Google Dorks are advanced search operators that you can combine in a Google query to narrow a search. Google Hacking is the art of using Google Dorks to find specific, often unintentionally exposed, information in Google's index, for example a known vulnerable version of a web application.
The Basics
| Operator | What it does |
| --- | --- |
| intitle: | Restricts only the term immediately after the colon to the page title; any further terms are ordinary search terms. intitle:brown fox returns pages whose title contains brown and whose content (anywhere) matches fox. |
| allintitle: | Like intitle:, but every term that follows must appear in the title. allintitle:brown fox returns pages whose title contains both brown and fox. It cannot be combined with other operators. |
| inurl: | Restricts only the term immediately after the colon to the URL. inurl:install php returns pages whose URL contains install and whose content matches php. |
| allinurl: | Like inurl:, but every term that follows must appear in the URL. allinurl:install php returns pages whose URL contains both install and php. |
| filetype: | Restricts results to files of the given type, matched on the extension. filetype:txt returns only plain-text files. ext: is an equivalent spelling. |
| intext: | Restricts only the term immediately after the colon to the page body. intext:brown fox returns pages whose body contains brown and that also match fox as an ordinary term. |
| allintext: | Like intext:, but every term that follows must appear in the body. allintext:brown fox returns pages whose body contains both brown and fox, not necessarily next to each other; put quotes around the words if you need the exact phrase. |
| site: | Limits results to one domain, subdomains included. site:lokisec.com brown fox returns only pages on lokisec.com that match brown and fox. |
| link: | Returned pages that link to the given URL, e.g. link:www.lokisec.com. Google retired this operator in 2017, so it no longer filters results. |
| cache: | Takes a URL, not search terms: cache:www.lokisec.com showed Google's stored copy of that page, which is how you read content that has since been removed from the live site. Google has since withdrawn the cached-page feature, so this operator no longer returns a stored copy. |
| related: | Returns sites similar to the one given. related:www.lokisec.com returns sites that resemble lokisec.com. |
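The operators above compose into a single query string, and the all* forms cannot be mixed with other operators. The Python helper below is an added example, not code from the original article: it parses a dork into its operators and plain terms, rejects invalid all* combinations, and builds the site: plus filetype: queries used in the next section for a domain you own. The domain example.com and the extension list are placeholders.

```python
"""Build and parse Google dork queries.

Added example for this article; not code from the original page. The operator
semantics encoded here follow the table above. The domain and file
extensions used in the demo are placeholders, not real targets.
"""
import re
from typing import Dict, List, Tuple

# Operators that bind only to the single term immediately after the colon.
SINGLE_TERM_OPERATORS = {
    "intitle", "inurl", "intext", "filetype", "ext",
    "site", "link", "cache", "related",
}
# Operators that consume every following term and cannot be mixed with others.
ALL_TERM_OPERATORS = {"allintitle", "allinurl", "allintext"}

# A token is op:"quoted phrase", a bare "quoted phrase", or a run of non-space.
TOKEN_RE = re.compile(r'(?:[a-z]+:)?"[^"]*"|\S+')


def _split_operator(token: str) -> Tuple[str, str]:
    """Return (operator, value) if the token is a known op:value, else ('', token)."""
    op, sep, val = token.partition(":")
    if sep and val and (op in SINGLE_TERM_OPERATORS or op in ALL_TERM_OPERATORS):
        return op, val
    return "", token


def parse_dork(query: str) -> Dict[str, list]:
    """Split a dork into its operators and its ordinary search terms.

    Raises ValueError for an all* operator that is not first or that is
    followed by another operator, which Google does not honour.
    """
    tokens = TOKEN_RE.findall(query)
    operators: List[Tuple[str, str]] = []
    terms: List[str] = []
    for i, tok in enumerate(tokens):
        op, val = _split_operator(tok)
        if op in ALL_TERM_OPERATORS:
            if i != 0:
                raise ValueError(f"{op}: must be the first token of the query")
            rest = [val] + tokens[1:]          # the all* form swallows everything after it
            for t in rest:
                other, _ = _split_operator(t)
                if other:
                    raise ValueError(f"{op}: cannot be combined with {other}:")
            operators.append((op, " ".join(rest)))
            return {"operators": operators, "terms": []}
        if op:
            operators.append((op, val))
        else:
            terms.append(tok)
    return {"operators": operators, "terms": terms}


def build_audit_queries(domain: str, extensions: List[str],
                        extra_terms: Tuple[str, ...] = ()) -> List[str]:
    """Produce one site:+filetype: dork per extension for auditing your own domain."""
    queries = []
    for ext in extensions:
        query = " ".join([f"site:{domain}", f"filetype:{ext.lstrip('.')}", *extra_terms])
        parse_dork(query)  # sanity-check the operator syntax before it is used
        queries.append(query)
    return queries


if __name__ == "__main__":
    # Placeholder domain; these are the queries you would paste into Google.
    for q in build_audit_queries("example.com", ["ste", "sql", "bak"]):
        print(q, "->", parse_dork(q))
    print(parse_dork('intitle:"index of" site:example.com backup'))
```

The parser treats an unknown `word:value` as an ordinary term, which is also what Google does; the queries it builds are meant to be run against a domain you are authorised to test.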
The Potential
Let's say you are on a pen test and know that your client uses a WYSIWYG editor that lets the people responsible for maintaining the company website push changes to the server on the fly. Search site:<customer website> filetype:<config file extension> for the configuration file the editor uses to track files on the server. Dreamweaver has (or had) this issue: a search for filetype:ste turns up its exported site definition, an XML file containing the username and obfuscated (and easily reversed) password for the FTP server the files reside on. With minimal effort you now own the website and potentially the entire server.
Not enough for you? The same client backs up a MySQL database onto the web server. site:<customer website> filetype:sql dump returns every dump Google's crawler was able to reach. Such a file can contain database usernames and passwords (hashed or plaintext) along with unreleased information that is important to the company.
A large list of dorks is maintained at exploit-db.com in the Google Hacking Database (GHDB). Check them out and see what you can find.
Remediation
To help protect yourself from this type of attack, be mindful of what files are kept on your web server, and where: backups, database dumps and editor configuration files belong outside the document root, not in a directory the web server serves. If a file has to be on the web server, protect it with access controls (authentication, or web-server rules that refuse to serve the extension), because anything fetchable without credentials is fetchable by Google's crawler. A robots.txt file only asks well-behaved crawlers not to index a path; it is itself public, so listing sensitive paths in it hands an attacker a map, and it does nothing to stop someone who already knows the URL. If you use a CMS, keep it up to date and follow its recommended security guidelines to minimise your exposure. Use what you have learned here to audit your own site with the same dorks an attacker would use. You might be surprised at what you find.
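An audit of your own document root does not have to wait for Google to crawl it. The script below is an added example, not the article's code: it walks a webroot, flags backup, dump, editor-config and version-control artefacts by extension or name, and lists the paths a robots.txt advertises, which are public. The extension and file-name lists are my own assumptions, and the sample tree is constructed in a temporary directory so nothing touches a real server.

```python
"""Offline audit of a web document root for files that should not be served.

Added example for this article; not the author's code. The extension and
file-name lists are illustrative assumptions, and the demo tree is built in
a temporary directory so the script runs without touching a real server.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions that usually mean a backup, dump, editor/config artefact or log.
SENSITIVE_EXTENSIONS = {".ste", ".sql", ".bak", ".old", ".orig", ".log",
                        ".ini", ".conf", ".config", ".swp", ".tar", ".zip"}
# Exact file names worth flagging regardless of extension.
SENSITIVE_NAMES = {".env", ".htpasswd", "web.config", "phpinfo.php"}
# Directories that expose history or credentials and never belong in a webroot.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk the webroot and return (relative_path, reason) for each risky item."""
    findings: List[Tuple[str, str]] = []
    root_path = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root_path)
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append(((rel_dir / d).as_posix() + "/", f"{d} directory is served"))
                dirnames.remove(d)  # prune: the whole directory is already a finding
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            if name in SENSITIVE_NAMES:
                findings.append((rel, "sensitive file name"))
            elif any(s.lower() in SENSITIVE_EXTENSIONS for s in Path(name).suffixes):
                findings.append((rel, "backup/dump/config extension"))
    return findings


def robots_disallow_paths(root: str) -> List[str]:
    """Return every Disallow path in robots.txt: a public list of what you wanted hidden."""
    robots = Path(root) / "robots.txt"
    if not robots.is_file():
        return []
    paths: List[str] = []
    for line in robots.read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def report(root: str) -> Dict[str, list]:
    """Combine both checks into one result."""
    return {"findings": audit_webroot(root), "robots_disallow": robots_disallow_paths(root)}


def build_demo_webroot() -> str:
    """Construct a throwaway webroot with the kinds of files the article describes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {  # constructed sample content, not real data
        "index.html": "<html><body>hello</body></html>\n",
        "robots.txt": "User-agent: *\nDisallow: /backup/  # hides nothing from attackers\nDisallow: /dw/\n",
        "backup/site.sql": "-- constructed dump\nINSERT INTO users VALUES ('admin', 'x');\n",
        "dw/site.ste": '<?xml version="1.0"?><site><server pw="constructed"/></site>\n',
        ".env": "DB_PASSWORD=changeme\n",
        ".git/HEAD": "ref: refs/heads/main\n",
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    result = report(demo)
    for path, reason in sorted(result["findings"]):
        print(f"{path:20} {reason}")
    print("robots.txt advertises:", result["robots_disallow"])
```

Run it against the real document root instead of the demo tree (`audit_webroot("/var/www/html")`, assuming a typical path) and every finding is a file you should move out of the webroot or put behind access control, not merely list in robots.txt.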
