Google Bot activity abused doing SQL Injection Attacks

Security experts at Securi firm have recently detected a series of SQL Injection attacks conducted abusing of the Google Bot activity.

The exploitation of search engines like Google and Bing to conduct an attack represents an optimal choice for hackers that intend to stay hidden during the offensive. No IT administrator would block traffic from the popular search engines, but it must be considered that a legitimate search engine bot could also be abused to attack a targeted site.
It’s not a paranoid hypotesys on a possible attack scenario, it is exactly what happened a few days ago to a website of a client of Securi security firm. Securi experts began blocking Google’s IP addresses because of the requests originated from them were crafted to perform a SQLi attacks.
The situation appeared paradoxical, Google was conducting a SQL Injection attack against a website, following the logs that demonstrates what happened. To protect the victim’s identity the log has been modified.
66.249.66.138 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q%
20varchar(8000(%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

The analysis of origin IPs revealed that the source if the attack was the legitimate Google bot, following the report on one of them:

$ host 66.249.66.138
138.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-138.googlebot.com.

NetRange:       66.249.64.0 - 66.249.95.255
CIDR:           66.249.64.0/19
OriginAS:       
NetName:        GOOGLE
Which is the attacks schema?
It’s well known the use of Google bot to crawl the Internet and to index the content of the visited websites, every single link embedded in the website is inspected by the crawler independently of its forms and target.
In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then following links and executes the malicious requests against the Site B starting to inadvertently attack it.
Under these assumptions an hacker could create malicious links on a vulnerable website waiting that Google Bot crawler will inspect them to run malicious strings against another website. The principal advantage of the technique is to conduct an attack totally in a stealthy way, Google Bot will be apparently the unique responsible!
“John goes to his site, Site A, he adds all this awesome content about kittens and cupcakes, but in the process he adds a number of what appear to be benign links that are unsuspecting to the user reading, but very effective to the bot crawling the site. Those links are riddled with RFI and SQLi attacks that allow John to plead ignorance, also allowing him to stay two arms lengths away from Site B. This doesn’t mean he can’t verify success, it just means he doesn’t open himself to early detection by more active scanning and attacks.” the post states.

The security experts at Securi have already advised Google about the possible abuse of its Bot activity, site admin are advised, before to trust any source it is necessary a further level of inspection.

Pierluigi Paganini

(Security Affairs – Google Bot, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

FBI unlocked the phone of the suspect in the assassination attempt on Donald Trump

The FBI gained access to the password-protected phone of the suspect in the assassination attempt…

4 hours ago

Ransomware groups target Veeam Backup & Replication bug

Multiple ransomware groups were spotted exploiting a vulnerability, tracked as CVE-2023-27532, in Veeam Backup &…

7 hours ago

AT&T paid a $370,000 ransom to prevent stolen data from being leaked

Wired attributes the recently disclosed AT&T data breach to a hacker living in Turkey and…

9 hours ago

HardBit ransomware version 4.0 supports new obfuscation techniques

Cybersecurity researchers detailed a new version of the HardBit ransomware that supports new obfuscation techniques…

17 hours ago

Dark Gate malware campaign uses Samba file shares

A Dark Gate malware campaign from March-April 2024 demonstrates how attackers exploit legitimate tools and…

1 day ago

Security Affairs Malware Newsletter – Round 2

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

This website uses cookies.