Introduction to Dorking - Definitions, Google Dorking & Basic Dork Creation

Proship97

Build Automation Specialist
P Rep
0
0
0
Rep
0
P Vouches
0
0
0
Vouches
0
Posts
197
Likes
178
Bits
2 MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1 200 XP
I.) Introduction
Before we start, I'd like to give an introduction to dorks and why they are useful in the context of SQLi dumping and, subsequently, gathering data to run bruteforce attacks with.
The ideal process chain looks as follows:
  • Make Dorks
  • Scan Dorks
  • Get URLs
  • Scan for Exploitable URLs
  • Scan for Injectable URLs
  • Dump Databases
  • Decrypt Hashes
  • Check Data
  • Filter Hits
  • Sell Accounts
A dork is a combination of commands, keywords, parameters and symbols that instruct search engines to give us strictly filtered results from the World Wide Web. At the surface level, dorking involves using specific modifiers to search data. For example, instead of searching the entire Web, users can click on tags like "image" or "site" to collect images or find information about a specific site. Users can utilize other commands like "filetype" and "daterange" to get other specific search results.
A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website. Google dorking, also sometimes called Google hacking, is a technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using.
The primary objective of dorking is to find injectable/vulnerable URLs, which can then be exploited where outdated or redundant code is in use.
The basic composition or format of a dork includes three parts - keyword, pageType and pageParameter.
For example, within "Playstation game.php?item=":
  • 'Playstation game' is the keyword
  • '.php?' is the pageType
  • 'item=' is the pageParameter
Dorks are used to target & attack data-driven applications on any vulnerable website, allowing bad actors to identify the technologies used on a website and read details from a slew of target websites' databases & infrastructure. While scanning for exploitable and vulnerable URLs you get a filtered list of websites whose databases can be dumped in full.
A vulnerable URL is a website that has a SQL error that can be exploited (eg. simple error, union error, SM error, Oracle error codes). Kindly refer to my thread at https://hackforums.net/showthread.php?tid=5164479 to learn more about SQLi attacks and the types of SQLi.
Within this tutorial suite we will be using a variety of tools including dork scanners, keyword builders, URL-to-param extractors and SQL dumpers.
II.) Understanding How Dorks Work
Since I've given basic definitions of a dork and its sub-contents such as keywords, pageTypes and pageParameters, here is a rough example of a dork.
  • Go to Google Search
  • Type in a keyword, for this example I shall use "amazon games"
  • Choose any URL from the results list (ignoring the Sponsored Ads)
  • For this, I will select the following URL:
    Our objective is to create a basic dork from the provided URL such that we can pinpoint the exact URL through our next search
  • Analyzing the existing URL we can see the following:
    https://www.amazon.fr/gp/help/customer/display.html?nodeId=GTCADSYDQFMD5DRS The keyword here is "amazon customer display"
    The pageType here is ".html?"
    The pageParameter here is "nodeId="
    The secondary keyword here is "GTCADSYDQFMD5DRS"
    There are multiple ways in which you can pinpoint this exact URL with different combinations.
    For this example, I shall use the following dork "amazon customer display display.html?nodeId=GTCADSYDQFMD5DRS"
  • As you can see, the first result we have received here is exactly the URL we're trying to target.
To understand dorks further, we need to understand its sub-contents in depth, such as keywords and parameters.
III.) Introduction to Keywords
Keywords (also known as “SEO keywords," “keyphrases,” or “search queries”) are words and phrases that users type into search engines to find information on a particular topic.
The key to mastering keyword creation is understanding that all keywords are real words and hence are the ones most likely to be used. Hence, there is no such terminology as "private keywords"; it is the parameters that help you in building HQ dorks. The only aim while making keywords is focusing upon your target. For example, let's continue with our Amazon example.
  • Select your target (we're proceeding with "Amazon" in this case). This shall be your primary keyword.
  • Our keyword builders will add secondary keywords upon this targeted keyword. These will give you results such as eg. Amazon product, Amazon shop, Amazon games, Amazon electronics
  • The trick here is to interchange the positions of the keywords. [Primary + Secondary] would turn into [Secondary + Primary]
    Quote:Amazon product -> Product Amazon
    Amazon shop -> Shop Amazon
    Amazon games -> Games Amazon
    Amazon Electronics -> Electronics Amazon
  • This helps the dork scanner build better accuracy while searching for dorks. If you're targeting shopping related data, then this keyword switch will help you increase the quality of your results.
IV.) Introduction to Parameters
Page parameters play a key role in dorking, because while creating targeted dorks you will need to clean & filter your parameters by relevance.
For example, let's take our target as "Fortnite" and proceed with parameter creation.
  • The first step of our process will be generating keywords. For this step, I shall be using https://wassname.github.io/keywordshitter2 which is a keyword generation tool.
  • After keyword creation/generation, you should have a sample list of keywords to start with. They should look randomized, like this:
    Quote:b fortnite ✓
    c fortnite ✓
    d fortnite ✓
    e fortnite ✓
    fortnite except
    fortnite has
    fortnite tracker
    fortnite mobile
    fortnite skins
    fortnite game
    fortnite item shop
    fortnite meaning
    fortnite redeem
    fortnite system requirements
  • To increase quality, we can discard a few irrelevant keywords like the ones at the start and begin interchanging the keyword positions. A quick way to do this would be using Notepad++ to quickly filter out keywords. You can also specify customization options within Keyword Shitter.
  • Within your txt file, hit "Ctrl+F" and navigate to the "Mark" tab. Type the following as your query (it marks every line containing three or more space-separated words, i.e. at least two spaces).
    Code
    .* .* .*
  • Select "Bookmark line" and "Regular expression" and hit "Mark All"
  • Open the Search menu -> Bookmark -> Cut Bookmarked Lines. Save these keywords in another .txt; they're to be used later.
  • To quickly flip the keywords, use HashKiller's list tools at https://hashkiller.io/list_tools. Input your filtered list of keywords here as the input.
  • Specify a blankspace as the separator under "Split by Separator" and split the list. Then proceed to "Combine Right:Left" with a blankspace separator. You should now have a list of high quality keywords to begin with.
  • To fetch URLs from these keywords, we will require a dork scanning tool. Now, due to search engines picking up on dorks & automation in 2022, it is rather hard to recommend a reliable tool that's free here. I would recommend Bing-O, however that's paid, so I suggest looking up GitHub for some good code (there's always new actors posting resources there), with the assurance of legitimacy that comes with open-source applications. In my tutorial, I shall use a private scanner. Proxies are also highly recommended.
  • After we get around 3000-5000 URLs, we shall stop scanning and move on to parameter extraction. We will require a tool that can extract parameters from URLs, which again is available freely online. For this tutorial, we shall take an example with one such tool.
  • We're ideally looking to extract "PageTypes" here. You should get a very elaborate list including both short and long parameters as well as unparsed URLs. Here we're looking to remove the long entries, so I will include a quick shortcut to filter these out.
  • Within your txt file, hit "Ctrl+F" and navigate to the "Mark" tab. Type the following as your query (it marks every line that is 20 or more characters long).
    Code
    ^(.){20,9999999}
  • Select "Bookmark line" and "Regular expression" and hit "Mark All"
  • Open the Search menu -> Bookmark -> Cut Bookmarked Lines. There's no need to save these params, you can delete them.
  • You should now have a list of high quality parameters ready to go.
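As an added example (not code from the original post), here is a Python script that applies the URL decomposition from section II and the 20-character cut-off from section IV to a constructed list of a site's own URLs, so a site owner can see which of their endpoints carry the pageType + pageParameter shape a dork would surface and review those first. The sample URLs are made up; the regex is the Python equivalent of the Notepad++ query above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of a site's URLs (e.g. taken from its sitemap or access logs).
SAMPLE_URLS = [
    "https://shop.example.com/game.php?item=42&ref=home",
    "https://shop.example.com/catalog/display.html?nodeId=GTCADSYDQFMD5DRS",
    "https://shop.example.com/static/about.html",
    "https://shop.example.com/news.php?id=7",
    "https://shop.example.com/search.php?q=fortnite+skins",
    "https://shop.example.com/report.php?reallyLongInternalTrackingToken=1",
]

# Equivalent of the post's Notepad++ query ^(.){20,9999999}: matches 20+ character lines.
TOO_LONG = re.compile(r"^.{20,}")


def decompose(url):
    """Split a URL into the dork parts the post describes: pageType and pageParameters.

    pageType is the file extension plus '?' (e.g. '.php?'); pageParameters are the
    query keys with '=' appended (e.g. 'item='). Returns None when there is no query
    string, since such a URL cannot match a keyword + pageType + pageParameter dork.
    """
    parts = urlparse(url)
    if not parts.query:
        return None
    last_segment = parts.path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    page_type = f".{ext}?" if ext else "?"
    params = [f"{key}=" for key in parse_qs(parts.query, keep_blank_values=True)]
    return page_type, params


def dork_shaped_patterns(urls):
    """Return the sorted distinct (pageType, pageParameter) pairs found in the URLs.

    Parameters of 20 or more characters are dropped, mirroring the post's filter step.
    """
    seen = set()
    for url in urls:
        parsed = decompose(url)
        if parsed is None:
            continue
        page_type, params = parsed
        seen.update((page_type, p) for p in params if not TOO_LONG.match(p))
    return sorted(seen)


if __name__ == "__main__":
    for page_type, param in dork_shaped_patterns(SAMPLE_URLS):
        print(f"{page_type}{param}")
```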
V.) Basic Dorks
For creating starter & base-level dorks, we shall just be using a mix of keywords, parameters and pageTypes to show how you can mix & match an existing set of params, pagetypes and keywords to create multiple dorks.
For this tutorial, we shall take the example of "Fortnite game.php?item=". This is a dork in the format (keyword + pageType + pageParameter). Since Fortnite is a very popular game, there is a high chance someone else may have searched the same combination, so you wouldn't really be getting quality results by running it. However, you can work past this roadblock by re-arranging the dork structure to get different results every time.
With our basic dork, I shall demonstrate multiple possible formats and results:
  • Fortnite game.php?item= (Target keyword + Secondary keyword + Pagetype + Parameter)
  • Fortnite.php?item= game (Target keyword + Pagetype + Parameter + Secondary keyword)
  • game.php?item= Fortnite (Secondary keyword + Pagetype + Parameter + Target keyword)
  • .php?item= Fortnite game (Pagetype + Parameter + Target keyword + Secondary keyword)
  • .php?item= Game fortnite (Pagetype + Parameter + Secondary keyword + Target keyword)
  • .php Game ?item= Fortnite (Pagetype + Secondary keyword + Parameter + Target keyword)
  • Fortnite.php Game ?item= (Target keyword + Pagetype + Secondary keyword + Parameter)
To demonstrate the difference in results, let's take two of these examples:
Code
Fortnite.php Game ?item=