phpmyadmin-fpd: phpMyAdmin - Full Path Disclosure

id: phpmyadmin-fpd

info:
  name: phpMyAdmin - Full Path Disclosure
  author: DhiyaneshDk
  severity: low
  description: |
    Detected potential Full Path Disclosure (FPD) via directly accessible phpMyAdmin files that may throw PHP errors revealing filesystem paths when error display is enabled.
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"phpmyadmin"
  tags: exposure,fpd,phpmyadmin,php

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"

    payloads:
      paths:
        - ""
        - "/phpmyadmin/"
        - "/admin/phpmyadmin/"
        - "/_phpmyadmin/"
        - "/administrator/components/com_joommyadmin/phpmyadmin/"
        - "/apache-default/phpmyadmin/"
        - "/blog/phpmyadmin/"
        - "/forum/phpmyadmin/"
        - "/php/phpmyadmin/"
        - "/typo3/phpmyadmin/"
        - "/web/phpmyadmin/"
        - "/xampp/phpmyadmin/"
        - "/phpMyAdmin/"
        - "/phpma/"
        - "/phpMyAdmin/index.php"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_any(tolower(body), "alt=\"phpMyAdmin", "name=\"pma_username", "/pmahomme/")'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/phpmyadmin/libraries/advisory_rules_generic.php"
      - "{{BaseURL}}/phpmyadmin/libraries/phpseclib/Crypt/AES.php"
      - "{{BaseURL}}/phpmyadmin/libraries/phpseclib/Crypt/Rijndael.php"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200 || status_code == 500'
          - 'contains(body, "phpmyadmin")'
          - 'contains_any(body, "Fatal error", "require_once", "Error")'
        condition: and
# digest: 4b0a00483046022100fab26143dee7bd3a7720412de1cf3e8328832d063206599348b87f992139cae5022100900a6b1642514fa35a9a5d02ffb31e1a8979f4b1e34f3ffc295dfeef586f7921:922c64590222798bb761d5b6d8e72950