Inurl Index.php%3fid=

Attackers use a UNION SELECT statement to pull data from system tables:

index.php?id=-1 UNION SELECT 1, database(), user(), 4--

This reveals:

inurl:index.php%3Fid= filetype:php intext:"root:" | "bin/bash"

Looks for file inclusion of /etc/passwd.

Abstract

The Google Dork inurl:"index.php?id=" represents one of the most iconic and historically significant search queries in the field of cybersecurity. Originally popularized as a primary vector for locating SQL Injection (SQLi) vulnerabilities, the query targets a specific, outdated web development paradigm: dynamic page rendering via unsanitized user input. This paper examines the technical mechanics of this URL structure, its historical exploitation by both malicious actors and ethical hackers, its effectiveness in the modern era of web frameworks, and its legal and ethical implications within Open-Source Intelligence (OSINT).


Using the Google dork inurl:index.php?id=, an attacker can find hundreds of potential targets in minutes. Here is the typical exploitation chain:

ffuf -u "https://target.com/index.php?id=FUZZ" -w payloads/sqli.txt

Consider a vulnerable PHP code snippet:

// UNSAFE CODE - DO NOT USE
$id = $_GET['id'];
$query = "SELECT * FROM products WHERE id = " . $id;
$result = mysqli_query($conn, $query);

The developer expects $id to be 5. But what if an attacker changes the URL to:

index.php?id=5 OR 1=1

The query becomes:

SELECT * FROM products WHERE id = 5 OR 1=1

Since 1=1 is always true, the database returns every product in the table.
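
The vulnerable lookup above next to a hardened version, as an added example that is not from the original page: the hardened function validates the id as an integer and binds it through a prepared statement. The in-memory SQLite database reached through PDO, the sample rows, and the function names lookupUnsafe and lookupSafe are assumptions made so the script runs without a database server; with mysqli the same pattern uses prepare() and bind_param().

```php
<?php
// Added example: constructed table and inputs. PDO with in-memory SQLite
// stands in for the page's mysqli connection (assumption, for offline use).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (id, name)
           VALUES (4, 'widget'), (5, 'gadget'), (6, 'gizmo')");

// Same flaw as the page's snippet: the raw parameter is concatenated
// into the SQL text, so it is parsed as part of the statement.
function lookupUnsafe(PDO $db, string $id): array
{
    $query = 'SELECT * FROM products WHERE id = ' . $id;
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: check the type first, then pass the value as a bound
// parameter so the database never parses it as SQL.
function lookupSafe(PDO $db, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($int === false) {
        return []; // not a positive integer: reject without querying
    }
    $stmt = $db->prepare('SELECT * FROM products WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the expected value and the tampered value from the page.
foreach (['5', '5 OR 1=1'] as $input) {
    printf("input %-10s unsafe rows: %d  safe rows: %d\n",
           "'$input'",
           count(lookupUnsafe($db, $input)),
           count(lookupSafe($db, $input)));
}
```

Because the value is bound as data, the fix does not depend on filtering strings such as OR or UNION out of the request.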

Rules to block ', ", --, union, select, ../, %00.