[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030718014448.23015.qmail@singapore.net>
From: morning_wood at singapore.net (morning_wood Weinerzucker)
Subject: W-Nikto PHP FrontEnd [twice, YAY!!!]
I go start new mail list where we can all frolick with fake exploit and XSS! who wanna join?!! Now 0d4y
------------------------------------------------------------------
- EXPL-A-2003-015 exploitlabs.com Advisory 016 [i dunno what these number mean]
------------------------------------------------------------------
-= w-nikto phpFE =-
Donnie Weinerzucker
July 17, 2003
I release advisory of my own scripts! thats how l33t I am
Vunerability(s):
----------------
1. Remote Commands Execution
2. XSS Vulnerability
3. File PERmission issues
4. Bad Code & Credit Stealing
Product:
--------
Wnikto32 PHP Remote Frontend
http://exploitlabs.com/files/woods/wnikto32-phpfe.zip
Comments:
-------------------
No Blame Me Because I Make Script. I not make nikto
not my fault, i just code bad frontend, blame nikto for
do nothing to protect againt my bad coding.
almost like inf-scan. no blame me for working on code
and putting it out as mine then exploiting it, not my
fault i can not code
Description of product:
-----------------------
"Wnikto32(vuln scanner i compiled, i l33t) with php remote frontend avail at
http://exploitlabs.com/files/woods/wnikto32-phpfe.zip
Author: Donnie Werner
Requirements:
Webspace with PHP support.
have been developed over a Apache + PHP
platform running in Windows XP[me never used unix] and have not been fully tested
because I don't knwo how to code
ummm.. ok hint: it runs on most anything with php installed
VUNERABILITY / EXPLOIT
======================
Another very lame "scanner" frontend type of php script with many flaws...
1. REMOTE COMMAND EXECUTION in the execution of the w-nikto.exe,
the frontend passes all input unfiltered.
2. XSS Vunerabilities lay in everything that give output
"<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie
);</SCRIPT>"
the JS code is rendered / executed in the the users browser.
3. No authentication at all done giving anyone remote command access
4. I can't code and only know XSS
5. I suck and should die
EXPLOIT CODE:
-------
input | or ; surrounding most input
see, I know exploit is. you tell me i no know exploit, hah
Local:
------
everything remote is local!!!
Remote:
-------
yup we got XSS and stuff via remote
Vendor Fix:
-----------
There is no fix on 0day because I don't know how to code(look
at what I call advisories, me code?! HAH)
Vendor Contact:
---------------
Yep, and he got mad and pissed his pants while crying for his mother
Credits:
--------
Donnie Werner (morning_wood@...me4.com)
5685 Eagle Pky #2
Ferndale, Wa 98248
360-312-8011 ~ call me if you want to talk about XSS
visit my sites!
exploitlabs.com (maybe some day i learn more than xss)
nothackers.org (the XSS 0y34r ph34r, "Freedom of voice" till you say something i no like)
and other lame sites that have nothing!
Original advisory may be found at
http://exploitlabs.com/files/advisories/EXPL-A-2003-015-phpfe.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Goodbyes;
I only know XSS, thats why you can look at every script i review and find
alot more holes in them. I can scroll on IRC! I never seen a unix, i think it's
some kinda blackhat thing. I got exploit code! but only fake and exploit for my
own scripts I make. Maybe someone can e-mail me and tell me how to do dns because
I dont know how people can visit my site with www.! lately I complain because
nobody see that im "special"(i lub u mommy!) and servers should never start, I also
release programs but I dont know how to code. Just call me the unpatched xp kid!
I got hacked but i dont know yet... i got lots of porn e-mail me for trade. I got my
chan all logged, ask for logs and you can see how i know nothing.
If anyone saw my post in the "Invaded by morons" discussion, just ignore that
my comments of "And I think most of you may be in for a big supprise sometime
in a few weeks from me.... im so incompitent.. sheesh", I also thought my lame
Zope information disclosure/xss was going to make me famous! Because I want to
speak at defcon on how im so elite at XSS that i release it 0d4y! WOOHOO FOR ME
Greets;
Project cOd, Donnie Weiner, w00w00[u know aim technique, teech aim xss?]
badpack3t(i'm almost as lame as you! nice sploitz!), the cisco kyd, moot bailey,
0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y
0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y
0d4y thinking caps on!
0D4Y EXPLOIT ON FULL DISCLOSURE ~ THEY MAIL YOU PASSWORD BACK IN CLEARTEXT
HAHAHAH HOW LAME THAT IS?!?!@?!@ HAHAHAHHA-ROFLMFAOHAHAHAHHAA
XSS THE PLANET!!!!!! YEAHHH!!!!!!!!!!! LUCY!!!!!
THE END
--
_______________________________________________
Get your free email from http://www.singapore.net
Get US $10 Now: http://www.resource-a-day.com/members2/rsathyamurthy
Powered by Outblaze
Powered by blists - more mailing lists