The source of this information is a security consultancy called Stach & Liu. After some Google searching I found the original report.
I did some tests and found that it really is that easy to find them. For instance:
- We can look for SQL injection flaws in PHP apps by searching for a query that has a user-controllable parameter appended without escaping potentially malicious characters. We get 9,700 results, such as the following:
    $req = $db->query("select * from tvl_questions where status=0 and id=" . $_GET['id']);
    $klassen_result=mysql_query("select * from content where id='$_GET[id]'");
    $getPostID = $wpdb->get_results("SELECT id, type FROM ". MF_TABLE_PANELS ." WHERE id='".$_GET['custom-write-panel-id']."'");
    $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('userapp')." WHERE appid='$_GET[app]'");
    $query = "select name from $object_sections_table where value = '". $_GET['section_value'] ."'";
    $q = mysql_query("SELECT * FROM fid_files WHERE deleted='N' AND studyid='".$_GET["studyid"]."' ORDER BY filename ASC");
- We can also look for reflected XSS vulnerabilities the same way we did in the SQLi example. That query string returned 10,859 results:
    <input type="hidden" name="MM_recordId" value="<?php echo $_GET["id"]; ?>">
    echo "unknown messId:{$_GET['messId']}";
    echo "Couldn't open file " . $_GET['log'] . ".\n";
    <?php if($_GET['inView']) echo 'tg(\''.$_GET['inView'].'\');'; ?>
    echo "Path set to: {$_GET['q']}\n";
    <h2>Produits dans '<?php echo $_GET['nom'];?>'</h2>
    echo("parameter = {$_GET['parameter']}\n");
- I also found it easy to find command injection vulnerabilities (user input passed straight to eval), which would be very attractive to malicious users who want to build a botnet. Some examples below:
    eval( "test" . $_GET['eval'] );
    eval("Process_".$_GET['process']."();");
    eval("\$return = ".$_GET['f']."(".$arg_str.");");
    eval('Ajax_Admin::' . $_GET['ajax'] . '();');
    if (isset($_GET['did'])) eval($_GET['did']);
    eval("\$_GET[".$campo."]='".$valor."';");
These were just a PoC; people with economic motivations who spend a lot of time on this effort can craft very precise and accurate query strings.
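As an added example (not part of the original post or of the Stach & Liu report), here is a small Python scanner that applies the same three patterns to source you control: a request parameter reaching a query, an echo, or eval on one line. The sample lines are constructed after the snippets above, and the sanitizer check is a deliberately crude heuristic (a cast, encoder or escaper applied directly to the superglobal), so treat hits as review candidates rather than confirmed bugs.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the snippets quoted in the post,
# followed by three safe variants that should NOT be reported.
SAMPLE_LINES = [
    "$req = $db->query(\"select * from tvl_questions where status=0 and id=\" . $_GET['id']);",
    "$klassen_result=mysql_query(\"select * from content where id='$_GET[id]'\");",
    "$query = \"select name from $object_sections_table where value = '\". $_GET['section_value'] .\"'\";",
    '<input type="hidden" name="MM_recordId" value="<?php echo $_GET["id"]; ?>">',
    "echo \"Path set to: {$_GET['q']}\\n\";",
    "eval(\"Process_\".$_GET['process'].\"();\");",
    "if (isset($_GET['did'])) eval($_GET['did']);",
    "$r = mysql_query(\"select * from t where id=\" . (int)$_GET['id']);",   # safe: cast
    "echo htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');",               # safe: encoded
    "$stmt->execute([$_GET['id']]);",                                         # safe: bound param
]

# Taint source: any read of a request superglobal on the line.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")

# Sinks, checked in order (eval first so it is never misfiled as XSS).
SINKS = [
    ("code_injection", re.compile(r"\beval\s*\(")),
    ("sqli", re.compile(r"(?:mysql_query|->query|->get_results)\s*\("
                        r"|^\s*\$\w+\s*=\s*\"(?:select|insert|update|delete)\b", re.I)),
    ("xss", re.compile(r"\becho\b|\bprint\b|<\?=")),
]

# Heuristic: a sanitizer wrapped directly around the superglobal read.
SANITIZED = re.compile(r"(?:htmlspecialchars|htmlentities|intval|mysql_real_escape_string)"
                       r"\s*\(\s*\$_|\(int\)\s*\$_")


def classify(line):
    """Sink class for a line where a request parameter reaches a sink unsanitized, else None."""
    if not SOURCE.search(line) or SANITIZED.search(line):
        return None
    for name, pattern in SINKS:
        if pattern.search(line):
            return name
    return None


def scan(lines):
    """Return [(line_no, category, line)] for each flagged line, 1-based numbering."""
    return [(n, cat, ln) for n, ln in enumerate(lines, 1) if (cat := classify(ln))]


def summary(lines):
    return Counter(cat for _, cat, _ in scan(lines))


if __name__ == "__main__":
    for n, cat, ln in scan(SAMPLE_LINES):
        print(f"{n:3} {cat:15} {ln.strip()}")
    print(dict(summary(SAMPLE_LINES)))
```

Run it over `open(path).read().splitlines()` for each PHP file you own; the one-line-at-a-time model misses multi-line queries and taint carried through variables, which is exactly the gap a real static analyzer fills.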