Google Dorking: Finding Security Issues On The Internet With Google Search

Google Dorking: Finding Security Issues On The Internet With Google Search

From time to time, I like to remind myself how insecure our systems are and check out the latest Google Dorks in the Exploit Database. If you ever wanted some usernames, passwords, key files, database backups, camera feeds and more from organisations all around the world, this is the place to go!

This article aims to raise awareness about how easily security flaws can be found in computer systems - not to be malicious with any results found.

Most people already use Google to do keyword-based searches, but many people do not know that you can perform advanced searches with Google using operators. For example, searching "site:learnsoftware.app security" will return all security-related posts from only this domain, learnsoftware.app. There are many other operators that can be used to apply special filters to the search results, which can be combined and exploited to reveal websites with significant security issues.

Exposed Laravel Secrets

Laravel is the most popular framework to create web applications for PHP developers. It uses a .env file to configure the application environment with relevant email provider credentials, database access credentials, keys for accessing third-party services, social media logins, and more. Check out this example configuration file provided by Laravel to see standard settings.

Unfortunately, when a Laravel application is deployed to the internet, this file is occasionally exposed where it is supposed to be unavailable to view. When it is detected, it often reveals sensitive information about how the application works.

The following Google searches will display multiple misconfigured systems:

APP_NAME filetype:env
MAIL_HOST filetype:env
Google searches to find exposed Laravel credentials

The most important part of these queries is the "filetype:env" part, which will tell Google to only return .env files - Laravel configuration files - with the rest of the query being any common .env configuration setting.

At the time of writing, there are 433 search results for this query, with many of the search results containing social media access keys, PayPal access keys, email system credentials and more.

Redacted .env file found online

The above screenshot shows a redacted .env file where the email username and password fields contain credentials for a Gmail account. For some organisations, an exposed email account could lead to a serious breach.

To avoid this situation, install your Laravel application with the .env file outside of the public webroot of the server.

Exposed WordPress Credentials

Another incredibly-popular platform for developing websites is WordPress, which comes with its own configuration file named wp-config.php. Notably, *.php files are executed by the server before any text is returned to the browser - compared to *.env files, *.txt files, and other filetypes which simply return the file contents directly to the browser. This means secret configuration options can be set in *.php files without risk of public exposure.

However, the wp-config.php file is often renamed to wp-config.php.bak, wp-config.php.txt, wp-config.php2, or a similar variant during a website migration, system maintenance or general updates. After the file is renamed, the change in filetype extension removes the execution step described above, and the configuration settings are therefore exposed.

We can use Google to find these configuration files:

inurl:wp-config.bak
inurl:wp-config.txt
inurl:wp-config.php.bak
inurl:wp-config.php.old
inurl:wp-config.php2
Google searches to find exposed WordPress credentials

The following shows an edited wp-config.php file that had been renamed to one of the above variants and made available to view in plain text on the internet:

Redacted wp-config.php file

The contents of the above file would allow a malicious person to access the database of the website, add or remove records and potentially pivot into other parts of the network.

To avoid this scenario, be sure to clean up after system maintenance, or to at least keep the *.php file extension when renaming sensitive files.

Exposed IP Cameras

Private video feeds are occasionally available to control and watch online from public areas, roads, shopping centres, cafes and more.

Different video feeds can be found by searching for various brands and website signatures:

intitle:webcam 7 inurl:8080 -intext:8080
inurl:"/control/userimage.html"
intitle:"Yawcam" inurl:8081
Google searches to find exposed video feeds

A signature is a unique set of characteristics that can identify a particular type of system. For example, Yawcam exposes a web interface for their cameras on port 8081 with "Yawcam" in the page title.

One of the camera feeds can be seen below:

A publicly exposed Mobotix webcam looking over a skate park

To avoid exposing your camera feed to the internet, you should configure your cameras and networking equipment properly.

Exposed Printers

Most printers have an admin interface to check statuses, print reports and manage configuration options. Many of these printers can be detected online with Google search queries like:

intitle:"LaserJet" "Device status" "Supplies summary"
Google searches to find exposed printers

See the following screenshot:

HP Color LaserJet with an admin interface on the internet (IP address redacted)

Depending on the make, model and firmware version of the printer, it may be possible to reconfigure this device, gain access to the internal network and pivot to other machines, so this is by no means a trivial issue.

Adequately configuring your printer and home network will avoid this issue.

Exposed Sensitive Database Exports

From time to time, an organisation will export a copy of its database for system maintenance, backup or analysis purposes. However, unaware admins will occasionally leave the sensitive database exports available on the internet for anyone to peruse.

Database dumps are found by searching Google with the "intext:" option, looking for standard pieces of text created by database export tools:

intext:"Dumping data for table `orders`"
intext:"Dumping data for table `accounts`"
intext:"Dumping data for table `users`"
Google searches to find exposed database exports

The below screenshot shows part of a file found online describing the schema of an "orders" table:

Database schema for an "orders" table from a publicly accessible database export

The next screenshot shows the data saved in the database, using the above schema:

Database records for the "orders" table from a publicly accessible database export

Note that in these screenshots, the data does not contain any important information. However, other organisations likely have similar files across the internet that do expose critical data.

To protect your organisation from this information leakage, perform periodic checks of your public filesystems and website. Also, you should have a policy in place so that any file containing important information is only shared internally in a secure manner, rather than unsecured over the internet.

Exposed Backup Directories

A personal favourite dork of mine is the following:

intitle:"Index of /backup"
intitle:"Index of /backups"
intitle:"Index of /admin"
intitle:"Index of /root"
Google searches to find exposed open directories

Apache servers with the directory listing option turned on will output all files and folders saved in a list. We can take advantage of this by searching for files and folders that usually contain a plethora of exciting files, such as any folder named "backups". For example, we can see the contents of a "backup" directory in the following screenshot:

Directory listing of a "backup" folder

Many of the files found in backup directories contain private information, credentials, access keys and more. Performing periodic checks of both server configurations and filesystems will help to avoid situations where information is leaked.

Exposed Office Documents With Usernames and Passwords

Usernames and passwords can be challenging to remember, so office staff tend to save credentials into Word and Excel files. Sometimes, these files end up on the internet, and we can find them with the following searches:

intext:"wordpress" filetype:xls login email password
intext:"paypal" filetype:xls login email password
intext:"gmail" filetype:docx login email password
Google searches to find office documents with usernames and passwords

In this case, there are better ways to handle password management, such as using LastPass or 1Password. If you do decide to use files for saving passwords, putting them on the internet is not advisable.

Summary

Google can be used quickly and effectively to find security issues, devices, credentials and vulnerabilities across the internet. These dorks affect individuals, companies and government websites equally, exposing problems without discrimination.

If you are worried about any of these issues affecting your organisation, you should periodically examine your own systems and use appropriate internal processes to proactively avoid security issues. For large organisations, arranging a third-party penetration test can be invaluable.

Show Comments

Get the latest posts delivered right to your inbox.