Showing posts from January, 2012 | data leak, system compromise, HTTP splitting, XSS.

-Data leak-

The error messages disclose the full installation path on disk:
-> C:\Inetpub\wwwroot\yordambt
Example files: _dil.php | index.php | liste.php | _yardim.php | arama.php | anasayfa.php | url.php

After getting access through an LFI it is possible to see that we are on a Windows box with the default configuration, with permissions for -everybody- on some important folders. With a simple -webshell- script it is possible to operate almost like an administrator.
There are also shared folders without a password on other boxes on the network.

The scripts available from the website are (also…

-XSS-

This XSS is blocked by the web server:
<script>alert(document.cookie);</script>&Go.x=0&Go.y=0

This one works without problems because a JavaScript on the page uses the input without sanitizing it. It seems that only the first single quote (') is escaped, so we simply add another one.
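The partial-escaping bug described above, as an added example (this is not code from the original post or from the affected site): a hypothetical client-side "sanitizer" that escapes only the first single quote, which is exactly what `String.prototype.replace` does with a string pattern or with a regex lacking the `g` flag, next to an escaper that encodes every dangerous character. The function names, the `var q = '...'` template and the payload are all constructed for the example; the check scans the emitted script the way the JS parser would, so it does not have to trust the sanitizer's own claims.

```javascript
// Added example; not code from the original post. All names are hypothetical.

// Vulnerable: a string pattern makes String.prototype.replace substitute only
// the FIRST match (a regex without the g flag behaves the same way), so a
// second quote in the input reaches the emitted script untouched.
function escapeFirstQuoteOnly(input) {
  return input.replace("'", "\\'");
}

// Hardened: \uXXXX-encode every quote, backslash, newline, U+2028/2029 and
// angle bracket, so the value can neither close the literal nor end the
// <script> element. Every occurrence is handled because of the g flag.
function escapeForJsString(input) {
  return input.replace(/[\\'"<>\r\n\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// The page builds an inline script by concatenating the user input into a
// single-quoted literal:  var q = '<value>';
function buildInlineScript(value, escaper) {
  return "var q = '" + escaper(value) + "';";
}

// Scans the literal the way the JS parser does: a backslash consumes the
// next character; the first unescaped quote closes the literal. Returns the
// index of that closing quote, or -1 if the literal never closes.
function stringLiteralEnd(script, open) {
  for (let i = open + 1; i < script.length; i++) {
    if (script[i] === "\\") { i += 1; continue; }
    if (script[i] === "'") return i;
  }
  return -1;
}

// True when the injected value terminates the literal early, i.e. when the
// closing quote is not the one the template put just before the final ';'.
function breaksOutOfLiteral(script) {
  const open = script.indexOf("'");
  return stringLiteralEnd(script, open) !== script.length - 2;
}

// Lets the real parser evaluate the escaped literal and hand back the value,
// to confirm the hardened escaper preserves the input exactly.
function valueSeenByParser(input) {
  return Function("return '" + escapeForJsString(input) + "';")();
}

// Constructed payload: the first quote gets escaped, the second one ends the
// literal and everything after it runs as code (the trailing // comments
// out the template's closing quote so the script still parses).
const payload = "'';alert(document.cookie);//";

const vulnerable = buildInlineScript(payload, escapeFirstQuoteOnly);
const hardened = buildInlineScript(payload, escapeForJsString);

console.log(vulnerable, "->", breaksOutOfLiteral(vulnerable)); // true
console.log(hardened, "->", breaksOutOfLiteral(hardened));     // false
```

Run it with node. The takeaway is that "one quote is escaped" is not a property worth relying on: the check counts unescaped quotes in the output instead of inspecting the sanitizer, and the hardened escaper handles `<` too, because `</script>` inside the literal would otherwise end the script element regardless of how well quotes are handled. Better still is not to concatenate user data into a script at all, and to hand it over in a data attribute or a JSON blob with `<` encoded.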

The problem is within "Search Engine Builder 2010".

-Flash XSS - SQL injection - possible upload of scripts - administrator privilege escalation (system compromise)-

(These no longer work; check the web caches for the original pages.)
XSS in the requests (simple)

SQL injection (there is no need to write out the injection string... it is very simple)

After *login* it is possible to upload anything, which will then be available in