How To Find Unprotected Website Directories & Get “Interesting” Files

Mark O'Neill 13-04-2009

How To Find Unprotected Website Directories & Get "Interesting" Files googleclassicWith all the risks involved in using file sharing networks, browsing unprotected website directories is probably a lot easier and safer.  Only when you start doing that do you realise half the stuff that people keep in their website folders (Sports Illustrated magazines!)


Then you start to realise how silly they are for not password protecting those folders and leaving them wide open for the whole world to walk in and take a look!

This might be really old news for a lot of people but I thought I would just quickly jot down the search parameters for finding files in unprotected website directories.

In case you don’t know, an unprotected website directory is a website that doesn’t have an “index” file created for it – index.htm, index.html, index.php.  So if you try to access a website directory which doesn’t have a password controlling it or which doesn’t have an index page, you will be able to see a list of all the files and folders that are inside that directory. If you can see that, you can then click on the files and both download them and open them.

Here’s what a typical unprotected directory looks like :

How To Find Unprotected Website Directories & Get "Interesting" Files unprotec


Directories like these will have all kinds of files. Things like pictures, music, video files, documents, you name it.

Now you can do a general search and go through literally hundreds of thousands of these directories. But to do that sort of search is both time consuming and a bit mind numbing. But if you want to do it, just put into the search box (be it Google, Yahoo, whatever) the following search string :

-inurl(html|htm|php) intitle:”index of” +”last modified” +”parent directory” +description +size

This will bring up EVERYTHING and you can go hunting for whatever you can find.  Good luck.


But don’t you want to be selective?  Don’t you want to look for something in particular?  Well, if so, you can change the search string to look for ONLY pictures or ONLY music or ONLY video.  So….

-inurl:(htm|html|php) intitle:”index of” +”last modified” +”parent directory” +description +size +(wmv|avi)

This will only look for wmv and avi video files.  You can easily alter it if you don’t want “wmv” or “avi” or if you want “mpg” instead.   You get the idea.

-inurl:(htm|html|php) intitle:”index of” +”last modified” +”parent directory” +description +size +(jpg|gif)


This will only look for jpg and gif files. Again, you can alter the file formats to suit yourself.

-inurl:(htm|html|php) intitle:”index of” +”last modified” +”parent directory” +description +size +(wma|mp3)

This will only look for wma and mp3 music files.  Again you can easily change the file formats to suit yourself.

Just put the search string you need into the search engine box.   Then hit the ‘enter’ button and your results will come up.   I guarantee you’ll be hooked for ages trying to see what you can find!   You can also put a certain search term after your file format so :


[-inurl:(htm|html|php) intitle:”index of” +”last modified” +”parent directory” +description +size +(jpg|gif) “britney spears”]

Obviously you are not going to get perfect results.   You are going to have to wade through a lot of irrelevant and useless stuff some of the time but quite often you do find a lot of good stuff too.   It’s quite fun peeking into people’s unprotected folders seeing what they have stashed away.   Stuff like embarrassing photos, drunken videos, “provocative” material, and much more.

Some people have embedded these search algorithims into software which makes it easier to search for files.  One of them is Clickster which I reviewed last May. It searches for MP3’s in peoples unprotected directories and it has a very nice simple GUI.

Some of you might say what right do we have to go browsing through people’s website folders?   But look at it this way – these people posted this stuff online – in an unprotected unsecure website folder. It’s as if they are asking for it to be found. They are making no effort to keep it hidden or secure and putting it out on the World Wide Web is the most stupidest thing in the world to do if you want to keep something private and hidden.

So go out there, find it and enjoy it. Oh and let us know in the comments some of the stuff you managed to find in your searches.

Image Credit : dullhunk

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. scriptgurus
    November 12, 2018 at 10:26 pm : does this for you. Find any file to download

  2. vamsi krishna
    January 14, 2017 at 2:27 pm

    can i share them on my blog?

  3. John
    April 23, 2016 at 5:25 pm

    So what would the command be if you wanted to do this for a specific website?

    • Anonymous
      April 14, 2018 at 3:12 pm

      Append with or inurl also works

  4. Anonymous
    June 24, 2015 at 9:27 am

    How can I run these commands for specific website?


    • Poop
      November 16, 2015 at 1:51 am

      Good question

  5. Aswath
    April 19, 2015 at 2:47 am

    hi i need a video demo on this . pls anyone share a link

  6. Peter
    March 1, 2015 at 11:07 am

    So, in fact, is this still a valid procedure? Thanks for your update.

    • Minato Namikaze
      March 14, 2015 at 4:37 pm

      yeah it's always work for me for everything

  7. Peter
    March 1, 2015 at 11:00 am

    Just noticed that these comments were posted before snowden... hm sorry guys... you may have changed your point of view since then..

  8. Peter
    March 1, 2015 at 10:59 am

    So you guys hate Snowden too? You consider that knowledge should be limited to a group of privileged people?

  9. LG
    September 17, 2009 at 3:39 pm

    I stumbled on this article looking for something else, and IMO it's good 'need-to-know' info for any admin wanting to protect their directories. Thanks for this heads-up.

  10. Eslopy Franklin
    August 11, 2009 at 9:46 am

    Nice Work Bro Continue The Good Work...

  11. kmc212
    April 19, 2009 at 10:21 am
  12. kmc212
    April 19, 2009 at 10:19 am

    You can take it a step further by using the "site:" Web site search.

    Type the following into the Google search field: index of

    look at the results. cool

  13. wut
    April 16, 2009 at 5:28 pm

    I do not think this kind of open access is stealing- The parallel that was mentioned regarding stealing from an unlocked car is invalid.

    I actually DID have something taken from my car before. That's something entirely different because well- I don't have that thing anymore- It was TAKEN.

    If someone looks at a file, the owner would still have it. The more accurate parallel would be that if you leave your living room drapes WIDE OPEN (which a lot of people actually do) and someone driving past in a car on the street takes a brief look out of idle curiosity (hey, to see what the house owners are watching on TV... since the drapes are WIDE OPEN)

    Even if this touches a gray area I think people are making it a bigger deal then it is. For example, would ANYONE leave their bank records in their own websites, even if they did bother put in an index.htm?

  14. Willblogforfood
    April 14, 2009 at 11:44 pm

    If they didn't want people in their directories they would protect them. This is a great article and it allows people to use Google to search for types of files they would be intersted in. It is perfectly acceptable to look at these files and teach people how to access them. For all you nay sayers you might not want to visit websites anymore on Google because the site owner might not want you on it. Files in directories are no different than websites and are out on the net for the public to view

  15. Guy McDowell
    April 14, 2009 at 7:31 pm

    Anybody with unprotected directories might want to look into .htaccess and how to use it to protect those directories. Just Google .htaccess.

    • flink
      April 16, 2009 at 5:18 am

      It's much easier for most users to simply drop an index.htm or index.html file in that directory.

      Alternatively, Apache's config allows you to forbid directory scans.

  16. penetrarthur
    April 14, 2009 at 2:05 pm

    This article would be okey if it wasn't about "HOW TO HAX THE INTERNETS", but about "how to improve your searching skills" or "how to google for more results". You don't have to change the body of the article, just the title.

  17. JK the Fifth
    April 14, 2009 at 11:57 am

    Well I must say that this article was interesting and I am definitely going to try it ( just to test it ;) ).

    But this article should have been more like "how to protect your website directories by not being stupid and making an index file" ,or something like that.

    And to all the other "commenters" : Its not that big of an issue, and I think most of MUO readers are smart and sensible enough to not use this trick to breach others' privacy just for fun.

    And unless this article reaches digg ( which seems very unlikely :D ), it is virtually harmless.

  18. geekamongus
    April 14, 2009 at 10:04 am

    Wow...this article seems to have upset a lot of people, and I'm not sure why (none of them take time to explain why they are upset, rather, they just say some mean things about the owners of this web site). Perhaps it is because the article is about "hacking", a word which has a much maligned stigma about it. Clearly, these upset people are off base in their assumptions about what this article really means.

    It is true that people have open directories they are unaware of, but just because you choose to peruse through them doesn't make you a "hacker" or a criminal or put your moral integrity into question. There are many valid reasons for having open directories and for letting Google index them.

    If anything, this article should help make people aware of such things, and that they need to close their directories if they don't want their data to be discovered through such means. The bad guys are out there, and they *will* be looking through your open directories, so if you are so concerned about this, close them up!

    Why are people not upset at Google for making this all possible in the first place? (Not that I think they should be...they should be aiming their displeasure at people who don't know how to secure their web sites/servers).

  19. Scott
    April 14, 2009 at 9:54 am

    There is nothing wrong with showing people how to find information using Google. This not hacking or cracking. This is a way to find publicly accessible files. There is nothing to suggest that these sites weren't intentionally made public. For those of you thinking otherwise, I suggest you spend your time "warning" the owners of these sites that their directories are public.

  20. flink
    April 14, 2009 at 8:59 am

    Quite the BS whining.

    Just drop an blank index.html or index.htm file in the directory. Problem solved. Get a life, whiners.

  21. Mark O'Neill
    April 14, 2009 at 8:59 am

    Oh for God's sake, shut up. If you're going to unsubscribe over one post then just do it and go read the Disney website. Stop getting on your pulpit and getting all holier-than-thou.

    • flink
      April 14, 2009 at 9:03 am

      Most of the whiners don't realize that Google's search keywords are available for all to use and are very powerful.

      Besides that, the majority of them don't understand how the net works and think it is just a series of tubes.


    • Joan
      April 14, 2009 at 9:26 am

      Forget holier-than-thou and learn to turn the other cheek. These are the comments after all, and so far they are expressing dismay in a more than polite way than most flame-bait trolls tend to do.

      Look, it's an interesting article/read for those who don't know how in-depth a search engine Google is, but the way the article was written felt more like a 'rummaging files for dummies' than the normal insightful reads this site usually had. You had a good idea, but the presentation was off.

      You probably would have been better off touting the value of securing all types of files when creating websites and presenting this as a way of showing how these files can be accessed without the proper passwords or protocols when there's no security in place. Cite how to secure said files, or at least allude that there'll be another article to address it, and then MAYBE you wouldn't have had the blowup in dismayed comments like you did.

  22. PatrickI
    April 14, 2009 at 8:45 am

    Must agree this was a poor choice for a topic. Trying to justify yourself in the post means you know what you are doing/suggesting in wrong. Look how your readers are reacting. I wonder what your sponsors will think when we start complaining to them.

    Please be responsible, censor yourself, and remove this post. Don't turn into another one of "those" sites.

  23. riiiiiiight
    April 14, 2009 at 8:39 am

    I'll bite. I object to the faux morality and holier-than-thou attitude illustrated by some of the comments to this post. Better to be educated as to how to use technological tools than to throw the baby out with the bathwater by presuming nefarious use and acting "disgusted". What disgusts me is people who don't respect the value of understanding how technology works, and instead turn up their noses as if they've never thrown a stone. Maybe if website owners were intelligent enough to educate themselves on security, they wouldn't leave out in the open whatever it is you all are so intent on protecting. I.e., read the post and begin to learn how to secure your site. [/rant]

    • yepriiiiiight
      April 14, 2009 at 8:48 am

      Sure you can learn something positive from the article. But the article isn't about how to secure your site or "understanding how technology works" - it is about how to take other people's items with the understanding that they probably didn't want you to.
      It's your blame the victim mentality that disgusts me. Yep, leave your front door unlocked and it's ok to take your tv set because you weren't intelligent enough to educate yourself. Riiiiiiight.

  24. Phil
    April 14, 2009 at 7:51 am

    Agreed with all the comments. This was not a proper article to publish. Just because you can, doesn't mean you should...or teach others how to either.

  25. conditionalmorality
    April 14, 2009 at 7:07 am

    This is by the makeuseof editor? Yeah I have to agree, this takes the blog in a direction you probably don't want it to go.

    So Mark, next time you leave your car door unlocked remember everything inside is fair game for whoever walks by and looks in the window :)

  26. boooooo!
    April 14, 2009 at 2:52 am

    I like a lot of what you have to say but more junk like this and I'm unsubscribing.

  27. Yeti
    April 14, 2009 at 2:46 am

    Some of you might say what right do we have to go browsing through people’s website folders? But look at it this way - these people posted this stuff online - in an unprotected unsecure website folder. It’s as if they are asking for it to be found. They are making no effort to keep it hidden or secure and putting it out on the World Wide Web is the most stupidest thing in the world to do if you want to keep something private and hidden.

    Whatever helps you justify your actions eh? I must say makeuseof has been going downhill lately and this just shows it.

  28. sean
    April 13, 2009 at 9:01 pm

    You dont need to do this kind of crap, you know

  29. sean
    April 13, 2009 at 9:01 pm

    What were you thinking? This and your article on how to spy on your spouse between them are as low as I am willing to go. You used to have a fantastic reputation, now you're another bottom feeder.

  30. Simon
    April 13, 2009 at 6:02 pm

    Thanks, this is actually very cool :)

  31. Disappointed
    April 13, 2009 at 4:40 pm

    I have to say this article is very beneath your site. Yes, some people know about this but now you just let everyone know...guess you ran out of decent things to write about and ask people to post it here. I'll be unsubscribing from your RSS and let's see if this post gets deleted or not.

    • rb
      March 31, 2015 at 3:18 pm

      Dude whatever.

  32. penetrarthur
    April 13, 2009 at 2:56 pm

    Your next step will be something like hacking pentagon or the white house. true hax

    • Walker
      April 14, 2009 at 9:59 am

      That’s exactly what we need;)