

alzzdev edited this page Jun 12, 2026 · 1 revision

Vulnerability Dorking Guide

Overview

This guide provides practical techniques for discovering vulnerable web applications using AtDork's advanced search and filtering capabilities. Learn how to identify exposed WordPress installations, misconfigured servers, and other security vulnerabilities through targeted dorking.


Table of Contents

  1. Vulnerability Dorking Fundamentals
  2. WordPress Vulnerability Detection
  3. Common Vulnerable Patterns
  4. Using Vulnerability Filters
  5. Safe Dorking Practices
  6. Real-World Examples

Vulnerability Dorking Fundamentals {#fundamentals}

What is Vulnerability Dorking?

Vulnerability dorking is the practice of using advanced search queries (dorks) to find web applications that may contain security vulnerabilities or misconfigurations. This includes:

  • Exposed admin panels (wp-admin, /admin, etc.)
  • Outdated software versions (known vulnerable versions)
  • Misconfigured servers (directory listings, backup files)
  • Leaked credentials (in search indexes, git repos)
  • Default installations (unconfigured applications)

Ethical Responsibility ⚠️

Important: Use AtDork only on systems you own or have explicit written permission to test. Unauthorized vulnerability scanning or exploitation is illegal in most jurisdictions.


WordPress Vulnerability Detection {#wordpress}

Why Target WordPress?

WordPress powers ~43% of all websites. Common vulnerabilities include:

  • Outdated plugins (vulnerable versions indexed by search engines)
  • Misconfigured wp-admin (accessible, weak credentials)
  • XML-RPC exploitation (brute force attacks)
  • Exposed wp-config.php (database credentials)
  • Vulnerable themes (known security issues)

Basic WordPress Dorking Queries

1. Find Exposed WordPress Login Pages

python main.py -q "inurl:wp-admin inurl:wp-login.php" -r 50 --backend google --safesearch off --filter-vuln wordpress

What it finds: WordPress login pages indexed by search engines (may be exposed)


2. Find WordPress Version Numbers

python main.py -q "inurl:wp-content \"wp\" filetype:css" -r 30 --filter-vuln wordpress

What it finds: CSS files that may reveal WordPress version through query strings


3. Find Exposed wp-config.php Backups

python main.py -q "inurl:wp-config filetype:php OR filetype:txt OR filetype:bak" -r 40 --filter-vuln wordpress

What it finds: Backup files containing database credentials (DO NOT EXPLOIT)


4. Find Vulnerable WordPress Plugins

python main.py -q "inurl:/wp-content/plugins/ intitle:index.of" -r 50 --filter-vuln wordpress

What it finds: Directory listings exposing plugin structure (may indicate old versions)


5. Find XML-RPC Endpoints (Brute Force Risk)

python main.py -q "inurl:xmlrpc.php" -r 30 --filter-vuln wordpress

What it finds: XML-RPC endpoints commonly used for password brute-force attacks


Common Vulnerable Patterns {#patterns}

Pattern 1: Exposed Admin Panels

python main.py -q "inurl:admin inurl:index intitle:\"login\"" -r 50 --filter-vuln wordpress

Indicators of vulnerability:

  • Real WordPress login forms (not redirects)
  • Valid SSL certificates
  • Responsive HTTP responses
  • Active database connections

Pattern 2: Outdated Software Version Detection

python main.py -q "WordPress 4.9" -r 30 --filter-vuln wordpress

Why this matters: WordPress 4.9 is over 5 years old and contains many known CVEs


Pattern 3: Backup File Exposure

python main.py -q "site:example.com filetype:sql OR filetype:bak OR filetype:backup" -r 20

Risk Level: 🔴 CRITICAL – Database backups may contain credentials


Pattern 4: Git Repository Exposure

python main.py -q "inurl:.git filetype:config" -r 40 --filter-vuln wordpress

Risk Level: 🔴 CRITICAL – Can expose source code, credentials, secrets


Using Vulnerability Filters {#filters}

New Feature: --filter-vuln Flag

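The --filter-vuln flag filters results down to instances that appear to be live and potentially vulnerable, removing false positives and honeypots. Treat each remaining match as a candidate for verification, not as a confirmed vulnerability.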

python main.py -q "inurl:wp-admin" -r 50 --filter-vuln wordpress -o vuln_wordpress.json

What the filter does:

  • ✅ Keeps: Active WordPress installations with login pages
  • ✅ Keeps: Potentially exploitable misconfigurations
  • ❌ Removes: Honeypots (intentionally exposed fake targets)
  • ❌ Removes: Decoy sites (deliberately misleading pages)
  • ❌ Removes: Parked domains
  • ❌ Removes: CDN/proxy pages
  • ❌ Removes: Non-WordPress pages matching keywords

Learn more: Using --filter-vuln Flag


Safe Dorking Practices {#safety}

1. Scope Limiting

Always limit your search to authorized targets:

# ✅ Good: Search only your company domain
python main.py -q "site:yourcompany.com inurl:wp-admin" -r 50 --filter-vuln wordpress

# ❌ Bad: Broad search without scope
python main.py -q "inurl:wp-admin" -r 1000

2. Use Privacy Protection

Always use proxies or Tor to protect your identity:

python main.py -q "inurl:wp-admin" -r 50 --tor --strict --filter-vuln wordpress

3. Rate Limiting & Delays

Avoid detection by implementing request delays:

python main.py -q "inurl:wp-admin" -r 50 --delay 3 --retries 2 --filter-vuln wordpress

Recommended delays:

  • --delay 2 – Moderate activity (safe)
  • --delay 5 – High stealth mode
  • --delay 0.5 – Quick reconnaissance (risky)

4. Output Validation

Always validate your results before acting:

# Strict filtering removes false positives
python main.py -q "inurl:wp-admin" -r 50 --strict-filter --filter-vuln wordpress

5. Documentation & Reporting

Document your findings for your security team:

python main.py -q "inurl:wp-admin" -r 50 \
  --filter-vuln wordpress \
  --format json \
  -o vulnerability_report_$(date +%Y%m%d).json \
  --strict-filter

Real-World Examples {#examples}

Example 1: Internal Network Assessment (Authorized)

Your company authorized you to find vulnerable WordPress installations on your company domains.

# Find all WordPress admin pages on company domains
python main.py -q "site:company.com OR site:subsidiary.com inurl:wp-admin" \
  -r 100 \
  --format json \
  --output-dir assessment_results \
  --filter-vuln wordpress \
  --strict-filter

Next Steps:

  1. Review the JSON results
  2. Verify each URL
  3. Check WordPress versions
  4. Document findings
  5. Report to security team
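The "review the JSON results" and "verify each URL" steps should start with a scope check, because a `site:` operator is applied by the search backend and is not a guarantee that every returned URL belongs to an authorized domain. The following is an added example, not part of AtDork: it assumes the JSON output is a list of objects with a `url` key (an assumption about the format) and that authorized domains are kept one per line; all function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

def load_scope(lines):
    """Authorised domains, one per line; blank lines and # comments are ignored."""
    scope = set()
    for line in lines:
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            scope.add(entry)
    return scope

def host_of(url):
    """Lower-cased hostname of an http(s) URL, or None if it cannot be trusted."""
    try:
        parts = urlsplit(str(url).strip())
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.lower().rstrip(".")

def in_scope(url, scope):
    """True only for an authorised domain itself or a true subdomain of one."""
    host = host_of(url)
    return host is not None and any(
        host == d or host.endswith("." + d) for d in scope)

def split_results(results, scope):
    """Partition records into (in_scope, out_of_scope) by their 'url' field."""
    keep, drop = [], []
    for rec in results:
        (keep if in_scope(rec.get("url") or "", scope) else drop).append(rec)
    return keep, drop

# Constructed sample data; the "url" key is an assumed result layout.
SCOPE = load_scope(["# engagement letter (constructed)", "company.com", "Subsidiary.com."])
SAMPLE = json.loads("""[
  {"url": "https://blog.company.com/wp-admin/"},
  {"url": "https://SHOP.subsidiary.com./xmlrpc.php"},
  {"url": "https://notcompany.com/wp-admin/"},
  {"url": "https://company.com.evil.example/wp-login.php"},
  {"url": "https://company.com@evil.example/wp-admin/"},
  {"url": "https://evil.example/?next=https://company.com/wp-admin/"}
]""")

if __name__ == "__main__":
    print(json.dumps(split_results(SAMPLE, SCOPE), indent=2))
```

Matching on the parsed hostname with a leading-dot suffix test is what rejects look-alike hosts, userinfo tricks and authorized names that only appear in a query string; a plain substring match would accept all four out-of-scope samples.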

Example 2: Vulnerability Research (Ethical)

You're researching WordPress vulnerabilities for a security blog.

# Find WordPress instances with known vulnerable plugins
python main.py -q "\"WordPress\" intitle:index.of /wp-content/plugins" \
  -r 50 \
  --backend duckduckgo \
  --safesearch off \
  --format json \
  -o research_data.json \
  --delay 2 \
  --filter-vuln wordpress

Example 3: Penetration Testing (Authorized)

Your client authorized a pen-test for their WordPress infrastructure.

# Multi-threaded batch testing against authorized targets (one domain per line)
while IFS= read -r domain; do
  # Skip blank lines so an empty "site:" query is never sent
  [ -n "$domain" ] || continue
  python main.py -q "site:$domain inurl:wp-admin" \
    -r 30 \
    --concurrency 3 \
    --filter-vuln wordpress \
    --proxy-file proxies.txt \
    --format json \
    -o "pentest_${domain//./_}.json"
done < authorized_targets.txt

Example 4: Quick Vulnerability Scan

For rapid assessment of a specific domain:

python main.py -q "site:example.com inurl:wp-admin OR inurl:xmlrpc.php OR inurl:.git" \
  -r 30 \
  --filter-vuln wordpress \
  --strict-filter \
  --format json \
  -o quick_scan.json

Recommended Dork Queries

For WordPress Reconnaissance

| Query | Purpose | Risk |
|---|---|---|
| inurl:wp-admin | Find login pages | Low |
| inurl:wp-content filetype:plugin | List plugins | Low |
| inurl:xmlrpc.php | Find brute-force targets | High |
| inurl:wp-config filetype:bak | Backup exposure | Critical |
| "WordPress" "Version:" intitle:index | Directory listings | Medium |
| inurl:.git filetype:config | Git exposure | Critical |
| inurl:wp-admin intext:"lost password" | Admin detection | Low |

Safe Scanning Guidelines

✅ DO

  • ✅ Use --filter-vuln wordpress with WordPress dorks
  • ✅ Combine with --strict-filter for highest quality
  • ✅ Use --delay to avoid detection
  • ✅ Document your findings
  • ✅ Only scan authorized targets
  • ✅ Report vulnerabilities responsibly

❌ DON'T

  • ❌ Don't scan without authorization
  • ❌ Don't attempt to exploit vulnerabilities
  • ❌ Don't publicly disclose findings without responsible disclosure
  • ❌ Don't hammer targets with rapid requests
  • ❌ Don't use for malicious purposes
  • ❌ Don't leak private data

Legal Considerations

Using vulnerability dorking is legal ONLY when:

  1. ✅ You have written authorization from the target
  2. ✅ It's part of authorized security research
  3. ✅ It's within bug bounty programs
  4. ✅ It's for authorized penetration testing

Unauthorized vulnerability scanning is illegal in most jurisdictions.


Responsible Disclosure

If you find actual vulnerabilities:

  1. DO NOT exploit them
  2. Document your findings with screenshots/evidence
  3. Contact site owner privately (look for security.txt)
  4. Report to HackerOne or Bugcrowd if available
  5. Give 90 days for patching before public disclosure
  6. Respect the owners' timeline

Resources:


Troubleshooting

Issue: Too Many False Positives

Solution: Enable strict filtering

python main.py -q "inurl:wp-admin" -r 50 --filter-vuln wordpress --strict-filter

Issue: Getting Rate-Limited

Solution: Increase delays and use proxies

python main.py -q "inurl:wp-admin" -r 50 --delay 5 --proxy-file proxies.txt --retries 1

Issue: Results Include Honeypots

Solution: Use the vulnerability filter with strict mode

python main.py -q "inurl:wp-admin" -r 50 --filter-vuln wordpress --strict-filter

Next Steps

  1. Review the WordPress Dork Queries Library
  2. Learn about Using --filter-vuln Flag
  3. Explore Advanced Filtering Guide
  4. Reference Proxy Configuration

Related Resources


Contributing

Have a useful dork query? Found an improvement? Contribute!

Please open an issue or pull request on the GitHub repository.


Version: 1.0
Last Updated: June 2026
Maintainer: amnottdevv
License: MIT
