lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: morning_wood at singapore.net (morning_wood Weinerzucker)
Subject: W-Nikto PHP FrontEnd

I go start new mail list where we can all frolick with fake exploit and XSS! who wanna join?!! Now 0d4y


------------------------------------------------------------------
          - EXPL-A-2003-015 exploitlabs.com Advisory 016 [i dunno what these number mean]
------------------------------------------------------------------
                         -= w-nikto phpFE =-


Donnie Weinerzucker
July 17, 2003
I release advisory of my own scripts! thats how l33t I am


Vunerability(s):
----------------
1. Remote Commands Execution
2. XSS Vulnerability
3. File PERmission issues
4. Bad Code & Credit Stealing


Product:
--------
Wnikto32 PHP Remote Frontend 


http://exploitlabs.com/files/woods/wnikto32-phpfe.zip



Comments:
-------------------
No Blame Me Because I Make Script. I not make nikto
not my fault, i just code bad frontend, blame nikto for
do nothing to protect againt my bad coding. 


almost like inf-scan.  no blame me for working on code 
and putting it out as mine then exploiting it, not my 
fault i can not code



Description of product:
-----------------------
"Wnikto32(vuln scanner i compiled, i l33t) with php remote frontend avail at
http://exploitlabs.com/files/woods/wnikto32-phpfe.zip
 Author: Donnie Werner

Requirements:
Webspace with PHP support.
have been developed over a Apache + PHP
platform running in Windows XP[me never used unix] and have not been fully tested
because I don't knwo how to code

ummm.. ok  hint: it runs on most anything with php installed



VUNERABILITY / EXPLOIT
======================
Another very lame "scanner" frontend type of php script with many flaws...


1. REMOTE COMMAND EXECUTION in the execution of the w-nikto.exe, 
   the frontend passes all input unfiltered.

2. XSS Vunerabilities lay in everything that give output

"<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie
);</SCRIPT>"

the JS code is rendered / executed in the the users browser.

3. No authentication at all done giving anyone remote command access

4. I can't code and only know XSS

5. I suck and should die



EXPLOIT CODE:
-------
input | or ; surrounding most input

see, I know exploit is. you tell me i no know exploit, hah


Local:
------
everything remote is local!!!

Remote:
-------
yup we got XSS and stuff via remote


Vendor Fix:
-----------
There is no fix on 0day because I don't know how to code(look
at what I call advisories, me code?! HAH)



Vendor Contact:
---------------
Yep, and he got mad and pissed his pants while crying for his mother


Credits:
--------

Donnie Werner (morning_wood@...me4.com)
5685 Eagle Pky #2
Ferndale, Wa 98248
360-312-8011 ~ call me if you want to talk about XSS

visit my sites!
exploitlabs.com (maybe some day i learn more than xss)
nothackers.org (the XSS 0y34r ph34r, "Freedom of voice" till you say something i no like)
and other lame sites that have nothing! 

Original advisory may be found at
http://exploitlabs.com/files/advisories/EXPL-A-2003-015-phpfe.txt


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Goodbyes;

I only know XSS, thats why you can look at every script i review and find
alot more holes in them. I can scroll on IRC! I never seen a unix, i think it's
some kinda blackhat thing. I got exploit code! but only fake and exploit for my
own scripts I make. Maybe someone can e-mail me and tell me how to do dns because
I dont know how people can visit my site with www.! lately I complain because
nobody see that im "special"(i lub u mommy!) and servers should never start, I also 
release programs but I dont know how to code. Just call me the unpatched xp kid! 
I got hacked but i dont know yet... i got lots of porn e-mail me for trade. I got my 
chan all logged, ask for logs and you can see how i know nothing.


If anyone saw my post in the "Invaded by morons"  discussion, just ignore that
my comments of "And I think most of you may be in for a big supprise sometime 
in a few weeks from me.... im so incompitent.. sheesh", I also thought my lame
Zope information disclosure/xss was going to make me famous! Because I want to
speak at defcon on how im so elite at XSS that i release it 0d4y! WOOHOO FOR ME



Greets;

Project cOd,  Donnie Weiner, w00w00[u know aim technique, teech aim xss?]
badpack3t(i'm almost as lame as you! nice sploitz!), the cisco kyd, moot bailey,



0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 
   0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y
                        0d4y thinking caps on!

0D4Y EXPLOIT ON FULL DISCLOSURE ~ THEY MAIL YOU PASSWORD BACK IN CLEARTEXT
HAHAHAH HOW LAME THAT IS?!?!@?!@ HAHAHAHHA-ROFLMFAOHAHAHAHHAA


                XSS THE PLANET!!!!!!  YEAHHH!!!!!!!!!!! LUCY!!!!!
                
                                   THE END
                        
-- 
_______________________________________________
Get your free email from http://www.singapore.net
Get US $10 Now: http://www.resource-a-day.com/members2/rsathyamurthy

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ