
NASA HACKED BY D35M0ND142..

By: D35M0ND142 on Jan 3rd, 2013  |  syntax: None  |  size: 10.05 KB  |  views: 3,827  |  expires: Never
::::::::::::::::::::::::::::HACKED BY D35m0nd142:::::::::::::::::::::::::::::::::::::

Target: http://science.gsfc.nasa.gov/
IP Address: 129.164.179.160
HTTP Server: WebServer/1.0
Vulnerability: Blind SQL Injection + WAF Bypass
Author: D35m0nd142


//                 //

Admins have been warned and helped immediately, and the bug was fixed some days ago (I've personally tested the website).
Before publishing the news, I wanted to wait until the bug was fixed, out of respect for the admins.
I haven't done and will not do any type of damage. This attack has no malicious purpose.
I've just listed some tables and the most important columns of this database in order to demonstrate the big and dangerous vulnerability, not for fun.
As anyone can see, there is a lot of interesting and sensitive information that could have been taken and exploited by malicious attackers and, for this reason, this bug needs to be repaired as soon as possible.
I've also uploaded some screenshots (links below) as proof:

-  http://imageshack.us/photo/my-images/109/nasa4.png/      <-- Database version 5 request
-  http://imageshack.us/photo/my-images/850/nasa3.png/      <-- Database version 4 request
-  http://imageshack.us/photo/my-images/221/nasa2.png/      <-- "and false" request
-  http://imageshack.us/photo/my-images/29/nasa1.png/       <-- "and true" request

//                 //

This is the final part of the output of the command "Traceroute" to the website:

22  128.183.238.3 (128.183.238.3)  112.575 ms  113.150 ms  113.333 ms
23  * * *       //Firewalled
24  * * *       //Firewalled
25  * * *       //Firewalled
26  * * *       //Firewalled
27  * * *       //Firewalled
28  * * *       //Firewalled
29  * * *       //Firewalled
30  * * *       //Firewalled

- It is possible to see that the last connections to the website are firewalled, but this web vulnerability simply allows an attacker to bypass all firewalls.

Web application technology: ColdFusion, JSP
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
               comment injection fingerprint: MySQL 5.1.54

- Available Databases [2] :
  [*] information_schema
  [*] sed

- Tables for database 'sed' --> [253] :


- Columns from most important tables :

Database: sed
Table: user
[8] columns
+------------------+---------------+
| Column           | Type          |
+------------------+---------------+
| affiliation      | varchar(50)   |
| agency_user_id   | varchar(8)    |
| created_date     | datetime      |
| f_active         | enum('Y','N') |
| image_file       | varchar(50)   |
| last_update_date | datetime      |
| last_update_user | varchar(9)    |
| uupic            | varchar(9)    |
+------------------+---------------+

Database: sed
Table: email_log
[10] columns
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| emahl_mimetype  |             |
| email_bcc       | text        |
| email_cc        | text        |
| email_date      | datetime    |
| email_from      | text        |
| email_log_id    | int(11)     |
| email_message   | mediumtext  |
| email_subject   | text        |
| email_to        | text        |
| email_type_name | varchar(20) |
+-----------------+-------------+

Database: sed
Table: user_log
[9] columns
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| `f^login_success` |              |
| created_date      | datetime     |
| info              | varchar(255) |
| ip_address        | varchar(20)  |
| login_date        | datetime     |
| logout_date       | datetime     |
| pageaccessed      | varchar(512) |
| user_id           | varchar(30)  |
| user_log_id       | int(10)      |
+-------------------+--------------+