Question

When hunting for bugs, you’ll often need to research the details of a vulnerability. If you’re exploiting a potential cross-site scripting (XSS) vulnerability, you might want to find a particular payload you saw on GitHub. Advanced search-engine skills will help you find the resources you need quickly and accurately.

寻找漏洞时，你经常需要研究漏洞的具体细节。如果你正在利用一个可能存在的跨站脚本漏洞，你可能希望在 GitHub 上找到一个特定的有效载荷。高级搜索引擎技巧将帮助你快速准确地找到所需的资源。

In fact, advanced Google searches are a powerful technique that hackers often use to perform recon. Hackers call this Google dorking . For the average Joe, Google is just a text search tool for finding images, videos, and web pages. But for the hacker, Google can be a means of discovering valuable information such as hidden admin portals, unlocked password files, and leaked authentication keys.

实际上，高级的谷歌搜索是黑客经常用来进行侦查的强大技术。黑客称之为谷歌搜索。对于普通人来说，谷歌只是一个文本搜索工具，用于查找图像、视频和网页。但对于黑客来说，谷歌可以成为一种发现有价值信息的手段，比如隐藏的管理员门户、解锁的密码文件和泄露的认证密钥。

Google’s search engine has its own built-in query language that helps you filter your searches. Here are some of the most useful operators that can be used with any Google search:

谷歌搜索引擎拥有自己的内置查询语言，可帮助您过滤搜索结果。以下是一些可与任何谷歌搜索一起使用的最有用的运算符：

site

网站

1. Tells Google to show you results from a certain site only. This will help you quickly find the most reputable source on the topic that you are researching. For example, if you wanted to search for the syntax of Python’s print() function, you could limit your results to the official Python documentation with this search: print site:python.org .

inurl

inurl: 在网址中包含指定关键词

1. Searches for pages with a URL that match the search string. It’s a powerful way to search for vulnerable pages on a particular website. Let’s say you’ve read a blog post about how the existence of a page called /course/jumpto.php on a website could indicate that it’s vulnerable to remote code execution. You can check if the vulnerability exists on your target by searching inurl:"/course/jumpto.php" site:example.com .

intitle

标题

1. Finds specific strings in a page’s title. This is useful because it allows you to find pages that contain a particular type of content. For example, file-listing pages on web servers often have index of in their titles. You can use this query to search for directory pages on a website: intitle:"index of" site:example.com .

link

链接

1. Searches for web pages that contain links to a specified URL. You can use this to find documentation about obscure technologies or vulnerabilities. For example, let’s say you’re researching the uncommon regular expression denial-of-service (ReDoS) vulnerability. You’ll easily pull up its definition online but might have a hard time finding examples. The link operator can discover pages that reference the vulnerability’s Wikipedia page to locate discussions of the same topic: link:"https://en.wikipedia.org/wiki/ReDoS" .

filetype

文件类型

1. Searches for pages with a specific file extension. This is an incredible tool for hacking; hackers often use it to locate files on their target sites that might be sensitive, such as log and password files. For example, this query searches for log files, which often have the .log file extension, on the target site: filetype:log site:example.com .

Wildcard ( * )

通配符 (*)

1. You can use the wildcard operator ( * ) within searches to mean any character or series of characters . For example, the following query will return any string that starts with how to hack and ends with using Google . It will match with strings like how to hack websites using Google , how to hack applications using Google , and so on: "how to hack * using Google" .

Quotes ( " " )

“Quotes” → “引号”

1. Adding quotation marks around your search terms forces an exact match. For example, this query will search for pages that contain the phrase how to hack : "how to hack" . And this query will search for pages with the terms how , to , and hack , although not necessarily together: how to hack .

Or ( | )

或 (|)

1. The or operator is denoted with the pipe character ( | ) and can be used to search for one search term or the other, or both at the same time. The pipe character must be surrounded by spaces. For example, this query will search for how to hack on either Reddit or Stack Overflow: "how to hack" site:(reddit.com | stackoverflow.com) . And this query will search for web pages that mention either SQL Injection or SQLi : (SQL Injection | SQLi) . SQLi is an acronym often used to refer to SQL injection attacks, which we’ll talk about in Chapter 11 .

Minus ( - )

减号 (-)

1. The minus operator ( - ) excludes certain search results. For example, let’s say you’re interested in learning about websites that discuss hacking, but not those that discuss hacking PHP. This query will search for pages that contain how to hack websites but not php : "how to hack websites" -php .

You can use advanced search engine options in many more ways to make your work more efficient. You can even search for the term Google search operators to discover more. These operators can be more useful than you’d expect. For example, look for all of a company’s subdomains by searching as follows:

您可以利用搜索引擎的高级选项来更加高效地完成工作。您甚至可以搜索“Google 搜索运算符”等术语，从而发现更多有用的选项。这些运算符可能比您预期的更加有用。例如，您可以通过以下方式搜索所有公司子域名：

site:*.example.com

You can also look for special endpoints that can lead to vulnerabilities. Kibana is a data visualization tool that displays server operation data such as server logs, debug messages, and server status. A compromised Kibana instance can allow attackers to collect extensive information about a site’s operation. Many Kibana dashboards run under the path app/kibana , so this query will reveal whether the target has a Kibana dashboard. You can then try to access the dashboard to see if it’s unprotected:

您还可以寻找可以导致漏洞的特殊终端点。Kibana 是一款数据可视化工具，可以显示服务器操作数据，例如服务器日志、调试信息和服务器状态。被攻击的 Kibana 实例可以允许攻击者收集关于网站运营的广泛信息。许多 Kibana 仪表板运行在路径 app / kibana 下，因此此查询将揭示目标是否具有 Kibana 仪表板。然后，您可以尝试访问仪表板，以查看它是否未受保护：

site:example.com inurl:app/kibana

Google can find company resources hosted by a third party online, such as Amazon S3 buckets (we’ll talk about these in more detail in “Third-Party Hosting” on page 74 ):

谷歌可以找到由第三方在网上托管的公司资源，例如 Amazon S3 存储桶（我们将在第 74 页的“第三方托管”中更详细地介绍这些）。

site:s3.amazonaws.com COMPANY_NAME

Look for special extensions that could indicate a sensitive file. In addition to .log , which often indicates log files, search for .php , cfm , asp , .jsp , and .pl , the extensions often used for script files:

寻找能指示敏感文件的特殊扩展名。除了常见的.log 表示日志文件外，还要搜索.php、cfm、asp、.jsp 和.pl 等扩展名，它们通常用于脚本文件。

site:example.com ext:php
site:example.com ext:log

Finally, you can also combine search terms for a more accurate search. For example, this query searches the site example.com for text files that contain password :

最后，您也可以将搜索词组合起来以获得更准确的搜索结果。例如，以下查询在 example.com 网站中搜索包含密码的文本文件：

site:example.com ext:txt password

In addition to constructing your own queries, check out the Google Hacking Database ( https://www.exploit-db.com/google-hacking-database/ ), a website that hackers and security practitioners use to share Google search queries for finding security-related information. It contains many search queries that could be helpful to you during the recon process. For example, you can find queries that look for files containing passwords, common URLs of admin portals, or pages built using vulnerable software.

除了构建自己的查询之外，你还可以查看 Google 黑客数据库（https://www.exploit-db.com/google-hacking-database/），这是黑客和安全从业人员用来共享查找安全相关信息的 Google 搜索查询的网站。它包含许多在侦察过程中对你有用的搜索查询。例如，你可以找到查找包含密码的文件、管理员门户的常见 URL 或使用易受攻击软件构建的页面的查询。

While you are performing recon using Google search, keep in mind that if you’re sending a lot of search queries, Google will start requiring CAPTCHA challenges for visitors from your network before they can perform more searches. This could be annoying to others on your network, so I don’t recommend Google dorking on a corporate or shared network.

当你使用 Google 搜索进行侦察时，请记住，如果你发送了大量的搜索查询，Google 将开始要求来自你的网络的访问者进行 CAPTCHA 挑战，然后才能执行更多的搜索。这可能会对你的网络上的其他人造成麻烦，所以我不建议在公司或共享网络上进行 Google dorking。