Google Hacking Tutorial + SQL Injection (Basic)


Type : Tutorial

Level : Easy

Purpose : As a website owner, you should also be aware of this kind of attack on your web server

I wrote this tutorial about Google Hacking because some people keep messaging me to ask how to perform it.

A lot of people who learn about hacking think that hacking just means getting into a web server or computer and defacing it, stealing data, or erasing the victim's disk drive by running rm -rf, etc. But I'm telling you that this isn't the purpose, because this method can also be used to secure your website from bad hackers (see the countermeasure part below).

If you think it's really cool to deface some website, put your name on it, such as "Hacked by v4L", and then use the screenshot as your Facebook profile picture for pride (I've seen this kind of guy… ROFL 🙂 ), I suggest you forget about doing this kind of stupid thing before Interpol catches you 🙂

Google hacking doesn't mean that you can hack into another system instantly (even though sometimes you can get through instantly 😛 ), because Google Hacking is a trick to gain and reveal sensitive information.

While you're in Google, you won't find details about the programs running on someone's computer (unless he/she wrote it in a Facebook status or somewhere else on the net 😛 ), because Google is a web search engine, so it only lists computers/servers that act as web servers.

Do not think too much about complex hacking steps, because before you move to a higher level you need to know the basics. In this tutorial I will cover the simple basics of performing a Google hack and also a very basic SQL injection like ' OR 1=1;--

I believe that some of you reading this tutorial have great skill in SQL scripting, so you can adapt it to your needs.

Okay let's start….

intitle : The intitle operator is used to search websites only within the <title></title> tags, or the actual page title as defined by the website’s author.

inurl : The inurl operator is used to search within a site’s URL itself. This is very useful if you are familiar with a URL string or with the standard URL strings used by different content management systems.

We will try to find the address of the administrator login page by using some of the Google parameters above. Usually the programmer will use words like "Administrator Login", "Admin Login", "Super User", "Owner Login", etc. as the title of the administrator authentication page.

[Screenshot: Google Hacking Tutorial + SQL Injection (Basic)]

As you can see from the picture above, there are about 4,310 search results for that query, but you can narrow your search results by changing some parameters, such as changing .com to .nz, .sg, and many more.

While I was searching for Google Hacking material on the internet, I actually found more than 10 websites that were vulnerable to the basic SQL injection above.

See the example below:

Before :

[Screenshot: Google Hacking Tutorial + SQL Injection (Basic)]

After :

[Screenshot: Google Hacking Tutorial + SQL Injection (Basic)]

Countermeasure :

1. For webmasters: put this tag <meta name="robots" content="noindex, nofollow"> in your web page between <head></head> to prevent search engine crawlers from indexing your private page.

2. Still for webmasters: you can also create or modify a robots.txt file to disallow user agents from crawling some of your web server folders. Example:

User-agent: *
Disallow: /administrator/
Disallow: /user/
Disallow: /modules/

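FYI : If you want to know which folders a website has disallowed, you can look at my simple tool here. Keep in mind that robots.txt is a public file and only a request to well-behaved crawlers, so the folders it lists still need their own authentication.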

3. Again for programmers: filter the user input and make sure the data is safe for the server to execute.
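Countermeasure 3 as an added example (not code from the original post): a login check built by string concatenation beside the same check with bound parameters, both fed the `' OR 1=1;--` string quoted earlier. The table, account, salt and function names are constructed for this sketch, and Python's built-in sqlite3 stands in for whatever database the site really uses.

```python
import hashlib
import sqlite3

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt


def pw_hash(password):
    """Hex PBKDF2 hash, so the table never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db():
    """In-memory table holding one constructed admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)",
               ("admin", pw_hash("correct horse")))
    return db


def login_concatenated(db, username, password):
    """Vulnerable: user input becomes part of the SQL text itself."""
    sql = ("SELECT 1 FROM admins WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """Hardened: input is bound as data and cannot change the query structure."""
    sql = "SELECT 1 FROM admins WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1;--"  # the string quoted in this tutorial
    for check in (login_concatenated, login_parameterized):
        print(check.__name__,
              "| valid login:", check(db, "admin", "correct horse"),
              "| wrong password:", check(db, "admin", "guess"),
              "| payload as username:", check(db, payload, "x"))
```

The concatenated version also breaks on harmless input such as a username containing an apostrophe, which raises a SQL syntax error; the parameterized version simply finds no matching account.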

Just that… hope it's useful 🙂


Blogger at Love PHP, offensive security and web.
Contact him at me[-at-]


  • Sid

    Hello Sir, can you tell me the websites vulnerable to basic SQL injection?

    • v4L

      I’ve already written the tutorial here…

  • Sid

    Sir, how can we check which website is vulnerable to basic SQL and XSS?

    • v4L

      Later I’ll try to add new content about XSS.
      For basic SQL, you should check and google it by yourself… no other way.

  • Jayesh

    Sir, I tried SQL inj. But by mistake I typed + in place of ‘or’ on a site name. I didn't get a login; instead a warning was displayed, something like ‘…as per IT law…investigation …’ followed by some IP address. I didn't log in or change anything.
    Please help me. Am I in trouble? Then what should I do?

    • v4L

      Hmm… maybe it’s just the error message response when you put in the SQL injection command… something like shock therapy 🙂 It’s okay, but as I always remind you, it’s better to build your own and try it in your own lab.

  • amit

    Hello sir, nice tutorial, but how to cover track?

    • dark_soldier

      use any “VPN” to cover track…i use “Hotspot Shield”…

  • dark_soldier

    use “SQL Poizon” to check the vulnerable site of any country with all google dorks….

  • OneLegFastPaced

    v4L, correct me if I am wrong, but even VPNs are not a fail-safe way to keep anonymity. From what I understand, any ‘Nation State’ can walk right in the ‘back door’, sneak around, steal cookies from my jar, and leave without tracking in mud. VPNs are only as safe as the server which hosts them, correct?

    • v4L

      Yes.

  • prashant

    I tried to do it but I'm getting an "outdated" error, so is there any other way?

    The link you used is outdated

    The web address you entered is incorrect

    The page you want no longer exists