Full Disclosure mailing list archives
W-Nikto PHP FrontEnd [twice, YAY!!!]
From: "morning_wood Weinerzucker" <morning_wood () singapore net>
Date: Fri, 18 Jul 2003 09:44:48 +0800
I go start new mail list where we can all frolick with fake exploit and XSS! who wanna join?!! Now 0d4y

------------------------------------------------------------------
- EXPL-A-2003-015 exploitlabs.com Advisory 016 [i dunno what these number mean]
------------------------------------------------------------------

-= w-nikto phpFE =-

Donnie Weinerzucker
July 17, 2003

I release advisory of my own scripts! thats how l33t I am

Vunerability(s):
----------------
1. Remote Commands Execution
2. XSS Vulnerability
3. File PERmission issues
4. Bad Code & Credit Stealing

Product:
--------
Wnikto32 PHP Remote Frontend
http://exploitlabs.com/files/woods/wnikto32-phpfe.zip

Comments:
-------------------
No Blame Me Because I Make Script. I not make nikto not my fault, i just code bad frontend, blame nikto for do nothing to protect against my bad coding. almost like inf-scan. no blame me for working on code and putting it out as mine then exploiting it, not my fault i can not code

Description of product:
-----------------------
"Wnikto32(vuln scanner i compiled, i l33t) with php remote frontend avail at http://exploitlabs.com/files/woods/wnikto32-phpfe.zip
Author: Donnie Werner
Requirements: Webspace with PHP support. have been developed over a Apache + PHP platform running in Windows XP[me never used unix] and have not been fully tested because I don't know how to code ummm.. ok hint: it runs on most anything with php installed

VUNERABILITY / EXPLOIT
======================
Another very lame "scanner" frontend type of php script with many flaws...

1. REMOTE COMMAND EXECUTION
in the execution of the w-nikto.exe, the frontend passes all input unfiltered.

2. XSS Vunerabilities lay in everything that give output
"<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>"
the JS code is rendered / executed in the user's browser.

3. No authentication at all done giving anyone remote command access

4. I can't code and only know XSS

5. I suck and should die

EXPLOIT CODE:
-------
input | or ; surrounding most input
see, I know exploit is. you tell me i no know exploit, hah

Local:
------
everything remote is local!!!

Remote:
-------
yup we got XSS and stuff via remote

Vendor Fix:
-----------
There is no fix on 0day because I don't know how to code(look at what I call advisories, me code?! HAH)

Vendor Contact:
---------------
Yep, and he got mad and pissed his pants while crying for his mother

Credits:
--------
Donnie Werner (morning_wood () frame4 com)
5685 Eagle Pky #2
Ferndale, Wa 98248
360-312-8011 ~ call me if you want to talk about XSS

visit my sites!
exploitlabs.com (maybe some day i learn more than xss)
nothackers.org (the XSS 0y34r ph34r, "Freedom of voice" till you say something i no like)
and other lame sites that have nothing!

Original advisory may be found at
http://exploitlabs.com/files/advisories/EXPL-A-2003-015-phpfe.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Goodbyes;
I only know XSS, thats why you can look at every script i review and find a lot more holes in them. I can scroll on IRC! I never seen a unix, i think it's some kinda blackhat thing. I got exploit code! but only fake and exploit for my own scripts I make. Maybe someone can e-mail me and tell me how to do dns because I dont know how people can visit my site with www.! lately I complain because nobody see that im "special"(i lub u mommy!) and servers should never start, I also release programs but I dont know how to code. Just call me the unpatched xp kid! I got hacked but i dont know yet... i got lots of porn e-mail me for trade. I got my chan all logged, ask for logs and you can see how i know nothing. If anyone saw my post in the "Invaded by morons" discussion, just ignore that my comments of "And I think most of you may be in for a big supprise sometime in a few weeks from me.... im so incompitent.. sheesh", I also thought my lame Zope information disclosure/xss was going to make me famous! Because I want to speak at defcon on how im so elite at XSS that i release it 0d4y! WOOHOO FOR ME

Greets;
Project cOd, Donnie Weiner, w00w00[u know aim technique, teech aim xss?] badpack3t(i'm almost as lame as you! nice sploitz!), the cisco kyd, moot bailey, 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y

0d4y thinking caps on! 0D4Y EXPLOIT ON FULL DISCLOSURE ~ THEY MAIL YOU PASSWORD BACK IN CLEARTEXT HAHAHAH HOW LAME THAT IS?!?!@?!@ HAHAHAHHA-ROFLMFAOHAHAHAHHAA

XSS THE PLANET!!!!!! YEAHHH!!!!!!!!!!! LUCY!!!!!

THE END

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
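The three concrete flaws the post lists for the frontend (user input passed unfiltered into the w-nikto.exe command line, output echoed back unencoded, and no authentication) are the standard trio for this kind of PHP wrapper. As an added illustration that is not the wnikto32-phpfe code and not part of the original post, the handler below shows how each one is closed: a login check before any work, a strict hostname whitelist plus escapeshellarg() before the value reaches the shell, and htmlspecialchars() on everything that is rendered. The parameter names (target, port), the session key, and the -h/-p flags passed to w-nikto.exe are assumptions for the example; only the executable name comes from the post.

```php
<?php
// Added example, not the original wnikto32-phpfe script. Assumed names:
// $_POST['target'], $_POST['port'], $_SESSION['user'], and the -h/-p flags.
declare(strict_types=1);

// Flaw 3 (no authentication): refuse to run anything without a logged-in session.
function requireLogin(): void
{
    session_start();
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('login required');
    }
}

// Flaw 1 (command injection): accept only a plain hostname or dotted IPv4.
// The pattern has no room for '|', ';', '&', quotes, spaces or newlines,
// so the metacharacters the post mentions are rejected before any shell call.
function validateTarget(string $raw): ?string
{
    $t = trim($raw);
    if ($t === '' || strlen($t) > 253) {
        return null;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?:' . $label . '\.)*' . $label . '$/i', $t)) {
        return null;
    }
    return $t;
}

// Second layer: even a validated value is quoted with escapeshellarg(), which
// wraps the argument (single quotes on Unix, double quotes on Windows) so it
// can never terminate the argument or start a second command.
function buildCommand(string $target, int $port): string
{
    return 'w-nikto.exe -h ' . escapeshellarg($target) . ' -p ' . (string) $port;
}

// Flaw 2 (XSS): anything that "give output" is HTML-encoded before it is echoed,
// so a <script> tag in scanner output or in a reflected parameter stays text.
function renderOutput(string $text): string
{
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

requireLogin();

$target = validateTarget($_POST['target'] ?? '');
$port = filter_var(
    $_POST['port'] ?? '80',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 65535]]
);

if ($target === null || $port === false) {
    http_response_code(400);
    echo renderOutput('invalid target or port');
    exit;
}

$out = shell_exec(buildCommand($target, $port));
echo renderOutput(is_string($out) ? $out : '');
```

The whitelist is the real control here; escapeshellarg() is defence in depth for the case where a later change loosens the pattern. Keeping the encoding in one renderOutput() function makes the "everything that gives output" requirement auditable: any echo that bypasses it is a review finding.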
Current thread:
- W-Nikto PHP FrontEnd [twice, YAY!!!] morning_wood Weinerzucker (Jul 17)
- Re: W-Nikto PHP FrontEnd [twice, YAY!!!] morning_wood (Jul 17)