PhpMyAdmin 4.0.x—4.6.2 Remote Code Execution Vulnerability (CVE-2016-5734)

中文版本(Chinese version)

PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the preg_replace function, because the information submitted by the user can be spliced into the first parameter.

Before PHP 5.4.7, the first parameter of preg_replace could be truncated with \0 and the change search pattern to \e. It can cause remote code execution vulnerability.

Affected versions:

  • 4.0.x version before
  • 4.4.x version before
  • 4.6.x version before 4.6.3 (actually because this version requires PHP5.5+, this vulnerability cannot be reproduced)


Execute following commands to start PHP 5.3 + Apache + phpMyAdmin

docker-compose up -d 

After start, visit http://your-ip:8080 and you will see the login page of phpMyAdmin. Log in with root:root.


This vulnerability requires login and the permission to write data.

We use this POC( to reproduce the vulnerability.

./ -c 'system(id);' -u root -p root -d test http://your-ip:8080/


Copied From: vulhub/phpmyadmin/CVE-2016-5734