Sunday, February 5, 2012

TinKode-NASA website security issues


NASA website security issues

Posted by isrtinkode on February 19, 2010
     _   _           _____
    | \ | |   /\    / ____|  /\
    |  \| |  /  \  | (___   /  \
    | . ` | / /\ \  \___ \ / /\ \
    | |\  |/ ____ \ ____) / ____ \
    |_| \_/_/    \_\_____/_/    \_\
      #TinKode@Romania

The Center for Aerosol Research at NASA's Goddard Space Flight Center

The Goddard Space Flight Center (GSFC) is a major NASA space research laboratory established on May 1, 1959 as NASA’s first space flight center. GSFC employs approximately 10,000 civil servants and contractors, and is located approximately 6.5 miles (10.5 km) northeast of Washington, D.C. in Greenbelt, Maryland, USA. GSFC, one of ten major NASA field centers, is named in recognition of Dr. Robert H. Goddard (1882-1945), the pioneer of modern rocket propulsion in the United States.
Vulnerable website: http://aerocenter.gsfc.nasa.gov
I want to say that it was very hard to make this injection.
The webserver had good protection but wasn't fully secured.
This kind only works manually; you can't do it with apps.
In this picture you can see the visible columns:
Main information:
#Version:5.0.82-log
#User:carwww@localhost
#Database:aerocenter
#Datadir:/var/mysql/
Here we can see all databases:
[1] information_schema
[2] aerocenter
[3] car
[4] test
In this screenshot are all the tables from all databases:
I don't know exactly which database the tables are from… so I think I have not split them very well.
Tables from “aerocenter” database:
[1] files
[2] milagro_users
[3] modis_wshop
[4] news
[5] news_files
[6] personnel
[7] siteupdate
[8] test
[9] users
[10] workshop_files
[11] yoram2007
[12] yoram2007_agenda
Tables from “car” database:
[1] car_content
[2] car_data_info
[3] car_data_missions
[4] car_data_overview
[5] car_data_quicklooks
[6] car_files
[7] car_homefeature
[8] car_homefeature_title
[9] car_homeimage
[10] car_homemission
[11] car_images
[12] car_news
[13] car_news_files
[14] car_pers_ordering
[15] car_personal_pages
[16] car_personnel
[17] car_publications
[18] car_publications_authors
[19] car_publications_coauthors
[20] car_sections
[21] car_siteupdate
[22] car_subsections
[23] car_users
Tables from “test” database:
[1] content
[2] homeimage
[3] hometext
[4] images
[5] news
[6] news_files
[7] personnel
[8] publications
[9] publications_authors
[10] publications_coauthors
[11] sections
[12] siteupdate
[13] subsections
[14] users
Columns from all databases:
Here we have the same situation as with the tables…
[1] filename
[2] title
[3] user
[4] actualname
[5] firstname
[6] lastname
[7] username
[8] userpassword
[9] userlevel
[10] status
[11] email
[12] phone
[13] affiliation
[14] focusgroup
[15] flag
[16] date_entered
[17] event_date
[18] time
[19] location
[20] art_title
[21] talk_title
[22] art_content
[23] article_id
[24] rank
[25] cal_lastname
[26] cal_firstname
[27] cal_middlename
[28] cal_email
[29] fax
[30] su_content
[31] last_updated
[32] badge
[33] citizen
[34] country
[35] content
[36] ordering
[37] section_title
[38] subsection_title
[39] header
[40] link_text_before
[41] linked_text
[42] link_url
[43] link_text_after
[44] html
[45] mission_id
[46] flight_number
[47] date
[48] time_flight
[49] time_data
[50] aircraft_type
[51] flight_scientist
[52] lat_long
[53] flight_map_lg
[54] modis_img_lg
[55] goes_img
[56] details
[57] flight_schedule
[58] anim_img_type
[59] static_img_type
[60] modis_credit
[61] flight_track_credit
[62] quicklook_credit
[63] details_credit
[64] modis_anim
[65] modis_aqua
[66] modis_terra
[67] goes_utc
[68] kmz_file
[69] mission_name
[70] year
[71] objective
[72] logo
[73] logo_width
[74] logo_height
[75] table_number
[76] data
[77] flight_num
[78] img_sm
[79] img_lg
[80] content_id
[81] image
[82] image_alt
[83] image_align
[84] active
[85] feature_title
[86] image_caption
[87] image_large
[88] id_ordering
[89] order_id
[90] page_id
[91] pers_id
[92] middlename
[93] profile_active
[94] profile_img
[95] class
[96] onlinestatus
[97] classification
[98] monthdays
[99] found_in
[101] eds
[102] publication
[103] volume
[104] issue
[105] pages
[106] pub_id
[107] author
[108] lab_member_auth
[109] coauthors
[110] lab_member_coauth
[111] sectionTitile
[112] parentSection
[113] cal_login
[114] cal_passwd
[115] profile
[116] profile_img1
[117] profile_img2
Admin accounts:
g****sa:****bb*******8418dfce03f42193***:ghalusa@climate.gsfc.nasa.gov
m***gro:****a4343e0f1c5************0be96:ghalusa@climate.gsfc.nasa.gov
g***usa:ee***81bd*****2baa934eb571c*****:Goran.N.Halusa@gsfc.nasa.gov
kl***man:34a9dbef0*****86d1b71f6662c*****:Richard.Kleidman@nasa.gov
lr***er:******76c7041eae26695ec259aa*****1:Lorraine.A.Remer@nasa.gov
p***ul:**********3f3529e02ff313dcaf49ce*****:paul.d.przyborski@nasa.gov
l****y:*************1fb629d312948e9642f95df*****:Robert.C.Levy@nasa.gov
These hashes are md5() and they can be easily cracked.
Bye, TinKode! :)
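As an added example (not part of TinKode's post), the statements below are what the metadata queries behind the output above look like when run directly against a MySQL 5.0 or later server you control, followed by two checks a DBA would run after such a disclosure. The table list in the post could not be attributed to a database most likely because the query did not filter on table_schema; query 3 shows the scoped form. The schema and account names (aerocenter, car, test, carwww@localhost) are those printed in the post; the users(username, userpassword) layout and the single-schema grant in the last step are assumptions. Replacing unsalted MD5 with a salted, slow password hash is an application-side change and is not shown here.

```sql
-- Added example, not code from the original post. Run against a local MySQL
-- 5.0+ instance; nothing here is an injection payload, just the underlying
-- queries an enumeration tool sends and the follow-up audit.

-- 1. Fingerprint (the "Main information" block in the post).
SELECT @@version, USER(), DATABASE(), @@datadir;

-- 2. Databases the current account can see.
SELECT schema_name FROM information_schema.SCHEMATA;

-- 3. Tables, grouped by the schema they belong to. Omitting the table_schema
--    column (or the GROUP BY) is what produces one undifferentiated list.
SELECT table_schema,
       GROUP_CONCAT(table_name ORDER BY table_name) AS tables_in_schema
  FROM information_schema.TABLES
 WHERE table_schema NOT IN ('information_schema', 'mysql')
 GROUP BY table_schema;

-- 4. Columns of one table, so that a column is tied to its table.
SELECT column_name, data_type
  FROM information_schema.COLUMNS
 WHERE table_schema = 'aerocenter' AND table_name = 'users'
 ORDER BY ordinal_position;

-- 5. Audit (assumes users(username, userpassword)): rows whose stored
--    credential is a bare 32-hex-digit digest, i.e. MD5-shaped and unsalted.
SELECT username
  FROM aerocenter.users
 WHERE userpassword REGEXP '^[0-9a-f]{32}$';

-- 6. Least privilege (assumption: the site only needs the schema DATABASE()
--    returned). The account in the post could read four schemas; confine it.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'carwww'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON aerocenter.* TO 'carwww'@'localhost';
FLUSH PRIVILEGES;

-- Verify: after step 6 query 2 should list only information_schema and aerocenter.
SHOW GRANTS FOR 'carwww'@'localhost';
```

Step 6 is run as a privileged account, not as the web user. Even with the grant narrowed, information_schema remains readable for the schemas the account can reach, so step 3 is also the quickest way to confirm what an injected query could still enumerate.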

TinKode-US Army full disclosure


US Army full disclosure

Posted by isrtinkode on February 19, 2010
                                                                         _
                                /\                                    (_) |
                               /  \   _ __ _ __ ___  _   _   _ __ ___  _| |
                              / /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
                             / ____ \| |  | | | | | | |_| |_| | | | | | | |
                            /_/    \_\_|  |_| |_| |_|\__, (_)_| |_| |_|_|_|
                                                      __/ |
                                                     |___/
                                              #full disclosure@c0de.breaker
#Information:
First Army was established on August 10, 1918 as a field army when sufficient American military manpower had arrived in France during World War I. As an element of the American Expeditionary Force (AEF) in the latter stages of World War I it was the first of three field armies established under the AEF. Serving in its ranks were many figures who later played important roles in World War II. First Army was inactivated in April 1919.
A short time ago I found a website vulnerable to MSSQL injection (www.onestop.army.mil)… But today I tested another website, and in 2 minutes I found a vulnerable parameter.
Vulnerable link: www.first.army.mil
Testing:


Main Information:
#Version: Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86) Nov 24 2008 13:01:59 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
#User: Vacancyuser
#Principal Database: FirstArmyVacancies
#Server Name: GIcensoredL02
#Server: Microsoft-IIS/6.0
Version:
All databases from webserver:
[1] FirstArmyVacancies
[2] master
[3] tempdb
[4] model
[5] msdb
[6] ReportServer
[7] ReportServerTempDB
[8] gis_production
[9] 1st_Army_East
[10] FirstArmy_ATLevel_Training
[11] BESMgmt3
[12] 68W
[13] FirstArmy_Common
[14] G5MOB
[15] SpotlightManagementFramework
[16] HQ_Apps
[17] SurgeonsCTT
[18] TrainingOperationsPlanner
[19] UnitMilestone
[20] WheelsUpDown
[21] GFI
[22] CommandersTrainingTool
[23] NetPerfMon
[24] fsweb
Tables from “fsweb” database:
[1] Categories
[2] BuddyList
[3] ApptTypes
[4] DistanceList
[5] AppointmentBook_Properties
[6] AppointmentBook_Locations
[7] Appointmentbook_Holidays
[8] AppointmentBook
[9] AliasChart
[10] Abreviations
[11] UserActivityLog
[12] websafeFONTS
[13] PortalPageContent
[14] ValidFileTypes
[15] VerificationQuestions
[16] websafeFontSize
[17] Ziplist
[18] TimeSchedule
[19] POC
[20] SystemClearance
[21] CELL_CONFTABLE
[22] Messages
[23] States
[24] PortalPageData
[25] portalMENUS
[26] PortalGroups
Columns from table “POC”:
[1] UserName
[2] ClientID
[3] PortalWebsite
[4] Prefix
[5] FirstName
[6] MiddleName
[7] LastName
[8] Suffix
[9] Email
[10] regEmail
[11] Expertise
[12] Fax
[13] City
[14] State
[15] Zip
[16] DisplayZip
[16] Address1
[17] Address2
[18] Phone
[19] Cell
[20] Author
[21] Password
[22] ClearanceLevel
[23] Notes
[24] BranchofService
[25] Ext
[26] RegistrationNumber
[27] LastLogin
[28] FailedLogins
[29] ActiveLogins
[30] VerificationQuestion1
[31] VerificationResponse1
[32] VerificationQuestion2
I want to say, I didn't extract anything from any database, like usernames, passwords, addresses, etc.
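Added example, not part of the original post: the T-SQL behind the fingerprint lines above, the audit a database administrator would run to learn which of the 24 listed databases the web login could actually open (a login lists every database on a SQL Server 2005 instance by default, because VIEW ANY DATABASE is granted to public, so a long list does not by itself mean access), and the hardening that stops an application login from enumerating the instance. The names Vacancyuser, FirstArmyVacancies, fsweb and POC are the ones shown in the post; that Vacancyuser is a SQL login with a user mapped only into FirstArmyVacancies is an assumption.

```sql
-- Added example, not code from the original post. Run on a SQL Server 2005+
-- instance you control. Section A runs as the web application login,
-- section B as a sysadmin.

---------------------------------------------------------------------------
-- A. What the application login can learn about itself and the instance
---------------------------------------------------------------------------

-- 1. Fingerprint (the "Main Information" block in the post).
SELECT @@VERSION     AS version,
       SYSTEM_USER   AS login_name,
       DB_NAME()     AS current_db,
       @@SERVERNAME  AS server_name;

-- 2. Every database on the instance: visible to any login by default.
SELECT name FROM master.sys.databases ORDER BY database_id;

-- 3. Which of them this login can actually open. HAS_DBACCESS returns 1
--    only where a user is mapped (or guest is enabled) in that database.
SELECT name, HAS_DBACCESS(name) AS can_open
  FROM master.sys.databases
 ORDER BY name;

-- 4. Server-level permissions and role membership; anything beyond
--    CONNECT SQL / VIEW ANY DATABASE is a finding for a web login.
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 5. Tables and columns of one reachable database through the standard
--    views (SQL Server exposes INFORMATION_SCHEMA too).
SELECT TABLE_NAME
  FROM fsweb.INFORMATION_SCHEMA.TABLES
 WHERE TABLE_TYPE = 'BASE TABLE'
 ORDER BY TABLE_NAME;

SELECT COLUMN_NAME, DATA_TYPE
  FROM fsweb.INFORMATION_SCHEMA.COLUMNS
 WHERE TABLE_NAME = 'POC'
 ORDER BY ORDINAL_POSITION;

---------------------------------------------------------------------------
-- B. Hardening, run as sysadmin (assumes the login is named Vacancyuser)
---------------------------------------------------------------------------
USE master;

-- Stop every login from listing the instance. Afterwards a login sees only
-- master, tempdb and databases it owns; an application that names its
-- database in the connection string is unaffected.
REVOKE VIEW ANY DATABASE FROM PUBLIC;

-- Remove the login's user from databases it has no business in, e.g. fsweb.
USE fsweb;
DROP USER Vacancyuser;   -- only if such a user exists there

-- Re-check from the application's side: query 2 should now return three
-- rows at most and query 3 should show can_open = 1 only for the
-- database the site uses.
```

The first thing to compare after an incident like this is the output of query 3 against the list in the post: databases with can_open = 0 were merely visible, while those with can_open = 1 were readable through the same injection, which changes the scope of the disclosure considerably.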

WinRAR


Download WinRAR 4.20 
Arabic (32 bit, 64 bit),
Armenian (32 bit, 64 bit),
Azerbaijani (32 bit, 64 bit),
Belarusian (32 bit, 64 bit), 
Bulgarian (32 bit, 64 bit),
Catalan (32 bit, 64 bit),
Chinese Simplified (32 bit, 64 bit),
Chinese Traditional (32 bit, 64 bit),
Croatian (32 bit, 64 bit),
Czech (32 bit, 64 bit),
Danish (32 bit, 64 bit),
Dutch (32 bit, 64 bit),
English (32 bit, 64 bit),
Estonian (32 bit, 64 bit),
Finnish (32 bit, 64 bit),
French (32 bit, 64 bit),
Georgian (32 bit, 64 bit),
German (32 bit, 64 bit),
Greek (32 bit, 64 bit),
Hebrew (32 bit, 64 bit),
Hungarian (32 bit, 64 bit),
Indonesian (32 bit, 64 bit),
Italian (32 bit, 64 bit),
Japanese (32 bit, 64 bit),
Lithuanian (32 bit, 64 bit),
Macedonian (32 bit, 64 bit),
Norwegian (32 bit, 64 bit),
Persian (32 bit, 64 bit),
Polish (32 bit, 64 bit),
Portuguese (32 bit, 64 bit),
Portuguese Brazilian (32 bit, 64 bit),
Romanian (32 bit, 64 bit),
Russian (32 bit, 64 bit),
Slovak (32 bit, 64 bit),
Slovenian (32 bit, 64 bit),
Spanish (32 bit, 64 bit),
Swedish (32 bit, 64 bit),
Thai (32 bit, 64 bit),
Turkish (32 bit, 64 bit),
Ukrainian (32 bit, 64 bit),
Uzbek (32 bit, 64 bit),
Valencian (32 bit, 64 bit),
Vietnamese (32 bit, 64 bit).

WinRAR is a powerful archive manager. It can back up your data and reduce the size of email attachments, decompress RAR, ZIP and other archive formats (CAB, ARJ, LZH, TAR, GZ and TAR.GZ, BZ2 and TAR.BZ2, ACE, UUE, JAR (Java Archive), ISO (ISO9660 CD image), 7Z, Z (Unix compress)) downloaded from the Internet, and create new archives in RAR and ZIP format. You can try WinRAR before you buy; the trial version is available in the downloads.


Keywords: Archivers, Backup Data Software, Backup Software, Compression/decompression Software, Compression/decompression Tools, Downloads, Free to try software, Trial Software, Freeware Software.