PaulDotCom mailing list archives

Scanning for phpMyAdmin


From: paul at pauldotcom.com (Paul Asadoorian)
Date: Mon, 03 Aug 2009 13:34:17 -0400

Nessus has several plugins to detect the presence of phpmyadmin and any
vulnerable versions.

I first searched the plugins for phpmyadmin and grabbed the plugin ids:

find . -iname 'phpmyadmin*.nasl' -print0 | xargs -0 grep -i "script_id" \
  | cut -d\( -f2 | cut -d\) -f1 | tr '\n' ','


Then constructed a nessuscmd to look for them:

/opt/nessus/bin/nessuscmd \
  -o "Global variable settings[checkbox]:Enable CGI scanning=yes" \
  -U -p 80,443 -V \
  -i 15770,15948,17689,22512,11116,11761,17221,40352,36083,15478,20088,36170,17219,22124,36171,19519,19950,12041,17220 \
  192.168.1.245

The above command will not only detect phpmyadmin, but will also look
for vulnerabilities associated with phpmyadmin, *including* a new plugin
to detect if phpmyadmin is running without the protection of a login
page (plugin id 40352).  Even if phpmyadmin is fully patched, leaving it
wide open without a password is the same as shell :)

My version of phpMyAdmin is password protected and up-to-date, so my
results just informed me that it was running:

+ Results found on 192.168.1.245 :
   - Port http (80/tcp) is open
     [i] Plugin ID 17219
      |
      | Synopsis :
      |
      |
      | The remote web server contains a database management application
      | written in PHP.
      |
<snip>

Most other tools rely on just the banner to detect if it's vulnerable.
Nessus will send several tests to see if it is in fact vulnerable (I
counted 19 not including dependencies), regardless of banner.

Also, you can use Local Checks, with credentials, and Nessus will report
the local system's patch status with respect to phpmyadmin packages for
your platform/distro (which is a much better way as it gets around the
backports issue).  You could also, with credentials, write an audit
check to look for phpmyadmin configurations in the Apache configuration
files.

Cheers,
Paul

John Hoyt wrote:
Does anyone know of a method that I can use to scan my network for
servers hosting phpMyAdmin?

I'm potentially looking for vulnerable versions.

Thanks,

John Hoyt



-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
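
Added example, not part of the original message and not a Nessus audit file: a shell sketch of the kind of local check suggested above, which finds Apache config files that map a phpMyAdmin path and reports whether Apache itself restricts access to it. The function names, file names and paths are hypothetical, the sample configs are constructed, and "open" only means no Apache-level restriction was found (phpMyAdmin's own login page is not visible in these files).

```shell
#!/bin/sh
# Added example: flag phpMyAdmin mappings in Apache configs and their access state.

# Config files that alias or scope a phpMyAdmin path (case-insensitive).
find_pma_configs() {
    grep -rliE '^[[:space:]]*(Alias|ScriptAlias|<Directory|<Location)[[:space:]].*phpmyadmin' "$1" 2>/dev/null | sort
}

# "restricted" if a phpMyAdmin <Directory>/<Location> block carries an auth or
# deny directive (Apache 2.2 or 2.4 syntax), otherwise "open".
pma_access_state() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }
        line ~ /^[ \t]*<(directory|location)[ \t].*phpmyadmin/ { inblk = 1; next }
        inblk && line ~ /^[ \t]*<\/(directory|location)/ { inblk = 0; next }
        inblk && line ~ /^[ \t]*(authtype|deny[ \t]+from|require[ \t]+(valid-user|user|group|ip|host|local|all[ \t]+denied))/ { hit = 1 }
        END { print (hit ? "restricted" : "open") }
    ' "$1"
}

# One line per matching config file: "<state> <path>".
audit_pma() {
    find_pma_configs "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$(pma_access_state "$f")" "$f"
    done
}

# Constructed sample configs (hypothetical paths), so the audit runs offline.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/pma-open.conf" <<'EOF'
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Require all granted
</Directory>
EOF
    cat > "$d/pma-locked.conf" <<'EOF'
Alias /dbadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin>
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
EOF
    printf 'DocumentRoot /var/www/html\n' > "$d/site.conf"
    printf '%s\n' "$d"
}

audit_pma "${1:-$(make_sample)}"   # no argument: audit the constructed sample
```

Pass the Apache configuration directory as the first argument to audit a real host; with no argument it runs against the constructed sample.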

