
How to use vulnerabilities to change Google search rankings

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article describes how a vulnerability was used to change Google search rankings. The content is detailed, and interested readers can use it for reference; I hope it helps.

Background concepts

Sitemap: a sitemap is a file that lists the pages on your site, informing Google and other search engines about the organizational structure of your site's content. Search engine crawlers such as Googlebot read this file to crawl your site more intelligently. Sitemaps were first proposed by Google and are now supported by a variety of search engines. The file is usually named sitemap.xml and follows a defined format.

Submitting the sitemap to Google: once a website administrator has created the sitemap file, they can submit it to the Google search management platform. After the platform verifies that the submitter has management rights over the website, it parses the sitemap file and indexes its contents according to its back-end algorithm, so that users of the Google search engine can find your website more easily. Search engines offer this sitemap submission function openly and free of charge, for example through the Google, Yahoo and Baidu submission interfaces.

Sitemap file submission methods: if you have management rights over the registered website, then in addition to the sitemap management interface mentioned above, you can also submit the sitemap directly with a 'ping' URL, such as Google's http://www.google.com/ping?sitemap=http://www.example.com/ and Bing's https://www.bing.com/webmaster/ping.aspx?sitemap=http://www.example.com/, and so on. In addition, a sitemap can also be declared in the traditional robots.txt file (see google-support for details).

Introduction to the vulnerability

Google provides an open URL that you can use to 'ping' an XML sitemap; the sitemap can contain indexing directives such as the hreflang attribute, which are parsed by the back end. I found that an attacker can host a sitemap and 'ping' it to Google through many websites, and Google will even trust the malicious sitemap as the sitemap of the victim site.

In testing, I registered a personal website for $12 and was eventually able to get that website ranked on the front page of Google search results for some high-value keywords.

XML sitemap & ping mechanism

Google allows the webmaster of a website to upload sitemap files to the Google search platform, so that the Google search engine can crawl and index the site more intelligently according to its algorithm. For example, the hreflang entries in sitemap.xml mark how many regional versions of the site exist: they tell Google that www.example.com/english/ is the English version and www.example.com/deutsch/ is the German version. However, hreflang alternates appear to "borrow" link weight (link equity) from one another. For example, the German version of a website will borrow the link weight of the heavily visited English version to improve its ranking on Google.de.

Google's documentation on submitting sitemap files seemed a bit confusing. In the first step of submitting a sitemap, it stated that sitemap files could be submitted through ping, but in the following steps it issued the following warning:

However, experience shows that it is of course possible to submit a sitemap file through ping, and Googlebot will read the sitemap file after more than 10 seconds. Crucially, Google also mentions several times on the documentation page that sitemap files submitted through ping are not displayed in the sitemap report of the search management interface (Search Console):

As a related test, I also tried adding noindex and rel-canonical-style indexing directives to the sitemap's XML file, and also tested a set of XML exploits, but it seems that Google does not parse these directives at all.

Sitemap file submission in Google Search Console

In the Google search management interface (Search Console), if you try to upload a sitemap.xml file for a website that you have no administrative rights over, and you therefore cannot pass Google's ownership verification, Google rejects the sitemap file, as follows:

We'll come back here and do some tests later.

Open redirection

Many websites use a URL parameter to control redirection:

For example, after logging in to the green website (green.com), I am redirected to page.html. Some websites with poor filtering, however, let an "open redirect" parameter send the visitor to a different domain, such as:

With such an "open redirect" parameter, the visitor is redirected immediately, without any other interaction such as logging in:

Because open redirects are very common and do not pose too many security threats, Google does not include this issue in its vulnerability reward program. Although many companies filter malicious open redirects, ways can be found to bypass such filtering, such as this filter bypass for an open redirect on the Tesco website:

Tesco is a British retailer with a profit of more than 50 billion pounds, with more than 1 billion pounds of revenue coming from its online sales channels. I reported the vulnerability to Tesco, and they have since fixed it.
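The fix on the site's side is to validate the redirect parameter before using it. The following is an added example, not code from the original article: a validator that only lets a redirect stay on the site's own hosts. The host names reuse green.com and blue.com from the text; `ALLOWED_HOSTS`, `safe_redirect_target` and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the hosts this site is willing to redirect to (green.com as in the text).
ALLOWED_HOSTS = {"green.com", "www.green.com"}

def safe_redirect_target(target, default="/"):
    """Return `target` only if it keeps the visitor on this site, else `default`."""
    if not target or target != target.strip():
        return default
    # Browsers treat "\" like "/" and drop tabs/newlines, so reject them outright.
    if any(ch in target for ch in "\\\r\n\t"):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:            # malformed authority, e.g. a bad IPv6 literal
        return default
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: http(s) to our hosts only.
        if parts.scheme not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()
        return target if host in ALLOWED_HOSTS else default
    # Relative target: accept only a rooted path on this site.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target

# Constructed inputs: the same-site case from the text plus off-site variants
# that a naive prefix or substring filter would let through.
SAMPLES = [
    "/page.html",
    "https://www.green.com/account",
    "https://blue.com/evil.xml",
    "//blue.com/evil.xml",
    "https://green.com.blue.com/evil.xml",
    "https://green.com@blue.com/evil.xml",
    "/\\blue.com/evil.xml",
    "javascript:void(0)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {safe_redirect_target(s)!r}")
```

Comparing the parsed host against an exact allow-list, rather than checking whether the string starts with or contains the site's name, is what makes the look-alike host and userinfo variants fall back to the default.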

'Ping' a sitemap file through an open redirect

By now you may have guessed what I wanted to do. It turns out that when you use Google's ping URL to submit an XML sitemap file, and the URL you submit is a redirect link, Google follows the redirect, even a cross-domain one. More importantly, it also appears to associate the XML sitemap file with the domain that performs the redirect, and treats the sitemap file found after the redirect as an authorized, verified file for that domain, such as:

In this case, the malicious sitemap file evil.xml is hosted on the website blue.com, but Google mistakes it for a verified file of the website green.com. In this way, a sitemap file can be submitted to Google for a site over which the submitter has no administrative rights, and Google's back end will change how it crawls and indexes that site.
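For Google to follow the redirect, its crawler has to request the redirect URL from the redirecting site, so that site's access log is one place to look for this pattern. The following is an added example, not part of the original article: it scans Combined Log Format lines for 3xx responses served to a crawler where a query parameter holds a URL on another host. The `/login?continue=` endpoint, the log lines, and the assumption that the crawler identifies itself with a Googlebot user agent are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

OWN_HOSTS = {"green.com", "www.green.com"}   # assumption: this site's hostnames

# Combined Log Format: request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def offsite_params(request_path):
    """Return (name, value) for query parameters that hold a URL on another host."""
    found = []
    for name, value in parse_qsl(urlsplit(request_path).query):
        candidate = value.strip().replace("\\", "/")
        if candidate.startswith("//"):          # scheme-relative form
            candidate = "http:" + candidate
        try:
            parts = urlsplit(candidate)
        except ValueError:
            continue
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https") and host and host not in OWN_HOSTS:
            found.append((name, value))
    return found

def crawler_redirect_hits(lines, crawler_token="Googlebot"):
    """Flag 3xx responses served to a crawler for a URL carrying an off-site target."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m["status"].startswith("3"):
            continue
        if crawler_token not in m["ua"]:        # UA strings can be spoofed
            continue
        for name, value in offsite_params(m["path"]):
            hits.append({"path": m["path"], "param": name, "target": value})
    return hits

# Constructed sample log lines (not real traffic).
UA_BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /login?continue=/page.html HTTP/1.1" 302 0 "-" "{UA_BOT}"',
    f'192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /login?continue=https%3A%2F%2Fblue.com%2Fevil.xml HTTP/1.1" 302 0 "-" "{UA_BOT}"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /login?continue=https://blue.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in crawler_redirect_hits(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported: the first redirect stays on the site, and the third was not requested by the crawler.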

Test: use the hreflang attribute to "steal" the link weight and ranking of a website for free

At this point, after these attempts, I was not sure whether Google would trust a sitemap file reached through a cross-domain redirect, so I had to run a test to prove it. To understand the mechanism, I also ran a series of tests on each part of the redirect parameters.

I created a fake domain name for a UK-based retail company and built an AWS server that simulates the site. The main purpose was to make some changes to the site's pages, such as changing funds / addresses and other information. I have anonymized the company below; let's call the victim's website victim.com.

I first created a sitemap file and hosted it on the evil.com website; the sitemap file contains only URLs related to the victim.com website. These URLs are different victim.com links with hreflang attributes, which indicate that it is the English version of the victim.com website. Then I submitted the sitemap file to the Google search management platform through Google's 'ping' mechanism, using the open redirect URL method via the victim.com website.

Within two days, traffic to the victim.com site was slowly on the rise:

A few days later, it ranked alongside Amazon and Wal-Mart for keywords in Google search results:

Moreover, the information about the victim.com site in the Google search management interface actually showed that it had a linking relationship with the evil.com site:

I also found that I could now submit sitemap files for the victim.com site in evil.com's Google search management interface:

This seems to be because, once the Google back end has linked the two sites, changes to victim.com's sitemap files can be controlled indirectly through evil.com's search management interface. You can also track indexing for the submitted sitemap files. Take a look at the figure below: thousands of pages are already indexed, and Searchmetrics (an enterprise search engine optimization and content marketing platform) also reflects the increasing traffic:

The Google search management interface showed more than a million search impressions and more than 10,000 clicks from the Google search engine! I didn't pay millions of dollars for advertising. I just submitted a sitemap file.

In this way, nobody would even notice my malicious website evil.com, which could be used for search fraud or to place arbitrary ads; what's more, I could cash in on a steady stream of traffic. This malicious technique both defrauds Google search users and poses a risk to companies that rely on Google search traffic.

Vulnerability threat

With this method, the victim website victim.com simply cannot detect this kind of search-related change, and the sitemap files submitted by the attacker do not appear on its side. Following the method above and using the link weights of different language versions of a site, the attack can be completely concealed, and competitors may be left puzzled by the site's ranking.

That is all on how to use vulnerabilities to change Google search rankings. I hope the above content is of some help and that you learn something from it. If you think the article is good, share it so more people can see it.
