CVE-2016-5734
published 2016-07-03


Priority: P188 · critical · CVSS 3.0 base score 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit status: ITW (exploited in the wild) · public exploit · VulnCheck KEV
EPSS: 81.37% (99.6th percentile)
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.

Affected

64 ranges · showing 25

Vendor       Product      Version range                Fixed in
debian       phpmyadmin   < 4:4.6.3-1 (bookworm)       4:4.6.3-1 (bookworm)
phpmyadmin   phpmyadmin   (24 rows; version range and fixed-in columns are missing from the page; the affected ranges are those given in the description)

Detection & IOCs (extracted from sources)

url: /import.php
url: /tbl_find_replace.php
command: find=0/e\0&replaceWith=<payload>&useRegex=on
filename: tbl_find_replace.php
filename: import.php
bytes: 302F6500 (ASCII "0/e" followed by a NUL byte)
  • The exploit targets the table search-and-replace feature via a POST to /tbl_find_replace.php whose regex 'find' value ends in a null-byte-terminated /e modifier (0/e\0): the slash closes the pattern early, 'e' is read as a modifier, and the NUL stops modifier parsing. Monitor POST requests to this endpoint with 'useRegex=on' and a 'find' value containing a NUL byte or a closing "/" followed by modifier letters.
  • The exploit requires prior authentication; the attacker POSTs credentials to /?lang=en to obtain a CSRF token before sending the RCE payload. Correlate login events with subsequent /tbl_find_replace.php requests from the same session or source.
  • The exploit creates a staging table (default name 'prgpwn') containing the hex value 0x302F6500 (ASCII '0/e' plus a NUL byte) via /import.php before triggering the preg_replace /e eval. Alert on SQL INSERT statements containing UNHEX('302F6500') or on creation of a table named 'prgpwn'.
  • The vulnerability is only exploitable on PHP 4.3.0 through 5.4.6; PHP 5.4.7 and later reject NUL bytes in regex patterns, and the /e modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0. Verify the PHP version on phpMyAdmin hosts as part of triage.
  • The Metasploit module for this CVE is 'exploits/multi/http/phpmyadmin_null_termination_exec'. Its request sequence (login, import.php staging SQL, tbl_find_replace.php with the NUL-terminated /e pattern) in web logs should be treated as an active exploitation attempt.
  • The exploit only works against PHP 4.3.0–5.4.6; PHP 5.4.7+ blocks NUL bytes in regex patterns, rendering the /e modifier injection ineffective.
  • Exploitation requires valid phpMyAdmin credentials (authenticated RCE); unauthenticated attackers cannot trigger the vulnerability directly.
  • Affected versions are phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3. Instances already at or above these versions are not vulnerable.
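The following is an added example, not code from the page or from the phpMyAdmin project, that applies the indicators above to request records which include POST bodies (for instance a WAF or ModSecurity audit log, or a reverse proxy with body logging; a plain access log has no body and cannot be used for this). The record field names (ts, src, method, path, body) and the sample records are assumptions constructed to mirror the exploit's request sequence, not real traffic.

```python
"""Detection logic for CVE-2016-5734 exploitation attempts (added example).

Flags: a tbl_find_replace.php POST with useRegex=on whose 'find' value carries a
NUL-terminated /e modifier (high), any NUL byte in 'find' (medium), and the public
exploit's staging SQL sent through import.php (medium). Login POSTs are tracked so
each finding can say whether the same source authenticated first.
"""
import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import parse_qs

# "/" closing delimiter, modifier letters including "e", then a NUL byte that
# truncates modifier parsing on PHP <= 5.4.6 (e.g. "0/e\x00").
PREG_E_NUL = re.compile(r"/[A-Za-z]*e[A-Za-z]*\x00")
# Staging SQL used by the public exploit: table 'prgpwn' or the literal "0/e\0" as hex.
STAGING_SQL = re.compile(r"UNHEX\(\s*'302F6500'\s*\)|\bprgpwn\b", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    src: str
    rule: str
    severity: str
    detail: str


def _script(path: str) -> str:
    """Basename of the request path; phpMyAdmin is often served under a prefix."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def _fields(body: str) -> dict:
    """Decode a urlencoded body; %00 decodes to '\\x00' and is preserved."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def analyze(requests: Iterable[dict]) -> list:
    findings = []
    logged_in = set()   # sources that posted phpMyAdmin credentials
    staged = set()      # sources that sent the staging SQL via import.php
    for r in sorted(requests, key=lambda r: r["ts"]):
        if r.get("method") != "POST":
            continue
        src, script, f = r["src"], _script(r["path"]), _fields(r.get("body", ""))
        if "pma_username" in f:  # login form posted; the CSRF token is issued after this
            logged_in.add(src)
        elif script == "import.php" and STAGING_SQL.search(f.get("sql_query", "")):
            staged.add(src)
            findings.append(Finding(r["ts"], src, "staging_table", "medium",
                                    "import.php SQL references prgpwn / UNHEX('302F6500')"))
        elif script == "tbl_find_replace.php" and f.get("useRegex") == "on":
            find = f.get("find", "")
            if PREG_E_NUL.search(find):
                rule, sev = "preg_e_nul", "high"
            elif "\x00" in find:  # a NUL byte has no legitimate use in a search pattern
                rule, sev = "nul_in_find", "medium"
            else:
                continue
            ctx = []
            if src in logged_in:
                ctx.append("login seen earlier from same source")
            if src in staged:
                ctx.append("staging table created earlier from same source")
            detail = f"find={find!r} replaceWith={f.get('replaceWith', '')!r}"
            if ctx:
                detail += " (" + "; ".join(ctx) + ")"
            findings.append(Finding(r["ts"], src, rule, sev, detail))
    return findings


# Constructed sample records (assumed format, not real traffic): one attacker
# running the exploit's login -> staging -> trigger sequence, and one benign user.
SAMPLE_REQUESTS = [
    {"ts": "2016-07-03T10:00:01Z", "src": "203.0.113.7", "method": "POST",
     "path": "/phpmyadmin/?lang=en",
     "body": "pma_username=root&pma_password=example&server=1&token="},
    {"ts": "2016-07-03T10:00:02Z", "src": "203.0.113.7", "method": "POST",
     "path": "/phpmyadmin/import.php",
     "body": "db=test&token=a1b2&sql_query=CREATE+TABLE+prgpwn+%28c+VARCHAR%2810%29%29%3B"
             "INSERT+INTO+prgpwn+VALUES+%28UNHEX%28%27302F6500%27%29%29"},
    {"ts": "2016-07-03T10:00:03Z", "src": "203.0.113.7", "method": "POST",
     "path": "/phpmyadmin/tbl_find_replace.php",
     "body": "db=test&table=prgpwn&columnIndex=0&find=0%2Fe%00&replaceWith=system%28%27id%27%29"
             "&useRegex=on&submit=Go&token=a1b2"},
    # Benign regex search-and-replace by another user: must not be flagged.
    {"ts": "2016-07-03T10:05:00Z", "src": "198.51.100.4", "method": "POST",
     "path": "/phpmyadmin/tbl_find_replace.php",
     "body": "db=shop&table=items&columnIndex=2&find=colou%3Fr&replaceWith=color&useRegex=on&token=zz"},
]

if __name__ == "__main__":
    for fnd in analyze(SAMPLE_REQUESTS):
        print(f"{fnd.ts} {fnd.src} [{fnd.severity}] {fnd.rule}: {fnd.detail}")
```

The path check uses the script basename rather than a fixed "/tbl_find_replace.php" because phpMyAdmin is commonly served under a prefix such as /phpmyadmin/. Login is recognised by the pma_username field instead of the path, since the page notes the exploit posts to /?lang=en but any phpMyAdmin login URL carries that field.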

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                      9.8    CRITICAL
vulncheck                9.8    CRITICAL
vendor_debian            9.8    CRITICAL