Advanced Google Dorking part 2

May 16, 2023

Advanced Google Dorking: A Masterclass in Search and Cybersecurity

Google Dorking, often referred to as Google hacking, utilizes the advanced search capabilities of the Google search engine to uncover hidden or sensitive information that is publicly accessible but not meant to be exposed. By leveraging specific search operators, professionals can pinpoint files, configurations, or vulnerabilities indexed by Google. In this blog, we explore Google Dorking from its basics to advanced usage with detailed examples, tools, and ethical considerations.

Introduction

The internet is a vast repository of information, much of which is deliberately shared with the world. However, not all data indexed by search engines like Google is meant to be openly accessible. Misconfigurations, errors, or ignorance can lead to sensitive data being exposed to public scrutiny. Google Dorking is a technique that takes advantage of these oversights. Originally used for benign purposes, such as enhancing search precision, it has evolved into a potent tool in the fields of cybersecurity, penetration testing, and OSINT (Open Source Intelligence).

This blog is your gateway to mastering the art of Google Dorking. Whether you are a cybersecurity professional looking to strengthen your defensive strategies or an ethical hacker aiming to uncover vulnerabilities responsibly, understanding how to wield Google Dorking effectively is essential. Through this guide, we will:

  • Demystify the key search operators that power Google Dorking.
  • Explore advanced techniques with practical examples.
  • Highlight the tools that enhance its efficiency.
  • Discuss how to defend against Google Dorking as an organization.

As you delve into the following sections, remember that with great power comes great responsibility. Ethical considerations must always be at the forefront of your efforts, ensuring this knowledge is used constructively and within the bounds of the law.

📂 WordPress Directory Structure

Credit: ChatGPT

Looking at the directory structure above, we can pick out the following information:

Vulnerable plugins can be found in /wp-content/plugins/

Sensitive uploaded documents end up in /wp-content/uploads/

In the root directory itself we can also fuzz for backup files. Developers create these when they need to change existing code: for safety they make a backup copy of what is already there before editing it.

Backup files can be named, for example:

/wp-config.php-bak
/wp-config.php.bak
/wp-config.php.new
/wp-config.php.old
/wp-config.php_Old
/wp-config.php_bak
/wp-config.php_new
/wp-config.php_old
/wp-config.bak

/wp-config.php_2024
/wp-config.php.bak_2024
/wp-config.php.2024_backup

Many fuzzing wordlists are already publicly available, but you can modify them by adding the more plausible name variations that are missing. That way we stay one step ahead of the majority who don't bother adding their own flavours.🤑

1️⃣ XLS & XLSX

inurl:wp-content/uploads/ ext:xlsx site:domain.com
inurl:wp-content/uploads/ ext:xls site:domain.com
inurl:wp-content/uploads/ ext:xls "@gmail.com" site:domain.com
inurl:wp-content/uploads/ ext:xlsx "@gmail.com" site:domain.com
inurl:wp-content/uploads/ ext:xls "date of birth" site:domain.com
inurl:wp-content/uploads/ ext:xlsx "date of birth" site:domain.com
inurl:wp-content/uploads/ ext:xls "INTERNAL USE ONLY" site:domain.com
inurl:wp-content/uploads/ ext:xlsx "INTERNAL USE ONLY" site:domain.com

Replace gmail.com with proton.me, hotmail.com, the company's official mail domain, and any other email provider, etc.

Replace “INTERNAL USE ONLY” with “CONFIDENTIAL”, “HIGHLY CONFIDENTIAL”, “PRIVATE USE ONLY”, “NOT FOR PUBLIC RELEASE”.

The point to note here is that the dork inurl:wp-content/uploads/ ext:xlsx site:domain.com and the dork site:domain.com ext:xlsx may lead to different results; the latter might give no results, but when combined with inurl:wp-content/uploads/ , we can

2️⃣ PDF

inurl:wp-content/uploads/ ext:pdf site:domain.com
inurl:wp-content/uploads/ ext:pdf "@gmail.com" site:domain.com
inurl:wp-content/uploads/ ext:pdf "date of birth" site:domain.com
inurl:wp-content/uploads/ ext:pdf "INTERNAL USE ONLY" site:domain.com

Try other extensions as well, apart from xlsx, xls and pdf, such as:

  • odt, odf
  • doc, docx
  • csv
  • db
  • sql
  • ini
  • config, conf
  • ppt, pptx
  • zip

It is not possible to include every file extension, but the point to note is that information can hide in any type of file that is crawled and indexed by search engines.
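The markers the dorks above look for (email addresses, "date of birth", "INTERNAL USE ONLY" and its variants) are exactly what a site owner can grep for before a crawler does. The following is an added example, not code from the original post: a pre-publication scan of a WordPress uploads directory that runs on the defender's own server. It only reads text-based formats (csv, txt, ini, conf, sql, ...); xlsx, pdf and docx would need a text-extraction library first, which is left out here. The sample files are constructed in a temporary directory and are not real data.

```python
"""Scan a WordPress uploads directory for the same markers the dorks above
search for (email addresses, "date of birth", "INTERNAL USE ONLY", ...).

Added example, not code from the original post: it is a pre-publication check
run on the defender's own server, so a document is caught before a crawler
indexes it. Only text-based formats are scanned; xlsx/pdf/docx would need a
text-extraction library (assumption: not included). The sample files are
constructed in a temporary directory.
"""
import re
import tempfile
from pathlib import Path

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Phrases from the post; "confidential" also covers "HIGHLY CONFIDENTIAL".
SENSITIVE_PHRASES = ("date of birth", "internal use only", "confidential",
                     "private use only", "not for public release")

# Extensions that can be read as plain text (the post's csv, ini, conf, sql ...).
TEXT_EXTENSIONS = {".csv", ".txt", ".ini", ".conf", ".config", ".sql",
                   ".json", ".xml", ".html", ".md"}


def scan_text(text: str) -> list[str]:
    """Return marker hits for one document's text: phrase hits first, then an
    email count such as 'emails:2' when any address is present."""
    lower = text.lower()
    hits = [f"phrase:{p}" for p in SENSITIVE_PHRASES if p in lower]
    email_count = len(EMAIL_RE.findall(text))
    if email_count:
        hits.append(f"emails:{email_count}")
    return hits


def scan_uploads(uploads_dir: str) -> dict[str, list[str]]:
    """Map each flagged file (path relative to uploads_dir) to its hits."""
    root = Path(uploads_dir)
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue  # binary formats need a text extractor; skipped here
        hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_uploads() -> str:
    """Constructed sample uploads tree (not real data) in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    samples = {
        "2024/03/staff-list.csv": "name,email,date of birth\n"
                                  "Alice,alice@example.com,1990-01-01\n"
                                  "Bob,bob@example.org,1985-05-05\n",
        "2024/03/notes.txt": "INTERNAL USE ONLY - draft pricing for Q3\n",
        "2024/04/brochure.txt": "Visit our shop, open 9 to 5 on weekdays.\n",
    }
    for rel, content in samples.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    # A binary file that the text scan must skip.
    (base / "2024/04/photo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return str(base)


if __name__ == "__main__":
    for rel, hits in scan_uploads(build_sample_uploads()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Point it at the real `wp-content/uploads/` and run it as a cron job or as a pre-upload hook; anything it flags should be moved out of the web root or served with an `X-Robots-Tag: noindex` header before it reaches an index.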

3️⃣ BACKUP FUZZING

inurl:/wp-content/backup-

Use this as part of custom fuzzing as well.

inurl:/wp-content/backup-FUZZ #hyphen
inurl:/wp-content/backup_FUZZ #underscore

First try the wordlists included in SecLists, then Assetnote's wordlists, and later build custom wordlists with CeWL by extracting keywords from the web pages themselves. Also gather possible names by looking at the company's official GitHub repositories.
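The backup-file names listed in the wp-config section above and the backup-/backup_ entries this section fuzzes for are far cheaper to find from the inside than from a search engine. The following is an added example, not code from the original post: an audit script that walks a WordPress document root on the defender's own server and reports the leftovers. Rather than enumerating the post's list, it generalises it: any root-level entry named wp-config* other than wp-config.php and wp-config-sample.php, any backup-*/backup_* file or directory directly under wp-content, and any file with a classic backup suffix anywhere in the tree. The sample tree is constructed in a temporary directory.

```python
"""Audit a WordPress document root for the backup leftovers described above.

Added example, not code from the original post: it runs on the defender's own
server filesystem, so the check happens before a search engine can index the
file. The name rules are generalised from the post's list (wp-config variants,
backup-* / backup_* entries under wp-content, classic backup suffixes); the
sample tree below is constructed in a temporary directory.
"""
import tempfile
from pathlib import Path

# Names starting with "wp-config" that are legitimate and must not be flagged.
WP_CONFIG_ALLOWED = {"wp-config.php", "wp-config-sample.php"}

# Suffixes editors and admins leave behind (the post lists -bak, .bak, .new,
# .old, _Old, _bak, _new, _old; .orig and ~ are common additions).
BACKUP_SUFFIXES = (".bak", ".old", ".new", "-bak", "_bak", "_old", "_new",
                   "-backup", "_backup", ".orig", "~")


def is_wp_config_leftover(name: str) -> bool:
    """Any root-level entry named wp-config* other than the allowed names is a
    leftover. This covers every variant in the post, including year tags such
    as wp-config.php_2024, without enumerating them."""
    lower = name.lower()
    return lower.startswith("wp-config") and lower not in WP_CONFIG_ALLOWED


def find_backup_artifacts(webroot: str) -> list[str]:
    """Return webroot-relative paths (forward slashes, sorted) of suspicious
    files and directories."""
    root = Path(webroot)
    findings: set[str] = set()
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        # Rule 1: wp-config leftovers directly in the document root.
        if path.parent == root and is_wp_config_leftover(name):
            findings.add(rel)
        # Rule 2: backup-* / backup_* files or directories under wp-content.
        if path.parent == root / "wp-content" and name.startswith(("backup-", "backup_")):
            findings.add(rel)
        # Rule 3: classic backup suffixes anywhere in the tree.
        if path.is_file() and name.endswith(BACKUP_SUFFIXES):
            findings.add(rel)
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed sample tree (not a real site) in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    sample_files = [
        "wp-config.php",                           # legitimate
        "wp-config-sample.php",                    # ships with WordPress
        "wp-config.php.bak",                       # leftover from the post's list
        "wp-config.php_2024",                      # year-tagged leftover
        "wp-content/backup-2024-05/db.sql",        # backup directory (the dir is flagged)
        "wp-content/backup_old.zip",               # backup archive
        "wp-content/uploads/2024/report.pdf",      # normal upload, not flagged
        "wp-content/themes/custom/style.css.old",  # editor leftover
    ]
    for rel in sample_files:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder\n")
    return str(base)


if __name__ == "__main__":
    for finding in find_backup_artifacts(build_sample_webroot()):
        print("backup leftover:", finding)
```

Rule 1 is deliberately broad: a new suffix or year tag that no wordlist knows about yet still starts with wp-config, so the audit catches it while a fuzzer would miss it. Run it from a deploy hook and fail the deploy when the list is non-empty.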

4️⃣ DIRECTORY LISTING

intitle:index of /wp-content
intitle:index of /wp-content/uploads
intitle:index of /wp-content/bak
intitle:index of /wp-content/backup
intitle:index of /wp-content/2024

Combine this with other sensitive dorks.

5️⃣ PRIVATE DIRECTORY

inurl:/wp-content/ inurl:private
inurl:/wp-content/ inurl:internal

Pro Tip: If Google returns no results, always try dorking with Bing, DuckDuckGo, Yahoo, Yandex, etc.

🐞 How to pick endpoints for it?

subfinder -d domain.com > subs.txt
cat subs.txt | httpx -title -ip -sc -td > httpx_subs.txt
cat httpx_subs.txt | grep -i "wordpress" > wordpress_endpoints_domain.txt
waymore -i domain.com -mode U -oU waymore_domain.txt
cat waymore_domain.txt | grep -i "wp-"

6. SPLASHMODAL API ENDPOINT

inurl:/api/v1/splashmodal site:domain.com
inurl:/api/v1/splashmodal site:*.domain.com
inurl:/api/v1/splashmodal site:*.gov
inurl:/api/v1/splashmodal site:*.gov.*
inurl:/api/v1/splashmodal site:*.ai
inurl:/api/v1/splashmodal site:*.edu
inurl:/api/v1/splashmodal site:*.edu.*
inurl:/api/v1/splashmodal site:*.org
inurl:/api/v1/splashmodal site:*.net
inurl:/api/v1/splashmodal site:*.nl
inurl:/api/v1/splashmodal site:*.com

#in general stuff
inurl:/api/v1/ site:domain.com
inurl:/api/v2/ site:domain.com
inurl:/api/v3/ site:domain.com
inurl:/api/v4/ site:domain.com

7. WEB RESOURCE

inurl:webresource
inurl:webresource inurl:.axd
inurl:webresource inurl:&
inurl:webresource inurl:?

8. SharePoint Web Services Exposed Endpoints

Nowadays, crowd-sourced platforms don't accept reports based on this alone; further exploitation is needed, which I will cover in another article if I am able to. Two or three years ago they were accepting reports based just on the exposed endpoints, but for self-hosted programs you can still try reporting; they might accept it, who knows.

Reference: U.S. Dept Of Defense disclosed on HackerOne: SharePoint Web… (hackerone.com). Summary: Any unauthenticated/anonymous users are able to access the SharePoint Web Services (.wsdl files) for the…

inurl:_vti_bin inurl:asmx
inurl:asmx inurl:services
inurl:wsdl inurl:services
inurl:wsdl inurl:web
inurl:wsdl inurl:server

#also add inurl:? sometimes

9. .ASHX

ASP.NET Web Handler files are used:

  • To serve dynamically generated content: images or files.
  • To process data from embedded forms or other requests.
  • As endpoints for APIs or custom web-based logic.

inurl:.ashx inurl:&
inurl:/Handlers/PdfHandler
inurl:.ashx? inurl:=
https://domain[.]com/Handlers/PdfHandler.ashx?id=numberhere
#combine them
inurl:print
inurl:view
inurl:export

10. ALIST

Just another storage provider.

"Powered by AList"

11. Potential Command Injection Endpoint

I regularly see endpoint screenshots posted on X and LinkedIn where the researcher blurs out the domain name; however, if the path contains unique keywords, we can sometimes narrow it down to that exact application.

Today I found these interesting keywords, and the URL contains “cmd=”, which is a potential area to test for command injection. I will update this dork section when I get more real-world experience with command injection and more unique, uncommon keywords for this specific bug class.

inurl:e1cib inurl:oid2rp
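Every endpoint family in sections 3 to 11 (wp-config backups, wp-content/backup-*, SharePoint _vti_bin/.asmx/WSDL, WebResource.axd, .ashx handlers, cmd= parameters) is also a recognisable pattern in a web server's access log, and the server's own response code tells the defender whether a probe merely missed (404/403) or actually reached an exposed resource (200). The following is an added example, not code from the original post: a small detector for combined-format (Apache/nginx) access logs. The rule set is an assumption built only from the paths named in this post, and the log lines are constructed using RFC 5737 test addresses.

```python
"""Flag access-log requests that probe for the endpoint families covered in
this post and separate probes that hit (HTTP 200) from probes that missed.

Added example, not code from the original post: the log lines are constructed
(RFC 5737 test addresses), and the rule set is an assumption based only on the
paths named in the post. Apache/nginx combined log format is assumed.
"""
import re

# (rule name, pattern applied to the request target, i.e. path plus query)
PROBE_RULES = [
    # /wp-config followed by anything except exactly ".php" (optionally with a query)
    ("wp-config-backup", re.compile(r"/wp-config(?!\.php(?:$|\?))", re.I)),
    ("wp-content-backup", re.compile(r"/wp-content/backup[-_]", re.I)),
    ("sharepoint-wsdl", re.compile(r"/_vti_bin/|\.asmx|[?&]wsdl\b|\.wsdl", re.I)),
    ("webresource-axd", re.compile(r"webresource\.axd", re.I)),
    ("ashx-handler", re.compile(r"\.ashx(?:$|\?)", re.I)),
    ("cmd-param", re.compile(r"[?&]cmd=", re.I)),
]

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not from a real server).
SAMPLE_LOG = """
203.0.113.7 - - [16/May/2023:10:01:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2023:10:01:03 +0000] "GET /wp-config.php_old HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2023:10:01:05 +0000] "GET /wp-content/backup-2024/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [16/May/2023:10:02:11 +0000] "GET /_vti_bin/Lists.asmx?WSDL HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.4 - - [16/May/2023:10:02:12 +0000] "GET /WebResource.axd?d=abc HTTP/1.1" 200 810 "-" "python-requests/2.31"
192.0.2.9 - - [16/May/2023:10:03:40 +0000] "GET /Handlers/PdfHandler.ashx?id=42&cmd=test HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.9 - - [16/May/2023:10:03:41 +0000] "GET /wp-content/uploads/2023/05/brochure.pdf HTTP/1.1" 200 10240 "-" "curl/8.0"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def classify_target(target: str) -> list[str]:
    """Names of every probe rule the request target matches (may be empty)."""
    return [name for name, rx in PROBE_RULES if rx.search(target)]


def scan_access_log(lines) -> list[dict]:
    """One alert per request that matches at least one rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash on junk
        rules = classify_target(m["target"])
        if rules:
            alerts.append({"ip": m["ip"], "target": m["target"],
                           "status": int(m["status"]), "rules": rules})
    return alerts


def exposed_hits(alerts: list[dict]) -> list[dict]:
    """Probes the server answered with 200: the file or service really is
    reachable and needs fixing, not just blocking."""
    return [a for a in alerts if a["status"] == 200]


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LINES)
    for a in found:
        print(f"{a['ip']} {a['status']} {a['target']} -> {', '.join(a['rules'])}")
    print("exposed:", [a["target"] for a in exposed_hits(found)])
```

The `exposed_hits` list is the one that matters: a 404 on `/wp-config.php.bak` is noise from a scanner, but a 200 on `/wp-config.php_old` means the file is live, is probably already indexed, and should be removed and its credentials rotated.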

The possibilities are endless, but that's all for this post. There will also be a 3rd part.