Dorks are cool
Dorks for Google, Shodan and BinaryEdge
Only for use on bug bounty programs or in coordination with a legal security assessment.
I am in no way responsible for the usage of these search queries.
Be responsible thanks - https://www.bugcrowd.com/resource/what-is-responsible-disclosure/
This repository is "under construction"; feel free to make pull requests :-)
Example of how to fingerprint services with the different search engines:
|Pulse VPN (RCE VULN)||
|Horde Webmail (RCE VULN)||
NOTE: Some services have already been fingerprinted by Shodan and BinaryEdge and you can use the
product:"Pulse Secure VPN gateway http config"
inurl:%3Dhttps%3A%2F%2F - Open redirect/SSRF/Local File Disclosure
Read the Ahrefs blog post to see all search operators for Google - https://ahrefs.com/blog/google-advanced-search-operators/
Some of these dorks are old as fuck just FYI :-)
hacked-router-help-sos - Hacked routers :D
NETSurveillance uc-httpd - user:admin no passwords most likely
IPC$ all storage devices - Home routers' storage or attached USB Storage (Many with no PW)
port:23 console gateway -password - Open telnet no PW required
"polycom command shell" - Polycom Video conference system no-auth shell, most have open web config admin try for fun
NCR Port:"161" - ATMs :-)
HTTP/1.1 307 Temporary Redirect Location: /containers country:"US" - Container Advisor dork
html:"def_wirelesspassword" - HTML tag looking for passwords in source of Brazilian routers
country:xx http.status:200 http.component:odoo port:8069 - After finding instances go to /web/database/manager most of the time there is either no password or it's "admin"
Model: PYNG-HUB Crestron - IoT
x-jenkins 200 - Internet facing Jenkins servers, some unauthenticated. :O
Read the full list of filters for Shodan here - https://beta.shodan.io/search/filters
ssl.cert.subject.commonName:*vpn.* - Find SSL certs with vpn in sub-domain name - Uses asterisk (*) for wildcard.
Fortinet security device httpd - Finds Fortinet SSL VPN installations - Some vulnerable to CVE-2018-13379
product:"Exim smtpd" version:<4.92 - Finds vulnerable Exim SMTP servers - Vulnerable to multiple CVEs but mainly CVE-2019-15846
Read the search Docs to find even more tags to use! - https://docs.binaryedge.io/search/
SQL Injection Google Dorks
Some of these are probably shit and require tuning with other tags / dorks, experiment with them. :D
intext:"error in your SQL syntax"
intext:"mysql_num_rows()"
intext:"mysql_fetch_array()"
intext:"Error Occurred While Processing Request"
intext:"Server Error in '/' Application"
intext:"Microsoft OLE DB Provider for ODBC Drivers error"
intext:"InvalidQuerystring"
intext:"OLE DB Provider for ODBC"
intext:"VBScript Runtime"
intext:"ADODB.Field"
intext:"BOF or EOF"
intext:"ADODB.Command"
intext:"JET Database"
intext:"mysql_fetch_row()"
intext:"Syntax error"
intext:"include()"
intext:"mysql_fetch_assoc()"
intext:"mysql_fetch_object()"
intext:"mysql_numrows()"
intext:"GetArray()"
intext:"FetchRow()"
intext:"Input string was not in a correct format"
inurl:/id= intext:"You have an error in your SQL syntax"
inurl:”main.php?t=
inurl:”games.php?id=
inurl:”guide.php?id=
inurl:”index.php?cat=
allinurl:”review.php?sid=
inurl:”index2.php?id=
inurl:”main.php?id=
inurl:zoom.php?id=site:.il
inurl:”details.php?id=
inurl:”?came=
inurl:”index.php?page=
inurl:”home.php?cat=