Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
38 lines
1.3 KiB
Markdown
38 lines
1.3 KiB
Markdown
# PhpMyAdmin 4.0.x—4.6.2 Remote Code Execution Vulnerability (CVE-2016-5734)
|
|
|
|
[中文版本(Chinese version)](README.zh-cn.md)
|
|
|
|
PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the `preg_replace` function, because the information submitted by the user can be spliced into the first parameter.
|
|
|
|
Before PHP 5.4.7, the first parameter of `preg_replace` could be truncated with `\0` and the change search pattern to `\e`. It can cause remote code execution vulnerability.
|
|
|
|
Affected versions:
|
|
|
|
- 4.0.x version before 4.0.10.16
|
|
- 4.4.x version before 4.4.15.7
|
|
- 4.6.x version before 4.6.3 (actually because this version requires PHP5.5+, this vulnerability cannot be reproduced)
|
|
|
|
## Setup
|
|
|
|
Execute following commands to start PHP 5.3 + Apache + phpMyAdmin 4.4.15.6:
|
|
|
|
```
|
|
docker compose up -d
|
|
```
|
|
|
|
After start, visit `http://your-ip:8080` and you will see the login page of phpMyAdmin. Log in with `root`:`root`.
|
|
|
|
## Exploit
|
|
|
|
This vulnerability requires login and the permission to write data.
|
|
|
|
We use this POC(https://www.exploit-db.com/exploits/40185/) to reproduce the vulnerability.
|
|
|
|
```
|
|
./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://your-ip:8080/
|
|
```
|
|
|
|
Result:
|
|
|
|
|