Google Blogoscoped

Wednesday, September 27, 2006

Googling for SQL Injections

Security expert Michael Sutton of SPI Dynamics wrote a little tool which uses the Google web search API to locate SQL injections, opening another chapter in the big book of Google hacking.

For example, when you Google-search for [inurl:id=10] you find sites which accept a GET parameter with a numeric value. Now you can amend the URL to read “id=’10” – note the apostrophe, which can cause an SQL injection if the page’s developer doesn’t escape user input (allowing any stranger to tinker with the database) – and parse the resulting page for words like “SQL”, “query”, or “error”. If these words appear you might have found a site with an SQL injection vulnerability... this was true for around 11% of all pages in Michael’s test.

Now, a simple search like [inurl:id=10] already returns over 6 million results. However the query can be varied in near-infinite ways; you can add random keywords from a dictionary to grab more than the initial 1,000 results Google shows, and you can add keyphrases like “please login”, which returns hundreds of pages. You can also restrict your search to specific file extensions to find servers or programming languages known to be particularly vulnerable to SQL injections, like [inurl:date=01 filetype:asp].

Michael comments, “While I don’t find this result surprising, it certainly is sobering. This was a simple test. It was certainly not a comprehensive audit of the web servers which would no doubt have uncovered many more vulnerabilities.”

Also see more information on SQL injections.

[Thanks Peter Dawson!]


Blog  |  Forum     more >> Archive | Feed | Google's blogs | About


This site unofficially covers Google™ and more with some rights reserved. Join our forum!