What is dorking?
I remember a friend who always joked that, since Google indexes so many sites on the Internet (FYI: that's how search engines work), “Google IS the Internet”.
This isn’t wrong for the purposes of Google Dorking! Google Dorking is an advanced method for looking up EXACTLY what you want.
However, everyone has their own technique and finesse in digging through the magic black box that is Google’s search engine…
Background
One of my colleagues, @HillsBrainDead, was testing an application which returned the following error whilst doing an address lookup on the frontend.
While the other errors returned nothing in searches, the highlighted line in particular stood out:
Error -8956 (UPI: Unable to perform search)
First Dork
Doing an exact search of the UPI term in double quotes (""), he then found 1 hit, which was an Excel spreadsheet hosted on an NHS website…????
He was trying to figure out what the underlying software/framework was and got stuck there, so I went to help him out and look further…
What’s in the document?
Looking at the full cell data, we have the following error message in its entirety:
If the "Or use Keyfinder" search option is used when searching for an address the following error will be produced: ‘Error 1 com.qas.proweb.QasException@Error -8755 >> Error -8755 (UPI: Unable to perform search) (Error -8755 -8755) [1]
Second Dork
The com.qas.proweb piqued my interest, as this string is commonly found in Java-related stack traces and is highly likely to be posted online by someone somewhere on the Internet. A quick dork for it shows the following:
This revealed the underlying software as QuickAddress Pro by Experian. They even have a download link to a user guide/manual!
https://docs.experianaperture.io/address-validation/pro-web
Documentation ftw
From there, my colleague was able to read through the guide a bit better and found the following SystemPrefix page and interesting commands!
In the end, nothing too insecure was found, but a few details regarding the backend were exposed such as physical file paths:
Takeaway
Sometimes when chasing a trail in OSINT-style searches like this, you can leverage small bits of data to get new or larger pieces of data.
These new data points allow you to try new searches from a different angle which may lead to different results!
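Seen from the application owner's side, both dorks only worked because backend identifiers reached the frontend error message. As an added example (not code from the original post or from Experian), this Python check flags such strings in an error body before it is returned to the user; the function names, patterns, generic message and the sample file path are assumptions made for illustration.

```python
import re

# Patterns for backend details that should not reach a frontend error message.
LEAK_PATTERNS = {
    # Fully qualified Java exception class, e.g. com.qas.proweb.QasException
    "java_class": re.compile(
        r"\b(?:[a-z_][a-z0-9_]*\.){2,}[A-Z]\w*(?:Exception|Error)\b"),
    # Java stack frame, e.g. "at com.example.Foo.bar(Foo.java:42)"
    "stack_frame": re.compile(r"\bat\s+[\w.$]+\([\w$]+\.java:\d+\)"),
    # Absolute Windows or Unix file path (URLs are not matched)
    "file_path": re.compile(
        r"(?:\b[A-Za-z]:\\(?:[\w .-]+\\)*[\w .-]+"
        r"|(?<![\w/])/(?:[\w.-]+/)+[\w.-]+)"),
    # Vendor-style numeric error code, e.g. "Error -8755"
    "error_code": re.compile(r"\bError\s+-?\d{3,}\b"),
}

def find_leaks(body):
    """Return sorted, de-duplicated (kind, match) pairs found in body."""
    hits = set()
    for kind, pattern in LEAK_PATTERNS.items():
        for m in pattern.finditer(body):
            hits.add((kind, m.group(0)))
    return sorted(hits)

def sanitize(body, reference="ref-0000"):
    """Swap a leaking error body for a generic message; pass clean ones through."""
    if find_leaks(body):
        # The full error belongs in server-side logs, keyed by the reference.
        return f"Address lookup failed. Please try again later. ({reference})"
    return body

# Error text quoted in the post, plus a constructed line with a hypothetical path.
SAMPLE = (
    "com.qas.proweb.QasException@Error -8755 >> Error -8755 "
    "(UPI: Unable to perform search) (Error -8755 -8755)\n"
    r"Could not open D:\apps\lookup\data\config.ini"  # constructed
)

if __name__ == "__main__":
    for kind, value in find_leaks(SAMPLE):
        print(f"{kind:11} {value}")
    print(sanitize(SAMPLE))
```

Run over test or staging responses, a non-empty result from `find_leaks` marks an error path that still echoes backend detail to the client.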