Categories: Cyber CrimeHackingSecurity

Google Bot activity abused doing SQL Injection Attacks

Google Bot activity abused doing SQL Injection AttacksGoogle Bot activity abused doing SQL Injection Attacks

Security experts at Securi firm have recently detected a series of SQL Injection attacks conducted abusing of the Google Bot activity.

The exploitation of search engines like Google and Bing to conduct an attack represents an optimal choice for hackers that intend to stay hidden during the offensive. No IT administrator would block traffic from the popular search engines, but it must be considered that a legitimate search engine bot could also be abused to attack a targeted site.
It’s not a paranoid hypotesys on a possible attack scenario, it is exactly what happened a few days ago to a website of a client of Securi security firm. Securi experts began blocking Google’s IP addresses because of the requests originated from them were crafted to perform a SQLi attacks.
The situation appeared paradoxical, Google was conducting a SQL Injection attack against a website, following the logs that demonstrates what happened. To protect the victim’s identity the log has been modified.
66.249.66.138 - - [05/Nov/2013:00:28:40 -0500] "GET /url.php?variable=")%20declare%20@q%
20varchar(8000(%20select%20@q%20=%200x527%20exec(@q)%20-- HTTP/1.1" 403 4439 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

The analysis of origin IPs revealed that the source if the attack was the legitimate Google bot, following the report on one of them:

$ host 66.249.66.138
138.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-138.googlebot.com.

NetRange:       66.249.64.0 - 66.249.95.255
CIDR:           66.249.64.0/19
OriginAS:       
NetName:        GOOGLE
Which is the attacks schema?
It’s well known the use of Google bot to crawl the Internet and to index the content of the visited websites, every single link embedded in the website is inspected by the crawler independently of its forms and target.
In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then following links and executes the malicious requests against the Site B starting to inadvertently attack it.
Under these assumptions an hacker could create malicious links on a vulnerable website waiting that Google Bot crawler will inspect them to run malicious strings against another website. The principal advantage of the technique is to conduct an attack totally in a stealthy way, Google Bot will be apparently the unique responsible!
“John goes to his site, Site A, he adds all this awesome content about kittens and cupcakes, but in the process he adds a number of what appear to be benign links that are unsuspecting to the user reading, but very effective to the bot crawling the site. Those links are riddled with RFI and SQLi attacks that allow John to plead ignorance, also allowing him to stay two arms lengths away from Site B. This doesn’t mean he can’t verify success, it just means he doesn’t open himself to early detection by more active scanning and attacks.” the post states.

The security experts at Securi have already advised Google about the possible abuse of its Bot activity, site admin are advised, before to trust any source it is necessary a further level of inspection.

Pierluigi Paganini

(Security Affairs – Google Bot, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Published by
Pierluigi Paganini
Tags: CybercrimeGoogleGoogle botHackingRFIsearch engineSQL injectionweb application security
12 years ago

Recent Posts

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

3 hours ago

Kosovo authorities extradited admin of the cybercrime marketplace BlackDB.cc

Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…

4 hours ago

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

16 hours ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

18 hours ago

Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days

Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…

1 day ago

Fortinet fixed actively exploited FortiVoice zero-day<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…

1 day ago