Google Dorking Cheat Sheet

Copy-ready Google search operators and dorks for authorized recon, plus equivalents for GitHub code search, Shodan, and Censys. (30 payloads)

Try it interactively with the Search Dork Generator

Core Google Operators

(7)

site:example.com

Restrict results to a single domain (and its subdomains). The foundation of scoped recon — always anchor dorks to a target you are authorized to test.Combine with any other operator

site:*.example.com -site:www.example.com

Enumerate subdomains by matching the wildcard host while excluding the main www site, surfacing dev, staging, and API hosts.Subdomain discovery

inurl:admin site:example.com

Match a substring in the URL path or query string. Useful for finding admin paths, API endpoints, and parameterized pages.URL/path matching

intitle:"index of" site:example.com

Match text in the page <title>. Classic for spotting Apache/nginx directory-listing pages whose title begins with 'Index of'.Directory listings

filetype:pdf site:example.com

Filter by file extension (alias: ext:). Surfaces documents, spreadsheets, configs, and archives Google has indexed. Combine extensions with OR.filetype: and ext: are interchangeable

intext:"password" site:example.com

Match a term in the page body. Combine with allintext: to require every word, narrowing to pages that mention sensitive content.Body-text search

("confidential" OR "internal use only") site:example.com

Boolean OR plus exact-phrase quoting and grouping. Use | as a shorthand for OR and minus (-) to exclude noise terms.Operator combination

Exposed Files, Configs & Backups

(6)

intitle:"index of" ("backup" OR "bak" OR "old") site:example.com

Find open directory listings that expose backup folders or stale copies left on the web root.Directory listing + backups

site:example.com ext:sql | ext:dbf | ext:mdb

Hunt for indexed database dumps and exports that may contain schema or live data.Exposed database files

site:example.com ext:env | ext:ini | ext:conf | ext:cfg | ext:yml

Locate configuration files (.env, .ini, .conf, .yml) that commonly hold credentials, hostnames, and tokens.Config exposure

site:example.com ext:log | ext:bak | ext:old | ext:swp | ext:~

Surface logs, editor backups, and temp/swap files that often leak source code, paths, or secrets.Stray backup/temp artifacts

site:example.com ext:xls | ext:xlsx | ext:csv intext:email

Find spreadsheets and CSVs containing contact lists or PII left publicly indexed.Document/PII leakage

intitle:"index of" ".git" site:example.com

Identify exposed .git directories whose listing or HEAD/config files allow source reconstruction.Exposed VCS metadata

Login Panels & Dashboards

(5)

site:example.com inurl:login | inurl:signin | inurl:admin | inurl:portal

Enumerate authentication entry points and admin portals across the target scope.Auth surface mapping

intitle:"phpMyAdmin" "Welcome to phpMyAdmin" site:example.com

Find exposed phpMyAdmin database administration interfaces.DB admin panels

intitle:"Grafana" inurl:/login site:example.com

Locate Grafana dashboards, which sometimes allow anonymous access or default credentials.Monitoring dashboards

intitle:"Dashboard [Jenkins]" site:example.com

Discover Jenkins CI servers; misconfigured instances may expose build logs, scripts, or the script console.CI/CD interfaces

inurl:"/wp-login.php" | inurl:"/wp-admin" site:example.com

Identify WordPress admin login pages as a precursor to version and plugin fingerprinting.CMS login discovery

Exposed Credentials & Keys

(4)

site:example.com ext:env intext:DB_PASSWORD

Find indexed .env files leaking database credentials and other secrets.Leaked .env secrets

intext:"-----BEGIN RSA PRIVATE KEY-----" site:example.com

Surface exposed private key material accidentally published on the target's pages or files.Private key exposure

site:example.com intext:"AKIA" ext:txt | ext:log | ext:env

Hunt for AWS access key IDs (which begin with the AKIA prefix) leaked in text, logs, or configs.Cloud credential leakage

filetype:json intext:"api_key" | intext:"client_secret" site:example.com

Locate JSON files (service-account or app config) that embed API keys or OAuth client secrets.Token/secret in JSON

GitHub Code Search Equivalents

(4)

org:exampleorg AWS_SECRET_ACCESS_KEY

Search an authorized organization's repositories for hardcoded AWS secret keys. Scope to org: or repo: you are permitted to assess.GitHub code search

filename:.env DB_PASSWORD

Find committed .env files containing database passwords by combining filename: with a body term.GitHub filename filter

org:exampleorg path:**/config language:yaml "password:"

Use the modern GitHub code-search syntax (path:, language:) to scope to YAML config files that embed passwords.GitHub new search syntax

org:exampleorg "-----BEGIN PRIVATE KEY-----"

Locate committed private keys across an org's repos; pair with GitHub secret-scanning alerts when available.Committed private keys

Shodan & Censys Equivalents

(4)

hostname:example.com http.title:"Login"

Shodan query mapping internet-exposed hosts of a domain that serve a login page in the HTTP title.Shodan host/title filter

ssl.cert.subject.cn:example.com port:443 http.status:200

Shodan: pivot on the TLS certificate common name to find assets serving live HTTPS on a target's cert.Shodan cert pivot

product:"Apache httpd" country:US http.title:"Index of"

Shodan: combine product fingerprint, geo, and title to find open directory listings on a software/region.Shodan service fingerprinting

services.tls.certificates.leaf_data.subject.common_name=example.com and services.service_name=HTTP

Censys Search query that finds hosts presenting a certificate for the target CN and exposing an HTTP service.Censys host query

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Tools

Search Dork Generator

Related Cheat Sheets

API Security Cheat Sheet Subdomain Enumeration Cheat Sheet

Frequently asked questions

What is the Google Dorking Cheat Sheet?+

It's a quick-reference collection of 30 Google Dorks payloads for testing Google Dorking vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Google Dorks payloads?+

Copy any payload straight into your authorized test, or use the Search Dork Generator to apply them interactively. Only test systems you have explicit permission to assess.

Are these Google Dorks payloads free to use?+

Yes — this cheat sheet and all Google Dorks payloads are completely free, with no account required. Everything runs in your browser.

$loading...