index.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>StingerSearch | Google Dorking Interface</title>
  <link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🐝</text></svg>">
  <style>
:root{--bg:#0b0b0c;--bg-card:#141416;--bg-hover:#1a1a1e;--bg-input:#111113;--amber:#ffb300;--amber-dim:#b37d00;--amber-glow:rgba(255,179,0,.12);--amber-grad:linear-gradient(135deg,#ffb300,#ff9500);--green:#10b981;--red:#ef4444;--blue:#3b82f6;--purple:#8b5cf6;--fg:#e9e9ea;--fg-dim:#8b8b8e;--fg-muted:#5a5a5d;--border:#2a2a2e;--r:12px;--rs:6px}
*{margin:0;padding:0;box-sizing:border-box}
@font-face{font-family:Geist;src:url('https://cdn.jsdelivr.net/npm/geist@1.3.1/dist/fonts/geist-sans/Geist-Regular.woff2') format('woff2');font-weight:400}
@font-face{font-family:Geist;src:url('https://cdn.jsdelivr.net/npm/geist@1.3.1/dist/fonts/geist-sans/Geist-Medium.woff2') format('woff2');font-weight:500}
@font-face{font-family:Geist;src:url('https://cdn.jsdelivr.net/npm/geist@1.3.1/dist/fonts/geist-sans/Geist-SemiBold.woff2') format('woff2');font-weight:600}
@font-face{font-family:Geist;src:url('https://cdn.jsdelivr.net/npm/geist@1.3.1/dist/fonts/geist-sans/Geist-Bold.woff2') format('woff2');font-weight:700}
@font-face{font-family:'Geist Mono';src:url('https://cdn.jsdelivr.net/npm/geist@1.3.1/dist/fonts/geist-mono/GeistMono-Regular.woff2') format('woff2');font-weight:400}
html,body{height:100%;background:var(--bg);color:var(--fg);font-family:Geist,sans-serif;font-size:14px;line-height:1.5}

.shell{display:flex;flex-direction:column;height:100vh;overflow:hidden}

.hdr{padding:16px 24px;border-bottom:1px solid var(--border);display:flex;align-items:center;gap:16px;flex-shrink:0}
.hdr .bee{font-size:28px}
.hdr h1{font-size:22px;font-weight:700;background:var(--amber-grad);-webkit-background-clip:text;-webkit-text-fill-color:transparent}
.hdr .sub{font-size:10px;color:var(--fg-muted);text-transform:uppercase;letter-spacing:.1em;margin-top:-2px}
.hdr-right{margin-left:auto;display:flex;gap:8px;align-items:center}
.hdr-right .target-wrap{display:flex;align-items:center;gap:8px;background:var(--bg-input);border:1px solid var(--border);border-radius:var(--rs);padding:4px 12px}
.hdr-right .target-wrap label{font-size:11px;color:var(--amber);font-weight:600;text-transform:uppercase;letter-spacing:.06em}
.hdr-right .target-wrap input{background:none;border:none;color:var(--fg);font-family:'Geist Mono',monospace;font-size:13px;width:180px;outline:none}
.hdr-right .target-wrap input::placeholder{color:var(--fg-muted)}
.hdr-right .hdr-btn{background:var(--bg-card);border:1px solid var(--border);color:var(--fg-dim);padding:6px 12px;border-radius:var(--rs);cursor:pointer;font-family:Geist,sans-serif;font-size:12px;font-weight:500;display:inline-flex;align-items:center;gap:6px;transition:all .15s}
.hdr-right .hdr-btn:hover{border-color:var(--amber);color:var(--amber);background:var(--amber-glow)}
.hdr-right .hdr-btn.ai{background:var(--amber-grad);color:#000;border-color:transparent;font-weight:600}
.hdr-right .hdr-btn.ai:hover{box-shadow:0 3px 12px rgba(255,179,0,.3);color:#000}

.main-layout{display:flex;flex:1;overflow:hidden}

.sidebar{width:220px;border-right:1px solid var(--border);display:flex;flex-direction:column;flex-shrink:0;overflow-y:auto}
.sidebar .sec-label{font-size:10px;font-weight:600;color:var(--fg-muted);text-transform:uppercase;letter-spacing:.1em;padding:14px 14px 6px}
.cat-item{display:flex;align-items:center;gap:8px;padding:8px 14px;cursor:pointer;font-size:13px;font-weight:500;color:var(--fg-dim);transition:all .12s;border-left:2px solid transparent}
.cat-item:hover{background:var(--bg-hover);color:var(--fg)}
.cat-item.active{background:var(--amber-glow);color:var(--amber);border-left-color:var(--amber)}
.cat-item .cnt{margin-left:auto;font-size:11px;color:var(--fg-muted);font-family:'Geist Mono',monospace}

.center{flex:1;display:flex;flex-direction:column;overflow:hidden}

.qb{padding:20px 24px;border-bottom:1px solid var(--border);background:rgba(20,20,22,.8);flex-shrink:0}
.qb-label{font-size:11px;font-weight:600;color:var(--fg-muted);text-transform:uppercase;letter-spacing:.06em;margin-bottom:8px;display:flex;align-items:center;gap:8px}
.qb-preview{background:var(--bg-input);border:1px solid var(--border);border-radius:var(--rs);padding:12px 14px;font-family:'Geist Mono',monospace;font-size:14px;color:var(--fg);min-height:48px;line-height:1.6;cursor:text;word-break:break-all;transition:border-color .15s}
.qb-preview:focus-within{border-color:var(--amber);box-shadow:0 0 0 2px var(--amber-glow)}
.qb-preview[contenteditable]{outline:none}

.op-bar{display:flex;flex-wrap:wrap;gap:4px;margin-top:10px}
.op-btn{padding:4px 10px;border-radius:var(--rs);background:var(--bg-card);border:1px solid var(--border);color:var(--fg-dim);font-family:'Geist Mono',monospace;font-size:11px;cursor:pointer;transition:all .12s;position:relative}
.op-btn:hover{border-color:var(--amber);color:var(--amber);background:var(--amber-glow)}
.op-btn .tip{display:none;position:absolute;bottom:calc(100% + 6px);left:50%;transform:translateX(-50%);background:#222;border:1px solid var(--border);border-radius:4px;padding:4px 8px;font-size:10px;color:var(--fg);white-space:nowrap;z-index:100;font-family:Geist,sans-serif}
.op-btn:hover .tip{display:block}

.hlA{color:var(--amber);font-weight:600}
.hlB{color:var(--blue);font-weight:600}
.hlP{color:var(--purple);font-weight:600}
.hlR{color:var(--red)}
.hlG{color:var(--green)}
.engine-selector{display:flex;gap:6px;margin-top:10px}
.eng-btn{display:inline-flex;align-items:center;gap:6px;padding:5px 12px;border-radius:var(--rs);background:var(--bg-card);border:1px solid var(--border);color:var(--fg-dim);font-family:Geist,sans-serif;font-size:12px;font-weight:500;cursor:pointer;transition:all .12s}
.eng-btn:hover{color:var(--fg);border-color:var(--fg-dim)}
.eng-btn.active{border-color:var(--amber);color:var(--amber);background:var(--amber-glow)}
.eng-badge{display:inline-flex;align-items:center;justify-content:center;width:16px;height:16px;border-radius:4px;font-family:'Geist Mono',monospace;font-size:10px;font-weight:700;color:#000}
.tpl-eng{margin-right:6px;vertical-align:middle}
.qb-actions{display:flex;gap:8px;margin-top:12px;align-items:center}
.btn{padding:8px 18px;border:none;border-radius:var(--rs);font-family:Geist,sans-serif;font-size:13px;font-weight:600;cursor:pointer;transition:all .15s;display:inline-flex;align-items:center;gap:6px}
.btn-primary{background:var(--amber-grad);color:#000}
.btn-primary:hover{box-shadow:0 4px 16px rgba(255,179,0,.3);transform:translateY(-1px)}
.btn-ghost{background:var(--bg-card);color:var(--fg-dim);border:1px solid var(--border)}
.btn-ghost:hover{border-color:var(--fg-dim);color:var(--fg)}
.btn-sm{padding:5px 10px;font-size:12px}
.btn-icon{padding:6px 8px;background:none;border:1px solid var(--border);border-radius:var(--rs);color:var(--fg-dim);cursor:pointer;font-size:14px;line-height:1}
.btn-icon:hover{border-color:var(--amber);color:var(--amber)}
.shortcut{font-size:10px;color:var(--fg-muted);margin-left:8px;font-family:'Geist Mono',monospace}

.tpl-area{flex:1;overflow-y:auto;padding:16px 24px}
.tpl-search{position:relative;margin-bottom:16px}
.tpl-search input{width:100%;padding:10px 14px 10px 36px;background:var(--bg-card);border:1px solid var(--border);border-radius:var(--rs);color:var(--fg);font-family:Geist,sans-serif;font-size:13px;outline:none}
.tpl-search input:focus{border-color:var(--amber);box-shadow:0 0 0 2px var(--amber-glow)}
.tpl-search input::placeholder{color:var(--fg-muted)}
.tpl-search .ico{position:absolute;left:12px;top:50%;transform:translateY(-50%);color:var(--fg-muted);font-size:14px}

.tpl-grid{display:flex;flex-direction:column;gap:6px}
.tpl-card{background:var(--bg-card);border:1px solid var(--border);border-radius:var(--r);padding:12px 16px;transition:all .15s;position:relative}
.tpl-card:hover{border-color:var(--amber);background:var(--bg-hover)}
.tpl-card-top{display:flex;align-items:center;justify-content:space-between;margin-bottom:4px;gap:8px}
.tpl-card-name{font-size:13px;font-weight:600;flex:1;cursor:pointer}
.tpl-card-cat{font-size:10px;color:var(--amber-dim);background:var(--amber-glow);padding:1px 6px;border-radius:3px;white-space:nowrap}
.tpl-card-dork{font-family:'Geist Mono',monospace;font-size:12px;color:var(--fg-dim);margin-bottom:4px;word-break:break-all;cursor:pointer}
.tpl-card-desc{font-size:11px;color:var(--fg-muted)}
.tpl-card-toggle{font-size:11px;color:var(--amber-dim);background:none;border:none;cursor:pointer;padding:4px 0;margin-top:4px;font-family:Geist,sans-serif}
.tpl-card-toggle:hover{color:var(--amber)}
.tpl-card-exp{display:none;margin-top:8px;padding:10px 12px;background:var(--bg-input);border-left:2px solid var(--amber);border-radius:4px;font-size:11px;color:var(--fg-dim);line-height:1.6}
.tpl-card-exp.open{display:block}
.tpl-card-exp strong{color:var(--amber);display:block;margin-top:6px;font-weight:600;font-size:10px;text-transform:uppercase;letter-spacing:.05em}
.tpl-card-exp strong:first-child{margin-top:0}

.export-bar{display:flex;gap:8px;padding:8px 14px;border-top:1px solid var(--border)}

.modal-overlay{position:fixed;inset:0;background:rgba(0,0,0,.75);display:none;align-items:center;justify-content:center;z-index:1000}
.modal-overlay.open{display:flex}
.modal{background:var(--bg-card);border:1px solid var(--border);border-radius:var(--r);width:min(560px,calc(100vw - 32px));max-height:calc(100vh - 64px);overflow-y:auto;box-shadow:0 20px 60px rgba(0,0,0,.6)}
.modal-hdr{padding:16px 20px;border-bottom:1px solid var(--border);display:flex;align-items:center;justify-content:space-between}
.modal-hdr h2{font-size:16px;font-weight:700;color:var(--amber)}
.modal-hdr .modal-close{background:none;border:none;color:var(--fg-dim);font-size:22px;cursor:pointer;line-height:1}
.modal-hdr .modal-close:hover{color:var(--red)}
.modal-body{padding:20px}
.modal-body label{font-size:11px;font-weight:600;color:var(--fg-muted);text-transform:uppercase;letter-spacing:.06em;display:block;margin-bottom:6px}
.modal-body .help{font-size:12px;color:var(--fg-dim);margin-bottom:12px;line-height:1.5}
.modal-body input[type=text],.modal-body input[type=password],.modal-body textarea{width:100%;padding:10px 12px;background:var(--bg-input);border:1px solid var(--border);border-radius:var(--rs);color:var(--fg);font-family:Geist,sans-serif;font-size:13px;outline:none;resize:vertical}
.modal-body input:focus,.modal-body textarea:focus{border-color:var(--amber);box-shadow:0 0 0 2px var(--amber-glow)}
.modal-body textarea{min-height:90px;font-family:Geist,sans-serif}
.modal-body .row{margin-bottom:14px}
.modal-footer{padding:14px 20px;border-top:1px solid var(--border);display:flex;gap:8px;justify-content:flex-end}
.ai-result{background:var(--bg-input);border:1px solid var(--border);border-radius:var(--rs);padding:14px;margin-top:14px}
.ai-result .ai-name{font-size:14px;font-weight:700;color:var(--amber);margin-bottom:6px}
.ai-result .ai-dork{font-family:'Geist Mono',monospace;font-size:13px;color:var(--fg);background:var(--bg);padding:8px 10px;border-radius:4px;margin-bottom:8px;word-break:break-all}
.ai-result .ai-exp{font-size:12px;color:var(--fg-dim);line-height:1.6;margin-bottom:10px}
.ai-result .ai-actions{display:flex;gap:8px}
.ai-refused{padding:12px 14px;background:rgba(239,68,68,.08);border:1px solid rgba(239,68,68,.3);border-radius:var(--rs);color:#fca5a5;font-size:12px;line-height:1.5;margin-top:14px}
.ai-loading{text-align:center;padding:20px;color:var(--fg-muted);font-size:12px}
.warn{font-size:11px;color:#fbbf24;background:rgba(251,191,36,.08);border:1px solid rgba(251,191,36,.25);border-radius:var(--rs);padding:8px 12px;margin-bottom:12px;line-height:1.5}

@media(max-width:900px){
  .sidebar{display:none}
  .hdr{flex-wrap:wrap;padding:12px 16px}
  .hdr-right{width:100%}
  .hdr-right .target-wrap{flex:1}
  .hdr-right .target-wrap input{width:100%}
  .qb{padding:16px}
  .tpl-area{padding:12px}
}
@media(max-width:600px){
  .op-bar{gap:2px}
  .op-btn{padding:3px 6px;font-size:10px}
}
  </style>
</head>
<body>
<div class="shell">
  <header class="hdr">
    <span class="bee">🐝</span>
    <div>
      <h1>StingerSearch</h1>
      <div class="sub">Google Dorking Interface</div>
    </div>
    <div class="hdr-right">
      <div class="target-wrap">
        <label>Target</label>
        <input type="text" id="target" placeholder="example.com" oninput="onTargetChange()">
      </div>
      <button class="hdr-btn ai" onclick="openAiModal()">✨ AI Dork</button>
      <button class="hdr-btn" onclick="openSettingsModal()" title="Settings">⚙</button>
    </div>
  </header>

  <div class="main-layout">
    <aside class="sidebar" id="sidebar"></aside>

    <div class="center">
      <div class="qb">
        <div class="qb-label">
          Query Builder
          <span class="shortcut">Ctrl+Enter to search</span>
        </div>
        <div class="qb-preview" id="query-preview" contenteditable="true" spellcheck="false" oninput="onQueryEdit()" onkeydown="onQueryKey(event)"></div>
        <div class="op-bar" id="op-bar"></div>
        <div class="engine-selector" id="engine-selector"></div>
        <div class="qb-actions">
          <button class="btn btn-primary" id="search-btn" onclick="executeSearch()">🐝 Search Google</button>
          <button class="btn btn-ghost btn-sm" onclick="copyQuery()">Copy</button>
          <button class="btn btn-ghost btn-sm" onclick="clearQuery()">Clear</button>
          <button class="btn btn-ghost btn-sm" onclick="exportTemplates()">Export All</button>
        </div>
      </div>

      <div class="tpl-area">
        <div class="tpl-search">
          <span class="ico">&#128269;</span>
          <input type="text" id="tpl-filter" placeholder="Search dork templates..." oninput="filterTemplates()">
        </div>
        <div class="tpl-grid" id="tpl-grid"></div>
      </div>
    </div>
  </div>
</div>

<div class="modal-overlay" id="ai-modal" onclick="if(event.target===this)closeAiModal()">
  <div class="modal">
    <div class="modal-hdr">
      <h2>✨ AI Dork Generator</h2>
      <button class="modal-close" onclick="closeAiModal()">&times;</button>
    </div>
    <div class="modal-body">
      <div id="ai-no-key" style="display:none">
        <div class="warn" id="ai-key-warning">Requires an AI provider key. Your key stays in this browser only (localStorage). Click the gear icon to set it.</div>
        <button class="btn btn-primary" onclick="closeAiModal();openSettingsModal()">Set API Key</button>
      </div>
      <div id="ai-with-key">
        <div class="row">
          <label for="ai-prompt">Describe what you are hunting for</label>
          <div class="help">Be specific. The model will construct a Google dork from standard operators. Refuses anything targeting specific people or obvious crimes.</div>
          <textarea id="ai-prompt" placeholder="e.g. find exposed .env files on .edu domains, or look for open-source projects with hardcoded AWS keys"></textarea>
        </div>
        <div id="ai-output"></div>
      </div>
    </div>
    <div class="modal-footer">
      <button class="btn btn-ghost btn-sm" onclick="closeAiModal()">Cancel</button>
      <button class="btn btn-primary btn-sm" id="ai-gen-btn" onclick="generateDork()">Generate</button>
    </div>
  </div>
</div>

<div class="modal-overlay" id="settings-modal" onclick="if(event.target===this)closeSettingsModal()">
  <div class="modal">
    <div class="modal-hdr">
      <h2>⚙ Settings</h2>
      <button class="modal-close" onclick="closeSettingsModal()">&times;</button>
    </div>
    <div class="modal-body">
      <div class="row">
        <label for="ai-provider">AI Provider</label>
        <div class="help">OpenRouter Free is the recommended free public option. Anthropic stays supported for users who already have Claude API keys.</div>
        <select id="ai-provider" onchange="onProviderChange()" style="width:100%;padding:10px 12px;background:var(--bg-input);border:1px solid var(--border);border-radius:var(--rs);color:var(--fg);font-family:Geist,sans-serif;font-size:13px;outline:none">
          <option value="openrouter">OpenRouter Free (BYO key)</option>
          <option value="anthropic">Anthropic Claude (BYO key)</option>
        </select>
      </div>
      <div class="row">
        <label for="ai-api-key" id="ai-key-label">API Key</label>
        <div class="help" id="ai-key-help">Used by the AI dork generator. Stored only in your browser localStorage. No CK42X backend sees the key.</div>
        <input type="password" id="ai-api-key" placeholder="API key" autocomplete="off">
      </div>
      <div class="row">
        <label for="ai-model">Model</label>
        <div class="help" id="ai-model-help">Free OpenRouter models are rate-limited by OpenRouter and may change over time.</div>
        <select id="ai-model" style="width:100%;padding:10px 12px;background:var(--bg-input);border:1px solid var(--border);border-radius:var(--rs);color:var(--fg);font-family:Geist,sans-serif;font-size:13px;outline:none"></select>
      </div>
      <div class="warn">No CK42X key is bundled. This app makes API calls from your browser. Keys in localStorage can be read by any script served from this origin. Use a scoped, low-limit key if you self-host anywhere public.</div>
    </div>
    <div class="modal-footer">
      <button class="btn btn-ghost btn-sm" onclick="clearKey()">Clear Key</button>
      <button class="btn btn-primary btn-sm" onclick="saveSettings()">Save</button>
    </div>
  </div>
</div>

<script>
let query = "";
let activeCat = "all";
let target = "";
let expandedExplanations = new Set();
let currentEngine = localStorage.getItem("stinger-engine") || "google";

const engines = {
  google: { name: "Google", url: q => `https://www.google.com/search?q=${encodeURIComponent(q)}`, badge: "G", color: "var(--amber)" },
  shodan: { name: "Shodan", url: q => `https://www.shodan.io/search?query=${encodeURIComponent(q)}`, badge: "S", color: "var(--blue)" },
};

const aiProviders = {
  openrouter: {
    name: "OpenRouter Free",
    keyStorage: "stinger-openrouter-key",
    modelStorage: "stinger-openrouter-model",
    defaultModel: "deepseek/deepseek-v4-flash:free",
    keyLabel: "OpenRouter API Key",
    keyHelp: 'Stored only in this browser. Get a key at <a href="https://openrouter.ai/keys" target="_blank" style="color:var(--amber)">openrouter.ai/keys</a>. Use a model ending in <code>:free</code> to stay on the free route.',
    keyPlaceholder: "sk-or-v1-...",
    modelHelp: "Free models are rate-limited by OpenRouter. If one is busy, try another free model.",
    models: [
      { value: "deepseek/deepseek-v4-flash:free", label: "DeepSeek V4 Flash (free, default)" },
      { value: "openai/gpt-oss-20b:free", label: "OpenAI gpt-oss-20b (free)" },
      { value: "meta-llama/llama-3.3-70b-instruct:free", label: "Llama 3.3 70B Instruct (free)" },
      { value: "google/gemma-4-26b-a4b-it:free", label: "Gemma 4 26B A4B IT (free)" }
    ]
  },
  anthropic: {
    name: "Anthropic Claude",
    keyStorage: "stinger-anthropic-key",
    modelStorage: "stinger-anthropic-model",
    defaultModel: "claude-haiku-4-5-20251001",
    keyLabel: "Anthropic API Key",
    keyHelp: 'Stored only in this browser. Get a key at <a href="https://console.anthropic.com/settings/keys" target="_blank" style="color:var(--amber)">console.anthropic.com</a>. Calls Claude directly from this page with Anthropic browser access enabled.',
    keyPlaceholder: "sk-ant-...",
    modelHelp: "Haiku is fast and lower-cost. Sonnet is smarter for complex hunts.",
    models: [
      { value: "claude-haiku-4-5-20251001", label: "claude-haiku-4-5 (default)" },
      { value: "claude-sonnet-4-6", label: "claude-sonnet-4-6" }
    ]
  }
};

const operators = [
  { op: "site:", tip: "Restrict to domain", ex: "site:example.com" },
  { op: "inurl:", tip: "URL contains keyword", ex: "inurl:admin" },
  { op: "intitle:", tip: "Page title contains", ex: 'intitle:"index of"' },
  { op: "intext:", tip: "Body text contains", ex: "intext:password" },
  { op: "filetype:", tip: "File extension", ex: "filetype:pdf" },
  { op: "ext:", tip: "File extension (alt)", ex: "ext:sql" },
  { op: "before:", tip: "Results before date", ex: "before:2025-01-01" },
  { op: "after:", tip: "Results after date", ex: "after:2024-01-01" },
  { op: "OR", tip: "Either term", ex: "admin OR administrator" },
  { op: "-", tip: "Exclude term", ex: "-site:youtube.com" },
  { op: '""', tip: "Exact phrase", ex: '"index of /"' },
  { op: "*", tip: "Wildcard", ex: '"admin * password"' },
];

// Shodan facets and filters that actually return results.
// Used by Shodan-routed templates and the AI generator.
const shodanFilters = [
  { op: "port:", tip: "Open port number", ex: "port:554" },
  { op: "App:", tip: "Application banner match", ex: 'App:"Hikvision IP Camera"' },
  { op: "product:", tip: "Detected product", ex: 'product:"OctoPrint"' },
  { op: "country:", tip: "ISO country code", ex: "country:US" },
  { op: "org:", tip: "Organization name", ex: 'org:"Comcast Cable"' },
  { op: "has_screenshot:", tip: "Devices with screenshots", ex: "has_screenshot:true" },
  { op: "title:", tip: "HTTP response title", ex: 'title:"Octoprint"' },
  { op: "http.html:", tip: "Substring in HTML body", ex: 'http.html:"login"' },
];

const templates = [
  { cat: "Files", name: "Exposed PDF Documents", dork: 'filetype:pdf', desc: "Find publicly accessible PDF files", exp: "The filetype: operator restricts results to pages whose URL ends in the given extension. Combine with intext: or site: to focus. Often surfaces old resumes, scanned contracts, internal reports, slide decks. Defender note: mark sensitive PDFs with X-Robots-Tag: noindex and require auth for restricted paths. robots.txt is NOT a security boundary." },
  { cat: "Files", name: "Excel Spreadsheets", dork: 'filetype:xlsx OR filetype:xls', desc: "Find exposed Excel spreadsheets", exp: "Targets both modern (xlsx) and legacy (xls) Excel workbooks. Spreadsheets are a goldmine because organizations dump employee rosters, finance data, and audit tracking into them without protecting the hosting location. Narrow with intext:email or site:target.com." },
  { cat: "Files", name: "Word Documents", dork: 'filetype:docx OR filetype:doc', desc: "Find exposed Word documents", exp: "Word docs often contain draft policies, internal memos, HR letters, and meeting notes. Legacy .doc hides interesting metadata (author, company, revision history) that modern OSINT extracts with exiftool." },
  { cat: "Files", name: "SQL Database Dumps", dork: 'filetype:sql "INSERT INTO" OR "CREATE TABLE"', desc: "Find exposed SQL database dumps", exp: "SQL dumps are often left in web-accessible backup folders. A full dump can include password hashes, PII, session tokens. Defender: never place .sql files under web root, even temporarily. Use object storage with auth." },
  { cat: "Files", name: "CSV Data Files", dork: 'filetype:csv "email" OR "password" OR "username"', desc: "CSV files with sensitive columns", exp: "CSVs often hold user exports from SaaS tools. The intext phrases target header rows. Legitimate uses: finding your own exposures during a red team engagement. Results are often stale dumps from prior incidents." },
  { cat: "Files", name: "Log Files", dork: 'filetype:log "error" OR "warning" OR "failed"', desc: "Exposed application log files", exp: "Log files leak stack traces, user IDs, IP addresses, file paths, tokens in URLs. Modern frameworks should log to stdout and ship to a SIEM. Defender: never serve /logs or /tmp from web root." },
  { cat: "Files", name: "Configuration Files", dork: 'filetype:conf OR filetype:cfg OR filetype:ini', desc: "Exposed config files", exp: "Generic config extensions reveal Apache, Nginx, ASP.NET, database, and application settings. Add intext:password or intext:connectionString to focus on high-value entries." },
  { cat: "Files", name: "XML Data Files", dork: 'filetype:xml "password" OR "secret" OR "key"', desc: "XML files with sensitive data", exp: "XML is the classic enterprise leak vector: Spring configs, Tomcat context.xml, WEB-INF/web.xml. May contain database credentials and embedded keystores. Add site:target.com to scope to a specific program." },
  { cat: "Files", name: "JSON Config Files", dork: 'filetype:json "api_key" OR "secret" OR "password"', desc: "JSON files with credentials", exp: "JSON configs are common for Node, Python, and cloud deployments (gcloud key files, Firebase admin creds). The filetype: operator plus intext keyword is tight. Many bug bounty reports start here." },
  { cat: "Files", name: "Environment Files", dork: 'filetype:env "DB_PASSWORD" OR "API_KEY" OR "SECRET"', desc: "Exposed .env files with secrets", exp: "dotenv files are the single most common credential leak. Developers push .env to web roots or forget to add it to .gitignore. The filetype:env filter plus a classic variable name catches live secrets. Rotate any discovered keys immediately and escalate to the owner." },
  { cat: "Files", name: "Backup Archives", dork: 'filetype:bak OR filetype:backup OR filetype:old', desc: "Backup files left on servers", exp: "Devs rename files like wp-config.php.bak to bypass deploy scripts or IDE sync. These are often indexed because web servers serve them as text/plain. Add site: to scope." },
  { cat: "Files", name: "SSH Private Keys", dork: 'filetype:pem "BEGIN RSA PRIVATE KEY" OR "BEGIN OPENSSH PRIVATE KEY"', desc: "Exposed SSH private keys", exp: "A leaked private key is game over for anything trusting it. The intext phrase matches the ASCII-armored PEM header. If you find one, report and rotate. Do not SSH in, even as a test." },
  { cat: "Files", name: "PGP Private Keys", dork: '"BEGIN PGP PRIVATE KEY BLOCK" filetype:asc', desc: "Exposed PGP private keys", exp: "Same idea as SSH keys but for PGP. Sometimes leaks the org's code-signing key. Private keys have no business on web servers." },
  { cat: "Files", name: "Password Files", dork: 'filetype:txt "password" "username" OR "login"', desc: "Text files containing credentials", exp: "Plaintext password.txt, creds.txt, and notes.txt are disturbingly common. The double-intext pattern catches README-style credential dumps left by admins." },
  { cat: "Files", name: "Database Connection Strings", dork: 'filetype:properties "jdbc" OR "connectionString" "password"', desc: "Java/DB connection strings", exp: "Java .properties files and connectionString entries expose DB hostnames, schemas, and passwords. Pairs well with an internal network pivot during pentests." },
  { cat: "Files", name: "Cryptocurrency Wallets", dork: 'filetype:dat "wallet" OR filetype:json "mnemonic"', desc: "Exposed crypto wallet files", exp: "wallet.dat files and mnemonic-bearing JSONs are theft candidates. Legitimate uses: checking your own exposure. Reporting channels vary by chain." },
  { cat: "Files", name: "Git Config", dork: 'filetype:txt "url = https://github.com" "password" OR "token"', desc: "Git configs with embedded creds", exp: "Older Git workflows embedded PATs directly in remote URLs. Pushing the .git/config to a web root exposes them. Defender: use Git credential helpers, not embedded URLs." },
  { cat: "Files", name: "Docker Compose", dork: 'filetype:yml "docker-compose" "password" OR "POSTGRES_PASSWORD"', desc: "Docker Compose with hardcoded passwords", exp: "docker-compose.yml files committed with hardcoded env values are an anti-pattern but common. Look for POSTGRES_PASSWORD, REDIS_PASSWORD, and SECRET_KEY_BASE (Rails)." },
  { cat: "Files", name: "Terraform State", dork: 'filetype:tfstate "aws_access_key" OR "secret_key"', desc: "Terraform state with cloud credentials", exp: "tfstate files contain post-plan resource state including provider credentials. They belong in a remote backend (S3 + DynamoDB lock), never in a web-served repo." },
  { cat: "Files", name: "Kubernetes Secrets", dork: 'filetype:yaml "kind: Secret" "data:"', desc: "Kubernetes secret manifests", exp: "Kubernetes Secret manifests base64-encode their data, which many people confuse with encryption. A leaked Secret manifest is a plaintext credential leak." },
  { cat: "Files", name: "AWS Credentials File", dork: 'filetype:txt "[default]" "aws_access_key_id" "aws_secret_access_key"', desc: "AWS CLI credential file leak", exp: "The ~/.aws/credentials file format is iconic. A leak gives an attacker a valid AWS CLI session. Defender: use IAM roles, not long-lived keys." },
  { cat: "Files", name: "GCP Service Account JSON", dork: '"type": "service_account" "private_key" filetype:json', desc: "GCP service account keys", exp: "GCP service-account JSONs grant the bearer full API access per the account's IAM bindings. A leaked file is immediate cloud compromise." },
  { cat: "Files", name: "npmrc Token", dork: 'filetype:npmrc "_authToken" OR "//registry.npmjs.org/:_authToken"', desc: ".npmrc files with publish tokens", exp: ".npmrc with _authToken allows publishing to the registry under that user. A supply-chain nightmare. Defender: use granular, expiring tokens scoped per CI pipeline." },
  { cat: "Files", name: "Postman Collection Exports", dork: 'filetype:json "info" "schema" "postman" "bearer"', desc: "Postman collections with tokens", exp: "Exported Postman collections often embed live bearer tokens, cookies, and environment secrets. Developers email these around or drop them into shared drives." },
  { cat: "Files", name: "Android Keystores", dork: 'filetype:jks OR filetype:keystore', desc: "Java keystores with signing keys", exp: "Android apps are signed with a keystore. A leaked keystore plus its password lets an attacker push malicious updates under the original signing identity. Replace immediately if compromised." },
  { cat: "Files", name: "iOS Provisioning Profiles", dork: 'filetype:mobileprovision', desc: "Apple provisioning profiles", exp: "Embedded-profile leaks may reveal team IDs, device UDIDs, entitlements, and push cert fingerprints. Not catastrophic alone but useful for targeted phishing and cert pinning recon." },
  { cat: "Files", name: "Jupyter Notebooks With Secrets", dork: 'filetype:ipynb "api_key" OR "password" OR "secret"', desc: "Jupyter notebooks with inline creds", exp: "Notebooks are a huge leak source: data scientists paste tokens into cells to quickly fetch data, then commit the notebook. The ipynb JSON embeds cell outputs too." },
  { cat: "Files", name: "WordPress wp-backup", dork: '"index of" "wp-content" ".tar.gz" OR ".zip"', desc: "WordPress site backups", exp: "Site-wide backups in wp-content include the database dump and wp-config.php. Backup plugins place archives under wp-content/backups by default and forget to restrict access." },

  { cat: "Logins", name: "Admin Login Pages", dork: 'intitle:"admin login" OR intitle:"admin panel"', desc: "Administrative login portals", exp: "Catches pages that literally title themselves 'Admin Login' or 'Admin Panel'. Low signal on its own. Add site: to scope. Useful as a starting point during a scope-authorized recon pass." },
  { cat: "Logins", name: "WordPress Login", dork: 'inurl:wp-login.php', desc: "WordPress admin login pages", exp: "Every WordPress site has /wp-login.php unless hardened. Knowing a target runs WP is useful for targeted patching checks or public-issue tracking." },
  { cat: "Logins", name: "phpMyAdmin", dork: 'intitle:"phpMyAdmin" "Welcome to phpMyAdmin"', desc: "Exposed phpMyAdmin instances", exp: "phpMyAdmin panels should never be internet-facing. Public instances suggest default credentials, weak passwords, or a forgotten dev box." },
  { cat: "Logins", name: "cPanel Login", dork: 'inurl:":2082" OR inurl:":2083" intitle:"cPanel"', desc: "cPanel hosting login pages", exp: "Shared hosting control panel. The explicit :2082 (HTTP) and :2083 (HTTPS) ports are the canonical entry. Useful for phishing research and password-spray scope enumeration." },
  { cat: "Logins", name: "Webmail Login", dork: 'intitle:"Roundcube Webmail" OR intitle:"Horde" inurl:login', desc: "Webmail login interfaces", exp: "Webmail portals are a classic credential-stuffing target. Knowing which product (Roundcube vs Horde) is running narrows known CVEs." },
  { cat: "Logins", name: "VPN Login Portals", dork: 'intitle:"SSL VPN" OR intitle:"GlobalProtect" inurl:login', desc: "VPN login portals", exp: "Palo Alto GlobalProtect, Pulse Secure, and generic SSL VPN portals have been hit by major CVEs repeatedly. A VPN with a weak patch cadence is a frequent initial-access vector." },
  { cat: "Logins", name: "Citrix Gateway", dork: 'intitle:"Citrix Gateway" OR intitle:"NetScaler" inurl:login', desc: "Citrix remote access login", exp: "Citrix NetScaler has faced CVE-2023-3519 (RCE) and CVE-2023-4966 (Citrix Bleed). Exposed instances are a constant patch-lag check." },
  { cat: "Logins", name: "Grafana Login", dork: 'intitle:"Grafana" inurl:login', desc: "Grafana dashboard login", exp: "Grafana panels often leak internal metric names, data source URLs, and sometimes enable anonymous viewing. CVE-2021-43798 (path traversal) is commonly unpatched in older versions." },
  { cat: "Logins", name: "Jenkins Dashboard", dork: 'intitle:"Dashboard [Jenkins]"', desc: "Unauthenticated Jenkins dashboards", exp: "A Jenkins dashboard visible without login is a red alert: anonymous users may trigger builds, read credentials, or run Groovy. CVE-2024-23897 made unauth file reads trivial." },
  { cat: "Logins", name: "Kibana Dashboard", dork: 'intitle:"Kibana" inurl:app/kibana', desc: "Open Kibana/Elasticsearch dashboards", exp: "Kibana without auth exposes the underlying Elasticsearch cluster. Search 'Discover' to browse indices. Historical CVEs include LFI and JavaScript prototype pollution." },
  { cat: "Logins", name: "Jira Login", dork: 'inurl:"/login.jsp" intitle:"Log in" "Jira"', desc: "Jira project management login", exp: "Jira credentials unlock project data, linked Confluence pages, and often connected Bitbucket/GitHub repos. Heavy target for credential-stuffing." },
  { cat: "Logins", name: "Default Credentials Page", dork: 'intitle:"default password" OR "factory password" filetype:html', desc: "Pages listing default credentials", exp: "Device documentation and vendor user manuals that publish default login pairs. Useful for deployed-device audits." },
  { cat: "Logins", name: "Router Login", dork: 'intitle:"Router Login" OR intitle:"NETGEAR" inurl:login', desc: "Router web interface logins", exp: "Consumer routers exposed to the WAN interface. Usually indicates ISP misconfiguration or a user flipping remote admin on. Many vendors still ship default admin/admin." },
  { cat: "Logins", name: "ServiceNow Portal", dork: 'inurl:"service-now.com" inurl:"login.do"', desc: "ServiceNow ITSM login", exp: "ServiceNow instances host ticketing, CMDB, and HR workflows. Recent CVE-2024-4879 (Jelly template injection) enables unauth data theft on older builds." },
  { cat: "Logins", name: "Splunk Login", dork: 'intitle:"Login - Splunk"', desc: "Splunk SIEM login portal", exp: "Access to a company's SIEM is worst-case: attackers can query logs for their own footprints, verify detection gaps, and extract sensitive content." },
  { cat: "Logins", name: "Okta Admin", dork: 'inurl:"okta.com/admin/" OR intitle:"Okta Sign-In"', desc: "Okta admin console", exp: "Okta is the identity provider for many orgs. The admin console is high-value. MFA and IP allowlists are the primary defense." },
  { cat: "Logins", name: "RDWeb / RDS Gateway", dork: 'intitle:"RD Web Access" inurl:"RDWeb/Pages"', desc: "Microsoft Remote Desktop Web portal", exp: "RD Web Access exposes a workforce's RDP entry. BlueKeep (CVE-2019-0708) and similar CVEs target these. Also a vector for NTLM relay and password spraying." },
  { cat: "Logins", name: "Exchange OWA", dork: 'inurl:"owa/auth/logon.aspx"', desc: "Exchange Outlook Web Access", exp: "OWA portals are phishing honeypots and CVE targets (ProxyLogon, ProxyShell). Version fingerprinting through HTTP headers tells you quickly if patches are current." },
  { cat: "Logins", name: "VMware vCenter", dork: 'intitle:"VMware vCenter" OR intitle:"VMware vSphere Web Client"', desc: "VMware vCenter web client", exp: "vCenter CVE-2021-21985 and CVE-2021-22005 were chained for unauth RCE and mass exploitation in the wild. Expose vCenter to the internet at your peril." },
  { cat: "Logins", name: "FortiGate SSL VPN", dork: 'intitle:"FortiGate" inurl:"/remote/login"', desc: "Fortinet FortiGate VPN portal", exp: "FortiGate has been hit by multiple credential-leak CVEs (CVE-2018-13379, CVE-2022-40684). Patching discipline is critical." },
  { cat: "Logins", name: "Cisco ASA / AnyConnect", dork: 'intitle:"Cisco Systems, Inc. VPN Service" OR intitle:"WebVPN Service"', desc: "Cisco ASA/AnyConnect portals", exp: "Cisco AnyConnect portals have historical and recent CVEs affecting auth. Arrange disclosure via the vendor's PSIRT process if you find something." },

  { cat: "Directories", name: "Open Directory Listings", dork: 'intitle:"index of /" -inurl:github', desc: "Apache/nginx directory listings", exp: "The most classic dork. Apache and Nginx generate auto-index pages when directory indexing is on AND no index file is present. Use -inurl:github to filter out package listings." },
  { cat: "Directories", name: "Parent Directory", dork: 'intitle:"index of" "parent directory"', desc: "Browseable parent directories", exp: "Refines the above. 'Parent Directory' is the link Apache places atop a listing. Useful when you already have a known file and want to climb one level." },
  { cat: "Directories", name: "FTP Directories", dork: 'intitle:"index of" inurl:ftp', desc: "Open FTP directory listings", exp: "Web-facing ftp/ directories are often leftover from legacy deployments. Often hold backups, legacy DB dumps, and scanned documents." },
  { cat: "Directories", name: "Backup Directories", dork: 'intitle:"index of" "backup" OR "bak" OR "old"', desc: "Directories containing backups", exp: "Find /backup/, /bak/, /old/ directories listing .tar.gz, .sql, or full-site archives. Always check for monthly/yearly archive naming." },
  { cat: "Directories", name: "Upload Directories", dork: 'intitle:"index of" "upload" OR "uploads"', desc: "Open upload directories", exp: "User-uploaded content directories. WordPress /wp-content/uploads/ is most common. Sometimes contains personal IDs, resumes, or confidential attachments." },
  { cat: "Directories", name: "Config Directories", dork: 'intitle:"index of" "config" OR "conf" OR "etc"', desc: "Exposed configuration directories", exp: "A listing of /config/ or /etc/ under web root is a security review finding on its own. Drill into the directory for .conf, .ini, .env files." },
  { cat: "Directories", name: "WordPress Uploads", dork: 'intitle:"index of" inurl:wp-content/uploads', desc: "WordPress upload directories", exp: "Client files, branding assets, and sometimes backup plugin artifacts. Common path: /wp-content/uploads/YYYY/MM/." },
  { cat: "Directories", name: "Git Repositories", dork: 'intitle:"index of" ".git"', desc: "Exposed .git directories", exp: "A web-readable .git directory lets an attacker reconstruct the full source code and history with git-dumper or similar tools. Many bug bounty payouts start here." },
  { cat: "Directories", name: "SVN Repositories", dork: 'intitle:"index of" ".svn"', desc: "Exposed .svn directories", exp: "Same idea as .git but for older Subversion workflows. Less common now but still found on legacy sites." },
  { cat: "Directories", name: "Media Directories", dork: 'intitle:"index of" "mp3" OR "mp4" OR "mkv" OR "avi"', desc: "Directories with media files", exp: "Open media directories are not always security-relevant but often accompany misconfigured webroots where more sensitive assets sit in neighbor folders." },
  { cat: "Directories", name: "node_modules Exposed", dork: 'intitle:"index of" "node_modules"', desc: "Deployed node_modules folders", exp: "A deployed node_modules directory is a massive surface. Attackers can fingerprint exact package versions for CVE targeting and sometimes find .env-like files mistakenly included." },
  { cat: "Directories", name: "Composer vendor Exposed", dork: 'intitle:"index of" "vendor/composer"', desc: "PHP composer vendor directories", exp: "PHP vendor/ directories expose third-party library versions. Identifies vulnerable dependency chains (CVE-2021-41125 HTTP smuggling in Werkzeug-like libs)." },
  { cat: "Directories", name: "Dist / Build Folders", dork: 'intitle:"index of" "/dist/" OR "/build/"', desc: "Frontend build output directories", exp: "Build output directories often include sourcemaps (.js.map) that decompile minified code, sometimes revealing internal API routes and hardcoded tokens." },
  { cat: "Directories", name: "__MACOSX Leftovers", dork: 'intitle:"index of" "__MACOSX"', desc: "Accidentally extracted Mac metadata", exp: "The __MACOSX folder is created when a Mac user zips a folder. Its presence means someone uploaded a zip via the web without extracting cleanly, often leaking the full archive's structure." },
  { cat: "Directories", name: ".vscode Leaked", dork: 'intitle:"index of" ".vscode"', desc: "VS Code settings folders", exp: "A committed .vscode/ directory may contain launch.json with embedded debugging credentials, database URLs, and custom task definitions." },

  { cat: "Configs", name: "wp-config.php", dork: 'inurl:wp-config.php -inurl:github', desc: "WordPress configuration with DB creds", exp: "wp-config.php holds DB credentials, auth salts, and table prefixes. If served as raw text (misconfigured PHP), it is an immediate DB takeover. Defender: ensure PHP files are executed, not served as text." },
  { cat: "Configs", name: ".htaccess Files", dork: 'inurl:.htaccess -inurl:github "AuthUserFile"', desc: "Apache .htaccess with auth rules", exp: "An .htaccess served as text reveals internal URL rewrites, auth mechanisms, and paths to .htpasswd files. Apache should never serve .ht* files (the default deny rule handles this)." },
  { cat: "Configs", name: "web.config", dork: 'filetype:config "connectionString" "password"', desc: "IIS/ASP.NET web.config with creds", exp: "web.config is IIS's equivalent of wp-config. It routinely holds DB connection strings with embedded passwords. Many exposures are due to IIS accidentally serving .config as text after broken handler mappings." },
  { cat: "Configs", name: "php.ini", dork: 'filetype:ini "php" "password" OR "mysql"', desc: "PHP configuration files", exp: "Global PHP settings. Sometimes misused to store per-app database credentials. Exposes error-reporting levels that inform exploitation." },
  { cat: "Configs", name: "Apache Config", dork: 'filetype:conf "ServerRoot" OR "DocumentRoot"', desc: "Apache server configuration", exp: "httpd.conf or apache2.conf leaks reveal virtual host layout, module configuration, and sometimes internal backend targets in mod_proxy rules." },
  { cat: "Configs", name: "Nginx Config", dork: 'filetype:conf "nginx" "server_name" "proxy_pass"', desc: "Nginx server configuration", exp: "Nginx configs disclose backend upstreams (proxy_pass), internal service topology, and caching rules. Useful for mapping the internal architecture behind a WAF." },
  { cat: "Configs", name: ".env Exposed", dork: 'intitle:"index of" ".env" -github', desc: "Exposed .env files in directory listings", exp: "Paired with the filetype:env dork above. This variant catches directory listings that include .env. Browsers usually refuse to render dotfiles inline so raw view is often available." },
  { cat: "Configs", name: "Firebase Config", dork: '"firebaseConfig" "apiKey" "authDomain" filetype:js', desc: "Firebase config with API keys", exp: "Firebase web SDKs require apiKey to be embedded client-side. This alone is not a vulnerability (Firebase expects it public), but combined with overly permissive Firestore or Realtime DB rules it becomes trivial data exfiltration." },
  { cat: "Configs", name: "AWS Credentials", dork: '"aws_access_key_id" "aws_secret_access_key" filetype:txt OR filetype:cfg', desc: "Exposed AWS credentials", exp: "Classic. If a key is live, report to the org via security.txt or their bug bounty program. Do not exercise the credential beyond the minimum required to prove control." },
  { cat: "Configs", name: "Ansible Vault", dork: '"$ANSIBLE_VAULT" filetype:yml', desc: "Ansible vault encrypted files (weak keys)", exp: "Ansible Vault encrypts secrets but can be brute-forced offline if the password is weak. Modern playbooks should use inventory-level secrets providers instead." },
  { cat: "Configs", name: "GitLab CI YAML", dork: 'filetype:yml "stages:" "image:" ".gitlab-ci"', desc: "GitLab CI pipeline configs", exp: ".gitlab-ci.yml files leak build logic, artifact paths, and sometimes inline secrets. GitLab supports CI/CD variables specifically so secrets do not live in YAML." },
  { cat: "Configs", name: "CircleCI Config", dork: 'filetype:yml "version: 2" "jobs:" "circleci"', desc: "CircleCI pipeline configs", exp: "Same risk profile as GitLab CI. Sometimes leaks deploy keys or webhook targets." },
  { cat: "Configs", name: "Jenkinsfile Leaks", dork: 'filetype:txt "pipeline {" "agent" "stages"', desc: "Jenkinsfile Groovy pipelines", exp: "Jenkinsfiles reveal build logic and occasionally embed credentialsId references. Combined with an exposed Jenkins instance, these are blueprint and lock in one place." },
  { cat: "Configs", name: "Serverless Framework", dork: 'filetype:yml "service:" "provider:" "functions:"', desc: "serverless.yml deployment specs", exp: "serverless.yml describes Lambda/Azure Functions deployments, including IAM permissions and environment variables. A leak maps the serverless architecture." },
  { cat: "Configs", name: "Netlify TOML", dork: 'filetype:toml "[build]" "publish" "command"', desc: "Netlify site configurations", exp: "netlify.toml reveals build command, publish directory, and sometimes context-based env var names. Useful for fingerprinting a static-site deployment." },
  { cat: "Configs", name: "crossdomain.xml", dork: 'filetype:xml "cross-domain-policy" "allow-access-from domain=\"*\""', desc: "Wildcard Flash crossdomain policies", exp: "A wildcard allow-access-from is a legacy Flash vulnerability but still valuable against SWF-backed upload forms on old apps." },
  { cat: "Configs", name: "Robots with Admin Paths", dork: 'filetype:txt "User-agent:" "Disallow: /admin" OR "Disallow: /api"', desc: "robots.txt revealing internal paths", exp: "robots.txt is security through obscurity at best. Attackers read it first. The Disallow entries act as a hit list of 'interesting' endpoints the site owner wanted hidden." },

  { cat: "Databases", name: "Exposed MySQL", dork: 'intitle:"phpMyAdmin" "Welcome to" -demo', desc: "Open phpMyAdmin databases", exp: "Public phpMyAdmin is almost always a misconfiguration. Check login page for version info (phpMyAdmin has had SQL injection CVEs as recently as 2023)." },
  { cat: "Databases", name: "Adminer Panels", dork: 'intitle:"Adminer" "Login" inurl:adminer', desc: "Exposed Adminer database tools", exp: "Adminer is a single-file PHP DB admin UI. Its simplicity makes it easy to drop into /public/ and forget. If exposed, treat as DB takeover risk." },
  { cat: "Databases", name: "MongoDB Express", dork: 'intitle:"Mongo Express" "Database"', desc: "Exposed MongoDB Express web UI", exp: "Mongo Express exposed without auth is a full DB dump away. Binding to 0.0.0.0 during dev and never walling it off is the typical root cause." },
  { cat: "Databases", name: "Elasticsearch Open", dork: 'intitle:"Elasticsearch Head" OR inurl:_cat/indices', desc: "Open Elasticsearch clusters", exp: "An ES cluster with _cat/indices reachable anonymously is a 'help yourself' data warehouse. The old Shodan staple. Defender: set xpack security and bind to loopback." },
  { cat: "Databases", name: "Redis Commander", dork: 'intitle:"Redis Commander"', desc: "Exposed Redis web management", exp: "Redis Commander UI over Redis that itself has no auth. Often seen in dev-flavor production. Can flush keys, read sessions, write arbitrary keys." },
  { cat: "Databases", name: "CouchDB Open", dork: 'inurl:":5984/_utils" intitle:"Futon"', desc: "Open CouchDB Futon interface", exp: "Port 5984 is CouchDB's HTTP API. Futon is the web UI. CVE-2017-12636 was a remote command execution via config changes accessible to authed admins." },
  { cat: "Databases", name: "PostgreSQL pgAdmin", dork: 'intitle:"pgAdmin" inurl:login', desc: "Exposed pgAdmin instances", exp: "pgAdmin instances on the public internet are a credential-stuffing target. Older versions have had SSRF and path-traversal issues." },
  { cat: "Databases", name: "SQL Dumps Online", dork: 'filetype:sql "INSERT INTO" "VALUES" -github', desc: "SQL dump files on web servers", exp: "Raw SQL dumps on web-reachable paths. Attackers Grep them for password columns, token tables, session storage." },
  { cat: "Databases", name: "SQLite Files", dork: 'filetype:db OR filetype:sqlite "CREATE TABLE"', desc: "Exposed SQLite database files", exp: "SQLite is portable. Leaks from mobile apps, Electron apps, or small tools. Download and open with the sqlite3 CLI to inspect." },
  { cat: "Databases", name: "Cassandra OpsCenter", dork: 'intitle:"OpsCenter" "Cassandra"', desc: "Exposed Cassandra management", exp: "Cassandra OpsCenter was DataStax's management UI. Exposed instances may allow keyspace enumeration and cluster management." },
  { cat: "Databases", name: "InfluxDB Open", dork: 'intitle:"InfluxDB" "Chronograf" OR inurl:":8086/query"', desc: "Open InfluxDB/Chronograf", exp: "Time-series DBs often back internal monitoring. Exposed instances leak metric names, hostnames, and sometimes application-level data piped into metrics." },
  { cat: "Databases", name: "Neo4j Browser", dork: 'intitle:"Neo4j Browser" OR inurl:":7474"', desc: "Neo4j graph database UI", exp: "Default Neo4j deployments use port 7474 and the 'neo4j' user with a default password until set. Exposed instances are often default-credential takeovers." },
  { cat: "Databases", name: "Supabase Anon Key Leak", dork: 'filetype:js "supabase.co" "anon" "eyJ"', desc: "Supabase anon keys in JS", exp: "Supabase anon keys are meant to be public but ONLY when row-level security is properly configured. Unconfigured RLS plus a leaked anon key equals full DB read." },

  { cat: "Cloud", name: "Open S3 Buckets", dork: 'site:s3.amazonaws.com "index of"', desc: "Open Amazon S3 bucket listings", exp: "An S3 bucket with ListObjects enabled anonymously. The AWS default is private but many orgs still flip to public. Check the bug bounty program's scope carefully before interacting." },
  { cat: "Cloud", name: "Azure Blob Storage", dork: 'site:blob.core.windows.net "index" OR "listing"', desc: "Open Azure Blob containers", exp: "Azure Blob containers with public-read access. List via ?restype=container&comp=list. Often contains old backups, IIS logs, and VM disk exports." },
  { cat: "Cloud", name: "GCP Storage", dork: 'site:storage.googleapis.com "index" OR "listing"', desc: "Open Google Cloud Storage buckets", exp: "GCS buckets flipped to allUsers reader. Same takeaway as S3 but with GCP IAM semantics." },
  { cat: "Cloud", name: "DigitalOcean Spaces", dork: 'site:digitaloceanspaces.com "index of"', desc: "Open DigitalOcean Spaces", exp: "DigitalOcean Spaces is S3-compatible. Public Spaces show the same 'index of' style when listing is enabled." },
  { cat: "Cloud", name: "Exposed Firebase DBs", dork: 'site:firebaseio.com "null" OR "true"', desc: "Firebase databases with public read", exp: "Realtime Database rules default to restricted but dev shortcuts of '.read': true leak entire trees. The '.json' suffix on any path returns raw data." },
  { cat: "Cloud", name: "Heroku Config Vars", dork: 'site:herokuapp.com "config" "password" OR "api_key"', desc: "Heroku apps leaking config", exp: "Heroku apps occasionally render their own env vars on debug pages. Rare but catastrophic when it happens." },
  { cat: "Cloud", name: "Travis CI Logs", dork: 'site:travis-ci.org "secure" "password" OR "token"', desc: "CI logs with leaked secrets", exp: "Public Travis logs sometimes include echoed secrets when users print env vars for debugging. Same pattern shows up on GitHub Actions logs." },
  { cat: "Cloud", name: "GitHub Secrets", dork: 'site:github.com "password" filetype:env OR "API_KEY" filetype:json', desc: "GitHub repos with hardcoded secrets", exp: "Scope appropriately. The GitHub secret-scanning team already auto-revokes some keys. Reporting is best done through the affected vendor (Stripe, AWS, etc.)." },
  { cat: "Cloud", name: "GitLab Snippets", dork: 'site:gitlab.com "password" OR "token" "snippet"', desc: "GitLab snippets with credentials", exp: "GitLab snippets are essentially public gists. People paste entire .env files to share with a colleague and forget the visibility." },
  { cat: "Cloud", name: "Trello Boards", dork: 'site:trello.com "password" OR "credentials" OR "api key"', desc: "Trello boards with sensitive data", exp: "Public Trello boards leak launch plans, roadmaps, support cases with PII, and occasionally infrastructure credentials. Defender: audit board visibility quarterly." },
  { cat: "Cloud", name: "Cloudflare R2 Public", dork: 'site:r2.cloudflarestorage.com', desc: "Public Cloudflare R2 buckets", exp: "Cloudflare R2 is S3-compatible with no egress fees. Public buckets are rarer by default than S3 but still appear when misconfigured." },
  { cat: "Cloud", name: "Backblaze B2 Public", dork: 'site:f000.backblazeb2.com', desc: "Public Backblaze B2 files", exp: "B2 buckets set to 'Public' expose all files on unpredictable but guessable paths. Check with rclone or boto3." },
  { cat: "Cloud", name: "AWS Lambda Function URLs", dork: 'site:lambda-url.us-east-1.on.aws OR site:lambda-url.eu-west-1.on.aws', desc: "Public AWS Lambda Function URLs", exp: "Lambda Function URLs provide a direct HTTPS endpoint to a function, bypassing API Gateway. Misconfigured auth types leave these wide open." },
  { cat: "Cloud", name: "Azure Functions", dork: 'site:azurewebsites.net "api/" intitle:"Function App"', desc: "Azure Function App endpoints", exp: "Azure Functions support anonymous or function-key auth. Misconfiguring auth to anonymous is common in POC deployments left running." },
  { cat: "Cloud", name: "Ngrok Tunnels", dork: 'site:ngrok.io OR site:ngrok-free.app', desc: "Active ngrok tunnels", exp: "ngrok exposes local dev services publicly. Frequently found with admin panels, debug endpoints, and local databases. Ephemeral but often left running for days." },

  { cat: "Cameras", name: "Webcam XP", dork: 'intitle:"webcamXP 5" OR intitle:"webcam 7"', desc: "WebcamXP streaming servers", exp: "Legacy Windows webcam streaming software. Predominantly home users who forgot they installed it. Ethical concerns significant. Limit interactions to fingerprinting." },
  { cat: "Cameras", engine: "shodan", name: "Hikvision IP Cameras", dork: 'App:"Hikvision IP Camera" has_screenshot:true', desc: "Hikvision cameras with live screenshots (Shodan)", exp: "Shodan banners Hikvision devices via the App tag, which is far more reliable than Google indexing of the web UI. has_screenshot:true filters to devices Shodan has captured a frame from. CVE-2021-36260 (command injection) and the more recent backdoor accounts remain widely unpatched. Defender note: never expose camera firmware web UIs to the public internet, period." },
  { cat: "Cameras", name: "IP Cameras (generic)", dork: 'inurl:"/view/view.shtml" OR inurl:"ViewerFrame?Mode="', desc: "Generic IP camera feeds", exp: "The ViewerFrame?Mode= parameter is used by many no-name ODM cameras that share firmware. Most ship with admin/admin defaults." },
  { cat: "Cameras", name: "Axis Cameras", dork: 'inurl:"/axis-cgi/" OR intitle:"AXIS" "Network Camera"', desc: "Axis network cameras", exp: "Axis-cgi is the control API path for Axis cameras. Well-built hardware but auth misconfigurations leak live feeds regularly." },
  { cat: "Cameras", engine: "shodan", name: "Dahua Cameras", dork: 'product:"Dahua DVR" OR product:"Dahua Web Service"', desc: "Dahua DVRs and IP cameras (Shodan)", exp: "Shodan fingerprints Dahua devices via product banner detection. CVE-2021-33044 and CVE-2021-33045 were auth bypasses affecting many SKUs and remain a real exposure on unpatched units. Always fingerprint firmware version before any further interaction." },
  { cat: "Cameras", name: "VLC Web Interface", dork: 'intitle:"VLC media player" "Web Interface"', desc: "VLC streaming web interfaces", exp: "VLC exposes an HTTP control interface on port 8080 when --extraintf=http is used. Surprisingly common in home NAS setups." },
  { cat: "Cameras", engine: "shodan", name: "Open RTSP Streams", dork: 'port:554 has_screenshot:true', desc: "Public RTSP cameras with live frames (Shodan)", exp: "Google does NOT index rtsp:// URLs because its crawler only fetches http/https. Asking Google for inurl:rtsp:// returns nothing useful. Shodan actively scans port 554, the canonical RTSP port, and renders a screenshot when the stream is unauthenticated. has_screenshot:true filters to devices currently leaking video. Use ffmpeg or VLC only on systems you own or have written authorization to test." },
  { cat: "Cameras", name: "IoT Dashboards", dork: 'intitle:"Node-RED" OR intitle:"ThingsBoard" inurl:login', desc: "IoT platform dashboards", exp: "Node-RED in particular runs on many Raspberry Pis. CVE-2021-3223 was an unauth access issue. Often tied to real-world automation." },
  { cat: "Cameras", name: "Printer Panels", dork: 'intitle:"HP" "LaserJet" inurl:info_configuration', desc: "Exposed network printer panels", exp: "Printers are networked computers. Their web UIs leak configuration, scan history, saved credentials (LDAP, SMB shares). PRET (Printer Exploitation Toolkit) is the canonical assessment tool." },
  { cat: "Cameras", engine: "shodan", name: "Modbus PLCs (SCADA)", dork: 'port:502 country:US', desc: "Internet-exposed Modbus PLCs (Shodan)", exp: "Modbus TCP listens on port 502 by default and ships with no authentication on the wire. Google indexes web pages, not industrial protocols, so SCADA recon belongs entirely on Shodan or Censys. NEVER send Modbus function codes to a device without explicit written authorization. Report exposed assets via CISA ICS-CERT or the vendor PSIRT. Drop the country filter to widen scope." },
  { cat: "Cameras", name: "Home Assistant", dork: 'intitle:"Home Assistant" inurl:"/auth/authorize"', desc: "Home Assistant dashboards", exp: "Home Assistant instances exposed to the internet. Recent CVEs affected the API. Typically home users who configured remote access without a VPN." },
  { cat: "Cameras", name: "Octoprint", dork: 'intitle:"OctoPrint" "Login" inurl:":5000"', desc: "OctoPrint 3D printer dashboards", exp: "OctoPrint controls 3D printers. Remote access without auth can cause physical damage (printer fires have been documented). Patch level matters." },
  { cat: "Cameras", engine: "shodan", name: "Foscam Cameras", dork: 'product:"Foscam IP Camera"', desc: "Foscam consumer IP cameras (Shodan)", exp: "Shodan banners Foscam cameras via the product field. Multiple auth bypass CVEs exist across the line. Consumer cameras often ship with admin/admin defaults and slow patch cycles. Check has_screenshot:true to see which leak video." },
  { cat: "Cameras", engine: "shodan", name: "Vivotek Cameras", dork: 'product:"VIVOTEK Network Camera httpd"', desc: "Vivotek network cameras (Shodan)", exp: "Vivotek devices announce themselves in HTTP server banners which Shodan parses into the product facet. Enterprise-grade hardware but still exposed when network ACLs are misconfigured. Add has_screenshot:true to see leaking units." },
  { cat: "Cameras", engine: "shodan", name: "Open MQTT Brokers", dork: 'port:1883 -product:"mosquitto"', desc: "Internet-exposed MQTT message brokers (Shodan)", exp: "MQTT runs on port 1883 (cleartext) and 8883 (TLS) and frequently ships with no auth. IoT message buses often leak telemetry, location data, and command channels. The mosquitto exclusion narrows to less-common implementations that also tend to be misconfigured. NEVER subscribe or publish without authorization." },
  { cat: "Cameras", engine: "shodan", name: "Open VNC No Auth", dork: 'port:5900 "authentication disabled"', desc: "VNC servers with no authentication (Shodan)", exp: "VNC banners reveal authentication state in the handshake. Shodan parses this into the banner string. Authentication-disabled VNC means anyone can take an interactive desktop session. This is one of the highest-impact exposed-service classes on the public internet." },
  { cat: "Cameras", engine: "shodan", name: "RDP With Screenshot", dork: 'port:3389 has_screenshot:true', desc: "Public RDP hosts with login screens captured (Shodan)", exp: "Port 3389 RDP is the dominant initial-access vector for ransomware affiliates. Shodan captures the Windows login screen via NLA negotiation, often revealing the local username and machine name. Pair with country: or org: facets for scope. NEVER attempt credentials." },
  { cat: "Cameras", engine: "shodan", name: "Default Password Banners", dork: '"default password" -title:"login"', desc: "Banners that literally say 'default password' (Shodan)", exp: "A surprising number of devices print 'default password' in their HTTP banner, telnet welcome, or login page text. Shodan indexes those banners. The title exclusion drops the obvious login portals so you see the embedded systems leaking the phrase via their boot screens or admin UIs." },

  { cat: "Admin", name: "Django Admin", dork: 'intitle:"Django" inurl:admin', desc: "Django admin panels", exp: "Django's /admin/ route is ubiquitous. Unpatched Django has had CVEs (CVE-2021-35042 SQLi). DEBUG=True leaks settings to every 500 page." },
  { cat: "Admin", name: "Laravel Debugbar", dork: 'intitle:"Debugbar" "Laravel" OR inurl:"_debugbar"', desc: "Laravel debug panels (info leak)", exp: "Debugbar exposes route info, session data, DB queries. Laravel's APP_DEBUG=true in prod is the root cause. It is a full reconnaissance source." },
  { cat: "Admin", name: "Spring Boot Actuator", dork: 'inurl:"/actuator" "env" OR "beans" OR "health"', desc: "Spring Boot actuator endpoints", exp: "Unauthenticated /actuator/env dumps environment variables including credentials. /actuator/heapdump downloads a full heap dump containing session data and tokens." },
  { cat: "Admin", name: "Swagger UI", dork: 'intitle:"Swagger UI" inurl:swagger', desc: "Exposed API documentation", exp: "Swagger/OpenAPI UIs map out every endpoint. In a bug-bounty scoped target, these are pure gold. In the wild, often reveal internal-only endpoints accidentally." },
  { cat: "Admin", name: "GraphQL Playground", dork: 'intitle:"GraphQL Playground" OR intitle:"GraphiQL"', desc: "Exposed GraphQL explorers", exp: "Playground/GraphiQL lets you introspect the entire schema. Introspection should be disabled in production. Enumeration reveals queries, mutations, and type relationships." },
  { cat: "Admin", name: "Docker Registry", dork: 'intitle:"Docker Registry" OR inurl:"/v2/_catalog"', desc: "Open Docker registries", exp: "The Docker Registry HTTP API v2 at /v2/_catalog lists all repos. Unauth exposure means an attacker can pull internal images, often containing embedded secrets." },
  { cat: "Admin", name: "Kubernetes Dashboard", dork: 'intitle:"Kubernetes Dashboard"', desc: "Exposed K8s dashboards", exp: "The classic K8s dashboard with anonymous access (CVE-2018-18264) was a common cluster takeover. Modern deployments require bearer tokens but misconfigurations persist." },
  { cat: "Admin", name: "Portainer", dork: 'intitle:"Portainer" inurl:login', desc: "Docker Portainer management", exp: "Portainer CVE-2022-34310 was a privilege escalation. Exposed instances with default admin/admin are still found in the wild." },
  { cat: "Admin", name: "Webmin", dork: 'intitle:"Webmin" inurl:10000', desc: "Webmin server admin panels", exp: "Webmin CVE-2019-15107 was a pre-auth backdoor shipped in the release. Many un-updated boxes still run that version." },
  { cat: "Admin", name: "Nagios Monitoring", dork: 'intitle:"Nagios" "Process Information"', desc: "Nagios monitoring dashboards", exp: "Nagios Core and XI have had multiple CVEs. Monitor configs reveal internal hostnames and service topology." },
  { cat: "Admin", name: "Zabbix", dork: 'intitle:"Zabbix" inurl:zabbix/index.php', desc: "Zabbix monitoring login", exp: "Zabbix CVE-2022-35229 and CVE-2022-24917 were SQL injection and XSS. Modern patched versions are well-hardened but exposure is still a security finding." },
  { cat: "Admin", name: "Prometheus", dork: 'intitle:"Prometheus" inurl:graph OR inurl:targets', desc: "Exposed Prometheus instances", exp: "Prometheus /targets and /config leak scrape targets, rule sets, and often authentication config for scraped services. It is a network topology disclosure." },
  { cat: "Admin", name: "Tomcat Manager", dork: 'intitle:"Apache Tomcat" "Manager App" inurl:manager', desc: "Tomcat manager panels", exp: "Tomcat Manager with weak credentials (tomcat/tomcat, admin/admin) allows WAR file upload, which equals RCE. Also watch for CVE-2020-1938 Ghostcat on AJP." },
  { cat: "Admin", name: "Solr Admin", dork: 'intitle:"Solr Admin" inurl:solr', desc: "Apache Solr admin interface", exp: "Solr CVE-2019-0193 (Velocity template injection) was widely exploited for crypto mining. Version fingerprinting matters." },
  { cat: "Admin", name: "HashiCorp Vault UI", dork: 'intitle:"Vault" "Sign in to Vault"', desc: "HashiCorp Vault unsealed UIs", exp: "A sealed Vault is not directly dangerous but an unsealed one with weak auth is a secrets dispensary. The UI login page itself reveals Vault presence for further recon." },
  { cat: "Admin", name: "HashiCorp Consul", dork: 'intitle:"Consul by HashiCorp" inurl:":8500"', desc: "Consul service mesh UIs", exp: "Consul's default HTTP API on port 8500 is often exposed. Without ACLs enabled, the KV store, service catalog, and node list are all readable." },
  { cat: "Admin", name: "Rundeck", dork: 'intitle:"Rundeck" "Login" inurl:rundeck', desc: "Rundeck job automation", exp: "Rundeck executes arbitrary SSH commands across infrastructure. Default-credential or weak-credential instances are full-fleet compromise." },
  { cat: "Admin", name: "AWX / Ansible Tower", dork: 'intitle:"Ansible Tower" OR intitle:"AWX" inurl:login', desc: "Ansible Tower/AWX consoles", exp: "AWX runs Ansible playbooks. Credentials and vault secrets live here. CVE-2023-5189 was an RCE via playbook injection." },
  { cat: "Admin", name: "Harbor Registry", dork: 'intitle:"Harbor" "Sign In" inurl:harbor', desc: "Harbor container registry", exp: "Harbor CVE-2022-31671 exposed registry credentials. Exposed public Harbor instances with weak auth leak entire internal image sets." },
  { cat: "Admin", name: "SonarQube", dork: 'intitle:"SonarQube" inurl:sonar', desc: "SonarQube code quality dashboards", exp: "SonarQube scans source code. Anonymous access reveals project structure, code issues, and sometimes the full source. Set force-auth=true." },
  { cat: "Admin", name: "Gitea Instances", dork: 'intitle:"Sign In - Gitea"', desc: "Self-hosted Gitea forges", exp: "Self-hosted Git forges often host private source. Default install allows public registration unless disabled. Historical CVEs include RCE via git hooks." },

  { cat: "Errors", name: "PHP Errors", dork: '"Fatal error" "on line" filetype:php', desc: "PHP fatal errors with path disclosure", exp: "PHP fatal errors reveal absolute filesystem paths, PHP versions, and sometimes framework versions. Disable display_errors in production php.ini." },
  { cat: "Errors", name: "ASP.NET Errors", dork: '"Server Error in" "Application" "Stack Trace"', desc: "ASP.NET detailed error pages", exp: "ASP.NET yellow-screen-of-death pages leak stack traces, assembly versions, and sometimes source code snippets. Set customErrors mode='On' in web.config." },
  { cat: "Errors", name: "Java Stack Traces", dork: '"java.lang" "Exception" "at org" -github', desc: "Java stack traces revealing internals", exp: "Java stack traces leak package structure, dependency versions, and runtime state. Combine with a known CVE to find vulnerable unpatched services." },
  { cat: "Errors", name: "Django Debug Mode", dork: 'intitle:"DisallowedHost" OR "DEBUG = True" "Django"', desc: "Django in debug mode", exp: "DEBUG=True on Django leaks everything: settings, SQL queries, template locals, installed apps, SECRET_KEY. Any 500 error is an enumeration windfall." },
  { cat: "Errors", name: "Laravel Errors", dork: '"Whoops!" "Laravel" "Stack trace"', desc: "Laravel debug error pages", exp: "Whoops is the 'friendly' Laravel debug page. It exposes environment variables inline. APP_DEBUG=false is mandatory for production." },
  { cat: "Errors", name: "WordPress Debug", dork: 'inurl:debug.log "PHP" "error" site:', desc: "WordPress debug log files", exp: "WP_DEBUG_LOG writes errors to wp-content/debug.log. Accidentally indexed, these leak plugin paths and error patterns useful for vulnerability research." },
  { cat: "Errors", name: "MySQL Errors", dork: '"You have an error in your SQL syntax" OR "mysql_fetch"', desc: "SQL error messages (SQL injection indicators)", exp: "These are smoking-gun SQLi indicators. If you control the input that produces the error, you likely have injection. Use with authorization." },
  { cat: "Errors", name: "Connection Strings Leaked", dork: '"ORA-" "TNS:" OR "connection string" "password"', desc: "Oracle/DB connection errors with creds", exp: "Oracle TNS errors often include the full connection string. Unusual but high-value." },
  { cat: "Errors", name: "500 Error Pages", dork: 'intitle:"500 Internal Server Error" "server at"', desc: "Internal server errors with info", exp: "The Apache 500 default page shows 'server at hostname port X' identifying the internal server. Cloud-fronted sites occasionally show origin hostnames here." },
  { cat: "Errors", name: "403 Listings", dork: 'intitle:"403 Forbidden" "Directory listing"', desc: "Forbidden pages revealing server info", exp: "403 pages confirm a path exists but is blocked. Useful for enumeration: combine with wordlists to find backend paths the server explicitly protects." },
  { cat: "Errors", name: "Ruby on Rails", dork: '"ActionController::RoutingError" "rails"', desc: "Rails routing error pages", exp: "Rails dev error pages in production leak routes and application structure. config.consider_all_requests_local should be false in production." },
  { cat: "Errors", name: "Python Tracebacks", dork: '"Traceback (most recent call last)" filetype:txt', desc: "Python exception tracebacks", exp: "Raw Python tracebacks disclose module paths, function names, and framework versions. Flask in debug mode also exposes an interactive shell." },
  { cat: "Errors", name: "Go Panic Traces", dork: '"goroutine" "panic:" "runtime error"', desc: "Go panic stack traces", exp: "Go panic traces reveal package paths, struct names, and often sensitive values in the frame dump. Use recover() and log externally." },
  { cat: "Errors", name: "Node.js Errors", dork: '"at Object.<anonymous>" "at Module._compile" "Error:"', desc: "Node.js stack traces", exp: "Node stack traces leak npm package versions, file paths, and dependency structure. Useful for known-CVE fingerprinting." },

  { cat: "Juicy", name: "Email Lists", dork: 'filetype:xls OR filetype:csv "email" "@" "phone"', desc: "Spreadsheets with email + phone data", exp: "Marketing exports, CRM dumps, event attendee lists. Widely indexed due to casual sharing. GDPR/CCPA territory for EU/US orgs." },
  { cat: "Juicy", name: "Financial Reports", dork: 'filetype:pdf "confidential" "financial" OR "revenue" OR "salary"', desc: "Confidential financial documents", exp: "Internal financial reports marked confidential yet indexed. Often the result of a cloud storage share being flipped from 'internal only' to 'anyone with link' then indexed." },
  { cat: "Juicy", name: "Employee Directories", dork: 'filetype:xlsx "employee" "phone" "email" "department"', desc: "Internal employee directories", exp: "Employee rosters with contact info. Phishing gold. Modern directories live in SSO systems but legacy Excel exports persist on internal shares that slip public." },
  { cat: "Juicy", name: "Network Diagrams", dork: 'filetype:pdf OR filetype:vsd "network diagram" OR "topology"', desc: "Network architecture documents", exp: "Visio diagrams and PDF network topologies reveal internal IP ranges, firewall rules, VLANs, and vendor equipment. Invaluable for adversary planning, hence invaluable for defenders to prevent leaking." },
  { cat: "Juicy", name: "Penetration Test Reports", dork: 'filetype:pdf "penetration test" "executive summary" "findings"', desc: "Published pentest reports", exp: "Pentest reports published publicly (sometimes intentionally for trust, sometimes not). Reveal attack paths, patched or unpatched findings, internal hostnames." },
  { cat: "Juicy", name: "Incident Response Plans", dork: 'filetype:pdf "incident response" "playbook" OR "procedure"', desc: "IR plans and playbooks", exp: "IR plans reveal detection gaps and response playbooks. Attackers use these to time actions below detection thresholds." },
  { cat: "Juicy", name: "Board Meeting Minutes", dork: 'filetype:pdf "board meeting" "minutes" "confidential"', desc: "Confidential board meeting notes", exp: "Board minutes discuss strategic direction, acquisitions, legal risks. Leaked minutes are material for insider-trading concerns and competitive intelligence." },
  { cat: "Juicy", name: "API Keys in Code", dork: '"api_key" OR "apikey" "AIza" OR "sk-" OR "ghp_" -site:github.com', desc: "Leaked API keys outside GitHub", exp: "AIza = Google API key prefix. sk- = Stripe or OpenAI secret key. ghp_ = GitHub personal access token. -site:github.com filters out the noisy source." },
  { cat: "Juicy", name: "Internal Wikis", dork: 'intitle:"Confluence" OR intitle:"MediaWiki" "internal" -site:atlassian.com', desc: "Exposed internal wikis", exp: "Confluence and MediaWiki instances set to public accidentally. Confluence CVE-2022-26134 and CVE-2023-22515 were widely exploited. Data mine plus active-CVE surface." },
  { cat: "Juicy", name: "Resumes with SSN", dork: 'filetype:pdf "social security" OR "SSN" "resume"', desc: "Resumes with social security numbers", exp: "Old-school resumes included SSN. Still found indexed on academic and personal sites. Reporting to the individual through the site owner is the right move." },
  { cat: "Juicy", name: "Medical Records", dork: 'filetype:pdf "patient" "diagnosis" "medical record" -example', desc: "Exposed medical records", exp: "HIPAA territory in the US. Reports via HHS OCR if the leaking entity is a covered entity. Do not retain the documents beyond what is needed to report." },
  { cat: "Juicy", name: "Legal Documents", dork: 'filetype:pdf "attorney-client" OR "privileged" "confidential"', desc: "Privileged legal documents", exp: "Privileged documents publicly indexed. Leakage often occurs via cloud shares or misconfigured document management systems. Report via the responsible counsel." },
  { cat: "Juicy", name: "Source Code", dork: 'filetype:py OR filetype:rb "password" "def " "import" -github', desc: "Source code with hardcoded passwords", exp: "Python and Ruby code with embedded credentials indexed outside GitHub. Often found on personal sites, university pages, and legacy hosting." },
  { cat: "Juicy", name: "Pastebin Dumps", dork: 'site:pastebin.com "password" "email" "@"', desc: "Pastebin credential dumps", exp: "Pastebin has been a primary credential-dump venue since 2009. Modern operators also use ghostbin, paste.ee, and rentry. Monitor your org's domain for leaked creds." },
  { cat: "Juicy", name: "Zoom Cloud Recordings", dork: 'site:zoom.us "Cloud Recording" OR "Meeting Recording"', desc: "Public Zoom cloud recordings", exp: "Public Zoom recordings with predictable or leaked links. Many early-pandemic recordings remain public indefinitely. Content ranges from benign to confidential all-hands." },
  { cat: "Juicy", name: "Slack Export JSON", dork: 'filetype:json "slack_export" OR "channels.json" "messages"', desc: "Slack workspace exports", exp: "Slack workspace exports dumped publicly. Rich context on org culture, inter-team communications, and linked credentials. Reporting via the company's security.txt." },
  { cat: "Juicy", name: "HR Policy Documents", dork: 'filetype:pdf "human resources" "confidential" "policy"', desc: "Internal HR policy documents", exp: "HR policy docs are not automatically sensitive but often leak org structure, salary bands, and grievance processes." },
  { cat: "Juicy", name: "Grant Applications", dork: 'filetype:pdf "grant application" "budget" "principal investigator"', desc: "Academic grant applications", exp: "Grant applications reveal PI names, budget projections, unpublished research directions, and internal strategy. Rare but high-signal." },

  { cat: "Vulns", name: "Apache Struts", dork: 'inurl:".action" "Struts Problem Report"', desc: "Apache Struts error pages (RCE risk)", exp: "Apache Struts had the CVE-2017-5638 OGNL RCE that contributed to the Equifax breach. Any exposed Struts-backed app should be patched urgently." },
  { cat: "Vulns", name: "Old IIS Servers", dork: '"Microsoft-IIS/6.0" OR "Microsoft-IIS/7.0"', desc: "Legacy IIS servers (known CVEs)", exp: "IIS 6.0 and 7.0 are out of support and have multiple RCEs (CVE-2017-7269 IIS 6.0 WebDAV). Exposed instances indicate severely dated infrastructure." },
  { cat: "Vulns", name: "PHP Info Pages", dork: 'intitle:"phpinfo()" "PHP Version"', desc: "phpinfo() pages leaking server config", exp: "phpinfo() output leaks every PHP setting, loaded modules, and environment variables. A debug tool accidentally left in production. Always a reportable finding." },
  { cat: "Vulns", name: "SharePoint", dork: 'inurl:"/_layouts/" "SharePoint"', desc: "Exposed SharePoint installations", exp: "SharePoint ToolShell (CVE-2025-53770 family) was mass-exploited in 2025. On-prem SharePoint requires aggressive patching." },
  { cat: "Vulns", name: "Telerik UI", dork: '"Telerik.Web.UI.WebResource.axd" OR "Telerik.Web.UI.DialogHandler.aspx"', desc: "Telerik UI (known deserialization vulns)", exp: "Telerik UI CVE-2019-18935 deserialization was added to CISA KEV and widely exploited. Any Telerik presence is a version-check priority." },
  { cat: "Vulns", name: "JBoss Console", dork: 'intitle:"JBoss Management" OR inurl:"/jmx-console/"', desc: "JBoss management console (RCE risk)", exp: "JBoss jmx-console has been exploited via MBean invocations to achieve RCE for over a decade. Legacy and still found." },
  { cat: "Vulns", name: "ColdFusion Admin", dork: 'inurl:"/CFIDE/administrator/"', desc: "Adobe ColdFusion admin panel", exp: "ColdFusion CVE-2023-26360 was a pre-auth RCE added to CISA KEV. The /CFIDE/administrator/ path is the canonical admin console." },
  { cat: "Vulns", name: "Exposed Git Repos", dork: 'inurl:"/.git/config" "repositoryformatversion"', desc: "Exposed .git/config (source code leak)", exp: "A web-readable .git/config confirms the full .git directory is served. Tools like git-dumper reconstruct the repo locally. Treat as source code disclosure." },
  { cat: "Vulns", name: "Server-Status", dork: 'inurl:"/server-status" "Apache Server Status"', desc: "Apache server-status page", exp: "Apache mod_status exposes active requests including URLs, IPs, and sometimes session tokens in query strings. Restrict to localhost-only in httpd.conf." },
  { cat: "Vulns", name: "Open Redirects", dork: 'inurl:"redirect=" OR inurl:"url=" OR inurl:"next=" "http"', desc: "Potential open redirect parameters", exp: "Open redirects are often the missing piece in phishing chains or OAuth attacks. The classic params are redirect=, url=, next=, return=." },
  { cat: "Vulns", name: "Log4Shell Indicators", dork: '"jndi:" OR "ldap://" "log4j"', desc: "Log4Shell exploitation leftovers", exp: "CVE-2021-44228 (Log4Shell) exploitation traces. Finding jndi:ldap:// patterns in logs or exposed sites indicates either an exploit attempt archive or a vulnerable app that echoed it back." },
  { cat: "Vulns", name: "Spring4Shell", dork: '"org.springframework" "ClassLoader" "runtime"', desc: "Spring Framework RCE indicators", exp: "CVE-2022-22965 (Spring4Shell) was a class-loader manipulation RCE. Look for stack traces showing the org.springframework.beans.BeanWrapperImpl path." },
  { cat: "Vulns", name: "Exchange ProxyShell", dork: 'inurl:"autodiscover.json" "Microsoft-Exchange"', desc: "Exchange ProxyShell footprint", exp: "CVE-2021-34473 and related ProxyShell chain. autodiscover.json PowerShell remoting is the exploitation entry. Any internet-facing on-prem Exchange needs aggressive hardening." },
  { cat: "Vulns", name: "Ivanti Connect Secure", dork: 'intitle:"Ivanti Connect Secure" OR intitle:"Pulse Secure"', desc: "Ivanti Connect Secure VPN", exp: "CVE-2023-46805 and CVE-2024-21887 were chained for unauth RCE with widespread exploitation. Patch cadence is critical." },
  { cat: "Vulns", name: "Jira RCE", dork: 'intitle:"Jira" "AtlassianRefResolver" "class"', desc: "Jira CVE-2022-26134 indicators", exp: "Jira CVE-2022-26134 Object-Graph Navigation Language (OGNL) injection was a pre-auth RCE. Version identification via the HTML footer is the first recon step." },
  { cat: "Vulns", name: "F5 BIG-IP iControl", dork: 'inurl:"/mgmt/tm/util/bash"', desc: "F5 BIG-IP iControl REST", exp: "F5 iControl REST CVE-2022-1388 was a pre-auth RCE. Any exposed /mgmt/tm/ path on F5 gear requires current patch level check." },

  { cat: "OSINT", name: "LinkedIn Profile by Role", dork: 'site:linkedin.com/in/ "current role" OR "currently working"', desc: "LinkedIn profiles by job", exp: "OSINT for people enumeration at a target org. Chain with site:target.com or a known employee name. Keep within lawful, authorized use." },
  { cat: "OSINT", name: "GitHub User by Company", dork: 'site:github.com "company": "example.com" OR "acme inc"', desc: "Finding engineers at a target", exp: "GitHub user profiles often list employer. Useful for recon leading to potential supply-chain or phishing vectors. Stay within authorized engagement scope." },
  { cat: "OSINT", name: "Resume with Full Name", dork: 'filetype:pdf "resume" OR "curriculum vitae" "phone" "email"', desc: "Public resumes/CVs", exp: "Public resumes surface employment history, contact info, and sometimes home addresses. OSINT for social engineering. Only use with proper authorization." },
  { cat: "OSINT", name: "Public Conference Decks", dork: 'filetype:pdf OR filetype:pptx "defcon" OR "black hat" "speaker"', desc: "Conference speaker slide decks", exp: "Conference talk slides reveal infrastructure details, attack chains, research-in-progress. Great for research continuity and keeping pace with a field." },
  { cat: "OSINT", name: "Academic Papers", dork: 'filetype:pdf "abstract" "keywords" "references" site:.edu', desc: "Academic research papers", exp: "Uses site:.edu to narrow to university domains. Useful for literature review and tracking research programs at specific institutions." },
  { cat: "OSINT", name: "Court Records", dork: 'filetype:pdf "case no" OR "docket" "plaintiff" "defendant"', desc: "Public court records", exp: "Many court systems publish filings online. Search by case number, party name, or legal topic. Know the jurisdiction and access rules before relying on findings." },
  { cat: "OSINT", name: "Government Tenders", dork: 'filetype:pdf "RFP" OR "tender" "contract" site:.gov', desc: "Government procurement documents", exp: "Request-for-proposal docs on .gov sites disclose upcoming tech purchases, incumbent vendors, and technical specifications. Business intelligence with legal boundaries." },
  { cat: "OSINT", name: "Press Releases by Company", dork: 'site:prnewswire.com OR site:businesswire.com "acme corp"', desc: "Corporate press releases", exp: "Aggregators index corporate press releases back years. Useful for tracking M&A activity, leadership changes, and technology announcements." },
  { cat: "OSINT", name: "Public Phone Directory", dork: 'filetype:pdf "phone directory" OR "staff directory" "ext."', desc: "Organizational phone directories", exp: "Internal phone directories leaked publicly. Rich for social engineering targeting but also useful for legitimate contact discovery." },
  { cat: "OSINT", name: "Shodan Honeypot Avoidance", dork: 'intitle:"Honeypot" OR "decoy" intext:"suspicious"', desc: "Marked honeypot systems", exp: "Some honeypot deployments self-identify (intentionally or not). Useful to filter out of recon targets when you want real systems." },

  { cat: "BugBounty", name: "Subdomain Takeover Candidates", dork: 'site:*.example.com -site:www.example.com', desc: "Subdomain enumeration via Google", exp: "The site:*.example.com pattern asks Google for all indexed subdomains. Combine with subzy or subjack to find takeover candidates pointing to dangling cloud resources." },
  { cat: "BugBounty", name: "Staging / Test Domains", dork: 'site:stage.example.com OR site:test.example.com OR site:dev.example.com', desc: "Staging environments", exp: "Pre-production environments often have weaker auth, unfinished features, and debug modes. In-scope bug bounty targets explicitly including *.example.com cover these." },
  { cat: "BugBounty", name: "API Documentation", dork: 'site:example.com "openapi" OR "swagger" OR "api documentation"', desc: "Hidden API docs", exp: "Internal-but-indexed API docs (Swagger, Redoc, ReadMe.io) reveal endpoints not in the public developer portal. Prime bug-bounty finding." },
  { cat: "BugBounty", name: "GraphQL Endpoints", dork: 'site:example.com inurl:"/graphql" OR inurl:"/api/graphql"', desc: "Exposed GraphQL endpoints", exp: "GraphQL endpoints often allow introspection even when the playground is disabled. Send __schema queries to enumerate types." },
  { cat: "BugBounty", name: "JavaScript Sourcemaps", dork: 'site:example.com filetype:map "sourceRoot"', desc: "JS sourcemap files", exp: "Sourcemaps reverse minified JS back to readable code with file paths. Reveals internal API endpoints, helper utility structure, and sometimes hardcoded tokens." },
  { cat: "BugBounty", name: "Exposed /debug or /test", dork: 'site:example.com inurl:debug OR inurl:test OR inurl:internal', desc: "Internal debug endpoints", exp: "Debug and test paths often bypass auth, expose stack traces, or enable privileged actions. Common in Spring, Rails, and Flask apps." },
  { cat: "BugBounty", name: "AWS Lambda Functions", dork: 'site:*.execute-api.us-east-1.amazonaws.com OR site:*.lambda-url.us-east-1.on.aws', desc: "Exposed AWS Lambda endpoints", exp: "API Gateway and Lambda Function URLs. Many are in scope for bug bounties targeting AWS-based apps. Watch for unauthenticated function paths." },
  { cat: "BugBounty", name: "WAF Bypass Candidates", dork: 'site:example.com inurl:"?debug=" OR inurl:"?admin=" OR inurl:"?secret="', desc: "Interesting URL parameters", exp: "Unusual query parameters discovered via Google indicate features most users never hit. Interesting for auth bypass research and parameter pollution." },
  { cat: "BugBounty", name: "Deprecated API Versions", dork: 'site:api.example.com inurl:"/v1/" OR inurl:"/v2/" OR inurl:"/api/v"', desc: "Old API version endpoints", exp: "Deprecated API versions often lack the security controls added in current versions. IDOR and weak auth are common." },
  { cat: "BugBounty", name: "Admin Subdomains", dork: 'site:admin.example.com OR site:portal.example.com OR site:internal.example.com', desc: "Admin-labeled subdomains", exp: "Subdomains with admin/portal/internal in the name signal privileged interfaces. Often the first target after initial recon." },

  { cat: "CVE", name: "Confluence CVE-2023-22515", dork: 'intitle:"Confluence" "Log In" inurl:setup', desc: "Atlassian Confluence privilege escalation", exp: "CVE-2023-22515 allowed unauth creation of admin users via /setup/*.action paths. On CISA KEV. Check version via footer or /rest/api/latest/serverInfo." },
  { cat: "CVE", name: "MOVEit Transfer CVE-2023-34362", dork: 'intitle:"MOVEit Transfer" inurl:"/human.aspx"', desc: "MOVEit Transfer SQL injection (Clop)", exp: "The Clop ransomware MOVEit campaign affected hundreds of orgs in 2023. Any internet-facing MOVEit instance requires current patch level and log review." },
  { cat: "CVE", name: "Fortinet SSL-VPN Creds", dork: 'inurl:"/remote/fgt_lang" OR inurl:"/remote/login?lang="', desc: "FortiGate CVE-2018-13379 credential leak", exp: "CVE-2018-13379 allowed unauth path traversal to read VPN credentials. Even years later, leaked credentials from this CVE still appear on dark-web markets." },
  { cat: "CVE", name: "Citrix Bleed CVE-2023-4966", dork: 'intitle:"Citrix Gateway" OR intitle:"NetScaler"', desc: "Citrix NetScaler session-token leak", exp: "CVE-2023-4966 (Citrix Bleed) allowed session-token extraction enabling MFA bypass. Mass-exploited by LockBit in late 2023." },
  { cat: "CVE", name: "Exchange ProxyNotShell", dork: 'inurl:"autodiscover/autodiscover.json" "Microsoft-Exchange"', desc: "Exchange CVE-2022-41040 / CVE-2022-41082", exp: "ProxyNotShell chain on-prem Exchange. CVE-2022-41040 SSRF + CVE-2022-41082 RCE. Patched in November 2022 but exposure remains in un-updated orgs." },
  { cat: "CVE", name: "ScreenConnect CVE-2024-1709", dork: 'intitle:"ScreenConnect" OR intitle:"ConnectWise Control"', desc: "ScreenConnect auth bypass", exp: "CVE-2024-1709 was an auth-bypass + path-traversal chain that gave unauth admin. Exploited within days by multiple ransomware crews." },

  { cat: "GovEdu", name: ".gov Exposed Documents", dork: 'site:.gov filetype:pdf "confidential" OR "for official use only"', desc: ".gov FOUO/confidential documents", exp: "Controlled unclassified information (CUI) marked FOUO sometimes appears on public-facing .gov sites. Report to the agency's OIG or via the NSA cybersecurity program." },
  { cat: "GovEdu", name: ".edu Database Dumps", dork: 'site:.edu filetype:sql OR filetype:db "INSERT INTO"', desc: "University DB dumps", exp: "University research groups and student-org sites often run their own infra with minimal oversight. SQL dumps appear in project archives and forgotten backup directories." },
  { cat: "GovEdu", name: ".mil Public Documents", dork: 'site:.mil filetype:pdf "training" OR "manual"', desc: ".mil public training docs", exp: "DoD and service branches publish unclassified training material openly. Useful reference for defender training and threat modeling." },
  { cat: "GovEdu", name: "University Research Data", dork: 'site:.edu "dataset" OR "research data" filetype:csv', desc: "University research datasets", exp: "Open research data is often legitimate but occasionally contains PII (survey data, medical records). Treat with care and consult the IRB when in doubt." },
  { cat: "GovEdu", name: "Government RFP/RFQ", dork: 'site:.gov filetype:pdf "RFP" OR "RFQ" "deadline"', desc: "Federal procurement documents", exp: "RFP and RFQ docs reveal upcoming federal tech investments. Useful for defense-industrial competitive intelligence and legitimate contracting research." },
  { cat: "GovEdu", name: "State Emergency Plans", dork: 'site:.gov filetype:pdf "emergency operations plan" OR "continuity"', desc: "State/local emergency plans", exp: "Emergency operations plans detail critical infrastructure dependencies. Usually intentionally public for transparency but reveal systemic weaknesses to sophisticated adversaries." },
];

const categories = [
  { id: "all", name: "All Templates", icon: "&#9733;" },
  { id: "Files", name: "Files & Documents", icon: "&#128196;" },
  { id: "Logins", name: "Login Pages", icon: "&#128274;" },
  { id: "Directories", name: "Directory Listings", icon: "&#128193;" },
  { id: "Configs", name: "Configurations", icon: "&#9881;" },
  { id: "Databases", name: "Databases", icon: "&#128451;" },
  { id: "Cloud", name: "Cloud Storage", icon: "&#9729;" },
  { id: "Cameras", name: "Cameras & IoT", icon: "&#128247;" },
  { id: "Admin", name: "Admin Panels", icon: "&#128736;" },
  { id: "Errors", name: "Error Pages", icon: "&#9888;" },
  { id: "Juicy", name: "Juicy Info", icon: "&#127855;" },
  { id: "Vulns", name: "Vulnerable Tech", icon: "&#128027;" },
  { id: "OSINT", name: "OSINT / Recon", icon: "&#128269;" },
  { id: "BugBounty", name: "Bug Bounty", icon: "&#128029;" },
  { id: "CVE", name: "CVE Fingerprints", icon: "&#128273;" },
  { id: "GovEdu", name: "Gov / Edu", icon: "&#127891;" },
  { id: "custom", name: "Custom (AI)", icon: "&#10024;" },
];

let customTemplates = JSON.parse(localStorage.getItem("stinger-custom") || "[]");

function allTemplates() { return [...templates, ...customTemplates]; }

function esc(s) { return s ? String(s).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;") : ""; }

function getTarget() {
  const el = document.getElementById("target");
  return (el?.value || target || "")
    .trim()
    .replace(/^https?:\/\//i, "")
    .replace(/^www\./i, "")
    .replace(/\/.*$/, "")
    .replace(/\s+/g, "");
}

function scopedDork(dork, engine = "google") {
  const raw = String(dork || "").trim();
  const isShodan = engine === "shodan";
  const t = isShodan ? "" : getTarget();
  if (!t || !raw) return raw;
  const site = `site:${t}`;
  const parts = raw.split(/\s+OR\s+/i).map(p => p.trim()).filter(Boolean);
  if (parts.length > 1) return parts.map(p => `(${site} ${p})`).join(" OR ");
  return `${site} ${raw}`;
}

function renderSidebar() {
  const el = document.getElementById("sidebar");
  let html = '<div class="sec-label">Categories</div>';
  for (const c of categories) {
    let count;
    if (c.id === "all") count = allTemplates().length;
    else if (c.id === "custom") count = customTemplates.length;
    else count = templates.filter(t => t.cat === c.id).length;
    html += `<div class="cat-item ${activeCat === c.id ? "active" : ""}" onclick="selectCat('${c.id}')">
      <span>${c.icon}</span> ${esc(c.name)} <span class="cnt">${count}</span>
    </div>`;
  }
  el.innerHTML = html;
}

function renderOperators() {
  const el = document.getElementById("op-bar");
  el.innerHTML = operators.map(o =>
    `<button class="op-btn" onclick="insertOp('${esc(o.op)}')" type="button">
      ${esc(o.op)}<span class="tip">${esc(o.tip)}<br><em>${esc(o.ex)}</em></span>
    </button>`
  ).join("");
}

function renderTemplates() {
  const filter = (document.getElementById("tpl-filter")?.value || "").toLowerCase();
  const el = document.getElementById("tpl-grid");
  let filtered;
  if (activeCat === "custom") filtered = customTemplates;
  else if (activeCat === "all") filtered = allTemplates();
  else filtered = templates.filter(t => t.cat === activeCat);

  if (filter) filtered = filtered.filter(t =>
    t.name.toLowerCase().includes(filter) ||
    t.dork.toLowerCase().includes(filter) ||
    t.desc.toLowerCase().includes(filter) ||
    (t.exp || "").toLowerCase().includes(filter)
  );

  if (filtered.length === 0) {
    el.innerHTML = '<div style="text-align:center;padding:32px;color:var(--fg-muted)">No templates match your search.</div>';
    document.getElementById("tpl-filter").placeholder = `Search ${allTemplates().length} dork templates...`;
    return;
  }
  document.getElementById("tpl-filter").placeholder = `Search ${allTemplates().length} dork templates...`;

  el.innerHTML = filtered.map((t, i) => {
    const idKey = `${t.cat}-${i}-${t.name}`.replace(/[^a-z0-9]/gi, "");
    const eng = t.engine || "google";
    const isShodan = eng === "shodan";
    // Shodan does not understand site:, so render preview without the target prefix.
    const dork = scopedDork(t.dork, eng);
    const expOpen = expandedExplanations.has(idKey);
    const engineBadge = engines[eng]
      ? `<span class="eng-badge tpl-eng" style="background:${engines[eng].color}" title="Routes to ${engines[eng].name}">${engines[eng].badge}</span>`
      : '';
    const expHtml = t.exp
      ? `<div class="tpl-card-exp ${expOpen ? 'open' : ''}" id="exp-${idKey}">
          <strong>How it works</strong>${esc(t.exp)}
        </div>`
      : '';
    const dorkArg = `\`${esc(t.dork).replace(/`/g,"\\`")}\`, '${eng}'`;
    return `<div class="tpl-card">
      <div class="tpl-card-top">
        <span class="tpl-card-name" onclick="loadTemplate(${dorkArg})">${engineBadge}${esc(t.name)}</span>
        <span class="tpl-card-cat">${esc(t.cat)}</span>
      </div>
      <div class="tpl-card-dork" onclick="loadTemplate(${dorkArg})">${highlightDork(esc(dork))}</div>
      <div class="tpl-card-desc">${esc(t.desc)}</div>
      ${t.exp ? `<button class="tpl-card-toggle" onclick="toggleExp('${idKey}')">${expOpen ? '▲ Hide' : '▼ Learn more'}</button>` : ''}
      ${expHtml}
    </div>`;
  }).join("");
}

function toggleExp(idKey) {
  if (expandedExplanations.has(idKey)) expandedExplanations.delete(idKey);
  else expandedExplanations.add(idKey);
  renderTemplates();
}

function highlightDork(text) {
  // Dashless CSS classes (hlA/hlB/hlP/hlR/hlG) keep injected spans free of -w
  // and -b sequences, so the exclusion-operator regex does not eat into them.
  // Word boundaries (\b) on every operator keep Shodan title: from matching
  // inside Google intitle:, etc.
  return text
    .replace(/\b(site:|inurl:|intitle:|intext:|filetype:|ext:|before:|after:)/g, '<span class="hlA">$1</span>')
    .replace(/\b(port:|App:|product:|country:|org:|has_screenshot:|title:|http\.html:|net:|hostname:|ssl\.cert\.subject\.cn:)/g, '<span class="hlB">$1</span>')
    .replace(/(\bOR\b|\bAND\b)/g, '<span class="hlP">$1</span>')
    .replace(/(?<![\w-])(-\w)/g, '<span class="hlR">$1</span>')
    .replace(/(&quot;[^&]*&quot;)/g, '<span class="hlG">$1</span>');
}

function selectCat(id) { activeCat = id; renderSidebar(); renderTemplates(); }

function insertOp(op) {
  const preview = document.getElementById("query-preview");
  const current = preview.textContent;
  if (op === '""') query = current + ' ""';
  else if (op === "AROUND()") query = current + " AROUND(3) ";
  else query = current + (current ? " " : "") + op;
  preview.textContent = query;
  preview.focus();
  const range = document.createRange();
  range.selectNodeContents(preview);
  range.collapse(false);
  const sel = window.getSelection();
  sel.removeAllRanges();
  sel.addRange(range);
}

function loadTemplate(dork, engine) {
  query = scopedDork(dork, engine);
  document.getElementById("query-preview").textContent = query;
  if (engine && engines[engine]) setEngine(engine);
}


function onQueryEdit() { query = document.getElementById("query-preview").textContent; }
function onQueryKey(e) { if (e.ctrlKey && e.key === "Enter") { e.preventDefault(); executeSearch(); } }
function onTargetChange() { target = getTarget(); renderTemplates(); }

function executeSearch() {
  const q = document.getElementById("query-preview").textContent.trim();
  if (!q) return;
  const eng = engines[currentEngine] || engines.google;
  window.open(eng.url(q), "_blank");
}

function setEngine(name) {
  if (!engines[name]) return;
  currentEngine = name;
  localStorage.setItem("stinger-engine", name);
  renderEngineSelector();
  const btn = document.getElementById("search-btn");
  if (btn) btn.textContent = `🐝 Search ${engines[name].name}`;
}

function renderEngineSelector() {
  const el = document.getElementById("engine-selector");
  if (!el) return;
  el.innerHTML = Object.entries(engines).map(([key, e]) =>
    `<button class="eng-btn ${currentEngine === key ? 'active' : ''}" onclick="setEngine('${key}')" type="button">
      <span class="eng-badge" style="background:${e.color}">${e.badge}</span>${e.name}
    </button>`
  ).join("");
}

function copyQuery() {
  const q = document.getElementById("query-preview").textContent.trim();
  if (q) navigator.clipboard.writeText(q);
}

function clearQuery() {
  query = "";
  document.getElementById("query-preview").textContent = "";
}

function exportTemplates() {
  let filtered;
  if (activeCat === "custom") filtered = customTemplates;
  else if (activeCat === "all") filtered = allTemplates();
  else filtered = templates.filter(t => t.cat === activeCat);

  const text = filtered.map(t => {
    const dork = scopedDork(t.dork, t.engine || "google");
    const exp = t.exp ? `\n# Explanation: ${t.exp}\n` : "\n";
    return `# ${t.name} [${t.cat}]\n${dork}\n# ${t.desc}${exp}`;
  }).join("\n");
  const blob = new Blob([text], { type: "text/plain" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = `stingersearch-${activeCat}-dorks.txt`;
  a.click();
}

function filterTemplates() { renderTemplates(); }

function getAiProvider() {
  const stored = localStorage.getItem("stinger-ai-provider");
  if (aiProviders[stored]) return stored;
  if (localStorage.getItem("stinger-anthropic-key")) return "anthropic";
  return "openrouter";
}

function getProviderKey(provider = getAiProvider()) {
  const cfg = aiProviders[provider] || aiProviders.openrouter;
  return localStorage.getItem(cfg.keyStorage) || "";
}

function getProviderModel(provider = getAiProvider()) {
  const cfg = aiProviders[provider] || aiProviders.openrouter;
  const legacy = provider === "anthropic" ? localStorage.getItem("stinger-ai-model") : "";
  const stored = localStorage.getItem(cfg.modelStorage) || legacy || "";
  return cfg.models.some(m => m.value === stored) ? stored : cfg.defaultModel;
}

function renderProviderSettings(provider = getAiProvider()) {
  const cfg = aiProviders[provider] || aiProviders.openrouter;
  document.getElementById("ai-key-label").textContent = cfg.keyLabel;
  document.getElementById("ai-key-help").innerHTML = cfg.keyHelp;
  document.getElementById("ai-api-key").placeholder = cfg.keyPlaceholder;
  document.getElementById("ai-api-key").value = getProviderKey(provider);
  document.getElementById("ai-model-help").textContent = cfg.modelHelp;
  const model = document.getElementById("ai-model");
  model.innerHTML = cfg.models.map(m => `<option value="${esc(m.value)}">${esc(m.label)}</option>`).join("");
  model.value = getProviderModel(provider);
}

function onProviderChange() {
  const provider = document.getElementById("ai-provider").value;
  renderProviderSettings(provider);
}

function openAiModal() {
  const provider = getAiProvider();
  const cfg = aiProviders[provider] || aiProviders.openrouter;
  const key = getProviderKey(provider);
  document.getElementById("ai-key-warning").innerHTML = `Requires a ${esc(cfg.name)} key. Your key stays in this browser only (localStorage). Click the gear icon to set it.`;
  document.getElementById("ai-no-key").style.display = key ? "none" : "block";
  document.getElementById("ai-with-key").style.display = key ? "block" : "none";
  document.getElementById("ai-gen-btn").style.display = key ? "inline-flex" : "none";
  document.getElementById("ai-modal").classList.add("open");
  if (key) setTimeout(() => document.getElementById("ai-prompt").focus(), 80);
}

function closeAiModal() {
  document.getElementById("ai-modal").classList.remove("open");
  document.getElementById("ai-output").innerHTML = "";
}

function openSettingsModal() {
  const provider = getAiProvider();
  document.getElementById("ai-provider").value = provider;
  renderProviderSettings(provider);
  document.getElementById("settings-modal").classList.add("open");
}

function closeSettingsModal() {
  document.getElementById("settings-modal").classList.remove("open");
}

function saveSettings() {
  const provider = document.getElementById("ai-provider").value;
  const cfg = aiProviders[provider] || aiProviders.openrouter;
  const key = document.getElementById("ai-api-key").value.trim();
  const model = document.getElementById("ai-model").value;
  localStorage.setItem("stinger-ai-provider", provider);
  if (key) localStorage.setItem(cfg.keyStorage, key);
  else localStorage.removeItem(cfg.keyStorage);
  localStorage.setItem(cfg.modelStorage, model);
  if (provider === "anthropic") localStorage.setItem("stinger-ai-model", model);
  closeSettingsModal();
}

function clearKey() {
  const provider = document.getElementById("ai-provider").value;
  const cfg = aiProviders[provider] || aiProviders.openrouter;
  localStorage.removeItem(cfg.keyStorage);
  document.getElementById("ai-api-key").value = "";
}

function extractOpenRouterText(data) {
  const content = data?.choices?.[0]?.message?.content;
  if (Array.isArray(content)) return content.map(part => typeof part === "string" ? part : (part?.text || "")).join("").trim();
  return (content || "").trim();
}

async function callAiProvider(provider, key, model, system, prompt) {
  if (provider === "anthropic") {
    const res = await fetch("https://api.anthropic.com/v1/messages", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "x-api-key": key,
        "anthropic-version": "2023-06-01",
        "anthropic-dangerous-direct-browser-access": "true"
      },
      body: JSON.stringify({
        model,
        max_tokens: 600,
        system,
        messages: [{ role: "user", content: prompt }]
      })
    });
    if (!res.ok) throw new Error(`API error ${res.status}: ${(await res.text()).slice(0, 400)}`);
    const data = await res.json();
    return data?.content?.[0]?.text?.trim() || "";
  }

  const res = await fetch("https://openrouter.ai/api/v1/chat/completions", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "Authorization": `Bearer ${key}`,
      "HTTP-Referer": location.origin,
      "X-Title": "CK42X StingerSearch"
    },
    body: JSON.stringify({
      model,
      max_tokens: 600,
      temperature: 0.2,
      messages: [
        { role: "system", content: system },
        { role: "user", content: prompt }
      ]
    })
  });
  if (!res.ok) throw new Error(`OpenRouter error ${res.status}: ${(await res.text()).slice(0, 400)}`);
  const data = await res.json();
  return extractOpenRouterText(data);
}

async function generateDork() {
  const prompt = document.getElementById("ai-prompt").value.trim();
  if (!prompt) return;
  const provider = getAiProvider();
  const cfg = aiProviders[provider] || aiProviders.openrouter;
  const key = getProviderKey(provider);
  if (!key) return;
  const model = getProviderModel(provider);

  const out = document.getElementById("ai-output");
  const genBtn = document.getElementById("ai-gen-btn");
  out.innerHTML = '<div class="ai-loading">Thinking with ' + esc(cfg.name + ' / ' + model) + '...</div>';
  genBtn.disabled = true;

  const system = `You are a dorking assistant for defensive security, bug-bounty research, and OSINT. You route to the right search engine for the job.

Given a user's objective, output a SINGLE JSON object with exactly these fields:
{
  "engine": "google" | "shodan",
  "name": "short, descriptive name (6 words max)",
  "dork": "the query using operators valid for the chosen engine",
  "desc": "one-line description of what results will show",
  "explanation": "2-3 sentences: which engine and why, how the operators work, what you'll find, defender note"
}

ENGINE SELECTION:
- Use "google" for indexed web text: exposed config files, env files, login portals, document leaks, Swagger UIs, error pages, GitHub content, public PDFs, anything searchable via page body or URL.
- Use "shodan" for infrastructure: open ports, banners, IoT, IP cameras, RTSP/MQTT/Modbus/RDP/VNC, SCADA/ICS, anything keyed by service banner rather than indexed page text. If the user mentions rtsp, mqtt, modbus, vnc, rdp, port numbers, ICS, PLCs, cameras by brand, or any non-HTTP protocol, choose Shodan.

GOOGLE OPERATORS that work in 2026 (use ONLY these for engine=google):
site:, inurl:, intitle:, intext:, filetype:, ext:, before:, after:, OR, - (exclude), "" (exact phrase), * (wildcard)

DEAD GOOGLE OPERATORS (NEVER suggest these, they no longer return useful results):
cache: (Google killed it Jan 2024), info:, related:, allinurl:, allintitle:, allintext:, AROUND(), link:, phonebook:, daterange:, numrange:

Also do not use Google to search for non-http URL schemes. Google's crawler only fetches http and https, so inurl:"rtsp://" or inurl:"ftp://" return nothing useful. Route those to Shodan instead.

SHODAN FILTERS that work (use these for engine=shodan):
port:, App:, product:, country:, org:, has_screenshot:, title:, http.html:, net:, hostname:, ssl.cert.subject.cn:

Rules:
- Prefer precision over breadth; narrow with site: (Google) or country:/org:/product: (Shodan)
- Never target specific named individuals (people stalking is prohibited)
- Never craft queries intended to break into a specific named production system (that is not authorized research)
- Generic reconnaissance patterns (find exposed X, find Y on .edu, find open Z buckets) are fine

If the request asks for something clearly unethical (harassing a person, breaking into a named system you don't own, etc.), instead return:
{ "refused": true, "reason": "brief reason" }

Output ONLY the JSON. No markdown fences, no commentary.`;

  try {
    const text = await callAiProvider(provider, key, model, system, prompt);
    let parsed;
    try {
      const clean = text.replace(/^```(?:json)?\s*/i, "").replace(/```\s*$/, "").trim();
      parsed = JSON.parse(clean);
    } catch {
      out.innerHTML = `<div class="ai-refused"><strong>Could not parse model response.</strong><br><pre style="margin-top:8px;white-space:pre-wrap;font-size:11px">${esc(text)}</pre></div>`;
      return;
    }

    if (parsed.refused) {
      out.innerHTML = `<div class="ai-refused"><strong>Model refused.</strong> ${esc(parsed.reason || "No reason given.")}</div>`;
      return;
    }

    const safeName = esc(parsed.name || "AI Dork");
    const safeDork = esc(parsed.dork || "");
    const safeDesc = esc(parsed.desc || "");
    const safeExp = esc(parsed.explanation || "");
    const eng = engines[parsed.engine] ? parsed.engine : "google";
    const engBadge = `<span class="eng-badge" style="background:${engines[eng].color}">${engines[eng].badge}</span> ${engines[eng].name}`;

    out.innerHTML = `<div class="ai-result">
      <div class="ai-name">${engBadge} &nbsp; ${safeName}</div>
      <div class="ai-dork">${highlightDork(safeDork)}</div>
      <div class="ai-exp"><strong style="color:var(--amber)">What it does:</strong> ${safeDesc}<br><br><strong style="color:var(--amber)">How it works:</strong> ${safeExp}</div>
      <div class="ai-actions">
        <button class="btn btn-primary btn-sm" onclick='useAiDork(${JSON.stringify(parsed).replace(/'/g,"&apos;")})'>Use this dork</button>
        <button class="btn btn-ghost btn-sm" onclick='saveAiDork(${JSON.stringify(parsed).replace(/'/g,"&apos;")})'>Save to Custom</button>
      </div>
    </div>`;
  } catch (e) {
    out.innerHTML = `<div class="ai-refused"><strong>Request failed.</strong> ${esc(e.message)}. Check your provider, key, model, or network.</div>`;
  } finally {
    genBtn.disabled = false;
  }
}

function useAiDork(t) {
  const eng = engines[t.engine] ? t.engine : "google";
  loadTemplate(t.dork, eng);
  closeAiModal();
}

function saveAiDork(t) {
  const eng = engines[t.engine] ? t.engine : "google";
  customTemplates.unshift({
    cat: "custom",
    engine: eng,
    name: t.name || "AI Dork",
    dork: t.dork,
    desc: t.desc || "",
    exp: t.explanation || ""
  });
  customTemplates = customTemplates.slice(0, 50);
  localStorage.setItem("stinger-custom", JSON.stringify(customTemplates));
  renderSidebar();
  if (activeCat === "custom" || activeCat === "all") renderTemplates();
}

renderSidebar();
renderOperators();
renderTemplates();
renderEngineSelector();
setEngine(currentEngine);
document.addEventListener("keydown", e => {
  if (e.ctrlKey && e.key === "Enter") { e.preventDefault(); executeSearch(); }
  if (e.key === "Escape") { closeAiModal(); closeSettingsModal(); }
});
</script>
</body>
</html>