Wed. Jan 22nd, 2020



Exploiting Sensitive directories with Google Dorks.

2 min read
google dorks

Exploiting directories with google dorks

Here are some of my favorite google dorks i made use of during penetration testing.

intitle:”Index of /“ inurl:passport – Find a lot of passports – Passwords and information on target’s employees/customers. awesome for spear phishing.

intext:”please find attached” “login” | password ext:pdf – Replace pdf extension with any other document extension like doc, docx,txt.

intitle:Login inurl:login.php intext:admin/admin – This Google Dork discovers login portals with weak default passwords.

*Google Search: *inurl:”/wp-json/” -wordpress – Google dork *description: * Sites running WordPress CMS and access to the wp-json API endpoint which *might* be vulnerable to content injection

intitle:”index of” inurl:documents backup

intitle:”index of” users.csv | credentials.csv | accounts.csv

intitle:”index of” $Recycle.bin – Windows trash bins with a lot of juicy info.

intitle:”index of” “/Windows/Recent” | “/Windows/History/” – This will give you the most recent used files and the history data. This is for Vista – Windows 10, it will not work against XP or Windows 2003

inurl:”/.Trash” intitle:”index of” ~


inurl:login.htm “access” database

++ All sorts of Websites (a lot of colleges)

intitle:”index of /” ssh

  • Data you find:
  •     – Webserver Version
  •     – SSH Version
  •     – SSH Keys
  •     – SSH Logins
  •     – SSH .exe files

I found a lot of servers using < SSH 1.4.* These are usually +5 years old and full of security holes . A search in Exploit DB for SSH 1. turns up +40.000 exploits for these some may work.

++ 55 500 results at the time of writing ++

DISCLAIMER: The vulnerabilities are suggestions, none of them have been tested by me, always request permission before testing anything on someone else system.

Dork for finding private directories inside wordpress popup plugin including admin data which are present in WordPress websites.

Note : To access more sensitive files locate to parent directory until

/admin or /conf etc.

Dork : allinurl:”wp-content/plugins/wordpress-popup/views/admin/”

Also Try : allinurl:”wp-content/plugins/wordpress-popup/”