|\====================================================================/|
| \          SWAT MAGAZINE ISSUE TWENTYONE : September 1999           / |
|  \________________________________________________________________/  |
|  /================================================================\  |
| /=========================  An Exploit.  ==========================\ |
|/==========================   By Smurf   ===========================\|

Hi, Smurf again with a new exploit that just came out. It's in the Xitami Web Server 2.4 or below. The exploit was first discovered on 25/09/99, and there should be a lot of machines still vulnerable, since it's a small and reliable web server.

Exploiting it is easy. First you need a server that runs Xitami. When you try to access a protected directory you get a screen asking for a user name and password, but if you enter two backslashes before the directory you can get into it.

E.g.

  www.server.com\secure    - Have to enter password
  www.server.com\\secure   - No password required

Secondly, to find vulnerable servers go to www.Xitami.com and look on their web ring.

Another Piece Of Information (exploits).

The best hacks, I think, are the simple ones. So here is a tip. Go to www.hotbot.com or something similar and search for service.pwd. Use a browser to go to the URL:

  http://www.victim.com/_vti_pvt/service.pwd

Other password files are...

  Administrator.pwd
  Administrators.pwd
  Authors.pwd
  Users.pwd

When you get the sites, go to them and download the password file. It should look something like:

  # -FrontPage-
  admin:kr3IfxP73NRy6

Now to crack it you need to run it through a Unix password cracker, but first you need to convert it to a Linux/Unix password file. So add this to the end of the line:

  :2:2:binaccount:/bin:/bin/sh

So it should look like:

  admin:kr3IfxP73NRy6:2:2:binaccount:/bin:/bin/sh

Then run the password cracker and you will get the password.

Happy Hacking.

Smurf
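An added illustration, not part of the original article, of the root cause behind the backslash bypass (authorising on the raw path instead of a canonical one) together with a log check for the two access patterns the article describes. This is example code written for this edition, not Xitami's or FrontPage's source; the protected prefix `/secure/`, the log lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/1999:10:01:02 +0000] "GET /secure/ HTTP/1.0" 401 0
10.0.0.5 - - [25/Sep/1999:10:01:09 +0000] "GET \\\\secure/ HTTP/1.0" 200 512
10.0.0.7 - - [25/Sep/1999:10:02:30 +0000] "GET /_vti_pvt/service.pwd HTTP/1.0" 200 64
10.0.0.8 - - [25/Sep/1999:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

PROTECTED_PREFIX = "/secure/"   # assumed protected directory, as in the article

def canonicalize(path):
    """Normalise a request path before any authorisation decision:
    decode %-escapes, treat '\\' as '/', collapse repeated separators.
    (Illustrative only: a real server must also resolve '.' and '..'.)"""
    path = unquote(path)
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    return path if path.startswith("/") else "/" + path

def naive_is_protected(path):
    # Weak check: prefix match on the raw path, so '\\secure/' slips past it.
    return path.startswith(PROTECTED_PREFIX)

def hardened_is_protected(path):
    # Same rule, applied to the canonical path; the backslash form now matches.
    return canonicalize(path).startswith(PROTECTED_PREFIX)

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def flag_requests(log_text):
    """Return (raw_path, reason) pairs an analyst should look at:
    separator tricks in the path, and a FrontPage .pwd file served with 200."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw, status = m.group("path"), int(m.group("status"))
        if "\\" in raw or "//" in raw:
            findings.append((raw, "separator trick in request path"))
        canon = canonicalize(raw)
        if canon.startswith("/_vti_pvt/") and canon.endswith(".pwd") and status == 200:
            findings.append((raw, "FrontPage password file served"))
    return findings
```

Running `flag_requests(SAMPLE_LOG)` returns two findings: the double-backslash request for the protected directory and the service.pwd file served with a 200.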