Using Google to detect payloads

2016-01-12, by Ruben van Vreeland
Vulnerability

Google is a well-known search engine, and in the security community it is also famous for “Google dorks”: search queries crafted to find vulnerable websites.

A Google dork that can be used to find potentially vulnerable Joomla installations (see CVE-2015-7297) is “inurl:"index.php?option=com_contenthistory"”, resulting in the following:

Exploits in the Google URL database

Using Google dorks is not new and has been discussed thoroughly. However, while we were analyzing the Joomla SQL injection vulnerability in com_contenthistory, we found this URI in the results of the Google query:

If we decode the URL parameters, we get this:

com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(password)) from

Please note that this specific URI is not complete, but the full request is potentially executed by Google web crawlers.

What is the issue?

This effect is interesting for three reasons:

  1. Abusing Google (or other search engines) to execute payloads.
  2. Finding potential zero days in the Google index.
  3. Getting results of exploits, such as passwords and private user data, which are cached in Google, even after the issue has been fixed.

Abusing Google to execute payloads

The first technique is elaborated on in Phrack 57 (https://packetstormsecurity.com/files/25167/phrack57.tar.gz.html), 0x0a: Against the System: Rise of the Robots by Michal Zalewski. Michal uses an HTML document with links that contain payloads to potentially vulnerable webservers. When crawlers pick up on these links, they execute the payload on behalf of Michal. To quote the very founders of Google on this issue:

“[…] big difference between the web and traditional well controlled collections is that there is virtually no control over what people can put on the web. Couple this flexibility to publish anything with the enormous influence of search engines to route traffic and companies which deliberately manipulating search engines for profit become a serious problem.”

— Sergey Brin, Lawrence Page, “The Anatomy of a Large-Scale Hypertextual Web Search Engine”, Stanford University (http://www7.scu.edu.au/programme/fullpapers/1921/com1921.htm)

Googlebot concept

To expand a bit on the first issue, you could use the Google Translate function as a proxy. This allows you to skip waiting for the crawlers to pick up your malicious links and have them executed straight away:
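As an added example (not code from the original post), the parameter decoding shown earlier turned into a defender-side check: it percent-decodes the query string of each request in a web-server access log, flags parameter values that carry SQL such as the com_contenthistory list[select] payload quoted above, and records whether the request came from Googlebot, which is how a site owner sees a crawler-delivered payload in their own logs. The log lines, IPs and user agents are constructed, and the log and SQL regular expressions are assumptions chosen for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format): IPs, hosts and user agents are made up.
# The first request carries the com_contenthistory list[select] payload shape quoted in
# the post and arrives from Googlebot; the other two requests are benign.
SAMPLE_LOG = """\
66.249.66.1 - - [04/Jan/2016:19:54:14 +0100] "GET /index.php?option=com_contenthistory&view=history&list%5Bselect%5D=1+AND+extractvalue(rand()%2Cconcat(0x23%2C(SELECT+concat(session_id%2C0x23)+FROM+ugq2y_session+WHERE+userid%3D44+LIMIT+0%2C1)))--+- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.7 - - [04/Jan/2016:19:55:02 +0100] "GET /index.php?option=com_contenthistory&view=history&item_id=1&type_id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Jan/2016:19:56:40 +0100] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

# SQL that has no business in a Joomla list[...] parameter: a function call such as
# concat( or extractvalue(, or a SELECT ... FROM / UNION ... SELECT pair (assumed pattern).
SQLI_RE = re.compile(
    r'\b(?:select|union|extractvalue|updatexml|concat|sleep|benchmark)\s*\('
    r'|\bselect\b.+\bfrom\b|\bunion\b.+\bselect\b', re.IGNORECASE)

def decode_params(path):
    """Query string of a request path as percent-decoded (name, value) pairs."""
    return parse_qsl(urlsplit(path).query, keep_blank_values=True)

def find_injected_params(path):
    """Decoded (name, value) pairs whose value looks like injected SQL."""
    return [(n, v) for n, v in decode_params(path) if SQLI_RE.search(v)]

def scan_log(text):
    """Report requests carrying SQL in a parameter and whether Googlebot delivered them."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unexpected format; skip rather than guess
        hits = find_injected_params(match.group("path"))
        if hits:
            findings.append({"ip": match.group("ip"), "user_agent": match.group("ua"),
                             "params": hits,
                             "via_crawler": "googlebot" in match.group("ua").lower()})
    return findings
```

The same functions accept the truncated decoded URI shown earlier in the post, where the `select 1 from` fragment in list[select] is what triggers the match.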

Finding exploits in the Google index

The following script can be used to scrape Google; note that this script needs some fine-tuning:

pi@raspberrypi ~/bitsensor $ wget http://www.catonmat.net/downlo...

--2016-01-04 19:54:14--  http://www.catonmat.net/downlo...
Resolving www.catonmat.net (www.catonmat.net)... 50.22.83.242
Connecting to www.catonmat.net (www.catonmat.net)|50.22.83.242|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: `xgoogle.zip'

    [   <=>                                                                                                                   ] 70,319       1121K/s   in 0.1s    

2016-01-04 19:54:20 (1121 KB/s) - `xgoogle.zip' saved [70319]
pi@raspberrypi ~/bitsensor $ unzip xgoogle.zip 
Archive:  xgoogle.zip
www.catonmat.net
   creating: examples/
  inflating: examples/example2.py    
  inflating: examples/example3.py    
  inflating: examples/example1.py    
   creating: programs/
  inflating: programs/google_fight2.py  
  inflating: programs/google_fight.py  
  inflating: programs/english.py     
   creating: xgoogle/
  inflating: xgoogle/browser.py      
  inflating: xgoogle/sponsoredlinks.py  
  inflating: xgoogle/__init__.pyc    
  inflating: xgoogle/search.py       
  inflating: xgoogle/BeautifulSoup.pyc  
  inflating: xgoogle/googlesets.py   
  inflating: xgoogle/BeautifulSoup.py  
  inflating: xgoogle/browser.pyc     
  inflating: xgoogle/search.pyc      
  inflating: xgoogle/translate.py    
  inflating: xgoogle/__init__.py     
  inflating: contributors.txt        
  inflating: projects-using-xgoogle.txt  
  inflating: readme.txt              
pi@raspberrypi ~/bitsensor $ ls
contributors.txt  examples  programs  projects-using-xgoogle.txt  readme.txt  xgoogle
pi@raspberrypi ~/bitsensor $ cat GoogleSearch.py 
from xgoogle.search import GoogleSearch, SearchError
from random import randint
import time

try:
    # Page through Google results for the com_contenthistory dork, 50 per page
    gs = GoogleSearch("inurl:'index.php?option=com_contenthistory'")
    gs.results_per_page = 50
    displayedResults = 0
    results = gs.get_results()
    while displayedResults < gs.num_results:
        for res in results:
            if res.url is not None:
                print res.url.encode('utf8')
        # Count the whole page once, not once per result, then fetch the next page
        displayedResults += gs.results_per_page
        if not results:
            break  # Google returned an empty page; stop instead of looping forever
        # Pause between page fetches
        time.sleep(randint(15, 60))
        results = gs.get_results()
except SearchError, e:
    print "Search failed: %s" % e

pi@raspberrypi ~/bitsensor $ python GoogleSearch.py

http://hafelekar.com/en/index.php?option=com_contenthistory&view=history&list%5Bselect%5D=1+AND+extractvalue(rand()%2Cconcat(0x23%2C(SELECT+concat(session_id%2C0x23)+FROM+ugq2y_session+WHERE+userid%3D44+LIMIT+0%2C1)))--+-

Recommendation

All users of the Joomla website should be informed about the breach. Google should be contacted to have the cached page removed. This prevents attackers from using Google Cache to retrieve information such as usernames and passwords.

Using Google alert

Google Alerts is a service that sends an email whenever new results appear for a given query. For example, if we add the above-mentioned Google query here, we receive an email naming the newly indexed site every time a new matching page is indexed. Using this methodology we get a good view of which kinds of payloads are used by cyber criminals.

The screenshot shows an example Google Alerts email. Please note that in this case a different dork is used: