Posts

Showing posts from January, 2012

kutuphane.tuik.gov.tr | data leak, system compromise, HTTP splitting, XSS.

-Data leak- http://kutuphane.tuik.gov.tr/yordambt/liste.php?-skip=0&-atla=0&-sayfa=01&Alan3=&Alan5=&anatur=&bolum=&alttur=&sekil=&ortam=&dil=&yayintarihi=&kgt=&gorsel=&kurumyayini=&cAlanlar=pollo&aa=eseradi&-max=16&universite=&enstitu=&anabilimdali=&bilimdali=&sureliilkharf=&sure=&biryil=&birdergitrh=&birsayi=&biricindekiler=

The full path is visible in the error messages -> C:\Inetpub\wwwroot\yordambt. Example files: _dil.php | index.php | liste.php | _yardim.php | arama.php | anasayfa.php | url.php

After getting access through an LFI it is possible to see that this is a (Windows) box with the default configuration, with permissions for -Everybody- on some important folders. It is possible to operate much like an administrator with a simple -webshell- script. There are some shared folders without a password on other boxes.

------ The scripts available from the web

www.ascension-tech.com | XSS

This XSS is blocked by the web server: www.ascension-tech.com/searchresults.asp?searWords=<script>alert(document.cookie);</script>&Go.x=0&Go.y=0

This one works without problems, because a JavaScript on the page uses the input without sanitizing it. It seems that only the first single quote (') is escaped... so we add another one: http://www.ascension-tech.com/searchresults.asp?searWords=%27%27%3Balert%28%271%27%29%3Bvar+asd%3D%27&Go.x=12&Go.y=12

The problem is within "Search Engine Builder 2010".

www.ovosodo.net | Flash XSS - SQL injections - possible upload of scripts - administrator privilege escalation (system compromise)

(They are not working anymore; check the web caches.) www.ovosodo.net: XSS in the requests (simple). SQL injection (there is no need to write the injection string ... it is very simple): http://www.ovosodo.net/area_clienti.asp

After *login* it is possible to upload anything, and the uploaded file will be available in http://www.ovosodo.net/images/upload/originali/