[Full-Disclosure] this is fun?

From: Jeffrey Denton (dentonj_at_gmail.com)
Date: 02/20/05

    Date: Sun, 20 Feb 2005 12:10:06 -0700
    To: full-disclosure@lists.netsys.com
    
    

    On Sun, 20 Feb 2005 14:51:48 +0100, Christian <evilninja@gmx.net> wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Brandy Simon wrote:
    > > http://picserv.on.zoy.org/IM39571.jpg
    >
    > hm, what exactly is it?
    >
    > $ wget http://picserv.on.zoy.org/IM39571.jpg
    > --14:45:06-- http://picserv.on.zoy.org/IM39571.jpg
    > => `IM39571.jpg'
    > Resolving picserv.on.zoy.org... 80.65.228.129
    > Connecting to picserv.on.zoy.org[80.65.228.129]:80... connected.
    > HTTP request sent, awaiting response... 404 Not Found
    > 14:45:06 ERROR 404: Not Found.
    >

    Sometimes you have to use a sniffer. Grabbed with lynx and ethereal:

    GET /IM39571.jpg HTTP/1.0
    Host: picserv.on.zoy.org
    Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
    image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
    image/gif, application/postscript, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e

    . . .

    POST /index.php HTTP/1.0
    Host: picserv.on.zoy.org
    Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
    image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
    image/gif, application/postscript, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    Pragma: no-cache
    Cache-Control: no-cache
    User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e
    Referer: http://picserv.on.zoy.org/IM39571.jpg
    Content-type: application/x-www-form-urlencoded
    Content-length: 28

    content=&send=1&refer=&user=

    . . .

    GET /lm.php HTTP/1.0
    Host: picserv.on.zoy.org
    Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
    image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
    image/gif, application/postscript, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e
    Referer: http://picserv.on.zoy.org/IM39571.jpg

    . . .

    GET /lm.php?CLICK+ME=CLICK+ME HTTP/1.0
    Host: picserv.on.zoy.org
    Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
    image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
    image/gif, application/postscript, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e
    Referer: http://picserv.on.zoy.org/lm.php

    The page lm.php sets a number of variables depending on the User-Agent
    string, but only does something different if you are using IE.

    var nom = navigator.appName.toLowerCase();
    var agt = navigator.userAgent.toLowerCase();
    var is_major = parseInt(navigator.appVersion);
    var is_minor = parseFloat(navigator.appVersion);
    var is_ie = (agt.indexOf("msie") != -1);
    var is_ie4up = (is_ie && (is_major >= 4));
    var is_nav = (nom.indexOf('netscape')!=-1);
    var is_nav4 = (is_nav && (is_major == 4));
    var is_mac = (agt.indexOf("mac")!=-1);
    var is_gecko = (agt.indexOf('gecko') != -1);
    // GECKO REVISION
    var is_rev=0
    if (is_gecko) {
    temp = agt.split("rv:")
    is_rev = parseFloat(temp[1])

    . . .

    <input type="submit" value="CLICK ME" name="CLICK ME" style="width:
    2000px; height: 2000px; background-image: url('pooped.jpg'
    );"
    src="hello.jpg" height="300" width="300" onmouseover="if(is_ie)
    {showModelessDialog('procreator.php'); return true; }document.goatse
    .reset();playBall();return true;"
    onclick="if(is_ie) {showModelessDialog('procreator.php'); return true;
    } playBall();return true;"
    onmouseout="if(is_ie) {showModelessDialog('procreator.php'); return
    true; } else{procreate();} playBall();return true;">

    And so on... I haven't looked at all of the other .php pages yet.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
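The browser-sniffing logic quoted from lm.php above, lifted into pure functions so it can be exercised outside a browser. This is an added example, not code from the posted message or from the site it describes: the `classify` function transcribes the posted variable assignments, `handlerActions` transcribes the three event handlers on the 2000x2000 px "CLICK ME" button, and the navigator objects are constructed samples of typical 2005-era values (IE's appVersion starting with "4.0 (compatible; MSIE 6.0 ..." is the reason `is_major` comes out as 4 on IE 6). The guard against a Gecko User-Agent with no "rv:" token is our addition; the posted code calls parseFloat on it unguarded.

```javascript
// Added example: the lm.php browser sniffer as pure functions, run against
// constructed navigator objects (sample values, not captured from the site).

function classify(nav) {
  const nom = nav.appName.toLowerCase();
  const agt = nav.userAgent.toLowerCase();
  // parseInt/parseFloat stop at the first non-numeric character, so IE's
  // appVersion "4.0 (compatible; MSIE 6.0; ...)" yields 4 here, not 6.
  const is_major = parseInt(nav.appVersion, 10);
  const is_minor = parseFloat(nav.appVersion);
  const is_ie = agt.indexOf("msie") !== -1;
  const is_ie4up = is_ie && is_major >= 4;
  const is_nav = nom.indexOf("netscape") !== -1;
  const is_nav4 = is_nav && is_major === 4;
  const is_mac = agt.indexOf("mac") !== -1;
  const is_gecko = agt.indexOf("gecko") !== -1;
  let is_rev = 0;
  if (is_gecko) {
    const temp = agt.split("rv:");
    // The posted code does parseFloat(temp[1]) unguarded; a Gecko UA with
    // no "rv:" token would give NaN there. The guard is our addition.
    // Note parseFloat("1.7.5) gecko/...") stops at the second dot: 1.7.
    is_rev = temp.length > 1 ? parseFloat(temp[1]) : 0;
  }
  return { is_major, is_minor, is_ie, is_ie4up, is_nav, is_nav4, is_mac, is_gecko, is_rev };
}

// Calls each handler on the "CLICK ME" button would make, in order, as
// transcribed from the posted markup: on IE every event opens the modeless
// dialog and returns; other browsers get the other functions.
function handlerActions(flags, event) {
  if (flags.is_ie) return ["showModelessDialog('procreator.php')"];
  switch (event) {
    case "mouseover": return ["document.goatse.reset()", "playBall()"];
    case "mouseout":  return ["procreate()", "playBall()"];
    case "click":     return ["playBall()"];
    default: throw new Error("unknown event: " + event);
  }
}

// Constructed navigator objects: typical values for browsers of the period.
const SAMPLE_NAVIGATORS = {
  ie6: {
    appName: "Microsoft Internet Explorer",
    appVersion: "4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  },
  firefox10: {
    appName: "Netscape",
    appVersion: "5.0 (Windows; en-US)",
    userAgent: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0",
  },
  netscape47: {
    appName: "Netscape",
    appVersion: "4.7 [en] (Win98; I)",
    userAgent: "Mozilla/4.7 [en] (Win98; I)",
  },
};

// Summarise the flags and the handler outcome for every sample browser.
function report(navigators = SAMPLE_NAVIGATORS) {
  const out = {};
  for (const [name, nav] of Object.entries(navigators)) {
    const flags = classify(nav);
    out[name] = {
      flags,
      mouseover: handlerActions(flags, "mouseover"),
      mouseout: handlerActions(flags, "mouseout"),
      click: handlerActions(flags, "click"),
    };
  }
  return out;
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

Run it with `node` to get a JSON table of what the page would do per browser and event: only the IE sample reaches `showModelessDialog('procreator.php')`, matching the poster's observation that lm.php only behaves differently under IE.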

