.

Googlebot will do SQL Injection for you!

<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Mar 03, 2009 4:55 am

Googlebot will do SQL Injection for you!

This is a crazy attack method, very scary and ingenious on the attackers part. I wonder if google can be held liable?

The Dark Side of Google

In the past months we were talking about Google Hacking as an effective tool for attack automation, attack targeting and attack proxying. Last week, while I was investigating an attack vector, I "bumped" into another real life example of Google's darker side.
The attack vector I was investigating was an SQLi attack on a specific PHP module. The fact that the attack vector was executed on a non PHP web application indicated that I am probably looking at some kind of automated attack and that it might be worthwhile to further investigate. Looking-up the targeted resource verified that it is part of an open source PHP ecommerce project and that a past version of this resource was found vulnerable to SQLi. Nothing interesting up to that point, but I asked myself why was the attack executed on a non PHP web application? My next step was to look-up this specific attack vector in Google search. Bingo! The search results were very interesting...

Image


Image

I was able to distinguish between two types of search results:

  1. Results that included the attack vector as part of the link (first example)
  2. Results that included the attack vector as part of the indexed content (second example)

Let's see what all this tells us...
The search results page actually tells the whole attack story. As a first step, the attackers cause Google to index web pages embedded with links that are actually SQLi attack vectors. This can be achieved by using various methods, for example:

  1. Embedding malicious links in a controlled domain and then asking Google to crawl
  2. Embedding malicious links in forums, blogs or any other content sharing platform

These pages are the ones to be expressed as the second type of search results I mentioned above.
Next, Google crawls the pages in which the malicious links were embedded and follows them. Since the links are actually attack vectors, this action is translated into an SQLi attack executed by the Google against the target web applications. When Google receives a response to the attack it indexes the data under the target application's domain name. This is illustrated by the first example of search results where the link (in green) is obviously an SQLi attack vector and the meta description is an SQL server error response. As the final step of the attack, the attacker extracts the results of the SQLi attack by sending specially crafted search queries to Google.
What is really disturbing in this attack scenario is that attackers can both execute an attack and get the results back without issuing a single request to the target application - Google does all of this for them. A lot has already been said regarding the gap between what Google should and can do and what Google actually does to prevent such issues. A new research conducted by the ADC shows that this is only the tip of the iceberg and it is definitely not the only or the major security issue associated with Google services. In fact, expect more on this topic in one of the coming security conferences where we take this to the next level by revealing a Google service that enables even more advanced attack techniques.

- Eldad
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Mar 03, 2009 9:48 am

Re: Googlebot will do SQL Injection for you!

Brilliant!
twitter.com/timmedin | http://blog.securitywhole.com
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 03, 2009 11:17 am

Re: Googlebot will do SQL Injection for you!

Wow, I had to read this a few times to grok it.  That's Heavy Duty!  It's an absolutely brilliant attack.  I am guessing this makes cops' work much more difficult to track the intruder. 
~~~~~~~~~~~~~~
Ketchup
<<

NickFnord

User avatar

Full Member
Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Tue Mar 03, 2009 11:20 am

Re: Googlebot will do SQL Injection for you!

on the other hand, the evidence where the attack came from is in the google cache.  not that it's hard to set up an anonymous blog and have that indexed I guess.
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Mar 03, 2009 12:19 pm

Re: Googlebot will do SQL Injection for you!

NickFnord wrote:on the other hand, the evidence where the attack came from is in the google cache.  not that it's hard to set up an anonymous blog and have that indexed I guess.


You could trace it back to the blog, but to find the person who posted the funky link on the blog is another story.
twitter.com/timmedin | http://blog.securitywhole.com
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Tue Mar 03, 2009 10:20 pm

Re: Googlebot will do SQL Injection for you!

This is simply brilliant.  As has been pointed out, one could still work to trace this back (as with anything) but it would involve a simply massive amount of work considering that the attacker never even issues a request to the target site.  I would think the weak link would be the specially crafted web search to get the results.  Google must be caching its search query terms somewhere.

Of course if you think that your unique search terms will point back to you, you could always post the link to the search in a public place (blog, etc) and in minutes all sorts of folks who have no clue what they are looking at will click on the link.  You could then hide in the noise.

All in all, simply brilliant.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 03, 2009 10:47 pm

Re: Googlebot will do SQL Injection for you!

My question is, in legal terms, is this an attack?  Or is it simply research your are conducting on google?  Who is hacking, is it you, or is it googlebot? 
~~~~~~~~~~~~~~
Ketchup
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed Mar 04, 2009 9:15 am

Re: Googlebot will do SQL Injection for you!

Ketchup wrote:My question is, in legal terms, is this an attack?  Or is it simply research your are conducting on google?   Who is hacking, is it you, or is it googlebot?   


Clearly data is being "leaked" due to SQL injection. I don't think anyone would debate that SQL injection is an attack. As to the attacker, it is the original blog poster, and google is the proxy.

It is like Yosemite Sam tieing you up and placing you on the railroad tracks. Ultimately the train is what kills you but Sam's actions are what caused it.
Last edited by timmedin on Wed Mar 04, 2009 9:18 am, edited 1 time in total.
twitter.com/timmedin | http://blog.securitywhole.com

Return to Mass Media

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software