
Saturday, July 9, 2011

phpMyAdmin 3.x Swekey RCI Exploit

Someone else submitted a working Python exploit to exploit-db. It's already out there, so I might as well publish my original exploit written in PHP.
2011-07-20 - Fixed some bugs in the exploit.


8 comments:

  1. Hey, nice bro. I want to learn how to find vulnerabilities in phpMyAdmin. I know SQL injection, but that has nothing to do with this thing. Can you please guide me on what things to check in phpMyAdmin to see if it has a hole or not?

  2. Hello, I downloaded this exploit but I can't find the place where I should write the URL. Can anybody help me?

  3. @Grish
    Uhm, what have you tried so far?

  4. I tried to use this exploit but don't know where I will write the victim's address. Can you help me?
    I put the PHP file onto a local server (denwer), then opened it in the browser, but I receive the following:
    [!] Fatal error. Need cURL! [*] Exiting...
    (Sorry for mistakes English isn't my native language;)

  5. @Grish
    Your server does not have cURL.

  6. PHP Notice: Undefined offset: 1 in C:\xampp\php\tttt.php on line 92



    // Extract cookie
    preg_match('/phpMyAdmin=([^;]+)/', $result, $matches);
    $cookie = $matches[1];
    output("[i] Cookie:".$cookie);
    // Extract token
    preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches);
    $token = $matches[2];
    output("[i] Token:".$token);

  7. http://HOST/setup/index.php is always blocked by a login (htaccess style)?
