Is Google A Hacking Database(7 Free Tips)?
Google has become our daily essential need. We need it to reach StackOverflow’s code, to find what happens when we type our name(we all do this XD). Like every best friend is innocent in front of your parents, Google is the same. It seems to be innocent but is a way to do hacking too. Yes! it’s a potential way to do hacks and that’s why I call it a Hacking Database.
So, let’s get that started (PS: if you want to know more about information gathering, it’s here. Complete this first if you’re following the roadmap).
How Google became a hacking database?
Everyone wants to be in top results of the search query and that happens with SEO(Search Engine Optimization). To mark our presence in the online market, we let google go through the website, content, and all our digital presence. During this, most businesses miss that they need to stop Google to reach some sensitive data like logs, backups, envs, and much more. Such details when get indexed becomes trouble for that them by becoming potential security risks bringing severe damage to themselves at a later stage.
The reason for getting such content indexed can be many like the plugin you use did it by default and you didn’t check or maybe the security configuration of a website may not be set properly. Once you let the Google bot run, it’s over. The impact can range from no damage to a full account takeover. It just take 1 incident to shatter the image that took 10 years to build. If you want to know how indexing works, read this.
7 Advanced Searching Techniques
Once a website’s sensitive content gets indexed, all you need to do is search to the full potential to bring out the data. Let me show you how!
1. intitle:
This will show you pages that have the mentioned term in the HTML title.
Eg: intitle:”password” — this will search for password written in the title
2. inurl:
This will search for specific terms in the URL.
Eg: inurl :”password” — this will search for passwords written in URL
3. filetype:
This will search for the specific file types in websites.
Eg: filetype:pdf — this will search for pdf files on a website
4. ext:
This works similar to filetype
5. intext:
This will search the content of a webpage.
Eg: intext:”password” — this will search for passwords written in a webpage somewhere
6. site:
This will limit your search to the mentioned site.
Eg: site:site.com — this will search only on site.com
7. Cache:
This will show the cached version of a website
Eg: cache:site.com — this will show the cached version of site.com.
3 useful operators in this hacking database
1. *:
This is the wildcard operator.
Eg: how to learn * — this will show you content having how to learn hacking/testing/…/ etc
2. -:
This is to exclude something from your search.
Eg: — intext: “company” — this will show results which don’t have company written on their webpages
3. |:
This is used to search for this or that.
Eg: admin | password — this will show you content having admin or password
For more operators, refer to this.
What we just learned is called Google Dorking. It basically means to use advanced search strings to find information that is not easily available on the websites.
Examples of Google Dorking
Now, since we have learned about operators, it’s time to know how to use these.
Basic format:
[operator]:[your dork]
site:site.com filetype:log
2. Finding an index of something in a website that uses HTTP protocol
site:site.com intitle:"index of" inurl:http
Find more such examples here. Now, you can say your friends:
Google almost index everything connected to the internet which becomes harmful for misconfigured services. This is equally useful and harmful(if the target website is yours).CAUTION: You need to make sure that you will not use this information for any illegal purposes. If you find something sensitive while practicing this, do not use that information instead inform the website owner as soon as possible.
However, if you have something hosted online, use dorks and check what have you left exposed to a hacker.
That’s it for Google as a hacking database, it time for you to practice and get your hands dirty. Next, I’ll share how to find people online, till then keep practicing!
Originally published at https://haox.illued.space on September 30, 2021.