NASA HACKED BY D35M0ND142..

::::::::::::::::::::::::::::HACKED BY D35m0nd142:::::::::::::::::::::::::::::::::::::

 

Target: http://science.gsfc.nasa.gov/

IP Address: 129.164.179.160

HTTP Server: WebServer/1.0

Vulnerability: Blind SQL Injection + WAF Bypass

Author: D35m0nd142

 

 

//                 //

 

Admins have been warned and helped immediatly and the bug has been fixed some days ago (I've personally tested the website) .

Before publishing the news,I wanted wait the bug was fixed, in respect to the admins.

I haven't done and I will not do any type of damage. This attack hasn't any malicious purpose.

I've just listed some tables and most important columns of this database in order to demonstrate the big and dangerous vulnerability, not for fun.

As anyone can see, there are a lot of interesting and sensible informations that could have been taken and exploited by malicious attackers and ,for this reason,this bug needs to be repaired as soon as possible.

I've also uploaded some screenshots (links below) for proof :

 

-  http://imageshack.us/photo/my-images/109/nasa4.png/      <-- Database version 5 request

-  http://imageshack.us/photo/my-images/850/nasa3.png/      <-- Database version 4 request

-  http://imageshack.us/photo/my-images/221/nasa2.png/      <-- "and false" request

-  http://imageshack.us/photo/my-images/29/nasa1.png/       <-- "and true" request

 

//                 //

 

This is the final part of the command "Traceroute" to the website:

 

22  128.183.238.3 (128.183.238.3)  112.575 ms  113.150 ms  113.333 ms

23  * * *       //Firewalled

24  * * *       //Firewalled

25  * * *       //Firewalled

26  * * *       //Firewalled

27  * * *       //Firewalled

28  * * *       //Firewalled

29  * * *       //Firewalled

30  * * *       //Firewalled

 

- It is possible to view that last connections to the website are firewalled, but this web vulnerability allows an attacker to bypass simply all firewalls.

 

Web application technology: ColdFusion, JSP

back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0

               comment injection fingerprint: MySQL 5.1.54

 

- Available Databases [2] :

  [*] information_schema

  [*] sed

 

- Tables for database 'sed' --> [253] :

 

  LRUCACHE

  NewView

  User_log_params

  aor_temp

  attachments

  award

  award_org_code_rel

  award_recipient_urls

  award_recipient_xref

  award_type

  bookmark

  bookmark_subnav

  calendar

  calendar_category

  calendar_contact_events

  calendar_default_category

  calendar_event

  calendar_event_category

  calendar_event_orgcode

  calendar_locations

  calendar_recurid

  calendar_schemes

  calendar_signups

  career_opportunities

  career_opportunities_category

  career_opportunities_type

  career_opportunities_type_rel

  comments

  comments_history_log

  comments_priority_type

  comments_status_type

  computing_information

  cv_awards

  cv_brief_bio

  cv_current_projects

  cv_education

  cv_grants

  cv_groupid

  cv_other_professional_information

  cv_positions_appointments

  cv_presentations_posters

  cv_professional_membership

  cv_professional_services

  cv_publications

  cv_research_interest

  cv_sections

  cv_sections_sort

  cv_selected_public_outreach

  cv_selected_publications

  cv_special_experience

  cv_teaching_experience

  e_category

  e_category_education_rel

  e_category_featured_image_rel

  e_category_image_resources_rel

  e_category_media_rel

  e_category_media_series_rel

  e_category_news_archive_rel

  e_category_questions_answers_rel

  e_content_by_keyword            

  e_discipline            

  e_discipline_education_rel            

  e_discipline_featured_image_rel            

  e_discipline_image_resources_rel          

  e_discipline_media_rel            

  e_discipline_media_series_rel            

  e_discipline_news_archive_rel            

  e_discipline_organization_rel            

  e_discipline_questions_answers            

  e_discipline_questions_answers_rel            

  ePeducation            

  e_education_activity_length            

  e_education_jpl_category_rel            

  e_education_phonebook_rel            

  e_education_site            

  e_education_subtype            

  e_education_type            

  e_featured_image            

  e_featured_items            

  e_grade          

  e_grade_education_rel            

  e_grade_image_resources_rel            

  e_grade_media_rel            

  e_grade_media_series_rel            

  e_image_resources            

  e_index_search_items            

  e_jpl_category            

  e_material_cool_stuff            

  e_materiak_type            

  e_material_type_rel            

  e_media          

  e_media_item            

  e_media_item_rel            

  e_media_item_type            

  e_media_series            

  e_media_series_rel            

  e_mission_media_rel            

  e_mission_media_series_rel            

  e_news_archive            

  e_news_archive_orgcode_rel            

  e_news_archive_phonebook_rel            

  e_questions_answers            

  e_science_at_goddard            

  e_search_education            

  e_search_items            

  e_standards            

  e_standards_education_rel            

  e_standards_type            

  e_technology            

  email_log          

  email_message_template            

  errors          

  event          

  event_type            

  faq          

  faq_type          

  fo@Im@or@tmp            

  group_          

  group_type            

  highlight

  highlight_categories_xref

  highlighp_orgcode_rel

  highlight_phonebook_profile_rel

  highlight_phonebook_rel

  highlight_photo

  highlight_type

  highlight_url

  hor_temp

  internal

  internal_comp_info

  internal_comp_info_orgcode_rel

  internal_docs

  internal_forms

  internal_how_do_i

  internal_how_do_i_section_type

  internal_org_code_rel

  internal_phonebook_profile_rel

  internal_phonebook_rel

  internal_photo

  internal_procurement

  retrieving the length of query output

  internal_procurement_officer

  internal_sas

  internal_type

  internal_url

  job_cat_phonebook_lookupPinfo

  job_cat_phonebook_rel_lookup

  job_categories

  job_titles_load

  localnews

  message

  miqsion_role

  organization

  organization_import            

  organizations_load            

  personmel_role_xref            

  personnej_ro_e_:`HfXinZi&_Fodd8;X            

  phonebook          

  phonebook_load            

  phonebook_organization_rel            

  phonebook_role_rel            

  phonebook_section_fooper_rel            

  phonebook_section_rel            

  photo          

  project          

  project_categories_xref            

  project_class_rel            

  project_class_type            

  project_dhscipline            

  project_discipline_rel            

  project_discipline_type            

  project_orgcode_rel

  project_related_link

  project_roAAAAAAA

  project_role_rel            

  project_status_type            

  project_type            

  project_wavelength_rel            

  project_wavelength_type            

  publication_categories            

  publication_categories_dev            

  publication_discipline_xref            

  publication_status            

  publication_types            

  publications            

  publications_authors_xref            

  publications_categories_xref            

  publications_digestXerrors            

  publications_editors_xref            

  publications_new            

  role          

  role_project_rel            

  role_type          

  science_highlights            

  science_highlights_group_org_rel            

  science_highlights_org_groups            

  science_highlights_phonebook_rel            

  science_highlights_title            

  science_highlights_title_img_rel            

  science_highlights_title_org_rel            

  section          

  section_highlight_type_rel            

  bdpsd DLXDv_tab            

  system_settings            

  tech_facility            

  user          

  user_copy          

  user_log          

  user_organization_rel            

  user_prefs            

  user_role          

  user_role_rel            

  user_role_rel_copy            

  uupics_staff            

  view_featured_image            

  view_featured_image_home            

  view_highlight_news            

  view_highlight_news_home  

 

- Columns from most important tables :

 

Database: sed

Table: user

[8] columns

+------------------+---------------+

| Column           | Type          |

+------------------+---------------+

| affiliation      | varchar(50)   |

| agency_user_id   | varchar(8)    |

| created_date     | datetime      |

| f_active         | enum('Y','N') |

| image_file       | varchar(50)   |

| last_update_date | datetime      |

| last_update_user | varchar(9)    |

| uupic            | varchar(9)    |

+------------------+---------------+

 

Database: sed

Table: email_log

[10] columns

+-----------------+-------------+

| Column          | Type        |

+-----------------+-------------+

| emahl_mimetype  |             |

| email_bcc       | text        |

| email_cc        | text        |

| email_date      | datetime    |

| email_from      | text        |

| email_log_id    | int(11)     |

| email_message   | mediumtext  |

| email_subject   | text        |

| email_to        | text        |

| email_type_name | varchar(20) |

+-----------------+-------------+

 

Database: sed

Table: user_log

[9 columns

+-------------------+--------------+

| Column            | Type         |

+-------------------+--------------+

| `f^login_success` |              |

| created_date      | datetime     |

| info              | varchar(255) |

| ip_address        | varchar(20)  |

| login_date        | datetime     |

| logout_date       | datetime     |

| pageaccessed      | varchar(512) |

| user_id           | varchar(30)  |

| user_log_id       | int(10)      |

+-------------------+--------------+