS

```
inurl:"keyRing" inurl:"cryptoKey" intext:"Google Cloud"
site:cloud.google.com "KMS" "keys"
filetype:pdf "kms" "keyRing" "cryptoKey"
filetype:pdf "bindings" "role" "serviceAccount" "kms"
```

### VM Instances

```
intitle:"Google Cloud" inurl:"compute" "vm image"
site:github.com "google cloud" "vm image" filetype:yaml OR filetype:json
inurl:"compute/docs/images" intitle:"Google Cloud"
```

```
filename:*.yaml "image:" "gce-vm-image"
filename:*.tf "source_image" "google_compute_instance"
filename:*.yml "hosts:" "tasks:" "google_compute"
```

### SQL DB

```
intitle:"Google Cloud SQL" inurl:docs "instance"
site:*.com filetype:sql "google_cloud_sql"
site:github.com "google cloud sql" filename:*.tf
```

```
filename:.env "sql_password" OR "db_password"
filename:credentials.json "type":"service_account" "sqladmin.googleapis.com"
filename:*.json "databaseVersion" "google_sql_database_instance"
```

## Cloudflare R2 Buckets

**Search for private CF R2 buckets:**

```
site:.r2.cloudflarestorage.com "company"
```

**Search for public CF R2 buckets (with R2.dev enabled):**

```
site:.r2.dev "company"
```

{% embed url="<https://blog.intigriti.com/hacking-tools/hacking-misconfigured-cloudflare-r2-buckets-a-complete-guide>" %}

## Finding Login Pages

`site:example.com inurl:login`

`site:example.com (inurl:login OR inurl:admin)`

## Identifying Exposed Files

`site:example.com filetype:pdf`

`site:example.com (filetype:xls OR filetype:docx)`

## Uncovering Configuration Files

`site:example.com inurl:config.php`

`site:example.com (ext:conf OR ext:cnf)` (searches for extensions commonly used for configuration files)

## Locating Database Backups

`site:example.com inurl:backup`

`site:example.com filetype:sql`

| Operator                | Operator Description                                         | Example                                             | Example Description                                                                     |
| ----------------------- | ------------------------------------------------------------ | --------------------------------------------------- | --------------------------------------------------------------------------------------- |
| `site:`                 | Limits results to a specific website or domain.              | `site:example.com`                                  | Find all publicly accessible pages on example.com.                                      |
| `inurl:`                | Finds pages with a specific term in the URL.                 | `inurl:login`                                       | Search for login pages on any website.                                                  |
| `filetype:`             | Searches for files of a particular type.                     | `filetype:pdf`                                      | Find downloadable PDF documents.                                                        |
| `intitle:`              | Finds pages with a specific term in the title.               | `intitle:"confidential report"`                     | Look for documents titled "confidential report" or similar variations.                  |
| `intext:` or `inbody:`  | Searches for a term within the body text of pages.           | `intext:"password reset"`                           | Identify webpages containing the term “password reset”.                                 |
| `cache:`                | Displays the cached version of a webpage (if available).     | `cache:example.com`                                 | View the cached version of example.com to see its previous content.                     |
| `link:`                 | Finds pages that link to a specific webpage.                 | `link:example.com`                                  | Identify websites linking to example.com.                                               |
| `related:`              | Finds websites related to a specific webpage.                | `related:example.com`                               | Discover websites similar to example.com.                                               |
| `info:`                 | Provides a summary of information about a webpage.           | `info:example.com`                                  | Get basic details about example.com, such as its title and description.                 |
| `define:`               | Provides definitions of a word or phrase.                    | `define:phishing`                                   | Get a definition of "phishing" from various sources.                                    |
| `numrange:`             | Searches for numbers within a specific range.                | `site:example.com numrange:1000-2000`               | Find pages on example.com containing numbers between 1000 and 2000.                     |
| `allintext:`            | Finds pages containing all specified words in the body text. | `allintext:admin password reset`                    | Search for pages containing both "admin" and "password reset" in the body text.         |
| `allinurl:`             | Finds pages containing all specified words in the URL.       | `allinurl:admin panel`                              | Look for pages with "admin" and "panel" in the URL.                                     |
| `allintitle:`           | Finds pages containing all specified words in the title.     | `allintitle:confidential report 2023`               | Search for pages with "confidential," "report," and "2023" in the title.                |
| `AND`                   | Narrows results by requiring all terms to be present.        | `site:example.com AND (inurl:admin OR inurl:login)` | Find admin or login pages specifically on example.com.                                  |
| `OR`                    | Broadens results by including pages with any of the terms.   | `"linux" OR "ubuntu" OR "debian"`                   | Search for webpages mentioning Linux, Ubuntu, or Debian.                                |
| `NOT`                   | Excludes results containing the specified term.              | `site:bank.com NOT inurl:login`                     | Find pages on bank.com excluding login pages.                                           |
| `*` (wildcard)          | Represents any character or word.                            | `site:socialnetwork.com filetype:pdf user* manual`  | Search for user manuals (user guide, user handbook) in PDF format on socialnetwork.com. |
| `..` (range search)     | Finds results within a specified numerical range.            | `site:ecommerce.com "price" 100..500`               | Look for products priced between 100 and 500 on an e-commerce website.                  |
| `" "` (quotation marks) | Searches for exact phrases.                                  | `"information security policy"`                     | Find documents mentioning the exact phrase "information security policy".               |
| `-` (minus sign)        | Excludes terms from the search results.                      | `site:news.com -inurl:sports`                       | Search for news articles on news.com excluding sports-related content.                  |

***

## Online Tools

{% embed url="<https://taksec.github.io/google-dorks-bug-bounty/>" %}

{% embed url="<https://abhijithb200.github.io/investigator/>" %}

{% embed url="<https://iamunixtz.github.io/LazyDork/>" %}

{% embed url="<https://dorkking.blindf.com/>" %}

{% embed url="<https://sacsecurity.tech/dork.html?s=03>" %}

{% embed url="<https://pentest-tools.com/information-gathering/google-hacking>" %}

## Database

{% embed url="<https://www.exploit-db.com/google-hacking-database>" %}

## Resources

{% embed url="<https://blog.intigriti.com/hacking-tools/google-dorking-for-beginners-how-to-find-more-vulnerabilities-using-google-search>" %}


## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Open Source Intelligence Techniques**](https://www.amazon.fr/dp/169903530X?tag=0xss0rz-21)\
  Learn how to gather data using OSINT tools and strategies.

