Identifies Jenkins servers that may be publicly accessible, potentially exposing CI/CD pipelines.

Locates SQL dump files that might have been unintentionally exposed, containing sensitive data.

Finds Wordpress sites with directory listing enabled for uploads, potentially exposing sensitive files.

Identifies Apache Struts instances with developer mode enabled, which can lead to RCE.

Finds publicly accessible phpinfo() pages, revealing server configuration details.

Search for servers running a specific, potentially outdated and vulnerable, version of Apache.

Searches GitHub repositories for accidentally committed API keys or sensitive credentials.

Helps in discovering subdomains of a target domain (replace example.com with target).

Finds publicly accessible .env files which often contain sensitive credentials.

Discovers Swagger UI or OpenAPI definition files, which map out API endpoints.

Searches for GitLab CI/CD variables that might be exposed in public projects or logs.

Finds Kubernetes dashboards that might be accessible without authentication.

Looks for exposed configuration files related to AI/LLM models, potentially containing API keys.

Finds JavaScript source maps which can expose original source code of frontend applications.

Basic dork to find potential SQL injection points in URL parameters. Use with caution and ethically.

Finds exposed .git directories, potentially allowing attackers to download the entire source code.

General dork to find login pages of various web applications.

Searches for web pages with "admin" in the title and URL, often leading to administrative interfaces.

Locates various types of backup files which might contain sensitive information or old code versions.

Finds common configuration file types which might expose server settings, credentials, or API keys.

Searches for log files containing error messages, warnings, or exceptions, which can reveal system paths, vulnerabilities, or user data.

Identifies publicly listed Amazon S3 buckets, potentially exposing stored files.

Finds Postman collections or other API documentation that might be publicly exposed.

Searches for Trello boards, potentially exposing project plans, tasks, or sensitive information if not properly secured.

Finds exposed WordPress debug logs, which can contain sensitive information like database errors or plugin issues.

Locates Jira instances, which if misconfigured, can expose project details, issues, and user information.

Finds FTP servers that allow directory listing, potentially exposing files and directories.

Searches for plain text files or documents that might contain the word "password" or "credentials".

Identifies login pages for network devices like routers, firewalls, or switches.

Finds publicly accessible live CCTV camera feeds.

Identifies public Google Calendar events. Be cautious, as many are intentionally public.

Searches for files with the .pem extension containing "PRIVATE KEY", potentially exposing SSH private keys.

Locates phpMyAdmin installations, which are web-based database administration tools.

Finds Magento local.xml configuration files, which can contain database credentials.

Locates SWF (Flash) files. While Flash is deprecated, old files might still exist and could potentially be decompiled to reveal source code or logic.

Finds Zoom meeting links or pages mentioning Meeting IDs. Many are public, but some might be unintentionally exposed.

Identifies Microsoft SharePoint sites. Misconfigurations could lead to data exposure.

Finds Jenkins script consoles, which can allow arbitrary code execution if unprotected.

Finds login or registration pages for Drupal sites (replace example.com).

Finds RabbitMQ management consoles, which could be exposed without authentication.

Identifies open Elasticsearch instances, potentially exposing large amounts of data.

Locates MongoDB instances that might be publicly accessible without proper authentication.

A combination dork for finding various types of unsecured webcams.

Identifies Cisco VPN login portals.

Finds .DS_Store files. These macOS files can sometimes reveal directory structures or filenames.

Finds Apache or Nginx server status pages, which can reveal server information, traffic, and worker status.

Locates Adminer, a web-based database management tool. Exposed instances can be risky.

Finds exposed Subversion (SVN) directories, potentially allowing access to source code.

Searches for Google Workspace documents marked as public but containing keywords like "confidential" or "internal".

Searches Pastebin for accidentally leaked API keys or secret keys.

Searches for occurrences of all the keywords given. This operator ensures that all specified terms appear somewhere in the text of the page.

Searches for occurrences of specified keywords within the body text of web pages.

Searches for a URL matching one of the keywords. This helps find pages with specific terms in their web address.

Searches for a URL matching all the keywords in the query. This is more restrictive than 'inurl'.

Searches for occurrences of specified keywords within the title of a web page.

Searches for occurrences of keywords all at a time in the page title. Ensures all specified keywords are in the title.

Specifically searches that particular site and lists all the results for that site. Restricts results to a specific domain or subdomain.

Searches for a particular filetype mentioned in the query. For example, PDF, DOC, TXT, etc.

Searches for pages that link to a specified URL. For example, using 'link:www.example.com' will find pages linking to that specific domain.

Used to locate specific numbers or a range of numbers in your searches. Can be useful for finding version numbers, product IDs, etc.

Locates Remote Desktop Protocol (.rdp) files that may be publicly exposed, potentially revealing connection details to remote servers.

Finds public spaces in Atlassian Confluence instances, which might unintentionally expose internal documentation or sensitive information.

Looks for exposed `credentials.xml` files from Jenkins, which store encrypted credentials but can still pose a risk if accessible.

Identifies publicly listable Google Cloud Storage buckets, potentially exposing stored files.

Helps enumerate WordPress usernames by looking for author archive pages (replace example.com).

Locates LogMeIn Hamachi VPN gateway login pages.

Finds publicly accessible Jupyter Notebook files (.ipynb), which might contain code, data, and potentially sensitive information.

Finds Grafana dashboards that might be accessible without authentication, exposing monitoring data.

Searches for publicly accessible Slack invitation links or webhook URLs.

Locates .htpasswd files, which are used for basic authentication on Apache web servers. If exposed, they can be cracked.

Searches for publicly accessible Cisco WebEx meeting recordings.

Finds publicly listable Azure Blob Storage containers. Replace CONTAINER_NAME or use keywords.

Locates phpPgAdmin (PostgreSQL web admin tool) installations.

Finds login pages for Sitecore CMS.

Locates .pem files containing public certificates. While not private keys, can reveal infrastructure details.

Identifies Jenkins instances with accessible userContent directories, which might contain build artifacts or other files.

Finds files related to Microsoft Visual SourceSafe, an older version control system. Exposure could leak source code.

Searches for Joomla configuration.php files, which contain database credentials and other sensitive settings.

Finds Adobe ColdFusion administrator login panels.

Searches for exposed web.config files used in .NET applications, which can contain connection strings and other sensitive data.

Finds Apache Tomcat Web Application Manager interfaces. Default credentials are a common risk.

Identifies Zabbix monitoring system frontends.

Searches for AWS access key IDs in various files, excluding common code repositories.

Finds VNC servers accessible via a Java viewer, often on port 5800.

Finds Google Forms that allow file uploads, which could be misused or reveal unintended information.

Finds ProFTPD server information pages, revealing version and other details.

Finds Drupal update manager pages, which can reveal module versions and update status.

Identifies Microsoft Exchange OWA login pages.

Locates login portals for Palo Alto Networks devices (e.g., GlobalProtect).

Attempts to find devices (like routers) exposing TR-069 management interfaces.

Finds admin login pages for Cisco Unity Connection (voicemail and messaging).

Searches for publicly shared Dropbox links, excluding common image shares.

Finds login pages for SonicWall Scrutinizer network traffic analysis tool.

Identifies F5 BIG-IP load balancer login pages.

Finds WordPress sites with XML-RPC enabled, which can be a vector for brute-force or DDoS attacks.

Finds Laravel Telescope debug dashboards if left publicly accessible.

Locates Jenkins instances exposing their JSON API, which can reveal job names, build status, and other information.

Finds publicly accessible bash history files, which can contain sensitive commands and credentials.

Searches for backup files created by the Drupal Backup and Migrate module.

Finds login pages for Microsoft Remote Desktop Web Access.

Finds Spring Boot applications exposing sensitive Actuator endpoints like /env, /health, /mappings.

Locates phpLiteAdmin, a web-based SQLite database administration tool.

Finds login portals for pgAdmin, a PostgreSQL administration and development platform.

Finds pages revealing errors from Server-Side Includes, which might indicate misconfigurations or injection points.

Searches for files containing RSA private key markers.

Finds Kibana dashboards that might be accessible without authentication, exposing log data and visualizations.

Identifies Fortinet SSL VPN login portals.

Finds WebDAV enabled directories that might be publicly listable or accessible.

Finds login pages for Oracle WebLogic Server Administration Console.

Searches GitHub for patterns matching personal access tokens, which are often accidentally committed.

Locates MDM enrollment or login pages, which if unsecured could lead to device compromise.

Identifies devices with ADB open on port 5555, potentially allowing unauthorized access.

Finds MQTT brokers, often used in IoT, which might be unsecured and expose sensitive data streams.

Locates common IP camera interfaces that might still use default credentials.

Discovers CoAP resources, often used in IoT, which may list accessible endpoints.

Searches GitHub for Stripe live secret API keys (sk_live_) inadvertently committed.

Finds PayPal Instant Payment Notification (IPN) listener scripts, which if misconfigured, could be exploited.

Locates QuickBooks company files (.qbw) or backup files (.qbb) that may be exposed.

Attempts to find PDF documents containing sensitive financial keywords.

Finds vBulletin forum administration login pages.

Finds phpBB forum administration login pages.

Finds Discord server invite links publicly posted on websites.

Example dork to find LinkedIn profiles of 'security researchers' associated with 'example.com'. Useful for OSINT.

Locates Moodle Learning Management System login pages.

Finds Blackboard Learn course content directories or pages that might be publicly accessible.

Identifies login portals for Student Information Systems or parent portals.

Finds PDF syllabi or course outlines, often hosted on educational institution domains.

Locates academic research papers, often in PDF format, that are marked for open access or hosted by universities.

Identifies login pages for patient portals of healthcare providers.

Looks for directories or web interfaces exposing DICOM (medical imaging) files. Highly sensitive.

Attempts to find web interfaces for managing medical devices.

Finds login pages for telemedicine or virtual health platforms.

Locates HL7 FHIR (Fast Healthcare Interoperability Resources) server endpoints, potentially exposing patient data APIs.

Highly sensitive search for spreadsheets that might contain anonymized or (more dangerously) identifiable patient data. Use with extreme caution and ethical considerations.

General dork to find login pages on .gov domains.

Locates PDF application or registration forms on government websites.

Finds PDF documents related to government meetings, potentially marked confidential but still public.

Finds Geographic Information System (GIS) data portals for cities or counties.

Identifies publicly accessible employee or staff directories on government websites.

Finds Salesforce login pages, including those on custom domains.

Locates login pages for SAP NetWeaver Portals.

Finds HubSpot login pages or sites using HubSpot tracking scripts.

Finds login pages for Wowza Streaming Engine Manager.

Searches for log files containing FFmpeg commands, which might reveal media processing workflows or file paths.

Looks for URLs using the RTSP protocol, often used for streaming video from IP cameras or media servers.

Finds JavaScript files or pages setting up JW Player, potentially revealing configurations or media sources.

Finds publicly accessible Burp Suite scan reports in HTML format.

Searches for Nessus vulnerability scan reports in .nessus or HTML format.

Finds Selenium test scripts or logs which might contain test data, credentials, or internal application details.

Searches GitHub for Postman collection JSON files, which describe API requests and can reveal endpoints.

Finds login pages for Veeam Backup & Replication consoles.

Identifies rsync server directories that might be listable, potentially exposing backup data.

Attempts to find Disaster Recovery Plan documents, which might be marked confidential but exposed.

Locates Bacula (network backup solution) web management interface login pages.

Finds exposed Asterisk Manager Interfaces, potentially allowing control over VoIP systems.

Identifies login pages for FreePBX, a web-based GUI for Asterisk.

Searches for open SIP ports (5060/5061), which are used for VoIP signaling and could be targeted.

Finds SMS gateway interfaces or documentation that might reveal API keys or allow message sending.

Attempts to find network diagrams (Visio or PDF) or infrastructure documents marked as internal.

Looks for common SQL error messages directly visible in URLs or page content, indicating potential SQL injection.

Finds Microsoft SQL Server Reporting Services instances, which might be misconfigured for public access.

Searches configuration files for Oracle TNSnames entries or JDBC driver strings, potentially revealing connection details.

Locates PostgreSQL backup files created with pg_dump or pg_dumpall.

Targets login forms (especially PHP-based admin logins) for potential SQL injection. Add typical SQLi payloads to search terms.

Finds SQL Server trace files (.trc) or execution plan files (.sqlplan) that might have been exposed.

Identifies devices with an open Telnet port (23), which transmits data in cleartext.

Finds open Redis instances. Unauthenticated Redis servers can lead to data exposure or remote code execution.

Searches GitHub for Twilio Account SIDs, often found alongside API keys.

Finds files served through Drupal's private file system URL structure, which may be misconfigured.

Searches for Amazon SES SMTP credentials exposed in files or code.

Locates TeamCity continuous integration server login pages.

Finds login portals for Citrix Gateway or NetScaler devices.

Searches public Trello boards for accidentally pasted private keys.

Identifies Nagios network monitoring system login pages.

Finds login pages for the GlassFish Application Server admin console.

Searches for .npmrc files which may contain authentication tokens for private npm registries.

Finds Jenkins instances where the /whoAmI API endpoint is accessible, confirming an open API.

Locates login pages for Adobe Experience Manager (AEM).

Finds logs or outputs from Google Cloud Functions that may have been indexed.

Identifies JFrog Artifactory repository manager instances.

Locates Apache Solr admin panels, which if unauthenticated can expose data and allow modification.

Finds GraphQL Voyager instances, which visualize GraphQL APIs and expose their schema.

Locates GoCD (continuous delivery server) dashboards.

Identifies login pages for Portainer, a web UI for managing Docker and Kubernetes.

Finds login forms for CA SiteMinder single sign-on agents.

Locates login pages for Splunk, a popular log analysis and monitoring platform.

Searches for Heroku application logs that may have been committed to GitHub.

Searches for exposed Kubernetes configuration files (kubeconfig), which contain credentials for clusters.

Finds PHP files where source code might be exposed due to a php-cgi misconfiguration (add site:example.com).

Searches for Ansible Vault files. While encrypted, their exposure is still a risk.

Identifies login pages for Rancher, a Kubernetes management platform.

Finds JBoss Application Server admin consoles, which could be misconfigured for public access.

Searches for files in Google Firebase Storage that are publicly accessible via download tokens.

Finds login pages for the Umbraco CMS.

Finds web servers with directory listing enabled for a "/backup" folder.

Finds Next.js build manifests, which can reveal information about the application build and structure.

Searches GitHub for SendGrid API keys, often prefixed with "SG." or found in sendgrid.env files.

Finds docker-compose.yml files, which define multi-container Docker applications and can expose service configurations and sometimes secrets.

Identifies Liferay Portal instances.

Finds Node-RED instances that may be unprotected, allowing access to the flow editor.

Finds login portals for Check Point Mobile Access VPNs.

Finds MailChimp signup forms, revealing user and list IDs.

Locates login pages for the Graylog log management platform.

Searches for publicly shared Airtable bases, which might contain sensitive data.

Identifies login pages for IBM WebSphere Portal.

Finds the Fauxton web UI for CouchDB. Unauthenticated instances expose database access.

Finds Terraform state files (.tfstate), which contain detailed information about infrastructure and potentially sensitive data.

Locates login pages for OpenAM (now ForgeRock Access Management), an identity and access management solution.

Searches public CircleCI projects for build logs, which might contain secrets or infrastructure details.

Finds log files from WS_FTP clients or servers, potentially revealing connection details and transferred files.

Locates the admin login page for Shopify stores.

Finds .git-credentials files, which store usernames and passwords for Git HTTPS authentication in plaintext.

Searches for Netlify serverless functions or logs that might be publicly accessible.

Finds login pages for Matomo (formerly Piwik), an open-source web analytics platform.

Searches for links to files or channels in Microsoft Teams that may be publicly accessible.

Finds PostgreSQL database dumps created with the pg_dump utility.

Locates the administration login page for Kentico CMS.

Searches for MediaWiki debug logs that contain exceptions, potentially revealing internal paths or query details.

Identifies FileZilla FTP server administration interfaces.

Finds Magento 2 stores running in developer mode, which may expose verbose error messages and other debug info in headers.

Finds Citrix StoreFront web access portals.

Searches for publicly shared Notion pages that may contain keywords indicating they were intended to be private.

Finds resumes (CVs) in PDF format for a specific person or from a specific company domain.

Locates login pages for Home Assistant, a popular home automation platform. Unsecured instances can expose control over smart homes.

Searches public Travis CI API responses (build logs) for sensitive environment variable names.

Finds OpenVPN client configuration files (.ovpn), which contain server addresses and certificate details.

Identifies login pages for Webmin, a web-based system administration tool for Unix.

Searches GitHub for Shopify private app credentials which are often hardcoded.

Finds data exported by Drupal Views in JSON or XML format, which might expose more data than intended.

Locates the login page for VMware vSphere Web Client for managing virtual infrastructure.

Finds local history directories from Visual Studio Code if they are accidentally uploaded and directory listing is enabled.

Searches for publicly accessible Figma prototypes, which may expose UI/UX designs and internal comments.

Finds the install tool for Typo3 CMS. If not password protected after installation, it can lead to full server compromise.

Locates login pages for the IBM Tivoli Integrated Portal.

Finds SonarQube dashboards. Unauthenticated instances can expose code quality metrics and vulnerabilities.

Finds ASP.NET trace information (trace.axd), which contains session details, request data, and other debug info.

Locates build artifacts from Jenkins jobs, which might include binaries, packages, or sensitive files.

Finds login pages for Red Hat OpenShift Container Platform.

Searches GitHub for the common pattern of Google Cloud Platform API keys.

Locates Web Service Definition Language (WSDL) files, which describe the structure and methods of SOAP web services.

Finds admin login pages for the Ghost blogging platform.

Finds PostgreSQL command history files, which can contain sensitive queries and data.

Locates login pages for Dell Remote Access Controller (iDRAC) for server management.

Searches for public Miro boards, which can expose collaborative diagrams, plans, and sensitive information.

Finds the backend login for Sitefinity CMS.

Locates Prometheus monitoring dashboards that may be publicly accessible.

Finds the administrative console for IBM WebSphere Application Server.

Searches for the specific pattern of Slack webhook URLs on GitHub.

Locates instances of the Open edX learning management system.

Finds .netrc files, which store credentials for remote machines (like FTP) in plaintext.

Locates phpSysInfo pages, which provide detailed hardware and software information about the host server.

Finds default pages for Synology NAS Web Station, indicating a device is connected to the internet.

Searches for XML responses from Magento 2's REST API, potentially revealing endpoint structures.

Finds Laravel Ignition error pages. The "Share" feature can publicly expose detailed error reports.

Finds DigitalOcean Spaces with directory listing enabled.

Locates Munin monitoring nodes, which can reveal detailed server performance metrics.

Searches for JupyterLab instances. Unauthenticated instances can allow code execution and file access.

Finds URLs for running Drupal's cron tasks. If the key is weak or exposed, it could be triggered maliciously.

Finds phpMoAdmin, a web-based administration tool for MongoDB.

Identifies open Docker Registry APIs, which can list all available Docker images.

Locates remaining phpBB installation directories, which should be removed post-setup.

Finds data from the Jenkins Performance Plugin, revealing test results and performance metrics.

Searches for TeamViewer log files that may have been publicly exposed.

Finds login pages for the Concrete5 CMS.

Finds Node.js applications with the debug port open to the internet, potentially allowing remote code execution.