Although Google hacking techniques are against Google's Terms of Service and Google blocks well-known Google hacking queries, nothing can stop hackers from crawling websites and launching Google queries.
I am going to explain some of the operators used in Google hacking.
This will return all the pages that have the word entered after intitle: (operator is the placeholder used here) in the title of the page. To check for multiple keywords in the title, use allintitle: in place of intitle:.
This will return all the pages that have the word entered after inurl: in the URL of the page. To check for multiple keywords in the URL, use allinurl: in place of inurl:.
allinurl:operator1 operator2 ....
This will return all the pages that have certain keywords in that particular site or domain.
This will list web pages that have links to the specified web page.
This will return all the pages that have the word entered after intext: in the particular website. To check for multiple keywords in the website, use allintext: in place of intext:.
allintext:operator1 operator2 ....
The “related:” operator will list web pages that are "similar" to a specified web page. For example:
“related:www.ethicalhack4u.blogspot.com” will list web pages that are similar to the
Note: There can be no space between "related:" and the web page URL.
Syntax: cache:URL [highlight]
The cache operator will search through Google’s cache and return results based on those documents. You can optionally tell cache to highlight a word or phrase by adding it after the operator and URL.
This tag will give you the information that Google has on the given URL.
This restricts a Google search to files on the internet with particular extensions (such as doc, pdf or ppt).
Google’s query syntax discussed above can really help people make their searches more precise and get exactly what they are looking for.
Looking for Vulnerable Sites or Servers using “inurl:” or “allinurl:”
Using “allinurl:winnt/system32/” will list all the links to servers that give access to restricted directories like “system32” through the web. If you are lucky enough then you might get access to cmd.exe in the “system32” directory. Once you have access to “cmd.exe” and are able to execute it, you can go ahead and further escalate your privileges over the server and compromise it.
Using “inurl:.bash_history” will list all the links to servers that give access to the “.bash_history” file through the web. This is a command history file. It includes the list of commands executed by the administrator, and sometimes includes sensitive information such as passwords typed in by the administrator. If this file is compromised and it contains the encrypted Unix (or *nix) password, then it can be easily cracked using “John The Ripper”.
Using “inurl:config.txt” will list all the links to servers that give access to the “config.txt” file through the web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials. For example: Ingenium Learning Management System is a web-based application for Windows-based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 store sensitive information insecurely in the config.txt file.
Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
Using allintitle: "index of /root" will list the links to web servers that give access to restricted directories like “root” through the web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
Using allintitle: "index of /admin" will list the links to websites that have index browsing enabled for restricted directories like “admin” through the web. Web applications sometimes use names like “admin” for the directory that stores admin credentials. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart
allintitle: sensitive filetype:doc
allintitle: restricted filetype:mail
allintitle: restricted filetype:doc site:gov
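Seen from the defender's side, the file names in these queries can be checked for in your own document root before a crawler indexes them. The following is an added example, not part of the original post; the function names audit_docroot and build_sample_tree, the index-file names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# File names taken from the queries listed in this post (".htpasswd" is the usual on-disk form).
SENSITIVE_NAMES = {
    ".sh_history", ".bash_history", "passwd", "people.lst", "pwd.db",
    "shadow", "spwd", "master.passwd", "htpasswd", ".htpasswd", "config.txt",
}
# Assumption: files the web server serves instead of an "Index of" listing.
INDEX_FILES = {"index.html", "index.htm", "index.php"}


def audit_docroot(docroot):
    """Return (sensitive_files, listable_dirs) as sorted paths relative to docroot."""
    sensitive, listable = [], []
    for current, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(current, docroot)
        # No index file: a server with directory browsing enabled shows "Index of" here.
        if not {name.lower() for name in files} & INDEX_FILES:
            listable.append("/" if rel_dir == "." else "/" + rel_dir.replace(os.sep, "/"))
        for name in files:
            if name.lower() in SENSITIVE_NAMES:
                rel = os.path.normpath(os.path.join(rel_dir, name))
                sensitive.append("/" + rel.replace(os.sep, "/"))
    return sorted(sensitive), sorted(listable)


def build_sample_tree(root):
    """Constructed sample document root, used only for this demonstration."""
    layout = {
        "index.html": "<h1>home</h1>",
        "admin/config.txt": "db_password=placeholder",
        "admin/.bash_history": "ls -la",
        "docs/index.html": "<h1>docs</h1>",
        "docs/manual.pdf": "",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        files, dirs = audit_docroot(root)
        print("sensitive files:", files)
        print("listable dirs:  ", dirs)
```

Anything reported under sensitive files should be moved out of the document root, and directory browsing should be disabled for every directory reported as listable.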
To search for sites vulnerable to Cross-Site Scripting (XSS) attacks:
To search for sites vulnerable to SQL Injection attacks:
Refer to Our Earlier Post: Find Vulnerable Websites Using Google for SQL Injection