Google Mediapartners crawlers replaying web attacks

Various, ,

In the use case analysis SUC001, we have discovered that Google Mediapartners crawlers seems to replay web attacks under certain conditions :

  • Your website need to be a member of the AdSense network.
  • Your robots.txt file should not exclude the indexing of the “Mediapartners-Google”.
  • Your website targeted web page should contain a AdSense banner.
  • The “Mediapartners-Google” crawler should come frequently visit your website, better each time per web page display.

I have create a fake MySQL database named “injection“, you can find here under the fake content of this database.

CREATE TABLE IF NOT EXISTS `injection` (
  `id` int(11) NOT NULL auto_increment,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;

INSERT INTO `injection` (`id`, `password`) VALUES
(1, 'testtest'),
(2, 'testtesttest');

I grant the MySQL user “injection” only to SELECT on the “injection” table and this locale.

After the creation of all SQL requirements, we need to create a PHP test page with a “id” parameter how is vulnerable to an SQL Injection attack, for example “test2.php?id=2“.

$sql = "SELECT password FROM injection WHERE id=" . $_REQUEST['id'];

We also insert into this web page some good keywords (just copy and past your favorite web article), and the required AdSense banner. Now every thing is configured, we can play to see if the Google Mediapartners crawlers will replay the SQL Injection attack.

The SQL Injection how will be played is the following :

SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

The web query result into the apache log file is returning this entry :

80.90.60.93 - - [20/Apr/2010:22:48:45 +0200] "GET //test2.php?id=2%20AND%20ORD%28MID%28%28SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201%29%2C%2070%2C%201%29%29%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; fr-fr) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7"

The MySQL log file is returning this entry :

100420 22:48:45
419 Connect     injection@localhost on
1419 Init DB     injection
1419 Query       SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

This HTTP query is followed a few seconds later by the Google Mediapartners crawler.

66.249.71.1 - - [20/Apr/2010:22:48:48 +0200] "GET //test2.php?id=2%20AND%20ORD(MID((SELECT%204%20FROM%20information_schema.TABLES%20LIMIT%200%2C%201)%2C%2070%2C%201))%20%3E%2051%20AND%204454=4454 HTTP/1.1" 200 1280 "-" "Mediapartners-Google"

And with no suprise we can see into the MySQL log file that the crawler is replaying the SQL Injection.

100420 22:48:48
1432 Connect     injection@localhost on
1432 Init DB     injection
1432 Query       SELECT password FROM injection WHERE id=2 AND ORD(MID((SELECT 4 FROM information_schema.TABLES LIMIT 0, 1), 70, 1)) > 51 AND 4454=4454

So, in conclusion, if you website is a member of the Google AdSense network, displaying some AdSense banners, vulnerable and targeted by an SQL Injection, you will not be only owned by the bad guys, but also by Google 🙂