Search Operators (Google Dorking) Cheatsheet
Type: Passive reconnaissance using advanced search-engine operators to surface exposed files, directories, credentials, subdomains, and metadata without touching the target
Core Operators

| Operator | Description | Example |
| --- | --- | --- |
| `site:` | Restrict results to a domain | `site:example.com` |
| `inurl:` | Term appears in the URL | `inurl:admin` |
| `intitle:` | Term appears in the page title | `intitle:"index of"` |
| `intext:` | Term appears in the body text | `intext:password` |
| `filetype:` / `ext:` | Restrict to a file extension | `filetype:pdf` |
| `cache:` | Show Google’s cached copy | `cache:example.com` |
| `related:` | Find similar sites | `related:example.com` |
| `link:` | Pages linking to a URL (deprecated/limited) | `link:example.com` |
| `define:` | Dictionary definition | `define:reconnaissance` |
| `AROUND(n)` | Terms within n words of each other | `admin AROUND(3) password` |

Operator Modifiers

| Modifier | Description | Example |
| --- | --- | --- |
| `"..."` | Exact phrase match | `"confidential"` |
| `-` | Exclude a term | `site:example.com -www` |
| `OR` / `\|` | Logical OR | `site:example.com (filetype:pdf OR filetype:docx)` |
| `AND` | Logical AND (implicit) | `intitle:login AND inurl:admin` |
| `*` | Wildcard / placeholder | `"username * password"` |
| `( )` | Group terms | `site:example.com (admin OR login)` |
| `..` | Number range | `"budget 2020..2024"` |

“all” Variants

| Operator | Description |
| --- | --- |
| `allintitle:` | All following words must be in the title |
| `allinurl:` | All following words must be in the URL |
| `allintext:` | All following words must be in the body |
| `allinanchor:` | All following words must be in anchor text |

Note: all* operators don’t mix well with other operators — use the single-term versions (intitle:, inurl:) when combining.
Finding Exposed Files & Directories

```
# Open directory listings
site:example.com intitle:"index of"
intitle:"index of" "parent directory"

# Backup and config files
site:example.com ext:bak OR ext:old OR ext:backup
site:example.com filetype:env
site:example.com inurl:wp-config.php

# Database dumps
site:example.com ext:sql OR ext:db OR ext:dbf
intext:"-- phpMyAdmin SQL Dump"

# Log files
site:example.com ext:log

# Office documents and PDFs (good for metadata harvesting)
site:example.com filetype:pdf
site:example.com (filetype:doc OR filetype:docx OR filetype:xls OR filetype:xlsx)

# Configuration / credentials in text
site:example.com ext:txt intext:password
site:example.com filetype:xml inurl:config
```

Finding Login Portals & Admin Panels

```
site:example.com inurl:admin
site:example.com (inurl:login OR inurl:signin OR intitle:login)
site:example.com inurl:portal
intitle:"Dashboard" inurl:admin
```

Subdomain & Asset Discovery

```
# Enumerate indexed subdomains (exclude main www)
site:*.example.com -www

# Find specific tech / paths
site:example.com inurl:api
site:example.com inurl:dev OR inurl:staging OR inurl:test

# Credentials and keys
intext:"BEGIN RSA PRIVATE KEY"
site:example.com intext:"password" filetype:log
"index of" "id_rsa"

# Exposed environment / secrets
site:example.com ext:env "DB_PASSWORD"
intitle:"index of" ".git"

# Error messages leaking info
site:example.com intext:"sql syntax near" OR intext:"Warning: mysql_"
```

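A defender's counterpart to the file and secret queries above, added here as an example (not part of the original cheatsheet): it checks crawl output from a site you operate for the same extensions, file names and "index of" titles those dorks match. The rule tables, the `classify` and `audit` names and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Rules derived from the ext:/filetype:/inurl:/intitle: queries on this page.
EXT_RULES = {
    "backup/config file": {"bak", "old", "backup", "env"},
    "database dump": {"sql", "db", "dbf"},
    "log file": {"log"},
}
NAME_RULES = {"wp-config.php": "backup/config file", "id_rsa": "private key"}


def classify(url, title=""):
    """Return the sorted exposure categories for one crawled URL and its <title>."""
    path = urlsplit(url).path.lower()
    segments = [s for s in path.split("/") if s]
    # A trailing slash means a directory, so there is no file name to inspect.
    name = segments[-1] if segments and not path.endswith("/") else ""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    hits = {cat for cat, exts in EXT_RULES.items() if ext in exts}
    if name in NAME_RULES:
        hits.add(NAME_RULES[name])
    if ".git" in segments:
        hits.add("exposed .git directory")
    if "index of" in title.lower():
        hits.add("directory listing")
    return sorted(hits)


def audit(pages):
    """pages: iterable of (url, title). Returns {url: categories} for hits only."""
    results = {url: classify(url, title) for url, title in pages}
    return {url: cats for url, cats in results.items() if cats}


# Constructed sample of crawl output for a site you operate (not real data).
SAMPLE = [
    ("https://example.com/", "Home"),
    ("https://example.com/backup/site.sql", ""),
    ("https://example.com/.env", ""),
    ("https://example.com/uploads/", "Index of /uploads"),
    ("https://example.com/.git/config", ""),
    ("https://example.com/wp-config.php.bak", ""),
    ("https://example.com/docs/report.pdf", "Annual report"),
]

if __name__ == "__main__":
    for url, cats in audit(SAMPLE).items():
        print(f"{url} -> {', '.join(cats)}")
```

Anything the audit flags should be removed from the web root or access-controlled at the server; a file that is no longer served also drops out of search results once it is re-crawled.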
Other Search Engines

| Engine | Notable Operators / Notes |
| --- | --- |
| Bing | Supports `site:`, `filetype:`, `inbody:`, `intitle:`, `ip:<addr>` (find sites on an IP) |
| DuckDuckGo | Supports `site:`, `filetype:`, `intitle:`, `inurl:`; `!bang` shortcuts |
| Yandex | Strong operator support; often indexes content others miss |
| Shodan | Device/banner search — `hostname:`, `port:`, `org:`, `ssl:` (not a web dork engine but pairs well) |

Resources

```
# Google Hacking Database (GHDB) — huge curated dork collection
https://www.exploit-db.com/google-hacking-database

# DorkSearch / pre-built dork generators
https://dorksearch.com
```

Notes
- Passive — queries hit the search engine, not the target; nothing is sent to the victim’s infrastructure.
- Results reflect what’s been indexed — combine with crawling tools like [[scrapy]] / [[reconspider]] for live, unindexed content.
- Aggressive automated dorking can trigger Google CAPTCHAs / rate limits — throttle and rotate where needed.
- Always validate findings; cached or stale results may not reflect the current site state.
- Use only against assets you’re authorised to test — exposed data is still owned by the target.