======================================== ===========files and directories======== ======================================== //manually site:codepad.co "||z||" site:scribd.com "||z||" site:npmjs.com "||z||" site:npm.runkit.com "||z||" site:libraries.io "||z||" site:coggle.it "||z||" site:papaly.com "||z||" site:trello.com "||z||" site:prezi.com "||z||" site:jsdelivr.net "||z||" site:codepen.io "||z||" site:pastebin.com "||z||" site:repl.it "||z||" site:gitter.im "||z||" site:bitbucket.org "||z||" site:*.atlassian.net "||z||" Inurl:gitlab "||z||" //indicate haw huge is google has links for the website site:|$| site:*.|$| -www site:*.*.|$| -www site:*.*.*.|$| -www // Back link link:X -site:|$| //logs site:|$| inurl:logs*. //Finding passwords password filetype:docx OR filetype:doc OR filetype:pdf OR filetype:xls site:|$| //all subdomain site:|$| -inurl:www //just http scheme inurl:http:// site:|$| -inurl:https //get all not http&https scheme -inurl:http: -inurl:https site:|$| -filetype:pdf // sensitive files may contain vulns site:|$| inurl:*id* | inurl:*category* | inurl:*file* | inurl:*f* | inurl:*page* | inurl:id | inurl:id //sensitive admin panel site:|$| inurl:admin OR intext:logged OR "dashboard" OR "administrator" OR "user" -intext:visitor -filetype:pdf //directory listing @ dangerious files site:|$| intext:"Index of /" +.htaccess site:|$| intext:"Index of" /"chat/logs" site:|$| intext:"Index of /" +.htaccess site:|$| intext:"Index of /" +passwd site:|$| intext:"Index of /" +password.txt site:|$| intext:"Index of /admin" site:|$| intext:"Index of /backup" site:|$| intext:"Index of /mail" site:|$| intitle:"index of" AND password OR passwd OR pwd intext:"last modified" site:|$| intext:"Index of /password" site:|$| intext:"The following report contains confidential information" vulnerability -search site:|$| intext:"phpMyAdmin" "running on" inurl:"main.php" site:|$| intitle:"index of" etc/shadow site:|$| intitle:"index of" htpasswd site:|$| intitle:"index of" master.passwd site:|$| intitle:"index of" mysql.conf OR mysql_config site:|$| intitle:"index of" passwd site:|$| intext: account details filetype: txt =========================================================== ========== FILES DIRECTORIES ▐ sesitive info ============== =========================================================== //directory listing site:|$| intitle:"index of" //less result filetype:bak | filetype:db | filetype:sql | filetype:eml | filetype:old | filetype:inc | filetype:config | filetype:conf | filetype:pem | ext:mdb | filetype:ds_store | inurl:ws_ftp.ini | filetype:git | inurl:.git/config & site:|$| & -filetype:pdf //more results filetype:bak | inurl:.db | inurl:.sql | inurl:.eml | inurl:old| inurl:inc | inurl:.config | inurl:pem | inurl:.ds_store | inurl:ws_ftp.ini | inurl:.git | inurl:.git/config & site:|$| & -filetype:pdf //less impact filetypes site:|$| filetype:svn | filetype:idea | filetype:swp | filetype:stpasswd | filetype:coredump | filetype:winscp | filetype:filezilla.xml | filetype:xml | filetype:csv | filetype:txt | filetype:doc //more result site:|$| AND inurl:zip | inurl:tar | inurl:gz | inurl:tgz | inurl:rar AND -inurl:pdf //less result site:|$| AND filetype:zip | filetype:tar | filetype:gz | filetype:tgz | filetype:rar AND -inurl:pdf //all asp or php //get all asp | php scripts //for fun identity crisis :D site:|$| & inurl:php & inurl:asp //sql inj inurl:= inurl:= intext:"Warning: mysql_fetch_assoc()" site:|$| //show all robots.txt site:|$| ext:txt robot ================== ====get params==== ================== //links has at least 1 parameter site:|$| AND (inurl:= & inurl:?) site:|$| (inurl:= & inurl:?) //get links have parameters [why get ?id or ?file although you can get all params ] - 2 params @ least site:|$| -filetype:pdf AND inurl:& inurl:= //id param site:|$| -filetype:pdf inurl:*id* ======================== =====sensitive info===== ======================== ===▐ best ▐=== //good info [use allinurl] inurl:= inurl:& "illegal"|"invalid"| "account" | "details" |"fail"|"not found"|"unknown"|"sql"|"access"|"file" site:|$| inurl:= inurl:& "access"|"log"| "account" | "root" |"include"|"private"|"attach"|"upload"|"access"|"cmd" site:|$| inurl:= inurl:& "default"|"mail"| "bin" | "etc" |"shadow"|"boor"site:*.mil //error pages - content spoofing -filetype:pdf site:|$| inurl:error inurl:? site:|$| "error" "404" -filetype:pdf -filetype:doc -filetype:pdf site:|$| inurl:text +inurl:? //xss [no more ideas :D ] site:|$| (inurl:= & inurl:?) & inurl:text | inurl:title | inurl:message| inurl:body //ssrf , open redirect site:|$| (inurl:= & inurl:?) & inurl:url | inurl:site | inurl:next | inurl:view | inurl:to | inurl:r | inurl:redirect | inurl:out | inurl:target | inurl:domain | inurl:fetch //warning & error in page contain parameters inurl:|$| inurl:& intext:"Warning" | intext:"error" site:*.mil //wordpress site:|$| intext:"powered by wordpress" // email site:|$| "*@*" -www.X -------------------------------- # Backlinks link:X -site:|$| # Documents / Key / Cert site:|$| filetype:crt || filetype:pem || filetype:der || filetype:cert || filetype:pdf || filetype:doc || filetype:xml || filetype:txt || filetype:xls || filetype:ppt || filetype:pps || filetype:docx || filetype:wps || filetype:rtf || filetype:csv || filetype:pptx || filetype:xlsx || filetype:xlr || filetype:sxw || filetype:psw # Configuration files site:|$| filetype:pwl || filetype:pol || filetype:pl || filetype:sh ||filetype:ini || filetype:ht || filetype:exe || filetype:cgi || filetype:api || filetype:pdb || filetype:sql || filetype:ins || filetype:cfg || filetype:keychain || filetype:prf || filetype:conf # Configuration files by extention site:|$| ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:ora | ext:log | ext:dbf | ext:mdb | ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup # Archives site:|$| filetype:zip || filetype:rar || filetype:jar || filetype:tar.gz || filetype:7z || filetype:tar.b2z || filetype:tar.7z || filetype:tar # Error / SQL / Complete site:|$| inurl:"id=" intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()" | intext:"Warning: mysql_num_rows()" | intext:"Warning: ilesize()" | intext:"Warning: filesize()" | intext:"Warning: require()" | intext:"Warning: mysql_fetch_assoc()" | intext:"Warning: mysql_fetch_array()" | intext:"Warning: session_start()" | intext:"Warning: Unknown()" | intext:"Warning: getimagesize()" | intext:"Warning: is_writable()" | intext:"Warning: session_start()" | intext:"Warning: mysql_result()" | intext:"Warning: Warning: pg_exec()" # Keywords in url site:|$| inurl:admin||administrator||administrateur||login||l0gin||log||user||id||back||wso # Misc / other keywords in url site:|$| inurl:history||access||acces||log||license||readme||meta||root||sql||source||include||private||src||cgi||conf||account||asset||attach||audit||upload||auth||backup||bkup||build||cmd||demo||sample||default||defaut||mail||bin||etc||shadow||passwd||boot # ID site:|$| inurl:"id=" site:|$| inurl:"php?id=" # Index of site:|$| intitle:index.of (site:|$| inurl:s3) # search some how leaked data here #=============================== site:trello.com "company name" site:scribd.com "|$|" site:npmjs.com "|$|" site:npm.runkit.com "|$|" site:libraries.io "|$|" site:coggle.it "|$|" site:papaly.com "|$|" site:prezi.com "|$|" site:jsdelivr.net "|$|" site:codepen.io "|$|" site:pastebin.com "|$|" site:repl.it "|$|" site:gitter.im "|$|" site:bitbucket.org "|$|" site:*.atlassian.net "|$|" Inurl:gitlab "|$|" # Some resources for specific research / exploits / systems https://cxsecurity.com/dorks/ https://www.exploit-db.com/google-hacking-database/ ============================================================ #draft ============================================================ allinurl -vs- inurl site -vs- link intitle -vs- allintitle -vs- title allintitle:login page allintitle:login page lol allintitle:"login page lol" //get fb user&pass accounts - do it for scoped site filetype:txt intext:@ymail.com intext:facebook intext:password filetype:xls intext:@ymail.com intext:facebook intext:password filetype:doc intext:@ymail.com intext:facebook intext:password filetype:doc intext:@gmail.com intext:facebook intext:password filetype:doc intext:@yahoo.com intext:facebook intext:password ===============# TIPS #================== -use custom time & get hidden result by remove some result like =>> -unurl:sub.site.com note: inurl:*id* get more result than inurl:id //figure is dir has information disclusre link:ftp://tycho.usno.navy.mil/pub/ enumerate subdomain by search step by step by site: -site: inurl:& is maybe wrong - use inurl:? instead Remove Multiple Subdomains Example use: site:domainname.com -inurl:stage -inurl:dev -inurl:staging site:fayoum.edu.eg AND (inurl:= & inurl:?) is different than site:fayoum.edu.eg AND (inurl:= AND inurl:?) between intitle: , allintitle , inurl , intext , allintext , filetype etc no (AND , &) //not respond to my operator site:www.fayoum.edu.eg inurl:*id* -allinurl:"showCV.aspx Courses/CDetails.aspx" & -allinurl:showCV site:www.fayoum.edu.eg inurl:*id* -allinurl:"showCV.aspx -inurl:Courses/CDetails.aspx *showCV*" i want to get this link as result http://www.fayoum.edu.eg/AdDetails.aspx?adsId=7303 //this work but don't want to do this site:fayoum.edu.eg inurl:*id* inurl:AdDetails AND operator is not necessary to specify it, because it is automatically implied. So don’t bother with it. //rest api custom search ☻☻☻☻☻☻☻☻☻☻ https://developers.google.com/custom-search/json-api/v1/using_rest //later subdomian takover search engine =====# resources #===== https://apollonsky.me/growth-hacking-google-dork/ https://moz.com/blog/mastering-google-search-operators-in-67-steps https://moz.com/blog/25-killer-combos-for-googles-site-operator https://moz.com/learn/seo/search-operators http://www.googleguide.com/advanced_operators_reference.html#allinurl https://productforums.google.com/forum/#!topic/websearch/9q6vrgAAYyY https://moz.com/learn/seo/search-operators