This paper has been a long time in coming, and I apologize for not getting it out sooner, but I’ve been very swamped. We have all known for a long time that we can force websites like Google to perform attacks on our behalf by getting them to surf random websites and perform RFI attacks, for instance. That’s bad. But what if we turned the concept around and used it to hack intranets instead? Herein lies the basis for intranet hacking using websites. I threw the paper up on SecTheory for anyone who wants to read it.
If you recall all our intranet-hacking-with-browsers conversations over the last two years, this will look really familiar, because it uses all the same tactics, except that it’s the web server doing the attacking rather than the web browser. The paper draws on techniques and tactics we’ve all known and loved, so there shouldn’t be anything surprising in here. So the next question is: how prevalent is this stuff? Well, I’ve seen it exactly one time. But I’ve only tried it a handful of times, so it’s really hard for me to estimate how often it happens. My guess is that it is somewhat rare, but using Google dorks to identify potentially vulnerable sites would speed up non-targeted attacks. Kinda nasty.
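The defensive side of the above, as an added example that is not from the paper or from this post: the whole problem is a web server that will fetch any URL a visitor hands it, and so will happily reach hosts on its own intranet that the visitor cannot. A fetch guard that resolves the target host and refuses anything landing in loopback, RFC 1918, or link-local space is the usual mitigation. The network list, the `DEMO_DNS` table and the `demo_resolver` are constructed for this example; the injectable `resolve` parameter is an assumption of this design so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed list of networks a server-side fetcher must never be steered into by an
# attacker-supplied URL: loopback, RFC 1918 private space, link-local and the IPv6
# equivalents. Assumption: the application has no legitimate reason to fetch from them.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(addr):
    """True if the IPv4/IPv6 literal addr lies inside a blocked network.
    IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are unwrapped first so they
    cannot be used to slip an IPv4 intranet address past the IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Resolve host to every address it maps to, using the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url, resolve=system_resolver):
    """Decide whether the server may fetch url on a visitor's behalf.
    Returns (allowed, reason). resolve is injectable so the logic is testable offline."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = resolve(host)
    except OSError as exc:          # socket.gaierror is a subclass of OSError
        return False, "cannot resolve %s: %s" % (host, exc)
    if not addresses:
        return False, "%s resolved to nothing" % host
    # Every address must be acceptable: a name that maps to one public and one
    # private address is still a way into the intranet.
    for addr in addresses:
        if is_blocked_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "%s -> %s" % (host, ", ".join(addresses))


# Constructed DNS table for offline demonstration; none of these mappings are real.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.1.2.3"],
    "dual.example": ["93.184.216.34", "192.168.0.5"],
}


def demo_resolver(host):
    """Stand-in for system_resolver: passes IP literals through, looks names up in
    DEMO_DNS, and fails like the OS resolver would for anything unknown."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host in DEMO_DNS:
        return DEMO_DNS[host]
    raise socket.gaierror("constructed resolver: unknown host %s" % host)


if __name__ == "__main__":
    for candidate in ("http://example.com/page", "http://intranet.corp/admin",
                      "http://127.0.0.1:8080/", "http://[::ffff:10.0.0.1]/",
                      "ftp://example.com/", "http://dual.example/"):
        print(candidate, "->", check_fetch_target(candidate, demo_resolver))
```

One caveat worth keeping in mind: the check is only sound if the fetcher then connects to the address that was vetted rather than resolving the name a second time, otherwise a name whose answer changes between the check and the connection gets through.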