> > This really long 'form action' item > http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwv > waboundpyw > wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaou > ndpywwgc2l > [EMAIL PROTECTED]/login/form.php > > obviously contains the 0x01 exploit. What I'm curious about is the HUGE > amount of crap in between the : and the @ sign. I mean, if the > 0x01 exploit > is 'good enough', what's with the extra characters? >
The above http: line doesn't make use of the 0x01 exploit. In order to make use of that exploit, you NEED "0x01" in there just before the @ symbol. The above link only makes use of of a "feature" of using the @ symbol to pass credentials. All the gibberish that you see in the link is a poor attempt to mask the actual address it's going to. When you click on the link, you'll see "211.239.150.170/login/form.php" in the browser's address bar. If it was using the 0x01 expoilt you'd see "http://www.citibank.com"; in the address bar. Exibar _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
