Exploiting the vulnerability in NASA

The title may confuse you a little bit because, I know, you’re not expecting NASA. But I promise, if you follow me without skipping a single line, I’ll make my point perfectly 😉. If you understand the logic you can forget about the myths. The concept is simple: no one can sanitize a million lines of code without leaving a vulnerability, even if they’re master tech giants, because they’re human beings 😊. First of all, I’m not directing you to an illegal path, & the intention behind this article is to prove that everything is vulnerable; in most cases we’re just not aware of it. So let’s start.
A month ago I penetrated NASA’s domain just out of curiosity & as a result I found a subdomain, .jpl; I hope it’s quite famous. “Into the into” is my classy step, & I succeeded in finding .aviris in the .jpl domain. So I’m a little closer. By going through the source code I found another direction.

“locator” implies a place’s absolute location on Earth. This information is enough for generating a custom word-list, right?
“alt_locator” struck my mind, so I started brute forcing & my word-list hit: the response was 200 for /alt_gulf. (The OK success status response code indicates that the request has succeeded.)

The page was blank, but I wasn’t ready to quit. I’ve had a lot of experience before; I know exactly what to do next. By reading the source code I found a link to another directory: /gulfoilspill_adv.html

This condition was worse but interesting. I visited that page & it seemed to be partitioned. The left side shows Warning, Year AND Month, Pixel Size Image Display, bla bla bla. The other side shows a “Not Found” error.

While checking through the page source I found some other interesting parameters.

filter_viz, fn_contains, spatial, ul_lat, ul_lon etc.
After that, I clicked on the “Images” button (left side); then another error appeared on the right part.

Warning: Illegal string offset ‘Name’ in /websites/aviris/www/alt_gulf/gulf_fusion_table_image.php on line 49
Warning: Illegal string offset ‘FileSize_Gb’ in /websites/aviris/www/alt_gulf/gulf_fusion_table_image.php on line 53
Warning: Illegal string offset ‘FileSize_b’ in /websites/aviris/www/alt_gulf/gulf_fusion_table_image.php on line 54
Warning: Illegal string offset ‘Name’ in /websites/aviris/www/alt_gulf/gulf_fusion_table_image.php on line 55
After reading the errors, I guessed I had to switch somewhere else 😂.
After visiting the directory gulf_fusion_table_image.php, my mind whispered about the parameters I found before. And now it’s time to penetrate 😌😌. After a few minutes of response checking I combined the parameters filter_viz and fn_contains. The entered input is visible on the page itself.
The only condition is:
the value of filter_viz=2 (other numbers didn’t work), and fn_contains=“your INPUT”.

Here I used “hehe” as my input value & it succeeded! Now it’s time for the signature move → exploit the vulnerable point. The <a> tag defines a hyperlink, which is used to link from one page to another. I successfully injected one & the link’s destination is my Medium profile (POC is given below).

After this, I also tried XSS & injected at the same point. The result is shown below :)

BOOM….!!! The desired aim is done.
You can check out the video I uploaded on YouTube (POC).
Feel free to connect on Twitter @7h3h4ckv157
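
For whoever maintains a page like this, the two findings above (PHP warnings printed into the response, and fn_contains echoed back as markup) have a small server-side fix. The sketch below is an added example, not the site's code: the function names, the allowlist of filter_viz values and the sample rows are hypothetical; only the parameter and column names come from the write-up.

```php
<?php
// Added illustration: NOT the code behind gulf_fusion_table_image.php.
// Function names, the allowlist and the sample rows are hypothetical.
declare(strict_types=1);

// Keep warnings (and the filesystem paths they contain) out of responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Encode for an HTML text or quoted-attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Illegal string offset" means a string was indexed like an array,
// so verify the shape of each row before reading a column.
function row_field($row, string $key): string {
    if (!is_array($row) || !array_key_exists($key, $row)) {
        return '';
    }
    return h((string) $row[$key]);
}

// Before: the reflected value reaches the page as markup.
function render_unsafe(array $q): string {
    return '<p>Filename contains: ' . ($q['fn_contains'] ?? '') . '</p>';
}

// After: filter_viz must be an expected integer, fn_contains is encoded.
function render_safe(array $q, array $allowedViz = [1, 2, 3]): string {
    $viz = filter_var($q['filter_viz'] ?? null, FILTER_VALIDATE_INT);
    if ($viz === false || !in_array($viz, $allowedViz, true)) {
        return '<p>Invalid filter.</p>';
    }
    $needle = $q['fn_contains'] ?? '';
    if (!is_string($needle) || strlen($needle) > 64) {
        return '<p>Invalid filename filter.</p>';
    }
    return '<p>Filename contains: ' . h($needle) . '</p>';
}

// Constructed request and rows (the second row is malformed on purpose).
$q = ['filter_viz' => '2', 'fn_contains' => '<a href="https://example.test/">hehe</a>'];
echo render_unsafe($q), PHP_EOL;   // the anchor tag is emitted as live markup
echo render_safe($q), PHP_EOL;     // the same input is emitted as inert text
foreach ([['Name' => 'f1<b>', 'FileSize_Gb' => '1.2'], 'not-a-row'] as $row) {
    echo row_field($row, 'Name'), ' ', row_field($row, 'FileSize_Gb'), PHP_EOL;
}
```

Run it with the PHP CLI to compare the two renderings; in production the display_errors setting belongs in php.ini rather than in each script.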
