Title:Government Web Vulns Write Up
Created:Jan 8th, 2023
Created by: JohnLynch
Views: 417
Comments: 0
Notes: I first started doing this out of curiosity, and to my surprise, our government's web infrastructure is F*CKED! I started by looking up government domains on VirusTotal to see historic ICMP resolutions. I found a few peculiar NetBlocks that seemed out of place and decided to scan them. To my surprise, a SHIT ton of government back-end web servers popped up. Some of them had 403 Forbiddens (listed under Section "Z" in "Misc"), while others had some "spicy" surprises (SHIT TONS of XSS vulns). Feel free to do whatever you want with these, and enjoy!

A: (U.S. Department Of Veterans)
http://52.3.186.159/
[1. Back End IP Accessible! Could be DDoSed - Found At: Root (/)]
[2. Reflective XSS via URI Request (When the URI is set to 1<script>FX50(TEST)</script> the string "TEST" is reflected back inside the text element within the HTML document.)]
[ - Found At: http://52.3.186.159/_next/static/s-_yNRUQssrlD9pB4qguB]
[3. No X-Frame-Options Header (Could allow attackers to run arbitrary / foreign code within the site's HTML structure via IFrame attributes)]
[ - Found In Header Of Webserver]
-------------------------------------------------------
B: United States Chemical Weapons Convention / CWC WEB DESI
https://170.110.225.20/$
[1. XSS Vuln (Could be used to run arbitrary / foreign JavaScript code inside of the HTML webpage structure when Param "IWSessionID"'s value is set to "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>")]
[ - Found At: https://170.110.225.20/$/?BTNCANCEL=1&BTNLOGIN=1&EDITPASSWORD=1&EDTUSERID=1&EDTUSERID=1&IWCBTERMS_CHECKBOX=1&IW_Action=1&IW_ActionParam=1&IW_FormClass=1&IW_FormName=1&IW_height=1&IW_SessionID_=<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> ]
[2. Back End IP Accessible! Could be DDoSed - Found At: Root (/)]
-------------------------------------------------------
C: U.S. Department of Commerce
[1. Found / Fuzzed Sensitive Directories (Could be accessed with .htaccess file)]
[https://170.110.225.177/editor/]
[https://170.110.225.177/archives/]
[https://170.110.225.177/images]
[https://170.110.225.177/js]
[https://170.110.225.177/scripts]
[https://170.110.225.177/upload]
[2. Microsoft IIS tilde directory enumeration (Allows attackers to detect and find the names of files, as well as directories, which use an 8.3 file naming scheme)]
[ - Found At: Root (/)]
[3. Back End IP Accessible! Could be DDoSed - Found At: Root (/)]
-------------------------------------------------------
D: United States National Telecommunications and Information Administration
[1. XSS Vuln (Could be used to run arbitrary / foreign JavaScript code inside of the HTML webpage structure when Param "Lang"'s value is set to "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>")]
[ - Found At: https://170.110.225.214/bizflow/sessionerror.jsp?lang=%3CIMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))%3E ]
[2. Back End IP Accessible! Could be DDoSed - Found At: Root (/)]
[3. .htaccess File Exposed (Could allow attackers to view webpages with a 403 forbidden.)]
[ - Found At: https://170.110.225.214/bizflow/includes/ckeditor/.htaccess]
-------------------------------------------------------
Z: Misc Gov Backends
https://170.110.225.211/
https://170.110.224.252/
https://170.110.224.239/
https://206.241.31.81/
https://170.110.225.177/
https://170.110.225.196/
------------------
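Added example, not part of the post above and not code from any of the sites it lists: a small Python model of the two defects the post describes. It reflects a query parameter into HTML the unsafe way and the entity-encoded way, uses the two payload strings quoted in the post as constructed input to show that encoding leaves no injected markup, and checks a response header set for X-Frame-Options or a CSP frame-ancestors directive (the header entry A.3 says is absent). All function names and sample headers are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed test input: the two payload strings quoted in the write-up.
PAYLOADS = [
    '1<script>FX50(TEST)</script>',
    '<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>',
]


def render_unsafe(value: str) -> str:
    """Reflect a parameter verbatim: the defect reported for the session-error pages."""
    return f"<p>Session error for: {value}</p>"


def render_safe(value: str) -> str:
    """Reflect the same value with HTML entity encoding, so it is shown as text, not markup."""
    return f"<p>Session error for: {html.escape(value, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Record every start tag a browser-style parser sees in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(document: str) -> list[str]:
    """Tags other than the template's own <p>, i.e. markup contributed by the parameter."""
    collector = TagCollector()
    collector.feed(document)
    return [t for t in collector.tags if t != "p"]


def frame_protection(headers: dict[str, str]) -> bool:
    """True when a response forbids framing via X-Frame-Options or CSP frame-ancestors."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    return "frame-ancestors" in lowered.get("content-security-policy", "").lower()


if __name__ == "__main__":
    for p in PAYLOADS:
        print("unsafe:", injected_tags(render_unsafe(p)), " safe:", injected_tags(render_safe(p)))
    print("framing blocked:", frame_protection({"Server": "nginx"}))
```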