Google Dorking: Search Engine Techniques
Google is more powerful than you think; here you will learn to harness that power with Google Dorking: a means of uncovering information hidden from most.
We all know how useful Google can be. It's the most widely used search engine on the planet.
Google crawls nearly every web page on every website and collects them as entries in its database. The vast majority of our searches are no more than a few keypresses and clicks away.
However, few know how to use the true potential of Google. The art of using specialised queries and operators to extract precise information from Google's vast database is known as "Google Dorking", probably one of the dumbest names I've ever heard.
Regardless of my feelings, this technique can help you narrow down your searches, help uncover "hidden" information - it's still technically publicly available, otherwise Google wouldn't index it - target specific file types, and maybe even uncover some vulnerabilities.
Basic Operators
Some of these may seem like the logical operations that you use in programming, such as AND or OR operations. If you're OK with these then learning this will be much easier because they work basically the same way.
AND - Keyword1 AND Keyword2 shows the results of both keywords in a single search
OR - Can search for Keyword1 OR Keyword2. If you're more of a programmer, or you can't use caps, | (pipe) will do the same thing
" " - Exact match, this forces search engines to search for the exact value inside the quotes.
() - Can be used to group operators
- - Negation operator, excludes any term that comes after it. Example: apple -"steve jobs"
* - wildcard operator represents any possible character, used the same way as regex.
#..# - Search using a range. Example: 2020..2023
Advanced Operators
site: - This operator restricts results to a specific domain. site:nullslashdev.com shows results only from nullslashdev.com.
filetype: - If you're looking for a specific type of file, this operator is invaluable. filetype:pdf will search only for PDF files.
intitle: - Searches for a specific phrase within the titles of web pages. intitle:"login page" will find pages with login page in their title.
allintitle: - Functionally the same as intitle, the key difference being that all specified words must appear in the title.
inurl: - Finds URLs that contain a specific word or phrase. inurl:admin will show results that have the word "admin" in their URL.
cache: - This operator shows the cached version of a specific webpage. cache:nullslashdev.com displays the cached version of nullslashdev.com.
intext: - Searches for a specific phrase within the content of web pages. intext:"password" may reveal pages containing the word "password."
related: - Finds websites related to a specified domain. related:nullslashdev.com will show websites related to nullslashdev.com.
link: - Searches for web pages linking to a specific URL. link:nullslashdev.com finds sites that link to nullslashdev.com.
inanchor: - Finds web pages that have hyperlinks with the text specified. Use inanchor:"sign up" to find the sign up link in nullslashdev.com.
Let's take a moment to clarify the distinction between these two: intitle: and allintitle:.
Query: intitle:apple pie recipe
This will return web pages with the word 'apple' in the title that also contain 'pie' and 'recipe' in the content (not necessarily the title).
Query: allintitle: apple pie recipe
When using allintitle:, all words after the operator must appear in the title of the returned pages.
Some of you might be wondering what the difference is between intitle:"apple pie recipe" and allintitle:apple pie recipe.
There is a very important distinction that you need to understand between these two.
As mentioned before, the " " operator looks for exact matches.
Meaning intitle:"apple pie recipe" will return all pages with this exact phrase in the title.
On the other hand, allintitle:apple pie recipe will return pages that must have 'apple', 'pie', and 'recipe' in the title, but it doesn't have to be that exact phrase.
It could return "Pie recipe that will make you love an apple!" (just go with it...).
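The three title queries compared above, as an added Python example that is not part of the original post. It models the matching rules as this page describes them, not Google's actual behaviour; the sample pages and the names TERM, PAGES, words, contains, matches and hits are constructed for illustration.

```python
import re

# One query term: optional intitle: prefix, then a "quoted phrase" or a bare word.
TERM = re.compile(r'(intitle:)?(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed sample pages as (title, body); not real search results.
PAGES = [
    ("Pie recipe that will make you love an apple!", "Bake it for an hour."),
    ("Apple desserts", "Our favourite pie recipe uses cinnamon."),
    ("Classic apple pie recipe", "Flour, butter and sugar."),
    ("Pumpkin pie recipe", "No apple needed."),
]

def words(text):
    """Lower-case a string and split it into words, dropping punctuation."""
    return re.findall(r"[a-z0-9]+", text.lower())

def contains(haystack, term):
    """True if the word or phrase occurs in haystack as consecutive words."""
    needle = words(term)
    n = len(needle)
    return n > 0 and any(haystack[i:i + n] == needle
                         for i in range(len(haystack) - n + 1))

def matches(query, title, body):
    """Apply the page's intitle:/allintitle: rules to one page (a model only)."""
    title_w, body_w = words(title), words(body)
    query = query.strip()
    if query.lower().startswith("allintitle:"):
        rest = query[len("allintitle:"):]
        # Every term after allintitle: must appear in the title, in any order.
        return all(contains(title_w, p or w) for _, p, w in TERM.findall(rest))
    # intitle: binds only to the term attached to it; other terms may match
    # in the title or in the body.
    return all(contains(title_w, p or w) if op
               else contains(title_w, p or w) or contains(body_w, p or w)
               for op, p, w in TERM.findall(query))

def hits(query):
    """Indexes of the PAGES entries that the query matches."""
    return [i for i, (title, body) in enumerate(PAGES) if matches(query, title, body)]

if __name__ == "__main__":
    for q in ('intitle:apple pie recipe', 'allintitle: apple pie recipe',
              'intitle:"apple pie recipe"'):
        print(f"{q!r:32} -> {[PAGES[i][0] for i in hits(q)]}")
```

The fourth sample page mentions "apple" only in its body, so none of the three queries returns it.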
Have some fun combining a few of these operators together and see what you can find.
filetype:xls site:*.com inurl:*.xls
Another clever trick is finding PHP applications online, many of which are vulnerable to SQL injection.
inurl:index.php?id=
filetype:sql intext:password | pass | passwd
IP webcams are a thing. Some places may set up webcams that connect to their network and are openly available to view on the internet.
inurl:webcam.html
You can learn and practice more here: