Identifies Jenkins servers that may be publicly accessible, potentially exposing CI/CD pipelines.

Locates SQL dump files that might have been unintentionally exposed, containing sensitive data.

Finds Wordpress sites with directory listing enabled for uploads, potentially exposing sensitive files.

Identifies Apache Struts instances with developer mode enabled, which can lead to RCE.

Finds publicly accessible phpinfo() pages, revealing server configuration details.

Search for servers running a specific, potentially outdated and vulnerable, version of Apache.

Searches GitHub repositories for accidentally committed API keys or sensitive credentials.

Helps in discovering subdomains of a target domain (replace example.com with target).

Finds publicly accessible .env files which often contain sensitive credentials.

Discovers Swagger UI or OpenAPI definition files, which map out API endpoints.

Searches for GitLab CI/CD variables that might be exposed in public projects or logs.

Finds Kubernetes dashboards that might be accessible without authentication.

Looks for exposed configuration files related to AI/LLM models, potentially containing API keys.

Finds JavaScript source maps which can expose original source code of frontend applications.

Basic dork to find potential SQL injection points in URL parameters. Use with caution and ethically.

Finds exposed .git directories, potentially allowing attackers to download the entire source code.

General dork to find login pages of various web applications.

Searches for web pages with "admin" in the title and URL, often leading to administrative interfaces.

Locates various types of backup files which might contain sensitive information or old code versions.

Finds common configuration file types which might expose server settings, credentials, or API keys.

Searches for log files containing error messages, warnings, or exceptions, which can reveal system paths, vulnerabilities, or user data.

Identifies publicly listed Amazon S3 buckets, potentially exposing stored files.

Finds Postman collections or other API documentation that might be publicly exposed.

Searches for Trello boards, potentially exposing project plans, tasks, or sensitive information if not properly secured.

Finds exposed WordPress debug logs, which can contain sensitive information like database errors or plugin issues.

Locates Jira instances, which if misconfigured, can expose project details, issues, and user information.

Finds FTP servers that allow directory listing, potentially exposing files and directories.

Searches for plain text files or documents that might contain the word "password" or "credentials".

Identifies login pages for network devices like routers, firewalls, or switches.

Finds publicly accessible live CCTV camera feeds.

Identifies public Google Calendar events. Be cautious, as many are intentionally public.

Searches for files with the .pem extension containing "PRIVATE KEY", potentially exposing SSH private keys.

Locates phpMyAdmin installations, which are web-based database administration tools.

Finds Magento local.xml configuration files, which can contain database credentials.

Locates SWF (Flash) files. While Flash is deprecated, old files might still exist and could potentially be decompiled to reveal source code or logic.

Finds Zoom meeting links or pages mentioning Meeting IDs. Many are public, but some might be unintentionally exposed.

Identifies Microsoft SharePoint sites. Misconfigurations could lead to data exposure.

Finds Jenkins script consoles, which can allow arbitrary code execution if unprotected.

Finds login or registration pages for Drupal sites (replace example.com).

Finds RabbitMQ management consoles, which could be exposed without authentication.

Identifies open Elasticsearch instances, potentially exposing large amounts of data.

Locates MongoDB instances that might be publicly accessible without proper authentication.

A combination dork for finding various types of unsecured webcams.

Identifies Cisco VPN login portals.

Finds .DS_Store files. These macOS files can sometimes reveal directory structures or filenames.

Finds Apache or Nginx server status pages, which can reveal server information, traffic, and worker status.

Locates Adminer, a web-based database management tool. Exposed instances can be risky.

Finds exposed Subversion (SVN) directories, potentially allowing access to source code.

Searches for Google Workspace documents marked as public but containing keywords like "confidential" or "internal".

Searches Pastebin for accidentally leaked API keys or secret keys.

Searches for occurrences of all the keywords given. This operator ensures that all specified terms appear somewhere in the text of the page.

Searches for occurrences of specified keywords within the body text of web pages.

Searches for a URL matching one of the keywords. This helps find pages with specific terms in their web address.

Searches for a URL matching all the keywords in the query. This is more restrictive than 'inurl'.

Searches for occurrences of specified keywords within the title of a web page.

Searches for occurrences of keywords all at a time in the page title. Ensures all specified keywords are in the title.

Specifically searches that particular site and lists all the results for that site. Restricts results to a specific domain or subdomain.

Searches for a particular filetype mentioned in the query. For example, PDF, DOC, TXT, etc.

Searches for pages that link to a specified URL. For example, using 'link:www.example.com' will find pages linking to that specific domain.

Used to locate specific numbers or a range of numbers in your searches. Can be useful for finding version numbers, product IDs, etc.

Locates Remote Desktop Protocol (.rdp) files that may be publicly exposed, potentially revealing connection details to remote servers.

Finds public spaces in Atlassian Confluence instances, which might unintentionally expose internal documentation or sensitive information.

Looks for exposed `credentials.xml` files from Jenkins, which store encrypted credentials but can still pose a risk if accessible.

Identifies publicly listable Google Cloud Storage buckets, potentially exposing stored files.

Helps enumerate WordPress usernames by looking for author archive pages (replace example.com).

Locates LogMeIn Hamachi VPN gateway login pages.

Finds publicly accessible Jupyter Notebook files (.ipynb), which might contain code, data, and potentially sensitive information.

Finds Grafana dashboards that might be accessible without authentication, exposing monitoring data.

Searches for publicly accessible Slack invitation links or webhook URLs.

Locates .htpasswd files, which are used for basic authentication on Apache web servers. If exposed, they can be cracked.

Searches for publicly accessible Cisco WebEx meeting recordings.

Finds publicly listable Azure Blob Storage containers. Replace CONTAINER_NAME or use keywords.

Locates phpPgAdmin (PostgreSQL web admin tool) installations.

Finds login pages for Sitecore CMS.

Locates .pem files containing public certificates. While not private keys, can reveal infrastructure details.

Identifies Jenkins instances with accessible userContent directories, which might contain build artifacts or other files.

Finds files related to Microsoft Visual SourceSafe, an older version control system. Exposure could leak source code.

Searches for Joomla configuration.php files, which contain database credentials and other sensitive settings.

Finds Adobe ColdFusion administrator login panels.

Searches for exposed web.config files used in .NET applications, which can contain connection strings and other sensitive data.

Finds Apache Tomcat Web Application Manager interfaces. Default credentials are a common risk.

Identifies Zabbix monitoring system frontends.

Searches for AWS access key IDs in various files, excluding common code repositories.

Finds VNC servers accessible via a Java viewer, often on port 5800.

Finds Google Forms that allow file uploads, which could be misused or reveal unintended information.

Finds ProFTPD server information pages, revealing version and other details.

Finds Drupal update manager pages, which can reveal module versions and update status.

Identifies Microsoft Exchange OWA login pages.

Locates login portals for Palo Alto Networks devices (e.g., GlobalProtect).

Attempts to find devices (like routers) exposing TR-069 management interfaces.

Finds admin login pages for Cisco Unity Connection (voicemail and messaging).

Searches for publicly shared Dropbox links, excluding common image shares.

Finds login pages for SonicWall Scrutinizer network traffic analysis tool.

Identifies F5 BIG-IP load balancer login pages.

Finds WordPress sites with XML-RPC enabled, which can be a vector for brute-force or DDoS attacks.

Finds Laravel Telescope debug dashboards if left publicly accessible.

Locates Jenkins instances exposing their JSON API, which can reveal job names, build status, and other information.

Finds publicly accessible bash history files, which can contain sensitive commands and credentials.

Searches for backup files created by the Drupal Backup and Migrate module.

Finds login pages for Microsoft Remote Desktop Web Access.

Finds Spring Boot applications exposing sensitive Actuator endpoints like /env, /health, /mappings.

Locates phpLiteAdmin, a web-based SQLite database administration tool.

Finds login portals for pgAdmin, a PostgreSQL administration and development platform.

Finds pages revealing errors from Server-Side Includes, which might indicate misconfigurations or injection points.

Searches for files containing RSA private key markers.

Finds Kibana dashboards that might be accessible without authentication, exposing log data and visualizations.

Identifies Fortinet SSL VPN login portals.

Finds WebDAV enabled directories that might be publicly listable or accessible.

Finds login pages for Oracle WebLogic Server Administration Console.

Searches GitHub for patterns matching personal access tokens, which are often accidentally committed.

Locates MDM enrollment or login pages, which if unsecured could lead to device compromise.

Identifies devices with ADB open on port 5555, potentially allowing unauthorized access.

Finds MQTT brokers, often used in IoT, which might be unsecured and expose sensitive data streams.

Locates common IP camera interfaces that might still use default credentials.

Discovers CoAP resources, often used in IoT, which may list accessible endpoints.

Searches GitHub for Stripe live secret API keys (sk_live_) inadvertently committed.

Finds PayPal Instant Payment Notification (IPN) listener scripts, which if misconfigured, could be exploited.

Locates QuickBooks company files (.qbw) or backup files (.qbb) that may be exposed.

Attempts to find PDF documents containing sensitive financial keywords.

Finds vBulletin forum administration login pages.

Finds phpBB forum administration login pages.

Finds Discord server invite links publicly posted on websites.

Example dork to find LinkedIn profiles of 'security researchers' associated with 'example.com'. Useful for OSINT.

Locates Moodle Learning Management System login pages.

Finds Blackboard Learn course content directories or pages that might be publicly accessible.

Identifies login portals for Student Information Systems or parent portals.

Finds PDF syllabi or course outlines, often hosted on educational institution domains.

Locates academic research papers, often in PDF format, that are marked for open access or hosted by universities.

Identifies login pages for patient portals of healthcare providers.

Looks for directories or web interfaces exposing DICOM (medical imaging) files. Highly sensitive.

Attempts to find web interfaces for managing medical devices.

Finds login pages for telemedicine or virtual health platforms.

Locates HL7 FHIR (Fast Healthcare Interoperability Resources) server endpoints, potentially exposing patient data APIs.

Highly sensitive search for spreadsheets that might contain anonymized or (more dangerously) identifiable patient data. Use with extreme caution and ethical considerations.

General dork to find login pages on .gov domains.

Locates PDF application or registration forms on government websites.

Finds PDF documents related to government meetings, potentially marked confidential but still public.

Finds Geographic Information System (GIS) data portals for cities or counties.

Identifies publicly accessible employee or staff directories on government websites.

Finds Salesforce login pages, including those on custom domains.

Locates login pages for SAP NetWeaver Portals.

Finds HubSpot login pages or sites using HubSpot tracking scripts.

Finds login pages for Wowza Streaming Engine Manager.

Searches for log files containing FFmpeg commands, which might reveal media processing workflows or file paths.

Looks for URLs using the RTSP protocol, often used for streaming video from IP cameras or media servers.

Finds JavaScript files or pages setting up JW Player, potentially revealing configurations or media sources.

Finds publicly accessible Burp Suite scan reports in HTML format.

Searches for Nessus vulnerability scan reports in .nessus or HTML format.

Finds Selenium test scripts or logs which might contain test data, credentials, or internal application details.

Searches GitHub for Postman collection JSON files, which describe API requests and can reveal endpoints.

Finds login pages for Veeam Backup & Replication consoles.

Identifies rsync server directories that might be listable, potentially exposing backup data.

Attempts to find Disaster Recovery Plan documents, which might be marked confidential but exposed.

Locates Bacula (network backup solution) web management interface login pages.

Finds exposed Asterisk Manager Interfaces, potentially allowing control over VoIP systems.

Identifies login pages for FreePBX, a web-based GUI for Asterisk.

Searches for open SIP ports (5060/5061), which are used for VoIP signaling and could be targeted.

Finds SMS gateway interfaces or documentation that might reveal API keys or allow message sending.

Attempts to find network diagrams (Visio or PDF) or infrastructure documents marked as internal.

Looks for common SQL error messages directly visible in URLs or page content, indicating potential SQL injection.

Finds Microsoft SQL Server Reporting Services instances, which might be misconfigured for public access.

Searches configuration files for Oracle TNSnames entries or JDBC driver strings, potentially revealing connection details.

Locates PostgreSQL backup files created with pg_dump or pg_dumpall.

Targets login forms (especially PHP-based admin logins) for potential SQL injection. Add typical SQLi payloads to search terms.

Finds SQL Server trace files (.trc) or execution plan files (.sqlplan) that might have been exposed.