gs = GoogleSplogger.GoogleSplogger('username', 'password') feed = feedparser.parse('http://www.gnucitizen.org/feed') # we are going to import this feed into our blog for e in feed.entries: gs.post('my blog name', e.title, e.content[0].value, 'author') Figure 10.18 - Import Blog Entries This script, entered as shown in Figure 10.18, will import all feed entries from GNUCITIZEN’s blog into your blog, effectively creating a spam blog as shown in Figure 10.19. Hacking Google Services • Chapter 10 401 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 401 Figure 10.19 The new Splog Notice how quickly we created a new blog with content. There are completely different set of strategies that can be undertaken to make the splog achieve its purposes however due to the size of this topic we can’t really cover all of them in this book. It is important to understand the security and ethical implications that are related to splogging. Again, remember that spamming Google or any other service is totally prohib- ited by the terms of service.You can potentially damage your account and all data that it holds. Signaling Alerts Very often we need to track changes in Google’s result set. For example, let’s say that we want to monitor a certain site for vulnerabilities. How can we do that? We can simply run scanners every once in a while but this is a noisy exercise and will definitely take loads of time. Instead, being dedicated Google hackers, we can use Google itself and use a few pow- erful Google dorks to locate the things that we are interested in without the need for auto- mated scanning software.Then we can setup a cron task to monitor the results returned by Google and when a change is detected email us the result. Then again, we could simply use Google Alerts as shown in see Figure 10.20. 402 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 402 Figure 10.20 Google Alerts Google Alerts is a powerful system that detects when a query’s result set changes.The system can be modified to send updates once a day, once a week, or as they happen. Keep in mind that only the first 10 entries (the first page) are taken into consideration. Nevertheless, the Alert system does a good job when optimized. This is a great tool, but it can be used for more interesting purposes. Let’s say that we know that a target is using MsSQL as database backend. We could use Google alerts to poll the target, searching for error messages as they pop up.That search might look something like this: "[SQL Server Driver][SQL Server]Line 1: Incorrect syntax near" -forum -thread - showthread site:example.com For the type of alert select We b, usually default option. Select the frequency of the alert, and your email address and click Create Alert. Notice that the query that we use for this alert is domain restricted (site:example.com). Also pay attention to the actual Google dork. Obviously we look for messages that look like being generated failures in the SQL queries sent to backend.These types of messages are sign for SQL Injection vulnerable resources. A malicious user can use this service to alert whenever a vulnerability or interesting message appears on a target site.This is very low-profile, and does not alert the target; the Hacking Google Services • Chapter 10 403 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 403 transaction happens between the user and Google. An attacker could even enter alerts for every entry in the Google Hacking Database. Although this would be overkill, some of the entries in the database reveal extremely sensitive information, which could be harvested with very little further effort. Google Co-op Google Co-op (www.google.com/coop) is a powerful service that allows you to create pow- erful custom search engines.You do not need to be registered Google user in order to use the service but if you want to create an engine, it is required. In the following section, we’ll guide you through some of the most interesting features of this service and we’ll show you how to create your own search engines. Let’s start with the simplest of search engines. Browse the Google Go-op page and click Create a Custom Search Engine, or simply browse to www.google.com/coop/cse. From the Custom Engine configuration page (Figure 10.21), we need define the characteristics we need. Figure 10.21 Google Custom Search Engine Creation page 404 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 404 First enter a search engine name. We’ll call ours the “Google Hacking Database Search”. Enter a description and some basic search keywords, both of which are optional.The key- words are primary used by Google to find the most relevant results.This means that our query will be mingled with these keywords. For now, we’ll leave this alone. Moving forward, to the field titled What do you want to search, we will define the scope of the search queries. For this example, we are going to use the default option entitled Only sites that I select. Now, the interesting part- we need to supply the URLs Google will look into when performing the queries. Since our search engine will do stuff around the Google Hacking Database located at http://johnny.ihackstuff.com/ghdb.php, we’ll simply drop that URL into this field. We’ll customize this entry option further with the use of wildcards, in order to search URLs that match a specific syntax. Here are a few examples taken from Cop-op’s documentation: www.mysite.com/mypage.html - look for information within mypage.html part of the www.mysite.com domain www.mysite.com/* - look for information within the entire context of www.mysite.com www.mysite.com/*about* - look for information within URLs from www.mysite.com that has the about keyword *.mydomain.com - look for information within sub-domains of mysite.com. For our example, the main page is located at http://johnny.ihackstuff.com/ghdb.php,but in order to make Co-op go a couple of levels down from that location, we must change the site URL to http://johnny.ihackstuff.com/ghdb.php* (note the star at the end).This is because the URL for an individual database entry contains parameters tacked onto the data after the name of the ghdb.php script the following format: http://johnny.ihackstuff.com/ghdb.php?function=detail&id=64 The rest of the options from the Go-op Custom engine creation page are irrelevant at this point. Agree to Google’s terms of service and click on the next button.You must see something similar to Figure 10.22. Hacking Google Services • Chapter 10 405 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 405 Figure 10.22 2nd Stage of Google’s Custom Engine Creation Process No we’ll test how the search engine works.Type a few queries like “index” or “secret”, and you’ll see some sample results. If everything works as expected, click finish, and the custom search engine will be displayed as shown in Figure 10.234. Figure 10.23 GHDB Custom Search Engine 406 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 406 The purpose of our search engine is find interesting queries within Johnny Long’s excel- lent Google dorks collection which does not (at the time of this writing) support searching. For example, a query for passwd will return results similar to those in Figure 10.24. Figure 10.24 Search Results It’s simple to create other customized search engines as well. For example, we could search Phenoelit’s database of default passwords found at www.phenoelit- us.org/dpl/dpl.html. It normally takes ages to load the file and most browsers cannot handle its enormous size. Let’s create a custom search engine to search this excellent page. Following the same process as before, we will use a site restriction of www.phenoelit- us.org/dpl/dpl.htmlinstead of http://johnny.ihackstuff.com/ghdb.php*. Bake the engine and give it a try. Figure 10.25 shows the result of query for cisco. Hacking Google Services • Chapter 10 407 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 407 Figure 10.25 Default Password List Search Engine Notice that the resulting page contains all the details that we need, including the default username and password. We can improve this engine by adding more default password lists. Notes from the Underground… Google’s Custom Search Engine The GNUCITIZEN group http://www.gnucitizen.org has discovered that Google’s Custom Search Engine platform can be used for many other useful things such as fin- gerprinting and enumerating hidden web servers. It is well known fact that not all Web resources are exposed to the Internet. We call that part of the network the Hidden Web. By using Custom Search Engines we can recover them and enumerate their content. Among the gathered information, we may find Intranet interfaces, Administrative panels and other types of sensitive information. 408 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 408 Google AJAX Search API Integration Earlier in this chapter we discussed how to use the AJAX API to embed search engine facili- ties in your own applications and even do automated queries. Here we will do the same but this time we are going to use the Google Hacking Database custom search engine that we have created. The first most important thing is to locate the unique identifier of your search engine. Just access the engine page and have a look at the URL bar. It should be similar to the following: http://www.google.com/coop/cse?cx=016629205230705557969%3Assouol31jqq The cx parameter is the unique identifier for that engine. Remember that value and substitute it for the placeholder in the following example: <html> <head> <title>Hacking AJAX API</title> </head> <body> <script> function our_callback(a, b, c, d, e) { for (var i = 0; i < b.results.length; i++) { var link = document.createElement('a'); link.href = b.results[i].url; link.innerHTML = b.results[i].url; document.body.appendChild(link); var br = document.createElement('br'); document.body.appendChild(br); } } </script> <script type="text/javascript" &q=test&key=internal&v=1.0&cx=016629205230705557969%3Assouol31jqq"></script> </body> </html> Hacking Google Services • Chapter 10 409 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 409 There are tones of interesting and quite valuable things that can be accomplished with the AJAX Search API and Google Co-op. It is just a matter of imagination, something that hackers and computer security experts has quite a lot. Google Code Google Code is an offering to the open source community allowing for free-for-all project hosting. Feature-wise, the service is very much like the well the known Sourceforge. Developers are provided with a Wiki for hosting the project documentation, Bug tracking system and version control through SVN. At the time of this writing, each user is restricted by the number of projects they can spawn. However, this logical restriction can be easily bypassed. Google Code is more then just a development environment - it is a free hosting provider. We can use the system to stash all sorts of stuff in there. In order to open a Google Code project, you’ll first need a Google account. Simply visit http://code.google.com/hosting/createProject, fill in the necessary details and you are ready to upload your content as shown in Figure 10.26. Figure 10.26 Google Code Project Registration As we mentioned earlier, Google Code operates on the top of SVN (Subversion). In order to upload content, you will need the svn client which comes bundled with most Linux/Unix distributions. Windows users can obtain the svn client from 410 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 410 . examples taken from Cop-op’s documentation: www.mysite.com/mypage.html - look for information within mypage.html part of the www.mysite.com domain www.mysite.com/* - look for information within the. www.mysite.com www.mysite.com/*about* - look for information within URLs from www.mysite.com that has the about keyword *.mydomain.com - look for information within sub-domains of mysite.com. For our example, the. further effort. Google Co-op Google Co-op (www .google. com/coop) is a powerful service that allows you to create pow- erful custom search engines.You do not need to be registered Google user in