>
> This really long 'form action' item
> http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwv
> waboundpyw
> wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaou
> ndpywwgc2l
> 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt_at_211.239.150.170/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the
> 0x01 exploit
> is 'good enough', what's with the extra characters?
>
The above http: line doesn't make use of the 0x01 exploit. In order to make
use of that exploit, you NEED "0x01" in there just before the @ symbol. The
above link only makes use of of a "feature" of using the @ symbol to pass
credentials. All the gibberish that you see in the link is a poor attempt
to mask the actual address it's going to. When you click on the link,
you'll see "211.239.150.170/login/form.php" in the browser's address bar.
If it was using the 0x01 expoilt you'd see "http://www.citibank.com" in the
address bar.
Exibar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Jan 11 2004
Intro
