maddo/Regalamiunsorriso
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Reconnaisance update

Browse source
This commit is contained in:
MaddoScientisto 2026-04-18 12:19:43 +02:00
commit 85d6dff580
3 changed files with 102 additions and 86 deletions
Download patch file Download diff file Expand all files Collapse all files

20
.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md vendored
View file

@ -57,22 +57,26 @@ ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c 'c
- Older duplicate trees: `/home/sites/regalamiunsorriso/wwwLang/mailMessage` and `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage`
- During the 2026-04-16 reconnaissance, representative checksums differed between `www/mailMessage` and `wwwLang/mailMessage`, so they are not interchangeable copies.
- The Java application configuration lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`.
- `web.xml` defines the main application DB connection as `dbDriver=3`, `database=//localhost/pg`, `user=root`, `password=root`.
- `rus/WEB-INF/web.xml` defines an older or alternate application DB connection as `dbDriver=3`, `database=//localhost/pg`, `user=root`, `password=root`.
- `www/WEB-INF/web.xml` contains the stronger live SQL lead: `dbDriver=17`, `database=//192.168.10.250/pg`, `catalog=pg`, `user=root`, `password=root`, with a description hint `250658#` that corresponds to the server password and an alternate endpoint hint `//localhost:3308/pg`.
- `truckservice.properties` defines a second DB connection as `dbDriver=3`, `dbName=//localhost/truckservice`, `user=root`, `password=root`.
- In this codebase, `dbDriver=3` maps to MySQL Connector/J, not to a legacy non-MySQL driver.
- `dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all set `USE_PARM_HT=true`, which means runtime values are expected to come from the application `Parm` store.
- In code, `DBAdapter.getDocBase()` resolves to `getParm("DOCBASE").getTesto()`, and mail-template lookups use `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`.
- In code, `Parm.findByCodice()` reads from `PARM` with `select A.* from PARM AS A where A.codice='...'`, so the live `PARM` table is the authoritative lookup point for these values.
- `pg_src/com/ablia/pg/Users.java` seeds defaults for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html` when the parameters are missing.
- Read-only validation plus later DBeaver confirmation established that the reachable live SQL path is `192.168.10.250:3306`, database `pg`, user `root`, password `root`.
- The `250658#` value should be treated as the server password hint noted in `www/WEB-INF/web.xml`, not as the database password.
- The validated live `PARM` rows included:
- `DOCBASE=/home/www/regalamiunsorriso/do`
- `MAIL_MSG_PATH_MAILER=phpmailer/regala_un_sorriso/`
- `MAIL_NO_MORE=mail_no_more.html`
- `MAIL_NO_MORE_SCAD=mail_no_more_scad.html`
- `MAIL_REG=mail_reg.html`
- Because of that indirection, changing files under a `mailMessage` directory is not sufficient proof that outbound mail content will change. The effective `DOCBASE` and mail-template parameter values must also be checked in the live `Parm` data.
- For mail-template reconnaissance, avoid recursing into `/mnt/da1/foto` via the `RUS` symlink unless the task explicitly concerns photo storage. It adds permission noise and did not help identify the email-template source.
- Read-only DB access notes from 2026-04-16:
- The host has PHP CLI at `/usr/local/bin/php` with both `mysqli` and `pdo_mysql` enabled.
- A piped PHP script over SSH is a reliable way to run read-only DB probes without creating files on the server.
- `mysqli('localhost', ...)` fails with `No such file or directory`, which indicates PHP tries a Unix socket path that is not present or not configured.
- `mysqli('127.0.0.1', ...)` fails with `Connection refused`, and `sockstat` showed no listener on port `3306` and no visible MySQL Unix socket under `/var/run`, `/tmp`, or `/usr/local/var`.
- No `mysql` or `mariadb` client binary was found in the shell path.
- Result: the app configuration clearly points at MySQL, but direct DB access from the current shell remains unresolved and must be revalidated before relying on live SQL queries.
- `127.0.0.1:3308` refused connections from the shell during the same investigation, so the localhost hint in `www/WEB-INF/web.xml` should not be treated as the current working shell path without revalidation.
- Do not upload, stage, or leave ad hoc PHP or SQL helper scripts on the server during reconnaissance. Any future live DB query method must be explicitly approved first.
## MCP Limitation