Full Disclosure mailing list archives
Re: W-Nikto PHP FrontEnd [twice, YAY!!!]
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Thu, 17 Jul 2003 19:29:28 -0700
b0iler... go away and find someone to pick on on IRC, as that is what you enjoy most..

Donnie

----- Original Message -----
From: "morning_wood Weinerzucker" <morning_wood () singapore net>
To: <full-disclosure () lists netsys com>
Sent: Thursday, July 17, 2003 6:44 PM
Subject: [Full-disclosure] W-Nikto PHP FrontEnd [twice, YAY!!!]
I go start new mail list where we can all frolick with fake exploit and
XSS! who wanna join?!! Now 0d4y
------------------------------------------------------------------ - EXPL-A-2003-015 exploitlabs.com Advisory 016 [i dunno what
these number mean]
------------------------------------------------------------------ -= w-nikto phpFE =- Donnie Weinerzucker July 17, 2003 I release advisory of my own scripts! thats how l33t I am Vunerability(s): ---------------- 1. Remote Commands Execution 2. XSS Vulnerability 3. File PERmission issues 4. Bad Code & Credit Stealing Product: -------- Wnikto32 PHP Remote Frontend http://exploitlabs.com/files/woods/wnikto32-phpfe.zip Comments: ------------------- No Blame Me Because I Make Script. I not make nikto not my fault, i just code bad frontend, blame nikto for do nothing to protect againt my bad coding. almost like inf-scan. no blame me for working on code and putting it out as mine then exploiting it, not my fault i can not code Description of product: ----------------------- "Wnikto32(vuln scanner i compiled, i l33t) with php remote frontend avail
at
http://exploitlabs.com/files/woods/wnikto32-phpfe.zip Author: Donnie Werner Requirements: Webspace with PHP support. have been developed over a Apache + PHP platform running in Windows XP[me never used unix] and have not been
fully tested
because I don't knwo how to code ummm.. ok hint: it runs on most anything with php installed VUNERABILITY / EXPLOIT ====================== Another very lame "scanner" frontend type of php script with many
flaws...
1. REMOTE COMMAND EXECUTION in the execution of the w-nikto.exe, the frontend passes all input unfiltered. 2. XSS Vunerabilities lay in everything that give output "<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie );</SCRIPT>" the JS code is rendered / executed in the the users browser. 3. No authentication at all done giving anyone remote command access 4. I can't code and only know XSS 5. I suck and should die EXPLOIT CODE: ------- input | or ; surrounding most input see, I know exploit is. you tell me i no know exploit, hah Local: ------ everything remote is local!!! Remote: ------- yup we got XSS and stuff via remote Vendor Fix: ----------- There is no fix on 0day because I don't know how to code(look at what I call advisories, me code?! HAH) Vendor Contact: --------------- Yep, and he got mad and pissed his pants while crying for his mother Credits: -------- Donnie Werner (morning_wood () frame4 com) 5685 Eagle Pky #2 Ferndale, Wa 98248 360-312-8011 ~ call me if you want to talk about XSS visit my sites! exploitlabs.com (maybe some day i learn more than xss) nothackers.org (the XSS 0y34r ph34r, "Freedom of voice" till you say
something i no like)
and other lame sites that have nothing! Original advisory may be found at http://exploitlabs.com/files/advisories/EXPL-A-2003-015-phpfe.txt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Goodbyes; I only know XSS, thats why you can look at every script i review and find alot more holes in them. I can scroll on IRC! I never seen a unix, i
think it's
some kinda blackhat thing. I got exploit code! but only fake and exploit
for my
own scripts I make. Maybe someone can e-mail me and tell me how to do dns
because
I dont know how people can visit my site with www.! lately I complain
because
nobody see that im "special"(i lub u mommy!) and servers should never
start, I also
release programs but I dont know how to code. Just call me the unpatched
xp kid!
I got hacked but i dont know yet... i got lots of porn e-mail me for
trade. I got my
chan all logged, ask for logs and you can see how i know nothing. If anyone saw my post in the "Invaded by morons" discussion, just ignore
that
my comments of "And I think most of you may be in for a big supprise
sometime
in a few weeks from me.... im so incompitent.. sheesh", I also thought my
lame
Zope information disclosure/xss was going to make me famous! Because I
want to
speak at defcon on how im so elite at XSS that i release it 0d4y! WOOHOO
FOR ME
Greets; Project cOd, Donnie Weiner, w00w00[u know aim technique, teech aim xss?] badpack3t(i'm almost as lame as you! nice sploitz!), the cisco kyd, moot
bailey,
0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y
0D4Y
0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0d4y thinking caps on! 0D4Y EXPLOIT ON FULL DISCLOSURE ~ THEY MAIL YOU PASSWORD BACK IN
CLEARTEXT
HAHAHAH HOW LAME THAT IS?!?!@?!@ HAHAHAHHA-ROFLMFAOHAHAHAHHAA XSS THE PLANET!!!!!! YEAHHH!!!!!!!!!!! LUCY!!!!! THE END
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html