Google Dorks

Lyse
Awareness and resources, Not classified

Introduction to dorks

Did you know that Google can be much more than just a search engine? Used for reconnaissance, Google Dorks surface sensitive information that has been inadvertently left reachable online: a powerful tool for attackers, but also for defenders!

Google dorks are Google queries that use search operators to find information more precisely. These operators surface documents or pages that a standard Google query would not normally show in its results, or simply narrow a search.

During the reconnaissance phase of a pentest, the Google Hacking Database (GHDB, hosted by Exploit-DB) provides ready-made queries tailored to finding specific misconfigurations or sensitive files.

In a red team engagement or a phishing campaign, on the other hand, more generic dorks combined with keywords related to the target help find a given kind of information: photographs of badges, building plans, or the names and job titles of certain employees.

Main operators

Operator            Function
site:               Limits results to a given domain (including its subdomains)
filetype: / ext:    Limits results to a given file type (pdf, xls, xml, etc.)
inurl:              Pages whose URL contains the keyword
intitle:            Pages whose title contains the keyword
intext:             Pages whose body text contains the keyword

Logical operator    Function
"..."               Exact match: results must contain the quoted word or phrase verbatim (straight double quotes only; typographic quotes are not an operator)
-                   Excludes results containing the keyword (-keyword, or -"a phrase")
*                   Wildcard standing for any word, as long as the rest of the query is respected
OR, |               Results containing one keyword OR the other (OR must be written in upper case)
AND, &, +           Results containing both keywords (AND is implicit between terms on Google; + is no longer honoured as an operator)

Dorks on other search engines

Google is not the only search engine with search operators; some are common to several engines, while others differ.

For example, the filetype:/ext: operator on Google corresponds to the mime: operator on Yandex, while DuckDuckGo supports filetype: but not ext:. Even where an operator behaves the same way on several engines, the set of extensions it accepts is not always the same.

Since different search engines do not index the same pages, running the same search on several of them gives better coverage and reduces the number of results missed.

Many other sites also offer search filters built on the same principle; among the most useful are Shodan, X (formerly Twitter) and GitHub.

Examples

To find a PDF file on the algolighthouse.fr website containing the keyword blog, we could use the following query on Google -> site:algolighthouse.fr filetype:pdf "blog"

To find a doc file containing the keywords blog and algolighthouse but not the keyword example, we could use the following query on Yandex -> mime:doc "blog" "algolighthouse" -example (adjacent terms are implicitly ANDed)

To find a page on a website named algolighthouse with any TLD and containing the keyword blog or algolighthouse, we could use the following query on Google -> site:algolighthouse.* "blog" OR "algolighthouse"

To find phpinfo pages on a site named algolighthouse.fr, we could use the following query on Google -> site:algolighthouse.fr ext:php intitle:phpinfo "published by the PHP Group" (phpinfo() output discloses the PHP version, loaded modules, paths and environment variables, so such a page should never be publicly reachable)

In a more specific case, to look for servers that may be vulnerable to CVE-2023-50164, we could use the following query on Google -> intitle:"Apache Struts 2.5" "index of /" -git

Note that this last query only surfaces directory listings that mention a Struts 2.5 version string: a hit is a candidate to verify, not a confirmed vulnerable host, since the patched 2.5.33 release carries the same prefix.
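The queries above are assembled by hand, which is where most dorking mistakes come from: typographic quotes pasted from a document are not the exact-match operator, a multi-word value after intitle: only binds its first word unless it is quoted, and the file-type operator is spelled differently on Yandex. The following builder, written as an added example for this article (it is not Algo Lighthouse code), composes a query from the operators in the table above and renders it for Google, DuckDuckGo or Yandex. The only engine difference it encodes is the one documented here (filetype:/ext: versus mime:); other Yandex spellings are deliberately refused rather than guessed. The list of "sensitive" extensions in deindex_audit is a constructed starting point for a defender inventorying their own domain, not a recommendation from the article.

```python
"""Dork builder: compose search-operator queries once, render them per engine.

Added example for this article, not code from the original page. Only the
file-type operator is remapped between engines (Google/DuckDuckGo filetype:,
Yandex mime:); other Yandex operator spellings are not covered and are rejected.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# File-type operator per engine, as described in the article.
FILETYPE_OPERATOR = {"google": "filetype:", "duckduckgo": "filetype:", "yandex": "mime:"}

# Typographic quotes copied from documents or web pages are not operators:
# only the straight double quote means "exact phrase".
CURLY_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": '"', "\u2019": '"'})


def normalize_quotes(query: str) -> str:
    """Turn curly single/double quotes into straight double quotes."""
    return query.translate(CURLY_QUOTES)


def quote(term: str) -> str:
    """Wrap a term as an exact phrase, dropping any quotes it already carries."""
    bare = normalize_quotes(term).replace('"', "").strip()
    return f'"{bare}"'


@dataclass
class Dork:
    site: str | None = None        # site:example.com or site:example.*
    filetype: str | None = None    # pdf, doc, xls, ...
    inurl: str | None = None
    intitle: str | None = None
    intext: str | None = None
    all_of: list[str] = field(default_factory=list)   # exact phrases, all required (implicit AND)
    any_of: list[str] = field(default_factory=list)   # exact phrases, at least one (OR)
    exclude: list[str] = field(default_factory=list)  # terms that must not appear (-term)


def render(dork: Dork, engine: str = "google") -> str:
    """Serialise a Dork as a query string for the given engine."""
    engine = engine.lower()
    if engine not in FILETYPE_OPERATOR:
        raise ValueError(f"unsupported engine: {engine}")
    parts: list[str] = []
    if dork.site:
        parts.append(f"site:{dork.site}")
    if dork.filetype:
        parts.append(f"{FILETYPE_OPERATOR[engine]}{dork.filetype.lstrip('.')}")
    for name in ("inurl", "intitle", "intext"):
        value = getattr(dork, name)
        if value is None:
            continue
        if engine == "yandex":
            # The article documents only mime: for Yandex; do not guess the rest.
            raise ValueError(f"{name}: has no documented Yandex equivalent in this example")
        # A multi-word value must be quoted, or only its first word binds to the operator.
        parts.append(f"{name}:{quote(value) if ' ' in value.strip() else value.strip()}")
    parts.extend(quote(term) for term in dork.all_of)
    if dork.any_of:
        group = " OR ".join(quote(term) for term in dork.any_of)
        parts.append(f"({group})" if len(dork.any_of) > 1 else group)
    for term in dork.exclude:
        term = term.strip()
        parts.append(f"-{quote(term) if ' ' in term else term}")
    return " ".join(parts)


# Constructed list of extensions a defender typically wants to inventory first.
SENSITIVE_FILETYPES = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "log", "sql", "bak")


def deindex_audit(domain: str, filetypes=SENSITIVE_FILETYPES, engine: str = "google") -> list[str]:
    """One query per file type on the defender's own domain, to list indexed
    documents before requesting removal or de-indexing."""
    return [render(Dork(site=domain, filetype=ft), engine) for ft in filetypes]


if __name__ == "__main__":
    print(render(Dork(site="algolighthouse.fr", filetype="pdf", all_of=["blog"])))
    print(render(Dork(filetype="doc", all_of=["blog", "algolighthouse"], exclude=["example"]), "yandex"))
    print(render(Dork(intitle="Apache Struts 2.5", all_of=["index of /"], exclude=["git"])))
    for q in deindex_audit("algolighthouse.fr"):
        print(q)
```

The renderer puts operators first and the OR group in parentheses, so the third example above becomes site:algolighthouse.* ("blog" OR "algolighthouse"), which removes the ambiguity about what OR binds to. Rendering the phpinfo example yields filetype:php rather than ext:php; on Google the two are interchangeable, and only filetype: is portable to DuckDuckGo.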

Conclusion

Dorking is just as useful to defenders for finding documents and other items exposed on the Internet so that they can be taken down and de-indexed where necessary. However, be sure to obtain authorisation from the owners of the systems concerned before downloading any data: in France, fraudulently extracting data from an information system is an offence (Article 323-3 of the Penal Code), and the Bluetouff case law (Cour de cassation, 2015) established that downloading documents found through a search engine can still be punishable when the person knew they were not meant to be publicly accessible.
