Only for use on bug bounty programs or in cordination with a legal security assesment.
I am in no way responsible for the usage of these search queries.
Be responsible thanks - https://www.bugcrowd.com/resource/what-is-responsible-disclosure/
This repository is "under construction" feel free to make pull requests :-)
Example of how to fingerprint services with the different search engines:
| Service | Shodan | BinaryEdge | CVE/Exploit | |
|---|---|---|---|---|
| Pulse VPN (RCE VULN) | inurl:"/dana-na/" |
http.html:/dana-na/ |
http.body:dana-na |
CVE-2019-11510 |
| Horde Webamil (RCE VULN) | inurl:/imp/login.php |
html:"horde_login" |
http.body:horde_login |
CVE 2018-19518 |
NOTE: Some services have already been fingerprinted by Shodan and BinaryEdge and you can use the product: tag
Examples:
BinaryEdge - product:"Pulse Secure VPN gateway http config"
Shodan - product:"Pulse Secure"
inurl:%3Dhttps%3A%2F%2F - Open redirect/SSRF/Local File Disclosure
Read ahrefs blog post to see all search operators for Google - https://ahrefs.com/blog/google-advanced-search-operators/
Some of these dorks are old as fuck just FYI :-)
hacked-router-help-sos - Hacked routers :D
NETSurveillance uc-httpd - user:admin no passwords most likely
IPC$ all storage devices - Home routers' storage or attached USB Storage (Many with no PW)
port:23 console gateway -password - Open telnet no PW required
"polycom command shell" - Polycom Video conference system no-auth shell, most have open web config admin try for fun
NCR Port:"161" - ATM's :-)
HTTP/1.1 307 Temporary Redirect Location: /containers country:"US" - Container Advisor dork
html:"def_wirelesspassword" - HTML tag looking for passwords in source of brazillian routers
country:xx http.status:200 http.component:odoo port:8069 - After finding instances go to /web/database/manager most of the time there is either no password or it's "admin"
Model: PYNG-HUB Crestron - IoT
x-jenkins 200 - Internet facing Jenkins servers, some unauthenticated. :O
Read the full list of filters for Shodan here - https://beta.shodan.io/search/filters
ssl.cert.subject.commonName:*vpn.* - Find SSL certs with vpn in sub-domain name - Uses Asteriks(*) for wildcard.
Fortinet security device httpd - Finds fortinet SSL VPN installations - Some vulnerable to CVE-2018-13379
product:"Exim smtpd" version:<4.92 - Finds vulnerable Exim smtp servers - Vulnerable to multiple CVE's but mainly CVE-2019-15846
Read the search Docs to find even more tags to use! - https://docs.binaryedge.io/search/
Some of these are probably shit and require tuning with other tags / dorks, experiment with them. :D
intext:"error in your SQL syntax"
intext:"mysql_num_rows()"
in****:"mysql_fetch_array()"
in****:"Error Occurred While Processing Request"
in****:"Server Error in '/' Application"
in****:"Microsoft OLE DB Provider for ODBC Drivers error"
in****:"InvalidQuerystring"
in****:"OLE DB Provider for ODBC"
in****:"VBScript Runtime"
in****:"ADODB.Field"
in****:"BOF or EOF"
in****:"ADODB.Command"
in****:"JET Database"
in****:"mysql_fetch_row()"
in****:"Syntax error"
in****:"include()"
in****:"mysql_fetch_assoc()"
in****:"mysql_fetch_object()"
in****:"mysql_numrows()"
in****:"GetArray()"
in****:"FetchRow()"
in****:"Input string was not in a correct format"
inurl:/id= intext:"You have an error in your SQL syntax"
inurl:”main.php?t=
inurl:”games.php?id=
inurl:”guide.php?id=
inurl:”index.php?cat=
allinurl:”review.php?sid=
inurl:”index2.php?id=
inurl:”main.php?id=
inurl:zoom.php?id=site:.il
inurl:”details.php?id=
inurl:”?came=
inurl:”index.php?page=
inurl:”home.php?cat=
inurl:”index2.php?id=
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent