100 Google Dorks for Easy Bug Hunting

Are you looking to get started with bug bounty hunting and uncover some quick wins? Welcome to the world of Google Dorking — a powerful technique every ethical hacker and cybersecurity enthusiast should have in their toolkit.

In this blog, you’ll learn how to use Google dorks effectively to discover low-hanging security bugs, even if you’re just starting out. Let’s explore what Google dorking is, how it works, and why it’s one of the easiest ways to start spotting vulnerabilities online.

What Is Google Dorking?

Google dorking (also known as Google hacking) is the practice of using advanced search operators in Google to uncover hidden information that isn’t meant to be public. This could include exposed directories, sensitive documents, login portals, or configuration files.

By crafting precise search queries (called “dorks”), you can filter through Google’s massive index of websites to find pages that might expose security flaws. Think of it as using Google like a finely-tuned reconnaissance tool.

Some of the most common Google search operators include:

• site: – Restrict results to a specific domain.

• inurl: – Search for keywords within URLs.

• intitle: – Find pages with specific titles.

• filetype: – Look for particular file formats (e.g., PDF, DOCX, XLS).

• intext: – Search for specific words within a page’s content.

Why Use Google Dorks for Bug Hunting?

If you're participating in a bug bounty program or testing your own infrastructure, using Google dorks can help you discover:

• Publicly exposed files (like .env, .bak, or .sql files)

• Misconfigured web directories

• Admin panels and login portals

• Sensitive documents indexed by mistake

These types of issues are often referred to as low-hanging bugs because they’re relatively easy to find and don’t require deep technical skills or tools. A properly crafted dork can uncover valuable findings in seconds.

How to Use Google Dorks for Recon and Vulnerability Discovery

Let’s walk through the basics. Here's a simple example:

This query searches for .env files on example.com — files which often contain API keys, database credentials, and other sensitive configuration data.

Here’s what happens when you get comfortable with operators:

• intitle: index.of shows exposed directories

• filetype: sql may uncover exposed database dumps

• inurl: admin helps locate admin login pages

• site: gov filetype:xls might expose spreadsheets on government domains

Pro Tip: Combine multiple operators for more targeted results. For example:

Is Google Dorking Legal?

This is a common question — and a very important one.

Google dorking is legal. Accessing or exploiting discovered data without permission is not.

Simply put: using Google search features is fine. But interacting with sensitive content without authorization crosses the line into illegal activity.

If you're doing this as part of a bug bounty program or with permission from the site owner (like in a responsible disclosure program), you're good to go.

Ready to Start Hunting? Here’s What’s Next

In the full guide (linked below), we’ve compiled 100+ Google dorks that you can start using right away to test for vulnerabilities. Whether you’re a beginner or a seasoned bug hunter, these search strings can help uncover everything from exposed cameras to login pages, open directories, and more.

100 Google Dorks for Bug Hunting (with Descriptions)

These Google dorks are categorized and described to help you quickly understand their purpose in bug bounty recon and security testing.

Exposed Files & Directories:

1. site:example.com filetype:pdf – Finds PDF documents on a specific domain.

2. intitle:"index of" admin – Looks for directory listings with "admin" in the title.

3. inurl:"phpinfo.php" – Finds exposed PHP configuration pages.

4. intitle:"index of" /backup – Lists open backup directories.

5. inurl:"/backup" filetype:zip – Locates zipped backup files.

6. intitle:"Index of" "~ftp" – Finds exposed FTP directories.

7. intitle:"index of" /uploads – Lists file upload folders.

8. intitle:"index of" ~private – Finds directories marked as private.

9. intitle:"index of" /config – Locates exposed config folders.

10. intitle:"index of" ~backup – Searches for backup directories.

11. intitle:"index of" ~passwords – Lists folders potentially exposing passwords.

12. intitle:"index of" /scripts – Looks for script directories that may be vulnerable.

13. intitle:"index of" /docs – Exposes directories containing documents.

14. intitle:"index of" "~.htaccess" – Finds exposed .htaccess files.

15. intitle:"index of" "logs" – Shows directories storing log files.

16. intitle:"index of" "logins" – Locates login-related directories.

17. intitle:"index of" "~confidential" – Exposes directories labeled confidential.

18. intitle:"index of" "~config" – Finds configuration directories.

19. intitle:"index of" "~config" "~private" – Reveals private config folders.

20. intitle:"index of" /config ~backup – Lists config/backup folders accessible publicly.

Sensitive Data in Files:

21. filetype:xls inurl:"email" – Finds Excel sheets containing email addresses.

22. filetype:log inurl:"error" – Searches for log files with error traces.

23. intext:"confidential" filetype:pdf – Locates sensitive PDFs marked confidential.

24. filetype:sql inurl:"dump" – Exposes SQL dumps.

25. filetype:log inurl:"access" – Reveals access logs.

26. intext:"user: admin" filetype:txt – Searches for files with hardcoded usernames.

27. filetype:xml inurl:"config" – Finds exposed XML config files.

28. intext:"name" filetype:csv – Finds CSVs containing names.

29. intitle:"email list" filetype:csv – Lists emails from CSVs.

30. filetype:pdf intext:"password" – Finds PDFs with possible passwords.

31. filetype:sql inurl:"database" – SQL dumps from databases.

32. intext:"password" filetype:log – Locates logs containing passwords.

33. filetype:json inurl:"config" – JSON configuration files exposed online.

34. filetype:xml inurl:"user" – User data exposed in XML format.

35. intitle:"email" filetype:txt – Text files containing email addresses.

36. intitle:"list of users" filetype:xls – Excel sheets listing users.

37. intitle:"passwords" filetype:txt – Plain text password files.

38. filetype:csv "email list" – Email lists in CSV format.

39. filetype:log "admin login" – Logs revealing admin login attempts.

40. intext:"login: admin" filetype:txt – Text files with login information.

41. filetype:csv "credit card" – Possible card data in CSVs.

42. filetype:dbf "credit card" – DBF databases containing card info.

43. filetype:json "api key" – JSON files exposing API keys.

44. filetype:sql inurl:"password" – SQL dumps containing passwords.

45. filetype:json inurl:"token" – Files revealing tokens or session keys.

46. filetype:xls inurl:"contact list" – Excel-based contact directories.

47. filetype:xml inurl:"settings" – Application or server settings.

48. filetype:csv "credit card" – Credit card data in spreadsheets.

49. filetype:json inurl:"token" – API or session token exposures.

50. filetype:sql inurl:"users" – SQL files containing user credentials.

Admin & Login Panels:

51. inurl:"/wp-login.php" – WordPress login portals.

52. intitle:"powered by WordPress" – WordPress-based sites for plugin exploit hunting.

53. inurl:"/admin" intitle:"login" – Admin login pages.

54. site:example.com inurl:login – Login pages for a specific domain.

55. inurl:"login" filetype:php – PHP login forms.

56. intext:"user" inurl:"login" – Login forms referencing "user" in URL.

57. inurl:"/admin" filetype:html – HTML-based admin panels.

58. inurl:"/wp-admin/" intitle:"login" – WordPress admin login pages.

59. site:edu inurl:"login" – Login pages for .edu domains.

60. site:org intitle:"admin" inurl:"login" – Organizational admin portals.

61. inurl:"admin" intext:"login" filetype:html – Admin login in HTML format.

62. inurl:"/admin" intitle:"dashboard" – Admin dashboards.

63. inurl:"/admin_login" filetype:html – Exposed admin login pages.

64. inurl:"/admin" intitle:"configuration" – Admin config sections.

65. inurl:"/admin/configure" filetype:php – Configuration PHP files.

66. inurl:"/admin/config.php" filetype:php – Common PHP config file for admins.

67. inurl:"/admin/config" filetype:php – Variants of admin configuration files.

Recon on Specific Sites (.edu, .gov, .org):

68. site:gov filetype:xls – Government spreadsheets.

69. inurl:"/admin" site:edu – Admin sections of educational institutions.

70. site:com inurl:"password" – Password mentions on commercial domains.

71. inurl:"/admin" site:org – Organization admin pages.

72. site:example.com "email address" – Email data from a target site.

73. site:example.com inurl:"contact" – Contact forms or directories.

74. site:com inurl:"contact" – Contact pages on .com domains.

75. site:gov "employee" filetype:xls – Employee spreadsheets on .gov domains.

76. site:edu inurl:"directory" – Directory listings in .edu domains.

Web Application & Server Info:

77. intitle:"server-status" – Apache server status pages.

78. intitle:"Network Status" inurl:"admin" – Admin-level network info panels.

79. inurl:"/cgi-bin/" – Old, often vulnerable CGI directories.

80. inurl:"/cgi-bin/" filetype:pl – Perl CGI scripts.

81. inurl:"/wp-content/" intitle:"directory" – WordPress file directories.

82. inurl:"/wp-includes/" filetype:php – Internal WordPress scripts.

83. inurl:"/wp-config.php" – WordPress configuration files (usually sensitive).

84. inurl:"/debug" filetype:php – PHP debug pages exposed publicly.

85. inurl:"/config" filetype:json – JSON config files.

86. inurl:"/public_html" filetype:html – Public root folders containing HTML.

87. inurl:"/uploads/" filetype:jpg – Uploaded image files.

88. inurl:"/uploads/" filetype:docx – Exposed Word documents in upload folders.

89. inurl:"/db/" filetype:sql – SQL files in exposed DB directories.

90. inurl:"/private/backup" filetype:tar – TAR backup files in private folders.

Miscellaneous Recon & Info:

91. inurl:"/search" filetype:html – Exposed search forms or tools.

92. inurl:"/sensitive" filetype:txt – Sensitive notes or text data.

93. inurl:"/users" filetype:csv – User info in spreadsheet form.

94. inurl:"/backups" filetype:sql – Database backups in exposed folders.

95. inurl:"/config" filetype:json – Exposed JSON configs (repeat - intentional for emphasis).

96. intitle:"list of employees" filetype:xls – Company employee lists.

97. inurl:"/config" – Broad search for config folders.

98. inurl:"/admin" – General admin access points.

99. inurl:"/admin/config" – Config section inside admin folder.

100. **inurl:"/config" filetype:env– Exposed.env` files (bonus entry).

Conclusion

Google dorking is a powerful reconnaissance technique that, when used responsibly, can significantly enhance your bug hunting and cybersecurity skills. These 100 Google dorks serve as a practical toolkit to uncover publicly exposed files, misconfigurations, login portals, and sensitive information that may pose real-world risks to organizations.

Whether you’re a seasoned security researcher or just getting started in the world of bug bounty hunting, this curated list provides low-hanging fruit opportunities that are both educational and actionable. But with great power comes great responsibility:

• Always use dorks on systems you own or have explicit permission to test.

• Never exploit or download sensitive data — report it through the appropriate channels.

• Consider participating in bug bounty programs where ethical hacking is rewarded.

• Stay updated — new dorks and techniques appear all the time in the evolving security landscape.

By combining curiosity with ethics, you not only sharpen your skills but also help make the internet a safer place. So go ahead — start dorking smart, stay legal, and keep learning.

Related Stories