PaulDotCom mailing list archives
Scanning for phpMyAdmin
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Mon, 03 Aug 2009 13:34:17 -0400
Nessus has several plugins to detect the presence of phpmyadmin and any vulnerable versions. I first searched the plugins for phpmyadmin and grabbed the plugin ids:

    find . -iname 'phpmyadmin*.nasl' -print0 | xargs -0 grep -i "script_id" | cut -d\( -f2 | cut -d\) -f1 | tr '\n' ','

Then constructed a nessuscmd to look for them:

    /opt/nessus/bin/nessuscmd -o "Global variable settings[checkbox]:Enable CGI scanning=yes" -U -p 80,443 -V -i 15770,15948,17689,22512,11116,11761,17221,40352,36083,15478,20088,36170,17219,22124,36171,19519,19950,12041,17220 192.168.1.245

The above command will not only detect phpmyadmin, but will also look for vulnerabilities associated with phpmyadmin, *including* a new plugin to detect if phpmyadmin is running without the protection of a login page (plugin id 40352). Even if phpmyadmin is fully patched, leaving it wide open without a password is the same as shell :)

My version of phpMyAdmin is password protected and up-to-date, so my results just informed me that it was running:

    + Results found on 192.168.1.245 :
       - Port http (80/tcp) is open
         [i] Plugin ID 17219
          |
          | Synopsis :
          |
          |
          | The remote web server contains a database management application
          | written in PHP.
          |
    <snip>

Most other tools rely on just the banner to detect if it's vulnerable. Nessus will send several tests to see if it is in fact vulnerable (I counted 19 not including dependencies), regardless of banner.

Also, you can use Local Checks, with credentials, and Nessus will report the local system's patch status with respect to phpmyadmin packages for your platform/distro (which is a much better way as it gets around the backports issue).

You could also, with credentials, write an audit check to look for phpmyadmin configurations in the Apache configuration files.

Cheers,
Paul

John Hoyt wrote:
> Does anyone know of a method that I can use to scan my network for servers
> hosting phpMyAdmin? I'm potentially looking for vulnerable versions.
>
> Thanks,
> John Hoyt
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
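
The last suggestion in the message, checking the Apache configuration files for phpMyAdmin, shown as an added shell example; it is not part of the original post and is not a Nessus .audit check. The sample configuration and its paths are constructed, and treating Require/AuthType/Allow/Deny lines as the sign of a restricted block is an assumption of this example.

```shell
#!/bin/sh
# Added example, not a Nessus .audit file: list phpMyAdmin exposure in Apache configs.

# audit_pma_conf FILE...: print one finding per Alias or <Directory> that
# mentions phpMyAdmin, and say whether the Directory block restricts access.
audit_pma_conf() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low == "" || low ~ /^#/ { next }          # skip blanks and comments
    low ~ /^(script)?alias(match)?[ \t]/ && low ~ /phpmyadmin/ {
        printf "%s:%d: ALIAS %s\n", FILENAME, FNR, line; next
    }
    low ~ /^<directory/ && low ~ /phpmyadmin/ { inblk = 1; start = FNR; guarded = 0; next }
    inblk && low ~ /^(require|authtype|allow|deny)[ \t]/ {
        # "Require all granted" and "Allow from all" open the block up, so they do not count
        if (low !~ /^require[ \t]+all[ \t]+granted/ && low !~ /^allow[ \t]+from[ \t]+all/) { guarded = 1 }
    }
    inblk && low ~ /^<\/directory>/ {
        printf "%s:%d: DIRECTORY %s\n", FILENAME, start, (guarded ? "restricted" : "UNRESTRICTED")
        inblk = 0
    }' "$@"
}

# Constructed sample configuration (paths are illustrative, not from the post).
write_sample_conf() {
    cat > "$1" <<'EOF'
# phpMyAdmin
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    Require all granted
</Directory>
<Directory /usr/share/phpMyAdmin/setup>
    AuthType Basic
    Require valid-user
</Directory>
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_pma_conf "$sample"
rm -f "$sample"
```

An UNRESTRICTED finding only means the block itself carries no access control; authentication may still be enforced by phpMyAdmin's own login page or by an enclosing configuration section.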