The way it works is devastatingly simple. Imagine that there's a site you want to perform an SQL injection attack on. You construct all your SQL injection URLs for the site, and stick them into a Web page that you control. Google spiders the Web page and attempts to follow all the URLs it comes across. Since each of those URLs is an SQL injection URL, Google's crawlers attempt to perform SQL injection on the victim.Source: ARS Technica
Obviously, this technique has some significant limitations: the attacker can't actually see the response to the SQL injection attacks, which limits his ability to use this technique to probe systems. However, it's also a difficult thing to prevent, because rejecting Google's crawlers is so undesirable. The only solution is to not be vulnerable to SQL injection attacks.
Hackers trick Google bot into performing SQL injection attacks
Posted on Thursday, November 07 2013 @ 11:56 CET by Thomas De Maesschalck