Tuesday, 31 January 2012

http://servizi.pdl.it/ | XSS


in the form

Friday, 13 January 2012

kutuphane.tuik.gov.tr | data leak, system compromise, HTTP splitting, XSS.

-Data leak-


We can see the full path in the error messages:
-> C:\Inetpub\wwwroot\yordambt
e.g. files: _dil.php | index.php | liste.php | _yardim.php | arama.php | anasayfa.php | url.php

After getting access through an LFI, it's possible to see that we are on a (Windows) box with the default configuration, with permissions for -Everyone- on some important folders. It's possible to operate almost like an administrator with a simple -webshell- script.
There are some shared folders without a password on other boxes.

The scripts available from the website are (also) interacting with other web servers on the local network, where other documents are located.

This information can be taken from a simple search.
Sample URL:

where we can clearly see a base64-encoded string (aHR0cDovLzEwLjEuMi40OS9wZGYvMDAxNjM4NC5wZGY -> ).

and we can easily change the redirect to any other website (the Location header).

This example redirects to this website/blog (http://trueliarx.blogspot.com).

Obviously we are facing an HTTP response splitting problem, and we can inject other malicious content instead of redirecting.
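To make the redirector problem concrete, here is an added example (not code from the original post and not the site's own url.php): a small Node.js model of a script that takes a base64-encoded target, decodes it the way the page's sample parameter decodes, and writes it into a Location header. The vulnerable version shows how a CR LF inside the decoded value splits the response; the hardened version rejects control characters and only redirects to an allowlisted internal host. The parameter handling, the raw response building and the allowlist contents are assumptions for illustration.

```javascript
// Added example, not code from the page or from the kutuphane.tuik.gov.tr
// scripts: a minimal model of a redirector that, like the url.php described
// above, takes a base64-encoded target and answers with a Location header.
// The parameter handling, the raw response building and the allowlist contents
// are assumptions for illustration.

// Sample parameter value quoted on the page (no "=" padding, as shown there).
const SAMPLE_PARAM = 'aHR0cDovLzEwLjEuMi40OS9wZGYvMDAxNjM4NC5wZGY';

// Buffer.from() tolerates stripped base64 padding, so this decodes the sample
// as-is.  -> "http://10.1.2.49/pdf/0016384.pdf"
function decodeTarget(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Encode a target the way the page's sample is encoded (trailing "=" removed).
function encodeTarget(url) {
  return Buffer.from(url, 'utf8').toString('base64').replace(/=+$/, '');
}

// Vulnerable: the decoded value is copied straight into the Location header of
// a raw HTTP response. A CR LF inside it ends the header, so the caller can
// append extra headers or even a complete second response (response splitting).
function vulnerableRedirect(b64) {
  const target = decodeTarget(b64);
  return 'HTTP/1.1 302 Found\r\n' +
         'Location: ' + target + '\r\n' +
         'Content-Length: 0\r\n' +
         '\r\n';
}

// Hardened: refuse control characters, parse the URL, and only redirect to the
// internal document servers the scripts are meant to reach.
const ALLOWED_HOSTS = new Set(['10.1.2.49']);   // assumed allowlist
const BAD_REQUEST = 'HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n';

function safeRedirect(b64) {
  const target = decodeTarget(b64);
  if (/[\r\n\0]/.test(target)) return BAD_REQUEST;            // header injection attempt
  let url;
  try { url = new URL(target); } catch (e) { return BAD_REQUEST; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return BAD_REQUEST;
  if (!ALLOWED_HOSTS.has(url.hostname)) return BAD_REQUEST;    // open redirect attempt
  return 'HTTP/1.1 302 Found\r\n' +
         'Location: ' + url.href + '\r\n' +
         'Content-Length: 0\r\n' +
         '\r\n';
}

// Header names present in a raw response, so an injected header is visible.
function headerNames(response) {
  const head = response.split('\r\n\r\n')[0];
  return head.split('\r\n').slice(1).map(line => line.split(':')[0]);
}

// Constructed attacker value: a redirect to the blog plus an injected header.
const INJECTED_PARAM = encodeTarget('http://trueliarx.blogspot.com\r\nX-Injected: 1');

console.log(decodeTarget(SAMPLE_PARAM));                  // the internal document URL
console.log(headerNames(vulnerableRedirect(INJECTED_PARAM))); // Location, X-Injected, Content-Length
console.log(safeRedirect(INJECTED_PARAM).split('\r\n')[0]);   // HTTP/1.1 400 Bad Request
```

Note that a real PHP header() call in current versions refuses values containing newlines, but the allowlist check is still needed: without it the script remains an open redirect to any host, which is what the blog's own example (redirecting to trueliarx.blogspot.com) demonstrates.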


I suppose that the website has something to do with a -library- (?). I cannot understand Turkish.

Thursday, 12 January 2012

www.ascension-tech.com | XSS

This XSS is blocked by the web server.

This one works without problems because a JavaScript function uses the input without sanitizing it. It seems that only the first ' single quote is escaped... so we add another one.

The problem is within "Search Engine Builder 2010"
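The "only the first quote is escaped" behaviour described above is worth seeing in code. The following is an added example, not code from the original post and not the code of "Search Engine Builder 2010": a reconstruction of the pattern where a search term is copied into an inline script, with three filters side by side (first quote only, every quote, and a proper string literal). It goes slightly beyond the post by also showing that escaping every quote is still not enough once a backslash is in play. Function names, the emitted script fragment and the payloads are assumptions built for illustration.

```javascript
// Added example, not code from ascension-tech.com or from "Search Engine
// Builder 2010": a reconstruction of the failure mode described above, where
// a search term is copied into an inline script and only the first single
// quote gets escaped. Function names, the emitted script and the payloads are
// assumptions built for illustration.

// Broken filter 1: with a string pattern, String.prototype.replace rewrites
// only the FIRST match, so the second quote in "a'b'c" survives untouched.
function escapeFirstQuoteOnly(term) {
  return term.replace("'", "\\'");
}

// Broken filter 2: escaping every quote is still not enough, because a
// backslash in the input neutralizes the escaping backslash.
function escapeAllQuotes(term) {
  return term.replace(/'/g, "\\'");
}

// Correct: emit a complete JavaScript string literal with every quote,
// backslash and control character escaped. "<" is escaped too, so a
// "</script>" inside the term cannot close the surrounding HTML script element.
function jsStringLiteral(term) {
  return JSON.stringify(term).replace(/</g, '\\u003c');
}

// The inline script such a page emits: the term lands inside a single-quoted
// literal and is then handed to the search routine.
function buildSearchScript(term, escapeFn) {
  return "var q = '" + escapeFn(term) + "'; runSearch(q);";
}

function buildSearchScriptSafe(term) {
  return 'var q = ' + jsStringLiteral(term) + '; runSearch(q);';
}

// Run a generated fragment with stubbed runSearch() and alert() and return the
// calls it made, so the breakout is demonstrated rather than eyeballed.
function execute(script) {
  const calls = [];
  const run = new Function('runSearch', 'alert', script);
  run(q => calls.push(['runSearch', q]), x => calls.push(['alert', x]));
  return calls;
}

// Constructed payloads: the first carries two quotes (the author's "add
// another one"); the second defeats a filter that escapes every quote.
const TWO_QUOTE_PAYLOAD = "'';alert(1);//";
const BACKSLASH_PAYLOAD = "\\';alert(1);//";

console.log(execute(buildSearchScript("O'Reilly", escapeFirstQuoteOnly)));       // [['runSearch', "O'Reilly"]]
console.log(execute(buildSearchScript(TWO_QUOTE_PAYLOAD, escapeFirstQuoteOnly))); // [['alert', 1]]
console.log(execute(buildSearchScript(BACKSLASH_PAYLOAD, escapeAllQuotes)));      // [['alert', 1]]
console.log(execute(buildSearchScriptSafe(TWO_QUOTE_PAYLOAD)));                   // [['runSearch', "'';alert(1);//"]]
```

The harmless term "O'Reilly" is why such a filter looks correct in testing: a single quote is handled, and only a term with two quotes (or a backslash before the quote) escapes the literal.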

www.ovosodo.net | Flash XSS - SQL injection - possible upload of scripts - administrator privilege escalation (system compromise)

(they are not working anymore - check web caches)
XSS in the requests (simple)

SQL injection (there's no need to write the injection string... it's very simple)

After *login* it's possible to upload anything, which will be available in