Message-ID: <BANLkTineCmb536ay5iVb9nAoP34qtqX8JA@mail.gmail.com>
Date: Sat, 9 Apr 2011 13:41:05 +0530
From: satyam pujari <satyamhax@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Google Search Feature Exploitation Scenario
Hello List,
Here is a simple exploitation scenario for Google's "I'm Feeling Lucky"
search feature.
============================================================================================================================================
1. The attacker hosts a malicious page/script (e.g. an exploit kit) on a free
3rd-party hosting provider. The site is 0x.t35.com in this example.
2. The attacker creates a free blog on blogger.com and selects an 'odd' /
'unique' name. Yes, by selecting an odd name the chances are higher that your
blog will be listed on the first page of Google search when a visitor
queries the name of your blog. It also depends on hits & geographical
locations, I believe. But practically it's not very difficult to get your
blog listed on the first page/first link of the search results. There are
many ways to achieve this.
For example: esploit.blogspot.com
3. Now the attacker uses a feature of Google Search, "I'm Feeling Lucky", to
redirect the victim to his blog using the URL below.
http://www.google.com/search?q=esploit&btnI
OR
http://www.google.co.in/search?hl=en&source=hp&biw=&bih=&q=esploit&btnI=I%27m+Feeling+Lucky&aq=f&aqi=&aql=&oq=
So, the attacker confirms that he/she can successfully redirect the victim
to his/her blog by using the feature "I'm Feeling Lucky", which basically
does nothing but redirect the user to the first page of the search results.
4. Now the attacker puts an iframe in the latest post of the blog, linking to
the 3rd-party site where the malicious page/script is hosted.
5. The attacker now makes the victim click the link (many ways of doing it).
It's very simple but can be effectively used in a real phishing attack
scenario.
============================================================================================================================================
Gr33tz @blackhatlinux @alchemist16
Regards,
satyamhax
http://esploit.blogspot.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
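For defenders, links of the form shown in step 3 can be picked out of proxy logs or mail bodies by the btnI parameter on a Google /search URL. The following is an added example, not part of the original post; the function names, the Google host pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: google.<tld> or google.<sld>.<cc>, optionally prefixed with "www.".
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def lucky_redirect_query(url):
    """Return the search query if url is a Google "I'm Feeling Lucky" link
    (/search carrying a btnI parameter), otherwise None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST.match(host):
        return None  # rejects lookalikes such as google.com.example.net
    if parts.path.rstrip("/") != "/search":
        return None
    # keep_blank_values keeps a bare "&btnI" that has no "=value" part
    params = parse_qs(parts.query, keep_blank_values=True)
    if not any(key.lower() == "btni" for key in params):
        return None
    return params.get("q", [""])[0]

def scan(lines):
    """Return (line_number, query, url) for every lucky-redirect link found."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            query = lucky_redirect_query(url)
            if query is not None:
                hits.append((number, query, url))
    return hits

# Constructed sample log lines; the first two URLs are the ones quoted in the post.
SAMPLE = [
    "GET http://www.google.com/search?q=esploit&btnI",
    "GET http://www.google.co.in/search?hl=en&source=hp&biw=&bih=&q=esploit"
    "&btnI=I%27m+Feeling+Lucky&aq=f&aqi=&aql=&oq=",
    "GET http://www.google.com/search?q=weather",
    "GET http://www.google.com.example.net/search?q=x&btnI",
]

if __name__ == "__main__":
    for number, query, url in scan(SAMPLE):
        print(f"line {number}: lucky redirect for query {query!r}: {url}")
```

The returned query string is the value to review, since it determines which first-ranked site the link lands on.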