first commit

phpmyadmin/CVE-2016-5734/README.md

@@ -0,0 +1,37 @@
+# PhpMyAdmin 4.0.x—4.6.2 Remote Code Execution Vulnerability (CVE-2016-5734)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the `preg_replace` function, because the information submitted by the user can be spliced into the first parameter.
+
+Before PHP 5.4.7, the first parameter of `preg_replace` could be truncated with `\0` and the change search pattern to `\e`. It can cause remote code execution vulnerability.
+
+Affected versions:
+
+- 4.0.x version before 4.0.10.16
+- 4.4.x version before 4.4.15.7
+- 4.6.x version before 4.6.3 (actually because this version requires PHP5.5+, this vulnerability cannot be reproduced)
+
+## Setup
+
+Execute following commands to start PHP 5.3 + Apache + phpMyAdmin 4.4.15.6:
+
+```
+docker compose up -d 
+```
+
+After start, visit `http://your-ip:8080` and you will see the login page of phpMyAdmin. Log in with `root`:`root`.
+
+## Exploit
+
+This vulnerability requires login and the permission to write data.
+
+We use this POC(https://www.exploit-db.com/exploits/40185/) to reproduce the vulnerability.
+
+```
+./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://your-ip:8080/
+```
+
+Result:
+
+![](1.png)

phpmyadmin/CVE-2016-5734/README.zh-cn.md

@@ -0,0 +1,35 @@
+# phpMyAdmin 4.0.x—4.6.2 远程代码执行漏洞（CVE-2016-5734）
+
+phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。在其查找并替换字符串功能中，将用户输入的信息拼接进`preg_replace`函数第一个参数中。
+
+在PHP5.4.7以前，`preg_replace`的第一个参数可以利用\0进行截断，并将正则模式修改为e。众所周知，e模式的正则支持执行代码，此时将可构造一个任意代码执行漏洞。
+
+以下版本受到影响：
+
+- 4.0.10.16之前4.0.x版本
+- 4.4.15.7之前4.4.x版本
+- 4.6.3之前4.6.x版本（实际上由于该版本要求PHP5.5+，所以无法复现本漏洞）
+
+## 环境搭建
+
+运行如下命令启动PHP 5.3 + Apache + phpMyAdmin 4.4.15.6：
+
+```
+docker compose up -d 
+```
+
+启动后，访问`http://your-ip:8080`，即可看到phpMyAdmin的登录页面。使用`root`:`root`登录。
+
+## 漏洞复现
+
+这个功能需要登录，且能够写入数据。
+
+因为目标环境使用root，所以我们可以创建一个临时数据库和数据表，进行漏洞利用。这里，我们使用POC https://www.exploit-db.com/exploits/40185/ 来复现漏洞。
+
+```
+./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://your-ip:8080/
+```
+
+![](1.png)
+
+-d是已经可以写的数据库，-c是待执行的PHP语句，如果没有指定表名，这个POC会创建一个名为`prgpwn`的表。

phpmyadmin/CVE-2016-5734/config.inc.php

@@ -0,0 +1,29 @@
+<?php
+/*
+ * Generated configuration file
+ * Generated by: phpMyAdmin 4.6.2 setup script
+ * Date: Mon, 07 May 2018 10:48:03 +0000
+ */
+
+/* Servers configuration */
+$i = 0;
+
+/* Server: mysql [1] */
+$i++;
+$cfg['Servers'][$i]['verbose'] = 'mysql';
+$cfg['Servers'][$i]['host'] = 'mysql';
+$cfg['Servers'][$i]['port'] = 3306;
+$cfg['Servers'][$i]['socket'] = '';
+$cfg['Servers'][$i]['connect_type'] = 'tcp';
+$cfg['Servers'][$i]['auth_type'] = 'cookie';
+$cfg['Servers'][$i]['user'] = 'root';
+$cfg['Servers'][$i]['password'] = '';
+
+/* End of servers configuration */
+
+$cfg['blowfish_secret'] = '5af02eda401ae8.69737537';
+$cfg['DefaultLang'] = 'en';
+$cfg['ServerDefault'] = 1;
+$cfg['UploadDir'] = '';
+$cfg['SaveDir'] = '';
+?>

phpmyadmin/CVE-2016-5734/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+ web:
+   image: vulhub/phpmyadmin:4.4.15.6
+   volumes:
+    - ./config.inc.php:/var/www/html/config.inc.php
+   ports:
+    - "8080:80"
+   depends_on:
+    - mysql
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=test