The H Security

General discussion about the channel and its contents

security Forums
> The H Security
> NASA JPL Hacked using SQL Injection

Posting
Thread
Reply
E-Mail
New Topic

vinnu (4 postings since 21 Jan 2010)

NASA JPL Hacked using SQL Injection 26 January 2010 16:14

Namaste

Several nasa.gov subdomains have been found vulnerable to SQL
injection.
And their exploitation techniques are step-by-step prescribed on
Orkut in "Ethical Hacking Tutorials" community.

NASA use variety of database servers from Sybase to Oracle and though
the sites seem immune to the attack at first sight, but they have
some parameters unsanitised leading to sites vulnerable to SQL
injection.

Some of vulnerable subdomains are:

http://sbir.nasa.gov
http://www-pds.jpl.nasa.gov
-----
and so many.

Though the injection vectors are not so simple, one of injection
vector for exploitation of Sybase Adaptive server is:

')+OR+1=0+OR+57=rand(convert('NUMERIC,'||(select+@@version))%252b9000
00000000000000000000)--

The password hashes has been grabbed and are in MD5 digest.

"vinnu"
LOX (Legion Of Xtremers) India

Posting
Thread
Reply
E-Mail
New Topic

Threaded View
Flat View

The H Security

General discussion about the channel and its contents

NASA JPL Hacked using SQL Injection 26 January 2010 16:14

The H

The H open source

The H Security

The H Internet Toolkit