The right way to hand write dorks by DonJuji

Oct 19th, 2019
The right way to make dorks by hand by DonJuji...



The dorks I see people making with tools are just... disgusting. This is a quick tutorial on how to write decent dorks.
First of all, it's important to understand what a dork is. Most people do not even seem to know what the fuck they are.
They are Google searches. That's all they are. Google allows special syntax for advanced searching, and most dorks use
that syntax. However, not all dorks need special syntax. Some of the best dorks I have found are simply plaintext.

Example: "All times are GMT" "This page was generated at"

This is a dork that returns vBulletin 5 message boards.
It works because almost all vB 5.x message boards contain that text on every page.
It is also specific to 5.x because the wording of that message differs in earlier versions.
Dorking is simply the process of identifying "constants": words or numbers that DO NOT CHANGE from page to page
of the software or content you are after, and that are rare everywhere else.
Dorking can be used to find many things, not just vulnerable websites.
  17.  
Example: intitle:"index of" "slimshady LP" mp3

This will return open directory listings full of Eminem mp3s. Personally I use dorking to find all sorts of things.
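The "constants" idea above can be made mechanical: take a few pages from the software you want to fingerprint, keep only the word sequences that appear on all of them, then throw out the ones that also appear on a different version or product. The script below is an added example written for this page, not DonJuji's code; the page texts are constructed stand-ins (only the quoted wording "All times are GMT" / "This page was generated at" comes from the tutorial), and the n-gram lengths are this example's own choice.

```python
import re

# Constructed sample pages standing in for three boards running the same
# software (stand-ins for the vBulletin 5 footers the tutorial quotes).
# They are made up for this example, not scraped pages.
SAMPLE_PAGES = [
    "Welcome to Retro Gaming Forum. 4,210 members online. "
    "All times are GMT -5. This page was generated at 03:12 PM.",
    "Anime Talk Board - 912 members online. "
    "All times are GMT +1. This page was generated at 09:45 AM.",
    "Cooking Enthusiasts forum. 33 members online. "
    "All times are GMT. This page was generated at 11:03 PM.",
]

# Constructed page from an older release whose footer wording differs,
# used to filter out constants that are not version-specific.
OLDER_BOARD = "Old School Board. 12 members online. All times are GMT. The time now is 04:00 PM."


def tokenize(text):
    """Lowercase word tokens. Digits and punctuation are dropped on purpose so
    timestamps, member counts and timezone offsets never count as constants."""
    return re.findall(r"[a-z]+", text.lower())


def ngrams(text, min_len=3, max_len=4):
    """All word n-grams of min_len..max_len words in a page."""
    toks = tokenize(text)
    grams = set()
    for n in range(min_len, max_len + 1):
        for i in range(len(toks) - n + 1):
            grams.add(" ".join(toks[i:i + n]))
    return grams


def shared_phrases(pages, min_len=3, max_len=4):
    """Phrases present on every page: the constants a dork is built from.
    Shorter phrases fully contained in a longer shared phrase are dropped,
    so only maximal phrases are returned, longest first, then alphabetical."""
    if not pages:
        return []
    common = set.intersection(*(ngrams(p, min_len, max_len) for p in pages))

    def contained(small, big):
        return small != big and f" {small} " in f" {big} "

    maximal = [g for g in common if not any(contained(g, h) for h in common)]
    return sorted(maximal, key=lambda g: (-len(g.split()), g))


def distinguishing_phrases(target_pages, other_pages, min_len=3, max_len=4):
    """Constants of the target pages that never occur on the comparison pages,
    i.e. candidates that fingerprint only the target software or version."""
    seen_elsewhere = set()
    for page in other_pages:
        seen_elsewhere |= ngrams(page, min_len, max_len)
    return [p for p in shared_phrases(target_pages, min_len, max_len)
            if p not in seen_elsewhere]


def build_dork(phrases):
    """Turn chosen constants into the simplest dork shape: quoted exact phrases."""
    return " ".join(f'"{p}"' for p in phrases)


if __name__ == "__main__":
    print("shared:", shared_phrases(SAMPLE_PAGES))
    print("version-specific:", distinguishing_phrases(SAMPLE_PAGES, [OLDER_BOARD]))
    print("dork:", build_dork(["all times are gmt", "this page was generated at"]))
```

On the constructed input, "all times are gmt" survives as a shared constant but is removed by the older-board comparison, while "this page was generated" remains, which is exactly the version-specific wording the tutorial picked by hand. Pick one or two non-overlapping phrases from the output rather than pasting all of them into one dork.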
  21.  
To dork well you must understand the different operators Google gives us to use.

Here is a basic explanation of those. Note that the list below mixes Google's operators with ones that only work on Bing or DuckDuckGo, so check which engine an entry refers to before relying on it:
  25.  
  26.  
cache:[url] -- Shows the version of the web page from the search engine's cache.

related:[url] -- Finds web pages that are similar to the specified web page.

info:[url] -- Presents some information that Google has about a web page, including similar pages, the cached version of the page, and sites linking to the page.

site:[url] -- Finds pages only within a particular domain and all its subdomains.

intitle:[text] or allintitle:[text] -- Finds pages that include a specific keyword as part of the indexed title tag. allintitle: applies to every word that follows it and is not meant to be combined with other operators. You must include a space between the colon and the query for the operator to work in Bing.

inurl:[text] or allinurl:[text] -- Finds pages that include a specific keyword as part of their indexed URLs.

meta:[text] -- Finds pages that contain the specific keyword in the meta tags.

filetype:[file extension] -- Searches for specific file types by extension (e.g. filetype:pdf).

intext:[text], allintext:[text], inbody:[text] -- Searches the text of the page. For Bing and Yahoo the query is inbody:[text]. For DuckDuckGo the query is intext:[text]. For Google either intext:[text] or allintext:[text] can be used.

inanchor:[text] -- Searches link anchor text.

location:[iso code] or loc:[iso code], region:[region code] -- Searches a specific region. For Bing use location:[iso code] or loc:[iso code]; for DuckDuckGo use region:[region code].

contains:[text] -- Bing only. Identifies pages that contain links to the filetype specified (e.g. contains:pdf).

altloc:[iso code] -- Bing only. Searches for a location in addition to the one implied by the language of the site (e.g. pt-us or en-us).

domain:[url] -- Bing only. Wider than the site: operator; matches any domain containing the given suffix of the main website's URL.

feed:[feed type, e.g. rss] -- Bing only. Finds RSS or Atom feeds related to the search term.

hasfeed:[url] -- Bing only. Finds web pages that contain both the term or terms you are querying and one or more RSS or Atom feeds.

imagesize:[digits, e.g. 600] -- Constrains the size of returned images (image search).

ip:[ip address] -- Bing only. Finds sites hosted on a specific IP address.

keyword:[text] -- Meta-operator, that is, an operator used together with other operators. Takes a simple list as a parameter; each element in the list is combined with the keyword as an OR. keyword:(intitle inbody)software is equivalent to intitle:software OR inbody:software.

language:[language code] -- Bing only. Returns websites that match the search term in a specified language.

book:[title] -- Searches for book titles related to the keywords.

maps:[location] -- Searches for maps related to the keywords.

linkfromdomain:[url] -- Bing only. Shows the pages that the specified domain links out to (not the pages linking to it); results can be erroneous.
  72.  
OK, you probably aren't going to need all of those. Here are the ones I use most:

filetype:
intitle:
intext:
inurl:
site:


On top of those you have modifiers like "-".

If you put - in front of one of these, like this: -intitle:cats

you will get back no results that have "cats" in the title, because the - in front means "exclude this". Without it you get
ONLY results with "cats" in the title.
  88.  
So as a practical example I will show you how to find some SQL databases that careless admins have accidentally exposed and that got indexed
by Google.

The file extension for SQL database dumps is of course .sql, so we can start with

filetype:sql

Type that in and you will get mostly example databases, a lot of them from GitHub.

To filter those out, let's use the - modifier on site:github.com and add it to our dork:

filetype:sql -site:github.com

That still looks like a bunch of bullshit, so let's narrow it down further by adding something we know is a CONSTANT in SQL dumps.
If you look through SQL dumps you will notice that a lot of them (mysqldump and phpMyAdmin exports, for instance) have

"Table structure for table `tablenamehere`"
or something similar before each table.

So I'm going to take this and use "Table structure for table `users`" because I want to make sure my results have users tables.

Now, throwing it all together, we have

filetype:sql -site:github.com "Table structure for table `users`"

Enter that into Google and you get several public-facing database dumps with users, emails, passwords and more.

Example: https://www.bioinformatics.org/phplabware/sourceer/OrderSys/ordersys.sql

which contains
INSERT INTO `users` (`ID_user`, `name`, `md5_password`, `status`, `group`, `comment`, `username`) VALUES (1, 'Common Lab', 'c833584a58d05124ca69af49805e6c20', 'Current', 'Administrator', '', 'root');

This is the administrator account for the site, with an unsalted MD5 password hash. If it hasn't been changed since that dump, the hash can be cracked offline, used to log in, and the site can be fully owned.

And none of this so far required any tools. This is simply Google we are using: no scanners, no SQLi Dumper, nothing but Google.

THIS is real dorking.
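Once a dump like the one above is in hand, the work is triage: which tables are in it, which rows carry credentials, and how badly they are protected. The script below is an added example written for this page (not DonJuji's code, and not a tool the tutorial uses); it parses the "Table structure for table" constant and single-row INSERT statements, classifies the password column by hash shape, and runs a dictionary check against unsalted MD5. The dump, the wordlist and the column-name heuristics are all constructed for the example; the MD5 it cracks is the well-known digest of the word "password".

```python
import hashlib
import re

# Constructed mysqldump/phpMyAdmin-style export. Everything in it is invented for this example.
SAMPLE_DUMP = """
-- Table structure for table `orders`
CREATE TABLE `orders` (`id` int(11), `total` decimal(8,2));
-- Table structure for table `users`
CREATE TABLE `users` (`id` int(11), `username` varchar(64), `md5_password` varchar(64), `email` varchar(128), `group` varchar(32));
INSERT INTO `users` (`id`, `username`, `md5_password`, `email`, `group`) VALUES (1, 'root', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.invalid', 'Administrator');
INSERT INTO `users` (`id`, `username`, `md5_password`, `email`, `group`) VALUES (2, 'alice', '$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0', 'alice@example.invalid', 'Member');
INSERT INTO `users` (`id`, `username`, `md5_password`, `email`, `group`) VALUES (3, 'bob', NULL, 'bob@example.invalid', 'Member');
"""

WORDLIST = ["123456", "password", "root", "admin", "letmein"]  # tiny constructed wordlist
PASSWORD_COLUMNS = ("password", "passwd", "pwd", "hash")       # column names that usually hold credentials

# One single-row INSERT per line, as phpMyAdmin and mysqldump --skip-extended-insert
# write them; multi-row extended inserts are not handled here.
INSERT_RE = re.compile(r"^INSERT INTO `(\w+)` \((.*?)\) VALUES \((.*)\);\s*$")

# (regex, label): rough hash-format fingerprints, checked in order.
HASH_SHAPES = [
    (re.compile(r"[0-9a-fA-F]{32}"), "md5"),                        # unsalted, cracks at billions/sec
    (re.compile(r"[0-9a-fA-F]{40}"), "sha1"),                       # likewise unsalted
    (re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"), "bcrypt"),  # salted and slow
]


def table_structures(dump):
    """Table names announced by the 'Table structure for table' constant."""
    return re.findall(r"Table structure for table `([^`]+)`", dump)


def split_sql_values(raw):
    """Split the inside of VALUES (...) into Python values: 'quoted' strings
    (honouring backslash and doubled-quote escapes), NULL -> None, integers -> int."""
    values, i, n = [], 0, len(raw)
    while i < n:
        if raw[i] == " ":
            i += 1
            continue
        if raw[i] == "'":                      # quoted string
            i, buf = i + 1, []
            while i < n:
                c = raw[i]
                if c == "\\" and i + 1 < n:                          # backslash escape
                    buf.append(raw[i + 1]); i += 2
                elif c == "'" and i + 1 < n and raw[i + 1] == "'":   # doubled quote
                    buf.append("'"); i += 2
                elif c == "'":                                       # closing quote
                    i += 1; break
                else:
                    buf.append(c); i += 1
            values.append("".join(buf))
        else:                                  # bare token: NULL or a number
            j = raw.find(",", i)
            j = n if j == -1 else j
            tok = raw[i:j].strip()
            values.append(None if tok.upper() == "NULL" else int(tok) if re.fullmatch(r"-?\d+", tok) else tok)
            i = j
        while i < n and raw[i] != ",":         # skip to the separator
            i += 1
        i += 1
    return values


def parse_inserts(dump, table):
    """Rows of one table as dicts keyed by column name."""
    rows = []
    for line in dump.splitlines():
        m = INSERT_RE.match(line.strip())
        if m and m.group(1) == table:
            cols = [c.strip().strip("`") for c in m.group(2).split(",")]
            vals = split_sql_values(m.group(3))
            if len(cols) == len(vals):
                rows.append(dict(zip(cols, vals)))
    return rows


def classify_secret(value):
    """Rough hash-format classifier for a leaked credential value."""
    value = "" if value is None else str(value)
    if not value:
        return "empty"
    return next((label for rx, label in HASH_SHAPES if rx.fullmatch(value)), "unknown")


def crack_md5(hexdigest, wordlist=WORDLIST):
    """Offline dictionary check of an unsalted MD5; None if no word matches."""
    return next((w for w in wordlist if hashlib.md5(w.encode()).hexdigest() == hexdigest.lower()), None)


def triage_users(dump, table="users"):
    """Per credential column per row: who, what hash type, and whether the
    tiny wordlist already recovers it (only attempted for unsalted md5)."""
    report = []
    for row in parse_inserts(dump, table):
        for col, value in row.items():
            if any(k in col.lower() for k in PASSWORD_COLUMNS):
                kind = classify_secret(value)
                report.append({"username": row.get("username"), "group": row.get("group"),
                               "column": col, "kind": kind,
                               "cracked": crack_md5(value) if kind == "md5" else None})
    return report
```

The same parsing is what a defender runs against their own webroot: anything `triage_users` can read out of a file that sits under the document root is already readable by Google's crawler, and an "md5" row for an Administrator-group user is the case the tutorial describes.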
  126.  
Now you can take these principles and apply them in bulk to scanners like the one included in SQLi Dumper to get SQLi results if you like.

Here are some practical examples for that:

First of all, the main issue I see with people's dorks is that they are entirely too specific, with way too many parameters, many of which
are totally contradicting each other.

For SQLi you usually want PHP pages, so filetype:php goes a long way.

In fact I have gotten many of the higher quality SQLi's in the past simply by taking lists in my niche from Wikipedia like

LIST OF ALL PS4 VIDEO GAMES

LIST OF ALL ANIME

etc., and just adding filetype:php next to each entry in the list.

Simple as that.

The constant you are looking for with SQLi is pretty much PHP with parameters.

To ensure the results have params you can add something like

inurl:?id=
or inurl:game_id=

You don't need 12 different complex parameters and random-as-fuck extensions defined. KEEP IT SIMPLE OR YOU WILL GET FEWER RESULTS.

MORE PARAMETERS IS NOT MORE HQ!!!

Example of a good dork:

inurl:".php?id=1" "ocarina of time"

That's going to give you 5k results or something, and all of them are potentially vuln.

Example of a shit dork: allintext:csgo + intitle:leagueofegends + inurl:gamingwebsite.aspx site:com

That's going to give you 1-2 results, if any, and probably not even vuln. It fails for concrete reasons: allintext: is not meant to be combined with other operators, + is not a Google operator, site:com only pins the TLD, and the literal filename gamingwebsite.aspx will almost never match anything.
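The "keep it simple" rule and the Wikipedia-list method can both be turned into code. The script below is an added example for this page, not DonJuji's code or a tool the tutorial uses: it parses a dork into operator tokens, lints it against the failure modes the two examples above show (an allin* operator mixed with others, too many operators, a bare-TLD site:, a stray +, exclusions only), and composes dorks from a list of titles with one template. The operator set is the one this tutorial lists, and the "more than three operators" threshold is this example's own reading of the advice.

```python
import re
from collections import namedtuple

# Operators covered by the tutorial; anything else followed by a colon is
# treated as a plain term, so URLs and times are not mistaken for operators.
KNOWN_OPERATORS = {
    "site", "inurl", "allinurl", "intitle", "allintitle", "intext",
    "allintext", "filetype", "inanchor", "cache", "related", "info",
}

Token = namedtuple("Token", "negated operator value")

# optional '-' negation, optional operator:, then a "quoted phrase" or a bare word
TOKEN_RE = re.compile(r'(-?)(?:([A-Za-z]+):)?("[^"]*"|\S+)')


def parse_dork(dork):
    """Split a dork into Tokens with surrounding quotes removed from values."""
    tokens = []
    for neg, op, raw in TOKEN_RE.findall(dork):
        if op and op.lower() not in KNOWN_OPERATORS:
            raw, op = f"{op}:{raw}", None
        value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
        tokens.append(Token(neg == "-", op.lower() if op else None, value))
    return tokens


def lint_dork(dork, max_operators=3):
    """Warn about dork shapes that return nothing. The rules and the
    threshold are this example's own, derived from the tutorial's advice."""
    tokens = parse_dork(dork)
    ops = [t for t in tokens if t.operator]
    warnings = []
    allin = [t.operator for t in ops if t.operator.startswith("allin")]
    if allin and len(ops) > 1:
        warnings.append(f"{allin[0]}: is meant to stand alone; Google does not combine it reliably with other operators")
    if len(ops) > max_operators:
        warnings.append(f"{len(ops)} operators: every extra constraint shrinks the result set, keep it simple")
    for t in ops:
        if t.operator == "site" and not t.negated and "." not in t.value:
            warnings.append(f"site:{t.value} is a bare TLD and barely narrows anything; name a domain or drop it")
    if any(t.operator is None and t.value == "+" for t in tokens):
        warnings.append("'+' is not a Google operator; quote the phrase you want instead")
    if tokens and all(t.negated for t in tokens):
        warnings.append("only exclusions: nothing positive is being searched for")
    return warnings


def compose_dorks(terms, template='inurl:".php?id=" {term}'):
    """The list method: one simple template applied to every title in a list.
    Multi-word titles are quoted so they match as a phrase."""
    out = []
    for term in terms:
        term = term.strip()
        out.append(template.format(term=f'"{term}"' if " " in term else term))
    return out


if __name__ == "__main__":
    good = 'inurl:".php?id=1" "ocarina of time"'
    bad = 'allintext:csgo + intitle:leagueofegends + inurl:gamingwebsite.aspx site:com'
    print(good, "->", lint_dork(good) or "ok")
    for w in lint_dork(bad):
        print(bad, "->", w)
    for d in compose_dorks(["Ocarina of Time", "Tetris", "Persona 5"]):
        print(d)
```

Run the linter over a generated list before feeding it to a scanner; a dork that triggers the allin* or bare-TLD warnings is wasted scanner time, and the composer is deliberately limited to one template so the output stays as simple as the tutorial's good example.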