NASA earthobservatory Blind SQL Injection

2017.09.15
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

----------------------------------------------------------------------------------------- | Exploit Title : NASA Blind SQL Injection | Google Dork : site:nasa.gov inurl:.view.php?id= | Date : 15/09/2017 | Exploit Author : nasa.gov | Vendor Homepage : nasa.gov | Software Link : nasa.gov | Version : 1.0 | Tested on : Windows10 , Firefox | |+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | | | Proof of concept : NASA Blind SQL Injection | | 1 - Search this Google Dork : site:nasa.gov inurl:.view.php?id= | 2 - Find The ( earthobservatory ) Subdomain of NASA | 3 - True Site : ( https://earthobservatory.nasa.gov ) | 4 - Now , We Have a website with low security ! :) | 5 - This Site is using ( PHP Programming Lang ) Ver : 5 | Without Security measures ! | 6 - Step 1 : Test SQL Injection VULNERABILITY , with add ( " or ' ) end of number value in url Like : [ view.php?id=4215' ] | 7 - Step 2 : May you receive unknown errors , Like : 404 , Forbidden , You have not perm to see & .... | 8 - Step 3 : Now , you are be forced to ( Bypass ) This errors to continue Pentesting | 9 - Step 4 : then , may you need to bypass ( Order , group , ... ) & Null to see true data ... | 10 - The End , Complete Your Injection & Enjoy Of Hacking ...! | | | DEMO : | | https://earthobservatory.nasa.gov/IOTD//view.php?id=4215' [Blind SQL Injection VULNERABILITY] | | | | | +++ Discovered by : Mohammad Babaee | Don't forget me ...! | I will come back soon :) | | -----------------------------------------------------------------------------------------


Vote for this issue:
44%
56%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top