Re[2]: [Full-disclosure] Oh noes, the 0x90 NOP crew have been NOP'd!
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re[2]: [Full-disclosure] Oh noes, the 0x90 NOP crew have been NOP'd!
- From: n0fear@xxxxx
- Date: Wed, 7 Dec 2005 17:28:44 +0300
> Hah. That's a weird script anyways. Who's crazy enough to punch in
> their password into some guys' "analyzer" knowing good and well it
> could be used against them or at least wind up in someone's private
> wordlist?
> On 12/7/05, cranium pain <coardump@xxxxxxxxx> wrote:
>>
>> ---------------------------------------
>> !!!0-Day Alert 0-Day Alert!!!
>> ---------------------------------------
>> Who Is Vulnerable: 0x90.org
>> Who Are They: Developers of Web Based security tools
>> Impact: Red Faces For l33t Haxxors
>> Time Line: Today
>> ---------------------------------------
>>
>> 0x90.org is a site run by a bunch of hacker wannabes that write stuff to
>> audit web sites and web applications, stuff like XSS / JavaScript
>> injection, HTML injection and SQL injection.
>>
>> They are also the proud developers of Absynth. No, not that favorite
>> alcoholic beverage that you use to intoxicate helpless females on a
>> Saturday night, dulling their senses so that you can more easily social
>> engineer them into believing that you are really a hot sex puppy and a mad
>> leet haxxor that speaks at all the cons while wearing your "I read your
>> mail" t-shirt, rather than the noob you are!
>>
>> Absynth is the web auditing tool which is commonly used by many CCISP
>> certified security professionals and professional penetration testers, 99%
>> of whom release top notch, serious remote 0day exploits to the community
>> daily.
>>
>> Well, these jokers obviously never ran their tools on their own web site,
>> as such they have left themselves open to some injection flaws of their own:
>>
>> POC:
>> --------
>>
>> POST http://www.0x90.org/passwd/index.php?password=">Oh
>> Noooeeessssss!!!
>>
>>
>> doh..
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter:
>> http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
> --
> Robert Wesley McGrew
> http://cse.msstate.edu/~rwm8/
Or in the case of coardump@xxxxxxxxx, who *may be* trying to retrieve some 0day local
sploits from FD readers who got a local unpriv shell through this form.
(The form is now closed, I know.)