Search engines are among the most commonly used tools in daily work. Commonly used search engines in China include Baidu, Sogou, and Bing; in addition, there are several network search engines that are essential for information security practitioners.
Google Search Engine
Google is introduced here because it differs from Baidu, Sogou, and other content search engines. It holds a unique position in the security field, and there is even a term, "Google hacking", for the extraordinary relationship between Google and security.
https://www.exploit-db.com/google-hacking-database (requires a VPN)
Many Google hacking queries are collected there, and interested readers can study them at their own pace.
Here, I mainly introduce its basic syntax:
Basic Google Syntax
Index of/ - Opens the directory listing directly, showing all files and folders under the website homepage.
intext: - It will return all web pages that contain keywords in the body of the webpage.
intitle: - It will return all web pages that contain keywords in the title of the webpage.
cache: - Search for the cache of certain content in Google.
define: - Search for the definition of a certain word.
filetype: - Search for specified file types, such as .bak, .mdb, .inc, etc.
info: - Find some basic information about a specific website.
inurl: - Search for whether the specified characters exist in the URL.
link: - link:thief.one returns all URLs that have a link to thief.one.
site: - site:thief.one returns all URLs related to this website.
+ - Include words that Google may ignore in the query scope.
- - Ignore a certain word, for example: Singapore - added.
~ - Synonymous words.
. - Single wildcard.
* - Wildcard, can represent multiple letters.
"" - Exact query.
Search for Different Regional Websites
inurl - Taiwan
inurl - Japan
Using Google to Find Exposed Databases
Using Google, you can search for database files that can be directly downloaded from the Internet. The syntax is as follows:
inurl/db/
inurl/db/
inurl/data/
inurl/
inurl/data/
inurl:\boke\data
inurl/database/
inurl.asp
inc/conn.asp
Server.mapPath(".mdb")
allinurl data
filetype inurl:database
filetype conn
inurl filetype:mdb
intitle:"index of" data
Using Google to Search for Sensitive Information
Using Google, you can search for sensitive information on certain websites. The syntax is as follows:
intitle:"index of" etc
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
inurl.pwd
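These queries only return files that a crawler has already indexed, so the same names can be checked for on your own server first. The following is an added example, not part of the original article: it walks a served directory and flags the file names and extensions used in the queries on this page, plus directories that have no index file. The index-file list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Names and extensions the queries on this page look for (leading dots stripped).
SENSITIVE_NAMES = {"sh_history", "bash_history", "passwd", "people.lst", "pwd.db",
                   "shadow", "spwd", "master.passwd", "htpasswd", "conn.asp"}
SENSITIVE_EXTS = {".mdb", ".bak", ".inc", ".pwd"}
# Assumption: one of these files suppresses the auto-generated "Index of" page.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.asp"}


def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for a served directory tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not {f.lower() for f in files} & INDEX_FILES:
            findings.append((rel_dir, "no index file, listing possible"))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            ext = os.path.splitext(name)[1].lower()
            if name.lower().lstrip(".") in SENSITIVE_NAMES:
                findings.append((rel, "sensitive file name"))
            elif ext in SENSITIVE_EXTS:
                findings.append((rel, "sensitive extension " + ext))
    return sorted(findings)


def demo():
    """Audit a small constructed tree (sample data, not from the page)."""
    sample = ["index.html", "data/site.mdb", "backup/index.html",
              "backup/.bash_history", "inc/index.php", "inc/conn.asp"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```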
Using Google to Search for C-Class Server Information
site:218.87.21.*
You can use Google to obtain service information for the 218.87.21.0/24 network.
Shodan Search Engine
Shodan is a network search engine that focuses on searching for network devices and servers. For specific content, please refer to the website. Here is the advanced search syntax.
For example, to search for the chatgpt website, the syntax is: title=="chatgpt web "
This finds many mirror websites of chatgpt.
Search Syntax
hostname: - Search for specific hosts or domains, for example hostname:"google"
port: - Search for specific ports or services, for example port:"21"
country: - Search for specific countries, for example country:"CN"
city: - Search for specific cities, for example city:"Hefei"
org: - Search for specific organizations or companies, for example org:"google"
isp: - Search for specific ISP providers, for example isp:"China Telecom"
product: - Search for specific operating systems/software/platforms, for example product:"Apache httpd"
version: - Search for specific software versions, for example version:"1.6.2"
geo: - Search for specific geographical locations, for example geo:"31.8639, 117.2808"
before/after: - Search for data before/after a specific date, format: dd-mm-yy, for example before:"11-11-15"
net: - Search for specific IP addresses or subnets, for example net:"210.45.240.0/24"
Censys Search Engine
The Censys search engine has functions similar to Shodan's. Here are a few documentation links.
Help Document:
https://www.censys.io/certificates/help
Note: After opening the link, add q= followed by the IP you want to query.
IP Query
Domain Query, usage is the same as above
https://www.censys.io/domain?q=
Certificate Query, usage is the same as above
https://www.censys.io/certificates?q=
Search Syntax
By default, Censys supports full-text search.
23.0.0.0/8 or 8.8.8.0/24 - Can use "and", "or", "not"
80.http.get.status_code: 200 - Specify status code
80.http.get.status_code:[200 TO 300] - Status codes between 200 and 300
location.country_code: DE - Country
protocols: ("23/telnet" or "21/ftp") - Protocol
tags: scada - Tags
80.http.get.headers.server: nginx - Server type and version
autonomous_system.description: University - System description
Regular expression
ZoomEye (Chinese)
ZoomEye search engine focuses on searching at the web application layer.
Search Syntax
app - Component name
ver:1.0 - Version
os - Operating system
country:"China" - Country
city:"hangzhou" - City
port:80 - Port
hostname - Hostname
site:thief.one - Website domain
desc - Description
keywords'blog - Keywords
service - Service type
ip:8.8.8.8 - IP address
cidr:8.8.8.8/24 - IP address range
FoFa Search Engine (Chinese)
FoFa search engine focuses on asset search.
Search Syntax
title="abc" - Search for "abc" in the title. For example, search for websites with "Beijing" in the title.
header="abc" - Search for "abc" in the HTTP header. For example, search for JBoss servers.
body="abc" - Search for "abc" in the HTML body. For example, search for "Hacked by" in the body.
domain="qq.com" - Search for websites with the root domain of qq.com.
host=".gov.cn" - Search for URLs with .gov.cn. Note that the search should use host as the name.
port="443" - Search for assets with the corresponding port 443.
ip="1.1.1.1" - Search for websites that contain 1.1.1.1 in the IP. Note that the search should use ip as the name.
protocol="https" - Search for assets with the specified protocol (valid when port scanning is enabled). For example, search for assets with the HTTPS protocol.
city="Beijing" - Search for assets in the specified city. For example, search for assets in Beijing.
region="Zhejiang" - Search for assets in the specified administrative region. For example, search for assets in Zhejiang.
country="CN" - Search for assets in the specified country (code). For example, search for assets in China (CN).
cert="google.com" - Search for assets with certificates (HTTPS or IMAPS) containing google.com.
Advanced search:
title="powered by" && title!=discuz
title!="powered by" && body=discuz
(body="content=\"WordPress" || (header="X-Pingback" && header="/xmlrpc.php" && body="/wp-includes/")) && host="gov.cn"
Dnsdb Search Engine
The Dnsdb search engine is a query platform for DNS resolution records.
Search Syntax
The DnsDB query syntax structure is condition1 condition2 condition3 ..., each condition is separated by a space, and DnsDB will return the results that meet all query conditions to the user.
Domain Query Conditions
Domain query refers to querying all DNS records of the top-level private domain. The query syntax is domain:.
For example, query all DNS records of google.com: domain:google.com.
Domain query can omit domain:.
Host Query Conditions
The query syntax is host:
For example, query the DNS records of the host address mp3.example.com: host:mp3.example.com
The difference between host query conditions and domain query conditions is that host query matches the Host value of DNS records.
Query by DNS Record Type
The query syntax is type:.
For example, only query A records: type:a
A domain: or host: condition must be present in order to use the type: query syntax.
IP Limitation
The query syntax is ip:
Query specific IP: ip:8.8.8.8, this query is equivalent to directly entering 8.8.8.8 for query
Query specific IP range: ip:8.8.8.8-8.8.255.255
CIDR: ip:8.8.0.0/24
The maximum IP range limitation is 65536.
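The DnsDB rules above (space-separated conditions, an optional domain: prefix, type: only alongside domain: or host:, and the 65536 limit on ip: ranges) can be checked before a query is submitted. The following is an added example, not DnsDB's own code: the function names are hypothetical, only the four conditions described on this page are recognized, IPv4 input is assumed, and the limit is read as "at most 65536 addresses".

```python
import ipaddress

MAX_IP_RANGE = 65536  # limit stated on the page, read here as "at most"


def ip_condition_size(value):
    """Number of addresses covered by an ip: value (single IP, a-b range, or CIDR)."""
    if "-" in value:
        start, end = (ipaddress.ip_address(p) for p in value.split("-", 1))
        if int(end) < int(start):
            raise ValueError("range end precedes start")
        return int(end) - int(start) + 1
    if "/" in value:
        return ipaddress.ip_network(value, strict=False).num_addresses
    ipaddress.ip_address(value)  # raises ValueError if not an IP
    return 1


def check_query(query):
    """Return a list of problems; an empty list means the query follows the rules."""
    problems, keys = [], set()
    for cond in query.split():
        key, sep, value = cond.partition(":")
        if not sep:  # bare term: an IP is treated as ip:, anything else as domain:
            try:
                ipaddress.ip_address(cond)
                key, value = "ip", cond
            except ValueError:
                key, value = "domain", cond
        keys.add(key)
        if key == "ip":
            try:
                if ip_condition_size(value) > MAX_IP_RANGE:
                    problems.append(f"{cond}: more than {MAX_IP_RANGE} addresses")
            except ValueError as exc:
                problems.append(f"{cond}: {exc}")
        elif key not in ("domain", "host", "type"):
            # Assumption: conditions not described on this page are rejected.
            problems.append(f"{cond}: unknown condition")
        elif not value:
            problems.append(f"{cond}: empty value")
    if "type" in keys and not keys & {"domain", "host"}:
        problems.append("type: needs a domain: or host: condition")
    return problems
```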