OP 20 October, 2024 - 03:11 PM
(This post was last modified: 20 October, 2024 - 03:12 PM by fireworks.)
You are in the system, the game begins, DedSec is on the line!
What are dorks, what principles help to master independent writing of dorks, what can be obtained with their help and how to extract information from the found sites? This article will answer all these questions.
What are dorks?
The etymology of the word, as far as I understand, comes from the English "dork", which is translated as something ruder than "moron". In the context of Google, dorks are a way of discovering sensitive information using so-called search operators. Dorks also refer to administrators or programmers who have leaked data. Surprisingly, there seems to be no official documentation on search operators, but the topic is partially covered here. In general, this is the first topic worth reading.
How to write your own dorks?
In fact, the algorithm is surprisingly simple: study existing dorks created by someone before us, analyze their value and the information they provide, find out why vulnerabilities appear, and then create your own dorks by changing components or asking yourself in what situations you can get similar data. After repeating this process a few thousand times, you will probably start generating unique dorks, especially if you have a deep understanding of how web applications work. This is the best way I have found. At this stage, you can move on to practice.
Where can I get a database of existing dorks? The most popular database is exploit database: Google Hacking Database (GHDB). You can also find lists on forums or social media channels. For example, you can take a list from GitHub: SQL-Injection-Google-Dork-List.
Now let's move on to practice!
Scope of application
In the example, I used dorks targeting SQL injections. You can read more about what SQLi is in this article, but you can search for almost any information using dorks. For example, let's take the open redirect vulnerability. It occurs when an application does not check the correctness of data and allows users to be redirected to third-party URLs without sufficient checking or filtering. This vulnerability is common, since even large bug bounty programs do not always pay for finding it. I once read that it can be used to turn an application into a free proxy, but in practice it does not work as it seems. However, it is possible to detect it using dorks - here is an example of Open Redirect Dorks. Thus, with dorks you can search for different types of vulnerabilities.
How to work with dorks?
Once a dork is found, it is important to be able to work with it and extract information. Let's take the dork shop intitle:"index of" docker-compose.yml, for example. What to do with it? First, you need to understand what docker-compose.yml is. It is a configuration file used to define and manage multi-container Docker applications. After studying it, you can understand that it can store environment variables, and if they are incorrectly configured (for example, not put in the .env file), this can lead to data leakage, such as database access.
Now the question is - how to connect to the database? First of all, you need to find out its address. If it is already disclosed in the configuration file - great, but if an address like 127.0.0.1 is specified, you will have to look for it. To do this, you can use Shodan, pasting the URL for the search, and get the desired address (where the port corresponds to the standard port of the database; the standard port can be found using, for example, ChatGPT). After that, connect to the server. For this, use, say, Visual Studio Code and install an extension for connecting to the DBMS, for example, the Database extension, and connect to the database.
This process can be adapted for each dork found.
The Great "Index of"
When a server does not have an index.html file or other default page to display the contents of a directory, the server may return a page with a simple list of the files in that directory. This is called "directory indexing." The "Index of" query in Google Dorking is used to find public directories on websites that display the contents of server folders. These pages may contain files that should not normally be publicly available, such as backups, confidential documents, or even software scripts.
Since dorks can provide a lot of information, let's try to find cryptocurrency wallets. Let's modify the index of dork from the examples and try to find wallets: intitle:"index of" .wallet. As far as I understand, such a dork mainly finds servers running nodes of the Bitcoin blockchain network, where the dot is interpreted as a directory (folder). By removing the dot, you can expand the search criteria. Let's try the query without the dot: intitle:"index of" wallet. After several sites, I managed to find the seed phrase in a text file, but after checking another dozen sites, nothing similar was found. I think that there are only a few dozen servers on the entire Internet where someone thought of saving the seed phrase in an open form. Any sensitive information should be carefully checked, so let's check this seed phrase. Judging by its appearance, one can assume that it was used either for USDT or for the Tron blockchain (or so it seemed to me). You can check the seed phrase using checkers or several applications that support importing wallets by seed phrases. After downloading several applications (TronLink, Phantom, and others), it turned out that there are no balances or transactions on these blockchains.
After that, I got the idea to check the access files. Perhaps someone will call the file "access.txt". After all, if people save seed phrases in an open form on the server, then anything is possible. Let's try the dork intitle:"index of" access.txt. It turned out that someone had come up with this dork before me, as a link to the exploit database appeared in the search results. However, not all is lost, because words in the search bar can be combined. After several unsuccessful attempts with inurl and domains, Google offered me a request: intitle:"index of" inurl:shop access (without .txt at the end). This dork reveals the directory of the Download Monitor plugin for WordPress. After learning more about the plugin, I found that there is CVE-2021-24786 for it. Having carefully studied the exploit code on exploit-db, it becomes clear how it works: access to the admin panel and the plugin version are required - WordPress Plugin Download Monitor V 4.4.4 - SQL Injection (Authenticated). You can find out the version of the plugin using wpscan with the command wpscan --url example.com --enumerate p, or there may be a package-lock.json file in the root directory of the plugin, which will also reveal the version. Unfortunately, I did not have access to the admin panel, the server did not allow reading PHP files, and I could not go to the directory above. I plan to dedicate a separate article to hacking WordPress, so let's put this topic aside for now.
Let's get back to the dorks. They can be modified in different ways. For example, I got the idea to use the dork intitle:"index of" 访问.txt, where "访问" means "access" in Chinese. This dork finds specific sites, mainly Taiwanese. I did not study it in more detail, but this is an example of how dorks can be modified, even if they are already known and described.
If the server is configured incorrectly, this will allow you to freely navigate through the directories. This way, you can, for example, find a directory with sessions. The session file may contain data such as tokens. Although this will not always bring results, you can try to use these sessions with the StorageAce extension for Google Chrome to replace the tokens (they can be stored both in local storage and in cookies, and this extension allows you to replace data in both).
filetype
The filetype:sql query in Google Dorking is used to find files with the .sql extension. SQL files usually contain commands for working with databases, including creating, modifying, or retrieving data. For example, let's take the filetype:sql "insert into" (pass|passwd|password) query from the list and change it to something else, such as filetype:sql "account". I assumed that this dork had already been found before me, but unexpectedly, it opened not SQL files, but public GitLab repositories. Many dorks target GitHub, but in my opinion, it is more interesting to search for vulnerabilities on GitLab. The main difference between GitLab and GitHub is that GitLab is often used for private repositories, and the code found there can be more valuable. You can test several thousand more dorks using this principle.
Thus, you can change the file type in the query. For example, to find databases, you can use the query inurl:shop index of .db, where .db is the extension of database files. But do all databases have the extension .db? Let's take the MongoDB database as an example. I was unable to develop this hypothesis further, and I have not seen such a dork anywhere, so perhaps it is still not used. The point is that older versions of MongoDB (from 3.2 to 4.xx) used the .wt extension. .wt files are data files used by the WiredTiger engine. The dork intitle:"index of" wt mongo allows us to discover such servers.
We can find instructions on how to open these files on Stack Overflow - Restoring MongoDB using only .wt files. Download MongoDB from here: MongoDB Community. Following the instructions, I encountered an error indicating an incompatibility of versions. As far as I understand, to open such files you need MongoDB version 4, which is no longer available for download from the official site. The database sites found for this request did not seem particularly interesting to me, so I put this idea aside. However, this principle can be used to test various NoSQL DBMS.
.php
Returning to SQL dorks, I noticed that many of them target .php files (I described the points of occurrence in more detail in the previous article). However, modern sites actively use JavaScript frameworks. To understand where vulnerabilities may occur, you can study the repositories on GitHub and see how applications are built on certain frameworks. Or simply remove .php from the dork, since the .js extension will not be present in the string, but the logic of the page can be preserved.
To summarize, dorks are like gambling addiction: a very interesting story, full of unexpected findings and opportunities. They open the door to a world where you can find vulnerabilities and confidential information, as well as much more. Hi! Bye!
Leaving a like is much appreciated and helps me to keep publishing threads.
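From the defender's side, as an added example that is not part of the original post and not any project's code: the file names and extensions the dorks in this thread target (docker-compose.yml, .env, access.txt, .sql, .wt, .wallet, .db, package-lock.json), matched against web-server access-log lines so an administrator can see which of those paths their own server actually served with a 2xx (and will therefore end up indexed) and which client probed several of them. The combined log format and the sample log lines are assumptions constructed for the example.

```python
"""Flag access-log requests for the files that the dorks in this thread look for.

Added example, not from the original post. The log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" log format is assumed, e.g.
# 203.0.113.5 - - [20/Oct/2024:15:11:02 +0000] "GET /shop/docker-compose.yml HTTP/1.1" 200 812 "-" "curl/8.4"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# File names and extensions named in the thread, mapped to the dork (or reason) that finds them.
SENSITIVE_NAMES = {
    "docker-compose.yml": 'intitle:"index of" docker-compose.yml',
    ".env": "environment file referenced by docker-compose.yml",
    "access.txt": 'intitle:"index of" access.txt',
    "package-lock.json": "plugin version disclosure (package-lock.json)",
}
SENSITIVE_EXTS = {
    ".sql": "filetype:sql",
    ".wt": 'intitle:"index of" wt mongo',
    ".wallet": 'intitle:"index of" .wallet',
    ".db": "inurl:shop index of .db",
}


def classify(target):
    """Return the dork/reason matching a request target, or None if it is not sensitive."""
    path = unquote(urlsplit(target).path)          # drop the query string, decode %xx
    name = path.rsplit("/", 1)[-1].lower()
    if name in SENSITIVE_NAMES:
        return SENSITIVE_NAMES[name]
    for ext, reason in SENSITIVE_EXTS.items():
        if name.endswith(ext):
            return reason
    if "wallet" in name:                            # the dot-less variant of the wallet dork
        return 'intitle:"index of" wallet'
    return None


def scan(lines):
    """Return (hits, suspicious_ips); a hit is (ip, target, status, reason).

    An IP that requested three or more distinct sensitive targets looks like a scanner."""
    hits, per_ip = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip lines that are not in the assumed format
        reason = classify(m["target"])
        if reason is None:
            continue
        hits.append((m["ip"], m["target"], int(m["status"]), reason))
        per_ip[m["ip"]].add(m["target"])
    return hits, sorted(ip for ip, targets in per_ip.items() if len(targets) >= 3)


def exposures(hits):
    """Targets that were actually served (2xx): these are what a dork will later surface."""
    return sorted({target for _, target, status, _ in hits if 200 <= status < 300})


SAMPLE_LOG = [  # constructed sample lines, documentation-range IPs
    '203.0.113.5 - - [20/Oct/2024:15:11:02 +0000] "GET /shop/docker-compose.yml HTTP/1.1" 200 812 "-" "curl/8.4"',
    '203.0.113.5 - - [20/Oct/2024:15:11:03 +0000] "GET /shop/.env HTTP/1.1" 404 196 "-" "curl/8.4"',
    '203.0.113.5 - - [20/Oct/2024:15:11:04 +0000] "GET /backup/dump.sql HTTP/1.1" 200 40231 "-" "curl/8.4"',
    '198.51.100.7 - - [20/Oct/2024:15:12:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Oct/2024:15:12:11 +0000] "GET /data/collection-0-123.wt HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Oct/2024:15:13:00 +0000] "GET /files/wallet.dat?x=1 HTTP/1.1" 200 76 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    found, scanners = scan(SAMPLE_LOG)
    for ip, target, status, reason in found:
        print(f"{ip} {status} {target}  <- {reason}")
    print("served and therefore indexable:", exposures(found))
    print("clients probing several sensitive paths:", scanners)
```

A served 2xx hit is the thing to fix (remove the file or disable directory indexing and the static route); a 403/404 hit only tells you who is probing.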