Wednesday, June 10, 2009

An Accidental Google Hack

Whilst looking at the security of a web application today I was able to extract the usernames and passwords using SQL injection, which was nice. Being a bit of a newbie, once I had the passwords I was confused about the encoding/encryption. I managed to figure it out by using the encoding page on Clez.net and by encoding/decoding one of the passwords whose cleartext I knew (my test account). The passwords weren't hashed at all: each one was Base64 encoded and then the string reversed, so anyone holding the stored value can recover the cleartext. I also noticed that many of the passwords were =Qmcvd3czFGc, which after reversing and Base64 decoding is password.
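As an added illustration (not part of the original post and not the site's own code), here is a small Python script that reproduces the reversed-Base64 scheme described above, undoes it, applies the same "encode a password you already know and compare" check the post used, and, for contrast, shows what a non-reversible salted hash of the same password looks like. The sample dump, its users and email addresses, and the pipe-delimited field positions are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional


def encode_reversed_b64(cleartext: str) -> str:
    """Reproduce the site's scheme: Base64-encode the password, then reverse the string."""
    return base64.b64encode(cleartext.encode("utf-8")).decode("ascii")[::-1]


def decode_reversed_b64(stored: str) -> Optional[str]:
    """Undo the scheme: reverse, then Base64-decode.
    Returns None when the value is not valid (reversed) Base64 or not UTF-8 text."""
    try:
        return base64.b64decode(stored[::-1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_reversed_b64(stored: str) -> bool:
    """Quick heuristic: plain Base64 carries its '=' padding at the END, so a string
    that STARTS with '=' and decodes cleanly once reversed is almost certainly
    reversed Base64.  Caveat: cleartexts whose length is a multiple of 3 produce
    no padding at all and are missed by this check."""
    return stored.startswith("=") and decode_reversed_b64(stored) is not None


def confirm_scheme(known_cleartext: str, stored: str) -> bool:
    """The check the post describes: encode a password you already know
    (your own test account) and compare it with what the database holds."""
    return encode_reversed_b64(known_cleartext) == stored


# Constructed sample dump (not real data).  Pipe-delimited, with the user in
# field 0, the email in field 2 and the stored "password" in field 6; that
# layout is an assumption made for this example.
SAMPLE_DUMP = """\
alice|Alice|alice@example.com|x|x|x|=Qmcvd3czFGc
bob|Bob|bob@example.com|x|x|x|==gbpVWb0VGb
carol|Carol|carol@example.com|x|x|x|not-base64!
"""


def decode_dump(dump: str) -> list[tuple[str, str, str]]:
    """Recover (user, email, cleartext) for every row whose stored value decodes."""
    results = []
    for line in dump.splitlines():
        fields = line.split("|")
        if len(fields) < 7:
            continue
        cleartext = decode_reversed_b64(fields[6])
        if not cleartext:
            continue
        results.append((fields[0], fields[2], cleartext))
    return results


# What the site should have stored instead: a salted, iterated hash that cannot
# be run backwards the way the encoding above can.
def hash_password(cleartext: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(cleartext: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself does not leak anything.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(decode_reversed_b64("=Qmcvd3czFGc"))  # the value seen in the dump
    for user, email, pw in decode_dump(SAMPLE_DUMP):
        print(f"USER: {user} EMAIL: {email} PASSWORD: {pw}")
    stored = hash_password("password")
    print(verify_password("password", stored), verify_password("Password", stored))
```

The leading '=' is the tell-tale sign: if you ever see a column of "encrypted" passwords that start with one or two equals signs, try reversing them before reaching for anything heavier.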


Now the accidental bit.

My friend Bob got to hear of this and decided to Google the reversed Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was really interesting.



It seems his first hit returned email addresses, login names and weird strings that might be reversed Base64 encoded passwords (he'll look into that later, I imagine).

Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone, he wondered just how much of it Google had indexed.

site:yimwhan.com filetype:txt intext:password



Oh dear... within seconds Bob found a password. Surely it was old and probably not active anymore?



Well we all know Bob, his curiosity gets the better of him.




Bob just couldn't help himself could he!

I think this clearly demonstrates that anything you put on a public site can and probably will be indexed by Google, and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!


UPDATE:

I have also posted this on the Bob Stories Site.

9 comments:

Stephen Northcutt said...

Very nice! And I agree with your conclusion. Google is working hard to index all of the information posted on the Internet and make it useful. You can test your site with Google dorks ( and should ), but that leaves the *cough* zero day Google search to be concerned about.

Rob Fuller (mubix) said...

Would you be willing to repost this on Bobstories.com?

SynJunkie said...

Stephen - Google Dorks is one of the first extensions I install. The GHD is pretty awesome too, the guys who contribute to it are pretty smart.

P.S. - Loved the PDC interview you did recently. It was quite different from most interviews they have. Very much along the Schneier or Ranum lines. I'm currently re-reading "Beyond Fear" and a few things you mentioned made some concepts click into place.



Mubix - I thought of your Bob Stories site but didn't think this story worthy. But as you have asked, I'll definitely get it up there over the next couple of days. Cheers.

~Ben said...

I have accidentally found Google hacks as well. I was reading up on Pidgin when I discovered that Google spidered a few stored password files. And just a few days ago, I found that Google retains XSS when it caches pages. Thanks for the article.

SynJunkie said...

Ben, sounds really interesting. You should maybe think about contributing to BobStories.com and give Mubix a shout.

Matt said...

I know this is old, but I came across this post and decided I'd comment.

There are a lot of websites that I've found that use this encoding.. if you're interested in a simple method of deciphering these passwords, this is what I use..


#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64;
use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;
$ua->agent("Internet Explorer 6.0");
# The target URL was left blank in the original comment.
my $req = HTTP::Request->new(GET => "");

# Fetch the pipe-delimited dump and split the response body into lines.
# (The original assigned the whole response to @data and then read it with
# <@data>, which is Perl's glob operator, not a line iterator.)
my @data = split /\n/, $ua->request($req)->decoded_content;

foreach (@data) {
    # Field 0 is the user, 2 the email, 6 the reversed Base64 "password".
    my ($user, $email, $rb64) = (split /\|/)[0, 2, 6];
    next unless defined $rb64;
    my $password = reverse $rb64;              # undo the reversal...
    my $decoded  = decode_base64($password);   # ...then the Base64
    next if $decoded eq "";
    print "USER: $user EMAIL: $email PASSWORD: $decoded\n";
}

It's not perfect, but it does the trick.. ;-)

Awesome blog, by the way.

SynJunkie said...

Hey cheers Matt, I'll definitely give your script a try.

Oh, and congratulations.

Lee

neddy said...

lol NIIICE work :)

A great place to run hashes of passwords is the w3dt.net hash test...

http://w3dt.net/tools/hash/

SynJunkie said...

Thanks Neddy, clez.net is pretty cool for hashes too.

http://clez.net/string.hash

And lets not forget about Serversniff.net either.

Cheers

Lee