Sunday, February 5, 2012

TinKode-NASA vulnerable to MSSQL Injection

8:11 PM  Admin  No comments


NASA vulnerable to MSSQL Injection

Posted by isrtinkode on February 19, 2010
 _   _                   __  __  _____ _____  ____  _      _
| \ | |                 |  \/  |/ ____/ ____|/ __ \| |    (_)
|  \| | __ _ ___  __ _  | \  / | (___| (___ | |  | | |     _
| . ` |/ _` / __|/ _` | | |\/| |\___ \\___ \| |  | | |    | |
| |\  | (_| \__ \ (_| | | |  | |____) |___) | |__| | |____| |
|_| \_|\__,_|___/\__,_| |_|  |_|_____/_____/ \___\_\______|_|

   #Nasa vulnerable again (MSSQLi)@c0de.breaker
Hello, unfortunately I found another serious vulnerability in NASA, more precisely a MSSQL Injection .
I admit that, this time it was harder to make the injection.
It is the forth time this happens, but nothing can surprise me anymore. As always, I showed no interest in the content of the website.
I hope this is the last time I see these kinds of vulnerabilities.
Link: www.gltrs.grc.nasa.gov
Testing:


As you can see, this time I didn’t hide the vulnerable parameter, mainly because it can be easily found on google with filetype:aspx.
Main Informations:
#Version: Microsoft SQL Server
#Operating system: Windows
#Web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.7
#Main Database: RDP
#Current User: RDP_Ext_RA
Tables from main database “RDP”:
#Abstract
#Author
#AuthorTypeLookup
#RDPLibrary
#RDPTemp
#ReportTemplateLookup
#ReportTypeLookup
#RptTempDistLookup
#RDP
All databases (92):
#AdventureWorks
#AppSecAdmin
#COD
#CODAppsAdmin
#CODSecurity
#Cont_999
#ContractMgmt
#CopierMDSTool
#CostRecovery
#DivAppSec
#DivisionInfo
#DivSurveys
#dnn-ltid
#dnn-metrology
#Eform
#EventSentry
#EventSentry_ext
#EventSentry_int
#FoodServices
#FormsMgmt
#FurnitureInventory
#Grants
#GRCHistory
#InstPool
#ITC
#ITCImagenet
#ITSInfo
#ITSProjectMgmt
#Library
#LibraryPatronReq
#Logistics
#LTIDLookup
#LTOCSecurity
#LVSS
#master
#metafldr
#Metcal
#Moc1Archives
#model
#msdb
#MTS
#nasath
#Northwind
#NPTRegistration
#PDOInventory
#Phone
#Projects
#PTF-HST-GHC
#PTF-HST-PSL
#PTF-ITC-AWT
#PTF-ITC-C_Archive
#PTF-ITC-CM_Archive
#PTF-ITC-Constellation
#PTF-ITC-Facilities
#PTF-ITC-ITC2_Rotocraft
#PTF-ITC-ITC4_GAGroundIcing
#PTF-ITC-ITC6_MarketingProject
#PTF-ITC-ITC0_CEV_Model
#PTF-ITC-NPTAssets
#PTF-ITC-Ohio_VIP
#PTF-ITC-Orion
#PTF-ITC-PBRF_RFP
#PTF-ITC-Template
#Publishing
#pubs
#pwots
#RDP
#RecordsMgmt
#ReportServer
#ReportServerTempDB
#RetireeReg
#RollCall
#ServerAdmin
#ServReqMgmt
#Sharepoint
#SPS
#SupplyMgmt
#tempdb
#TIALSPurchasing
#TMP2_MTS
#VTWinNASA
#WorkMgmt
#WSS-BRehab
#WSS-custodialservices
#WSS-ITC-MTPV
#WSS-ITS
#WSS-LTID
#WSS-LTIDWebAdmin
#WSS-PubsMgmt
#WSS-TIALS
#WSS-TIALSExecRpts
#WSS-webredesign
As a last remark:
I hope my findings aren’t all for nothing, and that NASA will do a complete inspection on all their websites.

Read More

TinKode-NASA website security issues

8:06 PM  Admin  No comments


NASA website security issues

Posted by isrtinkode on February 19, 2010
     _   _           _____
    | \ | |   /\    / ____|  /\
    |  \| |  /  \  | (___   /  \
    | . ` | / /\ \  \___ \ / /\ \
    | |\  |/ ____ \ ____) / ____ \
    |_| \_/_/    \_\_____/_/    \_\
      #TinKode@Romania

            The Center for Aerosol Research at NASA's Goddard Space Flight Center
The Goddard Space Flight Center (GSFC) is a major NASA space research laboratory established on May 1, 1959 as NASA’s first space flight center. GSFC employs approximately 10,000 civil servants and contractors, and is located approximately 6.5 miles (10.5 km) northeast of Washington, D.C. in Greenbelt, Maryland, USA. GSFC, one of ten major NASA field centers, is named in recognition of Dr. Robert H. Goddard (1882-1945), the pioneer of modern rocket propulsion in the United States.
Vulnerable website: http://aerocenter.gsfc.nasa.gov
I want to say that it was very hard to make this injection
The webserver had good protection but wasn’t fully secured.
This kind only works manually , you can’t do it with apps.
In this picture you can see the visible columns:
Main informations:
#Version:5.0.82-log
#User:carwww@localhost
#Database:aerocenter
#Datadir:/var/mysql/
Here we can see all databases:
[1] information_schema
[2] aerocenter
[3] car
[4] test
In this screenshot are all tables from all databases:
I don’t know exactly from which database are the tables… so I think I have not split them very well
Tables from “aerocenter” database:
[1] files
[2] milagro_users
[3] modis_wshop
[4] news
[5] news_files
[6] personnel
[7] siteupdate
[8] test
[9] users
[10] workshop_files
[11] yoram2007
[12] yoram2007_agenda
Tables from “car” database:
[1] car_content
[2] car_data_info
[3] car_data_missions
[4] car_data_overview
[5] car_data_quicklooks
[6] car_files
[7] car_homefeature
[8] car_homefeature_title
[9] car_homeimage
[10] car_homemission
[11] car_images
[12] car_news
[13] car_news_files
[14] car_pers_ordering
[15] car_personal_pages
[16] car_personnel
[17] car_publications,
[18] car_publications_authors
[19] car_publications_coauthors
[20] car_sections
[21] car_siteupdate
[22] car_subsections
[23] car_users
Tables from “test” database:
[1] content
[2] homeimage
[3] hometext
[4] images
[5] news
[6] news_files
[7] personnel
[8] publications
[9] publications_authors
[10] publications_coauthors
[11] sections
[12] siteupdate
[13] subsections
[14] users
Columns from all databases:
Here we have the same situation like with tables…
[1] filename
[2] title
[3] user
[4] actualname
[5] firstname
[6] lastname
[7] username
[8] userpassword
[9] userlevel
[10] status
[11] email
[12] phone
[13] affiliation
[14] focusgroup
[15] flag
[16] date_entered
[17] event_date
[18] time
[19] location
[20] art_title
[21] talk_title
[22] art_content
[23] article_id
[24] rank
[25] cal_lastname
[26] cal_firstname
[27] cal_middlename
[28] cal_email
[29] fax
[30] su_content
[31] last_updated
[32] badge
[33] citizen
[34] country
[35] content
[36] ordering
[37] section_title
[38] subsection_title
[39] header
[40] link_text_before
[41] linked_text
[42] link_url
[43] link_text_after
[44] html
[45] mission_id
[46] flight_number
[47] date
[48] time_flight
[49] time_data
[50] aircraft_type
[51] flight_scientist
[52] lat_long
[53] flight_map_lg
[54] modis_img_lg
[55] goes_img
[56] details
[57] flight_schedule
[58] anim_img_type
[59] static_img_type
[60] modis_credit
[61] flight_track_credit
[62] quicklook_credit
[63] details_credit
[64] modis_anim
[65] modis_aqua
[66] modis_terra
[67] goes_utc
[68] kmz_file
[69] mission_name
[70] year
[71] objective
[72] logo
[73] logo_width
[74] logo_height
[75] table_number
[76] data
[77] flight_num
[78] img_sm
[79] img_lg
[80] content_id
[81] image
[82] image_alt
[83] image_align
[84] active
[85] feature_title
[86] image_caption
[87] image_large
[88] id_ordering
[89] order_id
[90] page_id
[91] pers_id
[92] middlename
[93] profile_active
[94] profile_img
[95] class
[96] onlinestatus
[97] classification
[98] monthdays
[99] found_in
[101] eds
[102] publication
[103] volume
[104] issue
[105] pages
[106] pub_id
[107] author
[108] lab_member_auth
[109] coauthors
[110] lab_member_coauth
[111] sectionTitile
[112] parentSection
[113] cal_login
[114] cal_passwd
[115] profile
[116] profile_img1
[117] profile_img2
Admins accounts:
g****sa:****bb*******8418dfce03f42193***:ghalusa@climate.gsfc.nasa.gov
m***gro:****a4343e0f1c5************0be96:ghalusa@climate.gsfc.nasa.gov
g***usa:ee***81bd*****2baa934eb571c*****:Goran.N.Halusa@gsfc.nasa.gov
kl***man:34a9dbef0*****86d1b71f6662c*****:Richard.Kleidman@nasa.gov
lr***er:******76c7041eae26695ec259aa*****1:Lorraine.A.Remer@nasa.gov
p***ul:**********3f3529e02ff313dcaf49ce*****:paul.d.przyborski@nasa.gov
l****y:*************1fb629d312948e9642f95df*****:Robert.C.Levy@nasa.gov
These hashes are md5() and they can be easily cracked.
Bye, TinKode! :)

Read More

TinKode-US Army full disclosure

7:57 PM  Admin  No comments


US Army full disclosure

Posted by isrtinkode on February 19, 2010
                                                                         _
                                /\                                    (_) |
                               /  \   _ __ _ __ ___  _   _   _ __ ___  _| |
                              / /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
                             / ____ \| |  | | | | | | |_| |_| | | | | | | |
                            /_/    \_\_|  |_| |_| |_|\__, (_)_| |_| |_|_|_|
                                                      __/ |
                                                     |___/
                                              #full disclosure@c0de.breaker
#Informations:
First Army was established on August 10, 1918 as a field army when sufficient American military manpower had arrived in France during World War I. As an element of the American Expeditionary Force (AEF) in the latter stages of World War I it was the first of three field armies established under the AEF. Serving in its ranks were many figures who later played important roles in World War II. First Army was inactivated in April 1919.
Few time ago I found a website vulnerable to MSSQL Injection (www.onestop.army.mil)… But today I tested another website, and in 2 minutes i found a vulnerable parameter.
Vulnerable link: www.first.army.mil
Testing:


Main Informations:
#Version: Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86) Nov 24 2008 13:01:59 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
#User: Vacancyuser
#Principal Database: FirstArmyVacancies
#Server Name: GIcensoredL02
#Server: Microsoft-IIS/6.0
Version:
All databases from webserver:
[1] FirstArmyVacancies
[2] master
[3] tempdb
[4] model
[5] msdb
[6] ReportServer
[7] ReportServerTempDB
[8] gis_production
[9] 1st_Army_East
[10] FirstArmy_ATLevel_Training
[11] BESMgmt3
[12] 68W
[13] FirstArmy_Common
[14] G5MOB
[15] SpotlightManagementFramework
[16] HQ_Apps
[17] SurgeonsCTT
[18] TrainingOperationsPlanner
[19] UnitMilestone
[20] WheelsUpDown
[21] GFI
[22] CommandersTrainingTool
[23] NetPerfMon
[24] fsweb
Tables from “fsweb” database:
[1] Categories
[2] BuddyList
[3] ApptTypes
[4] DistanceList
[5] AppointmentBook_Properties
[6] AppointmentBook_Locations
[7] Appointmentbook_Holidays
[8] AppointmentBook
[9] AliasChart
[10] Abreviations
[11] UserActivityLog
[12] websafeFONTS
[13] PortalPageContent
[14] ValidFileTypes
[15] VerificationQuestions
[16] websafeFontSize
[17] Ziplist
[18] TimeSchedule
[19] POC
[20] SystemClearance
[21] CELL_CONFTABLE
[22] Messages
[23] States
[24] PortalPageData
[25] portalMENUS
[26] PortalGroups
Columns from table_name “POC
[1] UserName
[2] ClientID
[3] PortalWebsite
[4] Prefix
[5] FirstName
[6] MiddleName
[7] LastName
[8] Suffix
[9] Email
[10] regEmail
[11] Expertise
[12] Fax
[13] City
[14] State
[15] Zip
[16] DisplayZip
[16] Address1
[17] Address2
[18] Phone
[19] Cell
[20] Author
[21] Password
[22] ClearanceLevel
[23] Notes
[24] BranchofService
[25] Ext
[26] RegistrationNumber
[27] LastLogin
[28] FailedLogins
[29] ActiveLogins
[30] VerificationQuestion1
[31] VerificationResponse1
[32] VerificationQuestion2
I want to say, i didn’t extract anything from any database like username,passwords,adresses,etc

Read More