module
PhpMyAdmin Config File Code Injection
Disclosed | Created |
---|---|
2009-03-24 | 2018-05-30 |
Description
This module exploits a vulnerability in phpMyAdmin's setup
feature which allows an attacker to inject arbitrary PHP
code into a configuration file. The original advisory says
the vulnerability is present in phpMyAdmin versions 2.11.x
3.0.1.1.
The file where our payload is written
(phpMyAdmin/config/config.inc.php) is not directly used by
the system, so it may be a good idea to either delete it or
copy the running config (phpMyAdmin/config.inc.php) over it
after successful exploitation.
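A defender-side check for the leftover file described above, as an added example that is not part of the module or of phpMyAdmin: it flags lines in config/config.inc.php that are not plain `$cfg` assignments. The allowlist of expected line shapes and the names `suspicious_lines`, `audit` and `SAMPLE` are assumptions of this example, and the sample file is constructed.

```python
import re
from pathlib import Path

# Assumed shape of a setup-generated config: PHP tags, comments, the $i
# server counter, and $cfg[...] assignments whose value is one literal.
_KEY = r"\[(?:'[A-Za-z0-9_]+'|\$i|\d+)\]"
_VALUE = r"(?:'(?:[^'\\]|\\.)*'|-?\d+|true|false|null)"
_ALLOWED = re.compile(
    r"<\?php|\?>|(?://|#)(?:(?!\?>).)*|\$i\s*=\s*0;|\$i\+\+;|"
    rf"\$cfg(?:{_KEY})+\s*=\s*{_VALUE};", re.IGNORECASE)

def suspicious_lines(text):
    """Return (line_number, line) pairs that are not plain config statements."""
    hits, in_comment = [], False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_comment:                      # inside a /* ... */ block
            end = line.find("*/")
            if end < 0:
                continue
            in_comment, line = False, line[end + 2:].strip()
        if line.startswith("/*"):
            end = line.find("*/", 2)
            if end < 0:
                in_comment = True
                continue
            line = line[end + 2:].strip()   # check whatever follows the comment
        if line and not _ALLOWED.fullmatch(line):
            hits.append((number, raw))
    return hits

def audit(root):
    """Inspect <root>/config/config.inc.php, the file the module writes to."""
    target = Path(root) / "config" / "config.inc.php"
    if not target.is_file():
        return {"present": False, "suspicious": []}
    text = target.read_text(errors="replace")
    return {"present": True, "suspicious": suspicious_lines(text)}

# Constructed sample: lines 5 and 6 carry statements a config should not have.
SAMPLE = """<?php
/* Servers configuration */
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost'; phpinfo();
phpinfo();
$cfg['DefaultLang'] = 'en-utf-8';
?>
"""
```

The allowlist is deliberately strict, so a legitimate line it does not recognise (a double-quoted value, for instance) is reported for manual review rather than passed.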
Authors
Greg Ose
pagvac
egypt egypt@metasploit.com
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
