DorkFinder
Explore security exposures with categorized Google Dorks. Discover real-world examples for bug bounty, OSINT, and ethical hacking.
intitle:"Dashboard [Jenkins]"
Identifies Jenkins servers that may be publicly accessible, potentially exposing CI/CD pipelines.
filetype:sql sql dump
Locates SQL dump files that might have been unintentionally exposed, containing sensitive data.
inurl:/wp-content/uploads/ "index of"
Finds WordPress sites with directory listing enabled for uploads, potentially exposing sensitive files.
inurl:struts/webconsole.html OR inurl:action:devmode
Identifies Apache Struts instances with developer mode enabled, which can lead to RCE.
ext:php intitle:phpinfo "published by the PHP Group"
Finds publicly accessible phpinfo() pages, revealing server configuration details.
intitle:"index of" "server at" "Apache/2.2.3"
Searches for servers running a specific, potentially outdated and vulnerable version of Apache.
site:github.com "public_key" OR "private_key" OR "api_key"
Searches GitHub repositories for accidentally committed API keys or sensitive credentials.
site:*.example.com -www.example.com
Helps discover subdomains of a target domain (replace example.com with the target).
inurl:.env -intext:env "DB_PASSWORD" ext:env
Finds publicly accessible .env files which often contain sensitive credentials.
inurl:/swagger/index.html OR inurl:/api-docs OR intitle:"Swagger UI"
Discovers Swagger UI or OpenAPI definition files, which map out API endpoints.
inurl:gitlab.com intext:"CI_JOB_TOKEN" OR intext:"CI_REGISTRY_PASSWORD"
Searches for GitLab CI/CD variables that might be exposed in public projects or logs.
intitle:"Kubernetes Dashboard" -intitle:"Login"
Finds Kubernetes dashboards that might be accessible without authentication.
filetype:yaml "model_name" "api_key" "openai"
Looks for exposed configuration files related to AI/LLM models, potentially containing API keys.
filetype:map inurl:js "webpackChunk"
Finds JavaScript source maps which can expose original source code of frontend applications.
inurl:".php?id=" OR inurl:".asp?id=" OR inurl:".jsp?id="
Basic dork to find potential SQL injection points in URL parameters. Use with caution and ethically.
inurl:/.git "Index of /.git"
Finds exposed .git directories, potentially allowing attackers to download the entire source code.
intitle:"login" | intitle:"signin" | inurl:login | inurl:signin
General dork to find login pages of various web applications.
intitle:"admin" inurl:admin
Searches for web pages with "admin" in the title and URL, often leading to administrative interfaces.
filetype:bak | filetype:backup | filetype:old | filetype:zip | filetype:rar "backup"
Locates various types of backup files which might contain sensitive information or old code versions.
filetype:config | filetype:cfg | filetype:conf | filetype:ini | filetype:yml | filetype:yaml
Finds common configuration file types which might expose server settings, credentials, or API keys.
filetype:log "Error" | "Warning" | "Exception"
Searches for log files containing error messages, warnings, or exceptions, which can reveal system paths, vulnerabilities, or user data.
site:s3.amazonaws.com "index of" OR "bucket name"
Identifies publicly listed Amazon S3 buckets, potentially exposing stored files.
inurl:/postman/collections/ OR intitle:"Postman API Documentation"
Finds Postman collections or other API documentation that might be publicly exposed.
site:trello.com "Project Name" confidential | internal
Searches for Trello boards, potentially exposing project plans, tasks, or sensitive information if not properly secured.
inurl:wp-content/debug.log
Finds exposed WordPress debug logs, which can contain sensitive information like database errors or plugin issues.
intitle:"System Dashboard - JIRA" OR inurl:/secure/Dashboard.jspa
Locates Jira instances, which if misconfigured, can expose project details, issues, and user information.
intitle:"index of /" "ftp"
Finds FTP servers that allow directory listing, potentially exposing files and directories.
filetype:txt | filetype:csv | filetype:doc "password" | "credentials"
Searches for plain text files or documents that might contain the word "password" or "credentials".
intitle:"Login" "Router" | "Firewall" | "Switch"
Identifies login pages for network devices like routers, firewalls, or switches.
inurl:view/view.shtml OR intitle:"Live View / - AXIS"
Finds publicly accessible live CCTV camera feeds.
site:calendar.google.com inurl:event?eid=
Identifies public Google Calendar events. Be cautious, as many are intentionally public.
filetype:pem "PRIVATE KEY"
Searches for files with the .pem extension containing "PRIVATE KEY", potentially exposing SSH private keys.
intitle:"phpMyAdmin" "Server:"
Locates phpMyAdmin installations, which are web-based database administration tools.
inurl:/app/etc/local.xml filetype:xml
Finds Magento local.xml configuration files, which can contain database credentials.
filetype:swf inurl:flash
Locates SWF (Flash) files. While Flash is deprecated, old files might still exist and could potentially be decompiled to reveal source code or logic.
site:zoom.us inurl:/j/ intext:"Meeting ID"
Finds Zoom meeting links or pages mentioning Meeting IDs. Many are public, but some might be unintentionally exposed.
inurl:"_layouts/15/start.aspx" OR intitle:"SharePoint Home"
Identifies Microsoft SharePoint sites. Misconfigurations could lead to data exposure.
inurl:/script OR inurl:/scriptApproval OR intitle:"Script Console"
Finds Jenkins script consoles, which can allow arbitrary code execution if unprotected.
inurl:/user/login OR inurl:/user/register site:example.com
Finds login or registration pages for Drupal sites (replace example.com).
intitle:"RabbitMQ Management" "Overview"
Finds RabbitMQ management consoles, which could be exposed without authentication.
port:9200 "You Know, for Search"
Identifies open Elasticsearch instances, potentially exposing large amounts of data.
port:27017 "MongoDB Server Information" OR " ड्राइवर के लिए सहायता और उपकरण"
Locates MongoDB instances that might be publicly accessible without proper authentication.
intitle:"webcamXP 5" | intitle:"Live View / - AXIS" | inurl:view/view.shtml
A combination dork for finding various types of unsecured webcams.
inurl:/+CSCOE+/logon.html
Identifies Cisco VPN login portals.
intext:"Directory Services Store File" ext:DS_Store
Finds .DS_Store files. These macOS files can sometimes reveal directory structures or filenames.
inurl:/server-status intitle:"Apache Status" OR intitle:"nginx status"
Finds Apache or Nginx server status pages, which can reveal server information, traffic, and worker status.
intitle:"Adminer" "Username" "Password" "Database"
Locates Adminer, a web-based database management tool. Exposed instances can be risky.
inurl:/.svn/ "Index of /.svn/"
Finds exposed Subversion (SVN) directories, potentially allowing access to source code.
site:docs.google.com "public" "confidential" OR "internal"
Searches for Google Workspace documents marked as public but containing keywords like "confidential" or "internal".
site:pastebin.com "API_KEY" OR "SECRET_KEY"
Searches Pastebin for accidentally leaked API keys or secret keys.
allintext:"keyword"
Searches for occurrences of all the keywords given. This operator ensures that all specified terms appear somewhere in the text of the page.
intext:"keyword"
Searches for occurrences of specified keywords within the body text of web pages.
inurl:"keyword"
Searches for a URL matching one of the keywords. This helps find pages with specific terms in their web address.
allinurl:"keyword"
Searches for a URL matching all the keywords in the query. This is more restrictive than 'inurl'.
intitle:"keyword"
Searches for occurrences of specified keywords within the title of a web page.
allintitle:"keyword"
Searches for pages whose title contains all of the specified keywords, not just one of them.
site:"www.example.com"
Restricts the search to the named site and lists results only from that domain or subdomain.
filetype:"pdf"
Searches for a particular filetype mentioned in the query. For example, PDF, DOC, TXT, etc.
link:"www.example.com"
Searches for pages that link to a specified URL. For example, using 'link:www.example.com' will find pages linking to that specific domain.
numrange:321-325
Used to locate specific numbers or a range of numbers in your searches. Can be useful for finding version numbers, product IDs, etc.
filetype:rdp intext:"full address:s:"
Locates Remote Desktop Protocol (.rdp) files that may be publicly exposed, potentially revealing connection details to remote servers.
site:confluence.*.*/display/PUBLIC/*
Finds public spaces in Atlassian Confluence instances, which might unintentionally expose internal documentation or sensitive information.
intitle:"Index of" credentials.xml jenkins
Looks for exposed `credentials.xml` files from Jenkins, which store encrypted credentials but can still pose a risk if accessible.
site:storage.googleapis.com intitle:"index of"
Identifies publicly listable Google Cloud Storage buckets, potentially exposing stored files.
inurl:/author/ site:example.com
Helps enumerate WordPress usernames by looking for author archive pages (replace example.com).
intitle:"LogMeIn Hamachi" inurl:gateway.exe
Locates LogMeIn Hamachi VPN gateway login pages.
filetype:ipynb "index of" OR intitle:"Jupyter Notebook"
Finds publicly accessible Jupyter Notebook files (.ipynb), which might contain code, data, and potentially sensitive information.
intitle:"Grafana" inurl:"dashboard" -"Login"
Finds Grafana dashboards that might be accessible without authentication, exposing monitoring data.
site:hooks.slack.com/workflows/ OR site:join.slack.com
Searches for publicly accessible Slack invitation links or webhook URLs.
inurl:.htpasswd "Index of" OR filetype:htpasswd
Locates .htpasswd files, which are used for basic authentication on Apache web servers. If exposed, the password hashes they contain can be cracked.
site:*.webex.com inurl:precording OR inurl:play_recording
Searches for publicly accessible Cisco WebEx meeting recordings.
site:blob.core.windows.net "CONTAINER_NAME" intitle:"index of"
Finds publicly listable Azure Blob Storage containers. Replace CONTAINER_NAME or use keywords.
intitle:"phpPgAdmin" "Login"
Locates phpPgAdmin (PostgreSQL web admin tool) installations.
inurl:/sitecore/login
Finds login pages for Sitecore CMS.
filetype:pem intext:"BEGIN CERTIFICATE"
Locates .pem files containing public certificates. While these are not private keys, they can reveal infrastructure details.
inurl:/userContent/
Identifies Jenkins instances with accessible userContent directories, which might contain build artifacts or other files.
filetype:scc "SourceSafe" OR "VSSVER.SCC"
Finds files related to Microsoft Visual SourceSafe, an older version control system. Exposure could leak source code.
filetype:php intext:"JConfig" "public $user"
Searches for Joomla configuration.php files, which contain database credentials and other sensitive settings.
inurl:/CFIDE/administrator/index.cfm
Finds Adobe ColdFusion administrator login panels.
filetype:config inurl:web.config
Searches for exposed web.config files used in .NET applications, which can contain connection strings and other sensitive data.
intitle:"Tomcat Web Application Manager" inurl:/manager/html
Finds Apache Tomcat Web Application Manager interfaces. Default credentials are a common risk.
intitle:"Zabbix" intext:"frontend php"
Identifies Zabbix monitoring system frontends.
intext:"AWS_ACCESS_KEY_ID" -git -gitlab -github
Searches for AWS access key IDs in various files, excluding common code repositories.
intitle:"VNC viewer for Java" port:5800
Finds VNC servers accessible via a Java viewer, often on port 5800.
site:docs.google.com/forms inurl:viewform intext:"File upload"
Finds Google Forms that allow file uploads, which could be misused or reveal unintended information.
intitle:"ProFTPD server information"
Finds ProFTPD server information pages, revealing version and other details.
inurl:update.php intitle:"Update manager" Drupal
Finds Drupal update manager pages, which can reveal module versions and update status.
inurl:/owa/auth/logon.aspx
Identifies Microsoft Exchange OWA login pages.
intitle:"GlobalProtect Portal" "Palo Alto Networks"
Locates login portals for Palo Alto Networks devices (e.g., GlobalProtect).
inurl:tr069 intext:"TR-069"
Attempts to find devices (like routers) exposing TR-069 management interfaces.
intitle:"Cisco Unity Connection Administration" inurl:/cuadmin/
Finds admin login pages for Cisco Unity Connection (voicemail and messaging).
site:dropbox.com/sh/ "shared link" -inurl:images
Searches for publicly shared Dropbox links, excluding common image shares.
intitle:"Scrutinizer Login" "SonicWall"
Finds login pages for SonicWall Scrutinizer network traffic analysis tool.
intitle:"BIG-IP" "logon" OR inurl:/my.logon.php3
Identifies F5 BIG-IP load balancer login pages.
inurl:xmlrpc.php "XML-RPC server accepts POST requests only"
Finds WordPress sites with XML-RPC enabled, which can be a vector for brute-force or DDoS attacks.
inurl:/telescope intitle:"Telescope"
Finds Laravel Telescope debug dashboards if left publicly accessible.
inurl:/api/json?pretty=true intitle:Jenkins
Locates Jenkins instances exposing their JSON API, which can reveal job names, build status, and other information.
filetype:bash_history "HISTFILESIZE="
Finds publicly accessible bash history files, which can contain sensitive commands and credentials.
inurl:"/backup_migrate/export/" filetype:mysql OR filetype:sql
Searches for backup files created by the Drupal Backup and Migrate module.
inurl:/RDWeb/Pages/en-US/login.aspx
Finds login pages for Microsoft Remote Desktop Web Access.
inurl:/actuator/health OR inurl:/actuator/env OR inurl:/actuator/mappings
Finds Spring Boot applications exposing sensitive Actuator endpoints like /env, /health, /mappings.
intitle:"phpLiteAdmin" "Username" "Password"
Locates phpLiteAdmin, a web-based SQLite database administration tool.
intitle:"pgAdmin" "Login to pgAdmin"
Finds login portals for pgAdmin, a PostgreSQL administration and development platform.
intext:"[an error occurred while processing this directive]"
Finds pages revealing errors from Server-Side Includes, which might indicate misconfigurations or injection points.
intext:"BEGIN RSA PRIVATE KEY" filetype:key OR filetype:pem
Searches for files containing RSA private key markers.
inurl:/app/kibana intitle:Kibana -login
Finds Kibana dashboards that might be accessible without authentication, exposing log data and visualizations.
inurl:/remote/login intitle:"FortiToken" OR intitle:"FortiGate"
Identifies Fortinet SSL VPN login portals.
intitle:"Index of" "WebDAV" OR intext:"WebDAV Server"
Finds WebDAV enabled directories that might be publicly listable or accessible.
inurl:/console/login/LoginForm.jsp intitle:"Oracle WebLogic Server Administration Console"
Finds login pages for Oracle WebLogic Server Administration Console.
site:github.com "ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_"
Searches GitHub for patterns matching personal access tokens, which are often accidentally committed.
intitle:"Mobile Device Management" OR inurl:/mdm/ enroll
Locates MDM enrollment or login pages, which if unsecured could lead to device compromise.
port:5555 "Android Debug Bridge"
Identifies devices with ADB open on port 5555, potentially allowing unauthorized access.
port:1883 "MQTT" OR port:8883 "MQTT"
Finds MQTT brokers, often used in IoT, which might be unsecured and expose sensitive data streams.
inurl:indexFrame.shtml "Network Camera" intitle:"Live View"
Locates common IP camera interfaces that might still use default credentials.
inurl:/.well-known/core "CoAP"
Discovers CoAP resources, often used in IoT, which may list accessible endpoints.
site:github.com "sk_live_"
Searches GitHub for Stripe live secret API keys (sk_live_) inadvertently committed.
inurl:ipn_listener.php "PayPal IPN"
Finds PayPal Instant Payment Notification (IPN) listener scripts, which if misconfigured, could be exploited.
filetype:qbw OR filetype:qbb "QuickBooks"
Locates QuickBooks company files (.qbw) or backup files (.qbb) that may be exposed.
filetype:pdf "confidential financial report" OR "internal budget"
Attempts to find PDF documents containing sensitive financial keywords.
inurl:/admincp/ intitle:"vBulletin Login"
Finds vBulletin forum administration login pages.
inurl:/adm/index.php intitle:"Administration Control Panel" phpBB
Finds phpBB forum administration login pages.
site:discord.gg intext:"Join us on Discord"
Finds Discord server invite links publicly posted on websites.
site:linkedin.com/in/ "security researcher" "example.com"
Example dork to find LinkedIn profiles of 'security researchers' associated with 'example.com'. Useful for OSINT.
intitle:"Moodle" inurl:/login/index.php
Locates Moodle Learning Management System login pages.
inurl:/courses/ OR inurl:/webapps/blackboard/content/listContent.jsp
Finds Blackboard Learn course content directories or pages that might be publicly accessible.
intitle:"Student Information System" OR intitle:"Parent Portal" login
Identifies login portals for Student Information Systems or parent portals.
filetype:pdf "course syllabus" OR "course outline" site:.edu
Finds PDF syllabi or course outlines, often hosted on educational institution domains.
filetype:pdf "research paper" "university" "creative commons"
Locates academic research papers, often in PDF format, that are marked for open access or hosted by universities.
intitle:"Patient Portal" login OR inurl:/patientportal/
Identifies login pages for patient portals of healthcare providers.
intitle:"index of" "dicom" OR inurl:/dicomweb/
Looks for directories or web interfaces exposing DICOM (medical imaging) files. Highly sensitive.
intitle:"Medical Device Management" OR inurl:/device/status
Attempts to find web interfaces for managing medical devices.
intitle:"Telehealth Login" OR intitle:"Virtual Visit" OR inurl:/telemedicine/
Finds login pages for telemedicine or virtual health platforms.
inurl:/FHIR/ OR inurl:/fhir/Patient intitle:"FHIR Server"
Locates HL7 FHIR (Fast Healthcare Interoperability Resources) server endpoints, potentially exposing patient data APIs.
filetype:csv "patient_id" "diagnosis" OR filetype:xls "medical_history"
Highly sensitive search for spreadsheets that might contain anonymized or (more dangerously) identifiable patient data. Use with extreme caution and ethical considerations.
site:.gov intitle:Login OR inurl:login.aspx
General dork to find login pages on .gov domains.
site:.gov filetype:pdf "application form" OR "registration form"
Locates PDF application or registration forms on government websites.
site:.gov filetype:pdf "meeting minutes" OR "agenda" "confidential"
Finds PDF documents related to government meetings, potentially marked confidential but still public.
intitle:"GIS Portal" OR inurl:/gis/data/ city OR county
Finds Geographic Information System (GIS) data portals for cities or counties.
site:.gov "employee directory" OR "staff directory"
Identifies publicly accessible employee or staff directories on government websites.
inurl:force.com login OR intitle:"Salesforce" "Login"
Finds Salesforce login pages, including those on custom domains.
inurl:/irj/portal intitle:"SAP NetWeaver Portal"
Locates login pages for SAP NetWeaver Portals.
inurl:app.hubspot.com/login OR intext:"hs-script-loader.js"
Finds HubSpot login pages or sites using HubSpot tracking scripts.
intitle:"Wowza Streaming Engine Manager" inurl:/enginemanager/
Finds login pages for Wowza Streaming Engine Manager.
filetype:log intext:ffmpeg intext:input intext:output
Searches for log files containing FFmpeg commands, which might reveal media processing workflows or file paths.
inurl:rtsp://
Looks for URLs using the RTSP protocol, often used for streaming video from IP cameras or media servers.
intext:"jwplayer.setup" filetype:js OR intext:"new JWPlayer"
Finds JavaScript files or pages setting up JW Player, potentially revealing configurations or media sources.
filetype:html intitle:"Burp Suite Professional Report" "Generated by"
Finds publicly accessible Burp Suite scan reports in HTML format.
filetype:nessus "policyName" OR filetype:html intitle:"Nessus Scan Report"
Searches for Nessus vulnerability scan reports in .nessus or HTML format.
filetype:log intext:"Starting ChromeDriver" OR filetype:java intext:"WebDriver driver = new"
Finds Selenium test scripts or logs which might contain test data, credentials, or internal application details.
site:github.com filetype:json "Postman Collection" "info.schema"
Searches GitHub for Postman collection JSON files, which describe API requests and can reveal endpoints.
intitle:"Veeam Backup & Replication Console" login
Finds login pages for Veeam Backup & Replication consoles.
intitle:"Index of /" "rsync"
Identifies rsync server directories that might be listable, potentially exposing backup data.
filetype:pdf OR filetype:docx "Disaster Recovery Plan" "confidential"
Attempts to find Disaster Recovery Plan documents, which might be marked confidential but exposed.
intitle:"Bacula-Web" "Login" OR inurl:/bacula-web/
Locates Bacula (network backup solution) web management interface login pages.
port:5038 "Asterisk Call Manager" OR intext:"Asterisk Manager Interface"
Finds exposed Asterisk Manager Interfaces, potentially allowing control over VoIP systems.
intitle:"FreePBX Administration" "Please login"
Identifies login pages for FreePBX, a web-based GUI for Asterisk.
port:5060 "SIP/2.0" OR port:5061 "SIP/2.0"
Searches for open SIP ports (5060/5061), which are used for VoIP signaling and could be targeted.
inurl:/sendsms OR intitle:"SMS Gateway" "API Key"
Finds SMS gateway interfaces or documentation that might reveal API keys or allow message sending.
filetype:vsd OR filetype:pdf "network diagram" "internal"
Attempts to find network diagrams (Visio or PDF) or infrastructure documents marked as internal.
inurl:".php?id=" "Warning: mysql_fetch_array()" OR "You have an error in your SQL syntax"
Looks for common SQL error messages directly visible in URLs or page content, indicating potential SQL injection.
intitle:"SQL Server Reporting Services" inurl:/reports/
Finds Microsoft SQL Server Reporting Services instances, which might be misconfigured for public access.
filetype:config intext:tnsnames.ora OR intext:"oracle.jdbc.driver.OracleDriver"
Searches configuration files for Oracle TNSnames entries or JDBC driver strings, potentially revealing connection details.
filetype:backup OR filetype:dump intext:pg_dumpall OR intext:"PostgreSQL database dump"
Locates PostgreSQL backup files created with pg_dump or pg_dumpall.
intitle:login "username" "password" inurl:.php "admin"
Targets login forms (especially PHP-based admin logins) for potential SQL injection. Add typical SQLi payloads to search terms.
filetype:trc intext:"SQL Server Profiler" OR filetype:sqlplan
Finds SQL Server trace files (.trc) or execution plan files (.sqlplan) that might have been exposed.