There's a sort of WAF on all the websites but it can be easily tricked by not using the most common terms like /passwd, etc.
-
http://www.dieti.unina.it
Ubuntu
Joomla 2.5.8
Admin can be changed (admin takeover) even if there's the external login for the users.
PHP files can be uploaded via
administrator/components/com_media/helpers/media.php
com_gcalendar is vulnerable and should be upgraded to dpcalendar.
---
http://www.digita.unina.it/
WordPress 4.8.1
http://www.digita.unina.it/digita/wp-login.php
sds_dj32f
lizzi
---
http://www.elettrotecnica.unina.it/grupponazionale/vedirisorsa.php?ID=[blind sql]
archived error: http://archive.is/Zw3Ua
/home/httpd/elettrotecnica/grupponazionale/
---
XSS
http://www.comeallacorte.unina.it/ediz_precedenti.php?ediz=2007-2008%3Cscript%3Ealert(document.cookie);%3C/script%3E
---
SQL Injection
http://www.filclass.unina.it/dett_news.php?news_id=[SQL Injection]62&area_id=7
sample error archived: http://archive.is/2SO9a
select DATE_FORMAT(news_data, '%d/%m/%Y') as data ,news_periodo_desc,news_titolo,news_testo,news_allegato_1,news_allegato_2,tnews_id from tnews where news_id = 62
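How the lookup above can be written so that news_id is validated and bound, and so that a database error no longer echoes the statement back to the visitor. This is an added example, not code from the site: the site's stack is not shown on this page, so sqlite3 stands in for the database and strftime for DATE_FORMAT, and the function names and sample rows are constructed.

```python
import logging
import sqlite3

log = logging.getLogger("news")

# Column list from the query leaked in the error page; strftime stands in
# for MySQL's DATE_FORMAT because this sketch runs on sqlite3 (assumption).
QUERY = (
    "SELECT strftime('%d/%m/%Y', news_data) AS data, news_periodo_desc, "
    "news_titolo, news_testo, news_allegato_1, news_allegato_2, tnews_id "
    "FROM tnews WHERE news_id = ?"
)


def make_demo_db():
    """Constructed in-memory table with two sample rows (hypothetical data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tnews (news_id INTEGER PRIMARY KEY, news_data TEXT, "
        "news_periodo_desc TEXT, news_titolo TEXT, news_testo TEXT, "
        "news_allegato_1 TEXT, news_allegato_2 TEXT, tnews_id INTEGER)"
    )
    db.executemany(
        "INSERT INTO tnews VALUES (?, ?, '', ?, '', NULL, NULL, 1)",
        [(61, "2017-09-01", "older item"), (62, "2017-10-02", "sample item")],
    )
    return db


def get_news(db, raw_news_id):
    """Return (status, body) for a request carrying news_id=raw_news_id."""
    # 1. Allow-list the parameter: ASCII digits only, bounded length.
    if not (raw_news_id.isascii() and raw_news_id.isdigit()
            and len(raw_news_id) <= 9):
        return 400, "invalid news_id"
    try:
        # 2. Bind the value; it is never spliced into the SQL text.
        row = db.execute(QUERY, (int(raw_news_id),)).fetchone()
    except sqlite3.Error:
        # 3. Log details server-side; never echo the statement to the client.
        log.exception("news lookup failed")
        return 500, "internal error"
    if row is None:
        return 404, "not found"
    return 200, {"data": row[0], "titolo": row[2]}
```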
---
Joomla! with several vulnerabilities (no need to list the problems, they are quite common):
http://www.diarc.unina.it/
http://www.ceinge.unina.it
http://www.master-ris.unina.it/
http://www.sicc-it.unina.it
___
http://www.concorsi.unina.it/
Passwords are stored in plain text (not hash) and can be retrieved for all the registered users.
Anybody can register and manipulate other accounts.
(sample fake account)
Codice Fiscale: RDLRLF80A01D247M
Password: RVENDOMIEU
Nome: radolfo
Cognome: radolfo
Data di Nascita: 1/01/1980
http://www.concorsi.unina.it/dottric/iscrizione/insertUser.jsp
http://www.concorsi.unina.it/dottric/IdentificazioneAmm.jsp
http://www.concorsi.unina.it/dottric/visualizzazione/Elenco.jsp
http://www.concorsi.unina.it/dottric/Amministrazione/recuperaPwd.jsp
http://www.concorsi.unina.it/dottric/visualizzazione/Dettagli.jsp?bando=DOTT131
http://www.concorsi.unina.it/dottric/visualizzazione/Dettagli.jsp?bando=DOTT111
http://www.concorsi.unina.it/dottric/visualizzazione/DettagliLingue.jsp?bando=DOTT131
__
http://www.sba.unina.it
uses the Glizy framework
The framework is outdated: http://www.minervaeurope.org/structure/workinggroups/userneeds/prototipo/cms/download.html
/admin/index.php
MW/config/config.xml <--- where you can find the configuration data
______
http://www.medicinacds.unina.it
I used the previously registered RDLRLF80A01D247M
and, as suggested by the errors (M3900XXXX), a random "matricola" number, M39001234
Anno: 6
Nome: radolfo
Cognome: radolfo
We can also force the booking/"prenotazione" by choosing a different value for "scelta"
sample: http://www.medicinacds.unina.it/ade/rec_scheda.php?scelta=563
When submitting data we can subscribe/book other people, modify the submitted "matricola", get the user data (including password).
There's no need for an authorization/login to check the calendar
http://www.medicinacds.unina.it/ade/ade_calendarioperanno.php
archived: http://archive.is/9ws87
Several other problems on tomcat, outdated stuff and so on. Quite boring...
Note: I haven't modified any record or dumped/saved any confidential information.