Google Hacking for Penetration Testers - Part 39

Document information

Title: Google Hacking For Penetration Tester - Part 39
Institution: University of Information Technology
Field: Information Technology
Type: Article
Year published: 2007
City: Ho Chi Minh City
Pages: 10
Size: 548.54 KB

Content


Web section so we get the complete query. Notice that many of the results point to .jpg, .gif or .png images. There are quite a few going to the Ad Indicator service provided by Google, but the most interesting ones are those that point to the GwebSearch service. Figure 10.7 shows what the live capture might look like.

Figure 10.6 Show all Results Button

Figure 10.7 LiveHTTP Headers Capture

Figure 10.7 shows the format of the URL that is used to retrieve the queries. Here is an example:


http://www.google.com/uds/GwebSearch?callback=GwebSearch.RawCompletion&context=0&lstkp=0&rsz=large&hl=en&gss=.com&sig=51248261809d756101be2fa94e0ce277&q=VW%20Beetle&key=internal&v=1.0

Table 10.1 lists each of the GET parameters and describes what they do.

Table 10.1 GET Parameters

Parameter   Value                               Description
callback    GwebSearch.RawCompletion            the callback JavaScript function that handles the results
sig         51248261809d756101be2fa94e0ce277

As an exercise, we can build a URL from these parameters, providing different values that we think are suitable for the task. For example:

www.google.com/uds/GwebSearch?callback=our_callback&context=0&rsz=large&q=GHDB&key=internal&v=1.0

Notice that we have changed the callback parameter from "GwebSearch.RawCompletion" to "our_callback", and we are executing a search for GHDB. Executing this URL inside your browser will result in a JavaScript return call. This technique is also known as JavaScript on Demand or JavaScript remoting, and the results of this are shown below.

our_callback('0',{"results":[{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://johnny.ihackstuff.com/index.php?module\u003Dprodreviews","url":"http://johnny.ihackstuff.com/index.php%3Fmodule%3Dprodreviews","visibleUrl":"johnny.ihackstuff.com","cacheUrl":"http://www.google.com/search?q\u003Dcache:IS5G5YGJmHIJ:johnny.ihackstuff.com","title":"johnny.ihackstuff.com - Home","titleNoFormatting":"johnny.ihackstuff.com - Home","content":"Latest Downloads File Icon \u0026quot;No-Tech Hacking\u0026quot; Sample Chapter \u0026middot; File Icon Yo Yo SKillz #1 \u0026middot; File Icon Aggressive Network Self-Defense Sample Chapter \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://johnny.ihackstuff.com/ghdb.php","url":"http://johnny.ihackstuff.com/ghdb.php","visibleUrl":"johnny.ihackstuff.com","cacheUrl":"http://www.google.com/search?q\

Database","titleNoFormatting":"Google Hacking Database","content":"Welcome to the Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)! We call them \u0026#39;googledorks\u0026#39;: Inept or foolish people as revealed by Google Whatever you call these fools, \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://ghh.sourceforge.net/","url":"http://ghh.sourceforge.net/","visibleUrl":"ghh.sourceforge.net","cacheUrl":"http://www.google.com/search?q\u003Dcache:WbkSIUl0UtMJ:ghh.sourceforge.net","title":"GHH - The \u0026quot;Google Hack\u0026quot; Honeypot","titleNoFormatting":"GHH - The \u0026quot;Google Hack\u0026quot; Honeypot","content":"\u003Cb\u003EGHDB\u003C/b\u003E Signature #734 (\u0026quot;File Upload Manager v1.3\u0026quot; \u0026quot;rename to\u0026quot;) \u003Cb\u003E \u003C/b\u003E \u003Cb\u003EGHDB\u003C/b\u003E Signatures are maintained by the johnny.ihackstuff.com community \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://thebillygoatcurse.com/11/","url":"http://thebillygoatcurse.com/11/","visibleUrl":"thebillygoatcurse.com","cacheUrl":"http://www.google.com/search?q\u003Dcache:O30uZ81QVCcJ:thebillygoatcurse.com","title":"TheBillyGoatCurse.com \u00BB Blog Archive \u00BB Convert \u003Cb\u003EGHDB\u003C/b\u003E","titleNoFormatting":"TheBillyGoatCurse.com \u00BB Blog Archive \u00BB Convert GHDB","content":"The Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E) has one problem\u2026 it only uses the Google search index The trouble is that advanced search syntax can differ between \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://www.ethicalhacker.net/index.php?option\u003Dcom_smf\u0026Itemid\u003D35\u0026topic\u003D184.msg328;topicseen","url":"http://www.ethicalhacker.net/index.php%3Foption%3Dcom_smf%26Itemid%3D35%26topic%3D184.msg328%3Btopicseen","visibleUrl":"www.ethicalhacker.net","cacheUrl":"http://www.google.com/search?q\u003Dcache:EsO7aMyCR6wJ:www.ethicalhacker.net","title":"The Ethical Hacker Network - Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)","titleNoFormatting":"The Ethical Hacker Network - Google Hacking Database (GHDB)","content":"The Ethical Hacker Network - Your educational authority on penetration testing and incident response., Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://snakeoillabs.com/downloads/GHDB.xml","url":"http://snakeoillabs.com/downloads/GHDB.xml","visibleUrl":"snakeoillabs.com","cacheUrl":"http://www.google.com/search?q\u003Dcache:5nsf_DfjX4YJ:snakeoillabs.com","title":"\u003Cb\u003Eghdb\u003C/b\u003E xml","titleNoFormatting":"ghdb xml","content":"PS: this vulnerability was found early this year (search google for the full report), but was never added to the \u003Cb\u003EGHDB\u003C/b\u003E for some reason \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://www.gnucitizen.org/projects/ghdb","url":"http://www.gnucitizen.org/projects/ghdb","visibleUrl":"www.gnucitizen.org","cacheUrl":"http://www.google.com/search?q\u003Dcache:dPVtU_3tmnMJ:www.gnucitizen.org","title":"\u003Cb\u003EGHDB\u003C/b\u003E | GNUCITIZEN","titleNoFormatting":"GHDB | GNUCITIZEN","content":"\u003Cb\u003EGHDB\u003C/b\u003E (aka Google Hacking Database) is HTML/JavaScript wrapper application that uses advance JavaScript techniques to scrape information from Johnny\u0026#39;s Google \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://www.ghdb.org/","url":"http://www.ghdb.org/","visibleUrl":"www.ghdb.org","cacheUrl":"http://www.google.com/search?q\u003Dcache:Y6lwVyfCQw8J:www.ghdb.org","titl

contact us for any reason, or maybe just leave a comment (good, bad or ugly, but not offensive) in our guestbook Best regards The team at \u0026#39;\u003Cb\u003EGHDB\u003C/b\u003E\u0026#39; \u003Cb\u003E \u003C/b\u003E"}],"adResults":[]}, 200, null, 200)
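The exchange above also has a server side, and that is where the security-relevant point sits: a JSONP endpoint such as GwebSearch copies the callback GET parameter straight into an executable response, so the parameter is code, not data, and an endpoint that reflects it unchecked is a reflected cross-site scripting sink. The following Node.js script is an added example, not code from the book or from Google: parseQuery() splits a request URL into the GET parameters of Table 10.1, buildJsonpUnsafe() shows the naive reflection, and buildJsonpResponse() shows the hardened form, which also encodes < > & inside the JSON exactly as the \u003C \u003E \u0026 escapes in the response above do. The search index, the handling of rsz and the 400 response are constructed for the example; the real service's internals are not known.

```javascript
// Added example (not the book's code): a model of the GwebSearch JSONP endpoint.

// Constructed sample index, a subset of what the GwebSearch response above returns.
const INDEX = [
  { url: 'http://johnny.ihackstuff.com/ghdb.php', title: 'Google Hacking Database',
    content: 'Welcome to the Google Hacking Database (<b>GHDB</b>)!' },
  { url: 'http://ghh.sourceforge.net/', title: 'GHH - The "Google Hack" Honeypot',
    content: 'GHDB Signature #734 ("File Upload Manager v1.3" "rename to")' },
  { url: 'http://www.gnucitizen.org/projects/ghdb', title: 'GHDB | GNUCITIZEN',
    content: 'GHDB (aka Google Hacking Database) is an HTML/JavaScript wrapper application' },
];

// Split a request URL into its GET parameters (callback, context, rsz, q, key, v, ...).
function parseQuery(requestUrl) {
  const params = {};
  for (const [k, v] of new URL(requestUrl).searchParams) params[k] = v;
  return params;
}

// Case-insensitive substring search over title and content. The result-count limits
// for rsz are an assumption made for the example.
function search(q, rsz) {
  const needle = String(q || '').toLowerCase();
  const limit = rsz === 'large' ? 8 : 4;
  return INDEX
    .filter(e => (e.title + ' ' + e.content).toLowerCase().includes(needle))
    .slice(0, limit)
    .map(e => ({ GsearchResultClass: 'GwebSearch', url: e.url, title: e.title, content: e.content }));
}

// Unsafe: the client-supplied name is emitted verbatim as JavaScript, so a request
// with callback=alert(document.cookie)// yields a script that runs the attacker's code.
function buildJsonpUnsafe(callback, payload) {
  return callback + '(' + JSON.stringify(payload) + ')';
}

// A callback may only be an identifier path such as our_callback or GwebSearch.RawCompletion.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Hardened: validate the name, then escape < > & (and the JS line terminators U+2028/9)
// inside the JSON as \uXXXX, so the body can neither close a <script> element nor be
// parsed as HTML. The leading comment stops the body from being valid as anything else.
function buildJsonpResponse(callback, payload) {
  if (!isSafeCallbackName(callback)) throw new Error('invalid callback name');
  const json = JSON.stringify(payload).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
  return '/**/' + callback + '(' + json + ');';
}

// Request handler: returns the status, content type and body an HTTP layer would send.
function handleGwebSearch(requestUrl) {
  const p = parseQuery(requestUrl);
  const callback = p.callback || 'GwebSearch.RawCompletion';
  if (!isSafeCallbackName(callback)) {
    return { status: 400, contentType: 'text/plain', body: 'bad callback' };
  }
  const payload = { results: search(p.q, p.rsz), adResults: [] };
  return { status: 200, contentType: 'application/javascript; charset=utf-8',
           body: buildJsonpResponse(callback, payload) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const good = 'http://www.google.com/uds/GwebSearch?callback=our_callback&context=0&rsz=large&q=GHDB&key=internal&v=1.0';
  const evil = 'http://www.google.com/uds/GwebSearch?callback=alert(document.cookie)//&q=GHDB';
  console.log(handleGwebSearch(good).body);
  console.log(buildJsonpUnsafe(parseQuery(evil).callback, { results: [] })); // attacker code reflected
  console.log(handleGwebSearch(evil).status);                                // rejected
}
```

Note that the hardened builder only controls what the endpoint emits; a client that loads the script still runs whatever the server returns, which is the point the chapter goes on to exploit.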

Hacking into the AJAX Search Engine

Now that we know how to query Google through their AJAX interface, let's see how we can access the data. We will begin with the following HTML, which can be pasted into a blank HTML file and opened with a browser:

<html>
  <head>
    <title>Hacking AJAX API</title>
  </head>
  <body>
    <script>
      // Called by the remote script loaded below. GwebSearch invokes it as
      // our_callback('0', {results: [...]}, 200, null, 200), so the second
      // argument carries the result set.
      function our_callback(a, b, c, d, e) {
        for (var i = 0; i < b.results.length; i++) {
          var link = document.createElement('a');
          link.href = b.results[i].url;
          // Insert the URL as text, not as HTML markup, since it comes from a third party.
          link.textContent = b.results[i].url;
          document.body.appendChild(link);
          var br = document.createElement('br');
          document.body.appendChild(br);
        }
      }
    </script>
    <script type="text/javascript"
      src="http://www.google.com/uds/GwebSearch?callback=our_callback&context=0&rsz=large&q=GHDB&key=internal&v=1.0"></script>
  </body>
</html>

This code submits a request for GHDB to Google's GwebSearch service. Notice that the callback parameter points back to our_callback, which is defined earlier in the code. The function simply grabs the data and presents it inside the page DOM (Document Object Model) in the form of links.


Although this looks interesting, there is a lot more that we can do. Let's have a look at the following example, which dynamically grabs all entries from a particular category of the Google Hacking Database, performs test queries and lists the results within a single page:

<html>
  <head>
    <title>GHDB Lister</title>
  </head>
  <body>
    <script>
      // JSONP helper: registers `callback` under a unique global name, substitutes
      // that name for the {callback} placeholder in `url`, and loads the script.
      // A counter is appended to the timestamp so that several calls made in the
      // same millisecond (as in the loop below) do not overwrite each other.
      var json_seq = 0;
      function get_json(url, callback) {
        var name = 'json_' + (new Date).getTime() + '_' + (json_seq++);
        var s = document.createElement('script');
        s.src = url.replace('{callback}', name);
        window[name] = callback;
        document.body.appendChild(s);
      }

      // Step 1: fetch the GHDB category summary through Dapper's JSON transformer.
      get_json('http://www.dapper.net/transform.php?dappName=GoogleHackingDatabaseReader&transformer=JSON&extraArg_callbackFunctionWrapper={callback}&applyToUrl=http%3A//johnny.ihackstuff.com/ghdb.php%3Ffunction%3Dsummary%26cat%3D19',
        function (data) {
          console.log(data);
          // Step 2: run every GHDB query in the category through the Google AJAX Search API.
          for (var i = 0; i < data.groups.entry.length; i++) {
            var query = data.groups.entry[i].query[0].value;
            var description = data.groups.entry[i].description[0].value;
            get_json('http://www.google.com/uds/GwebSearch?callback={callback}&context=0&rsz=large&q=' + encodeURIComponent(query) + '&key=internal&v=1.0',
              function (a, b, c, d, e) {
                if (!b) {
                  return;
                }
                // Step 3: render each result URL as a link.
                for (var i = 0; i < b.results.length; i++) {
                  var link = document.createElement('a');
                  link.href = b.results[i].url;
                  link.textContent = b.results[i].url;
                  document.body.appendChild(link);
                  var br = document.createElement('br');
                  document.body.appendChild(br);
                }
              });
          }
        });
    </script>
  </body>
</html>

After running the example, you will be presented with a page similar to the one shown in Figure 10.8.

Figure 10.8 Result Page


Let's examine the file. As you can see, the page has only one script block. This block is responsible for obtaining a list of queries from the GHDB via the Dapper (http://dapper.net) screen scraping service. We scrape the URL http://johnny.ihackstuff.com/ghdb.php?function=summary&cat=19, which corresponds to GHDB category 19, also known as "Advisories and Vulnerabilities". The scraper obtains several other interesting things that we are not interested in for now.

Notes from the Underground…

Screen Scraping with Dapper

Using Dapper to screen scrape various security related databases and using the information as part of a well planned client-side oriented attack vector was discussed for the first time at OWASP, Italy 2007 by the author, Petko D. Petkov, also known as pdp (architect). For more information on the topic you can visit http://www.gnucitizen.org and http://www.gnucitizen.org/projects/6th-owasp-conference.

Once the list is retrieved, we enumerate each entry and build the custom Google AJAX API queries:

get_json('http://www.google.com/uds/GwebSearch?callback={callback}&context=0&rsz=large&q=' + encodeURIComponent(query) + '&key=internal&v=1.0',

As you can see, instead of a static string, we supply a query taken from the information obtained from the GHDB. The subsequent request to the Google AJAX Search API retrieves the sample results, and the callback functions render them inside the page DOM.

It is important to understand the purpose of the function get_json. This function is just a helper that saves us from writing the same procedure over and over again. get_json generates a unique name for the callback parameter and assigns the callback to that name at global scope. Then it substitutes the name for the placeholder {callback} in the URL and loads the external script.
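A practitioner reusing get_json today would want three things the chapter's version lacks: a callback name that cannot collide when many requests are issued in the same millisecond (the lister above fires one request per GHDB entry inside a single loop), removal of the global function and the script element once the response has arrived, and a timeout so a request that never answers does not hang the page forever. The following is an added example, not the chapter's or GNUCITIZEN's code. The document and global object are passed in as parameters so the helper can be exercised outside a browser; makeFakeDocument() and the simulated response in simulateGwebSearch() are constructed for the example, and in a real page you would pass document and window.

```javascript
// Added example (not the book's code): a hardened get_json().

let jsonpSeq = 0;

// Unique callback name: timestamp plus a per-page counter.
function jsonpCallbackName(now = Date.now()) {
  jsonpSeq += 1;
  return 'json_' + now + '_' + jsonpSeq;
}

// Substitute the callback name for the {callback} placeholder in the URL template.
function jsonpUrl(template, name) {
  if (!template.includes('{callback}')) throw new Error('template lacks {callback}');
  return template.split('{callback}').join(encodeURIComponent(name));
}

// Issue a JSONP request. onData receives the arguments the remote script passes to
// the callback (for GwebSearch: '0', {results: [...]}, 200, null, 200). Returns the
// callback name so a caller can correlate responses with requests.
function getJson(template, onData, opts) {
  const { doc, globalObj, timeoutMs = 10000, onError = () => {} } = opts;
  const name = jsonpCallbackName();
  const script = doc.createElement('script');
  let timer = null;

  // Remove every trace of the request: pending timer, global callback, script tag.
  const cleanup = () => {
    clearTimeout(timer);
    delete globalObj[name];
    if (script.parentNode) script.parentNode.removeChild(script);
  };

  globalObj[name] = (...args) => { cleanup(); onData(...args); };
  script.onerror = () => { cleanup(); onError(new Error('script failed to load: ' + script.src)); };
  timer = setTimeout(() => { cleanup(); onError(new Error('JSONP timeout: ' + name)); }, timeoutMs);

  script.src = jsonpUrl(template, name);
  doc.body.appendChild(script);
  return name;
}

// Constructed stand-in for the DOM: records appended <script> elements instead of
// fetching them, so the remote side can be played by invoking the registered callback.
function makeFakeDocument() {
  const body = {
    children: [],
    appendChild(el) { el.parentNode = body; body.children.push(el); return el; },
    removeChild(el) { body.children = body.children.filter(c => c !== el); el.parentNode = null; return el; },
  };
  return { body, createElement: tag => ({ tagName: tag, parentNode: null, src: '' }) };
}

// Simulated exchange: issue a request, then act as the server by calling the callback
// the way the GwebSearch response above does. The response body is constructed.
function simulateGwebSearch(query) {
  const doc = makeFakeDocument();
  const globalObj = {};
  const received = [];
  const name = getJson(
    'http://www.google.com/uds/GwebSearch?callback={callback}&context=0&rsz=large&q=' +
      encodeURIComponent(query) + '&key=internal&v=1.0',
    (a, b) => { if (b) received.push(...b.results.map(r => r.url)); },
    { doc, globalObj, timeoutMs: 1000 });
  const requestedUrl = doc.body.children[0].src;   // what the browser would fetch
  globalObj[name]('0', { results: [{ url: 'http://johnny.ihackstuff.com/ghdb.php' }] }, 200, null, 200);
  return { name, requestedUrl, received,
           scriptsLeft: doc.body.children.length, globalLeft: name in globalObj };
}
```

After the simulated response, scriptsLeft is 0 and globalLeft is false: nothing of the request survives in the page, which is what stops a long GHDB run from accumulating hundreds of dead script elements and global functions.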

This technique was successfully implemented as part of the GHDB Proof of Concept application hosted at http://www.gnucitizen.org/ghdb (Figure 10.9).


Figure 10.9 GNUCITIZEN GHDB

The application scrapes all the information from Johnny Long's Google Hacking Database at http://johnny.ihackstuff.com dynamically and presents it to the user in a nice graphical form. You can browse through each vector by selecting a category and then selecting the query that you are interested in. Notice that the application provides live feedback every time we select a query. The bottom part of the window contains the top searches, obtained through Google's AJAX Search API interface.

Notes from the Underground…

XSS and AJAX Worms

This technique can be implemented by XSS/AJAX worms to locate targets and exploit them, thus ensuring future generations. XSS/AJAX worms usually propagate within the domain of origin. This is because the browser's same-origin policy does not let JavaScript read the responses to cross-site requests; a remote script loaded through a script element, as in the technique presented in this chapter, is not subject to that restriction, which allows worms to bypass the JavaScript restrictions and access other resources online. For more information on the subject please check the following resources: http://www.gnucitizen.org/blog/google-search-api-worms, http://www.gnucitizen.org/projects/ghdb and http://www.gnucitizen.org/blog/the-web-has-betrayed-us.


Calendar

Google Calendar is a powerful calendar management application which supports features like calendar sharing, creation of invitations, search and calendar publishing. The service is also integrated with Google Mail (GMail) and can be accessed from a mobile device. All in all, Google Calendar is a very useful addition to our day-to-day work.

Calendar sharing in particular is a very useful feature, since individual users can maintain event lists and calendars in which others may be interested as well. Usually, in order to share a calendar you have to explicitly do so from the calendar management interface, as shown in Figure 10.10.

Figure 10.10 Calendar Management Interface

Once the calendar is shared, everyone will be able to look at it or even subscribe to the events inside it. This can be done via the Calendar application or any RSS feed reader.

To a security expert, these shared calendars are especially interesting. Very often, even when performing the most basic searches, it is entirely possible to stumble across sensitive information that can be used for malicious purposes. For example, logging into Calendar and searching for the term "password" returns many results, as shown in Figure 10.11.


Figure 10.11 Calendar Search for “password”

As you can see, there are several calendar entries that meet our search criteria. Among them, there are a few that are quite interesting and worth our attention. Another interesting query that brings up a lot of juicy information is "passcode", as shown in Figure 10.12.

Figure 10.12 Calendar Search for “passcode”

Posted: 04/07/2014, 17:20