Tenable Blog


Auditing Your Network For phpMyAdmin Using Nessus

Finding the Needle in the Haystack

It is important to know what applications and services are in your environment to properly evaluate risk. Recently, a question was posed about detecting phpMyAdmin, a popular application for managing MySQL databases. We've previously explored how this application could be used to take over a system, demonstrating the risk this application may pose. There are several actions to perform when searching for applications on your network (in this case we are searching for a web application). This blog post describes how Nessus can be used to perform the following actions:

  1. Detect if the application is running
  2. Test for known vulnerabilities
  3. Detect if the application is patched
  4. Evaluate the authentication mechanism
  5. Find any unknown flaws
  6. Check the security configuration of the host

1. Detect if the application is running

The plugin titled "phpMyAdmin Detection" (plugin ID 17219) checks for the presence of phpMyAdmin in several ways, including looking for the web directory name and searching the page text for specific strings associated with the software. Be sure to enable "Thorough Tests", as this will search for a few variations of the directory name (e.g., "pma" and "phpmyadmin"). When Nessus finds this application running, you will see the following in the Nessus output:


2. Test for Known Vulnerabilities

To detect many known vulnerabilities in a particular application, first find all of the plugins that are associated with the application. The search for this application and associated vulnerabilities should be very targeted and fast. For example, if the application you are scanning for is phpMyAdmin, only enable the plugins that relate to phpMyAdmin. I first did this on the command line of my Linux system in the "/opt/nessus/lib/nessus/plugins/" directory:

find . -iname 'phpmyadmin*.nasl' -print0 | xargs -0 grep -i "script_id" | cut -d\( -f2 | cut -d\) -f1 | tr '\n' ','

Some of the NASL scripts were named as "phpmyadmin" and some were named as "phpMyAdmin", so I had to use "-iname" for case insensitive searching (NASL script filenames can vary depending on the author of the plugin). I then used "grep" to grab the "script_id" field from the NASL script, which is the same thing as the plugin ID. The "cut" and "tr" commands put the plugin IDs into a comma delimited list, which is the format expected by "nessuscmd".
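A more defensive version of that pipeline, added here as an example rather than taken from the original post: it handles the mixed-case filenames, tolerates whitespace inside script_id(), removes duplicates and drops the trailing comma the tr step leaves behind. The directory and the .nasl files it creates are constructed for the demo and are not real Tenable plugins.

```shell
#!/bin/sh
# Added example: build the comma-delimited plugin ID list that "nessuscmd -i"
# expects from a directory of NASL scripts. The directory layout and sample
# files below are constructed for this demo; they are not Tenable's plugins.

# plugin_ids DIR PATTERN
# Find every NASL script under DIR whose name starts with PATTERN
# (case-insensitive, so both "phpmyadmin_*.nasl" and "phpMyAdmin_*.nasl" match),
# pull the number out of its script_id(...) call, and print the IDs sorted,
# de-duplicated and joined by commas with no trailing comma.
plugin_ids() {
    find "$1" -iname "${2}*.nasl" -exec grep -h -o 'script_id([ ]*[0-9][0-9]*[ ]*)' {} + \
      | tr -dc '0-9\n' \
      | sort -n -u \
      | paste -s -d, -
}

# make_demo_plugins: create a throw-away plugin directory holding constructed
# .nasl files and print its path. 17219, 19519 and 40352 are the phpMyAdmin
# plugin IDs named in the post; 12345 is a made-up unrelated plugin that must
# be left out of the resulting list.
make_demo_plugins() {
    d=$(mktemp -d)
    printf 'if (description) {\n  script_id(17219);\n}\n' > "$d/phpmyadmin_detect.nasl"
    printf 'if (description) {\n  script_id( 19519 );\n}\n' > "$d/phpMyAdmin_xss.nasl"
    printf 'if (description) {\n  script_id(40352);\n}\n' > "$d/phpmyadmin_no_auth.nasl"
    printf 'if (description) {\n  script_id(12345);\n}\n' > "$d/other_webapp.nasl"
    printf '%s\n' "$d"
}

# demo: run the extraction over the constructed directory, show the argument
# it would hand to nessuscmd, and clean up.
demo() {
    dir=$(make_demo_plugins)
    ids=$(plugin_ids "$dir" phpmyadmin)
    printf 'nessuscmd -i %s\n' "$ids"    # prints: nessuscmd -i 17219,19519,40352
    rm -rf "$dir"
}

demo
```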

I constructed a nessuscmd command, specifying the plugins and options required for the scan to run properly:

/opt/nessus/bin/nessuscmd -o "Global variable settings[checkbox]:Enable CGI scanning=yes" \
-o "Global variable settings[checkbox]:Thorough tests (slow)=yes" \
-U -p 80,443 -V \
-i 15770,15948,17689,22512,11116,11761,17221,40352,36083,15478,20088,36170,17219,22124,36171,19519,19950,12041,17220 \

The above command will not only detect phpMyAdmin, but will also look for the associated vulnerabilities covered by the plugins listed. The phpMyAdmin instance in the test network used for this scan is password protected and up-to-date, so the results only showed that it was running on the target host:

+ Results found on :
- Port http (80/tcp) is open
[i] Plugin ID 17219
| Synopsis :
|
| The remote web server contains a database management application
| written in PHP.

The above operations can also be performed using the NessusClient. The NessusClient contains a search feature that allows you to find plugins that match given criteria. In this example we need to edit the policy, go to the "Plugin Selection" tab and click "Disable all". This will uncheck all of the plugins, allowing us to start fresh and only enable the plugins that will result from our search. Next, click on the "Find..." button:


From the pull-down menu select "name", indicating we want to search the plugins by name. Enter "phpmyadmin" in the "contains" field as shown above (note: searches in NessusClient are not case sensitive). Click on "OK" and you will then see a list of plugins that contain "phpmyadmin":


If there are known vulnerabilities, Nessus will find many of them using existing plugins. For example, this instance of phpMyAdmin contained an XSS vulnerability identified by plugin ID 19519:

CAUTION: Dependencies Matter

When running scans for specific plugins you may want to disable "Silent Dependencies", located on the "Plugin selections" tab in the NessusClient:


This option removes the output from plugins that were run due to a dependency. From the command line you can add the switch "-o silent_dependencies=no", which will disable this option when running "nessuscmd". You will see results from some of the other plugins, such as:


The above plugin, Web Server Directory Enumeration, provides information on the directories that are available in the web server root directory. When scanning a smaller number of hosts it is often useful to review the dependency plugin results as well, as they may yield additional information, and/or expose additional vulnerabilities.

3. Detect if the Application is Patched

You can use Nessus Local Checks with credentials to report the patch status of phpMyAdmin packages on the local systems for your platform and distribution. This solves the problem with backports, where the distribution leaves the version number in the banner unchanged and "backports" the patch into the existing version, so a banner check alone would wrongly flag the host. There are several plugins for many different platforms that will look for phpMyAdmin packages containing known vulnerabilities.

4. Evaluate the Authentication Mechanism

A new plugin has been released to detect if phpMyAdmin is running without the protection of a login page (plugin ID 40352). Even if phpMyAdmin is fully patched, leaving it open to the world without a password can be the same as granting shell access because it provides the ability to run SQL queries against the database. So, even if the instance of phpMyAdmin has been fully patched, missing authentication could lead to an unauthorized remote attacker gaining access to the system.

5. Find Unknown Flaws

Nessus's improved web application testing scripts enable testing for potentially unknown flaws. The foundation of this testing is performed by the web mirror process, which finds several applications and parameters to test:


These results are passed to the newly improved web application testing modules. In the case of phpMyAdmin, Nessus was able to find both XSS and SQL injection:


The SQL injection "vulnerability" found by Nessus may just be a normal function of phpMyAdmin, as it provides the end user the ability to execute SQL statements from a web form. However, Nessus was also able to find an XSS vulnerability as a result of the generic CGI testing, distinct from the vulnerability found by plugin 19519.


6. Check the Security Configuration of the Host

Credentials can also be used with a custom audit file to look for phpMyAdmin directives in the Apache configuration files. This would indicate which servers are running the product, and how they are configured. An example of how to do this was shown in a previous post where we wrote a custom audit file to check for Apache servers using Base64 encoded passwords.


Nessus contains several methods to detect applications in your environment and enumerate their associated vulnerabilities. The vulnerabilities are either the traditional ones documented in vulnerability databases (VDBs) or the result of misconfigurations such as missing authentication. Nessus can also be used to audit local patches and configurations; this detects backports and searches through your configurations (Apache and MySQL in this case) for anomalies. To detect this software on an ongoing basis you can use Tenable Security Center to schedule scans and email you the results. The Passive Vulnerability Scanner can also be used to detect applications and find vulnerabilities in them using only network traffic.

