CVE-2013-3238

phpMyAdmin <3.5.8 and <4.0.0-rc3 - Authenticated RCE

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-3238. PoCs have been published by Metasploit, Janek, Vind and Ben Campbell, including the Metasploit module exploits/multi/http/phpmyadmin_preg_replace.

AI-analyzed exploit summary: This Metasploit module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin (CVE-2013-3238) by leveraging the `replace_prefix_tbl` function to execute arbitrary PHP code. It authenticates with the provided credentials, retrieves a CSRF token, and injects the payload via the `from_prefix` and `to_prefix` parameters.

Description

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence (the PCRE e modifier followed by a NUL byte) that is not properly handled before the preg_replace function call in the "Replace table prefix" feature.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/25136

This Metasploit module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin (CVE-2013-3238) by leveraging the `replace_prefix_tbl` function to execute arbitrary PHP code. It authenticates with the provided credentials, retrieves a CSRF token, and injects the payload via the `from_prefix` and `to_prefix` parameters.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: phpMyAdmin 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3
Auth required
Prerequisites: Valid phpMyAdmin credentials · PHP version <= 5.4.6 · Access to phpMyAdmin interface
devstral-2 · analyzed Feb 16, 2026

exploitdb · WRITEUP
webapps · php
https://www.exploit-db.com/exploits/25003

This is a detailed technical writeup describing multiple vulnerabilities in phpMyAdmin, including remote code execution via preg_replace() and local file inclusion. It provides a root cause analysis, the affected code snippets, and step-by-step exploitation instructions.

Classification: Writeup (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: phpMyAdmin 3.5.8 and 4.0.0-RC2
Auth required
Prerequisites: Valid phpMyAdmin user credentials · PHP version < 5.4.7 for the preg_replace() exploit · Specific configuration settings for the other vulnerabilities
devstral-2 · analyzed Feb 19, 2026

metasploit · WORKING POC · EXCELLENT
by Janek, Vind, Ben Campbell · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phpmyadmin_preg_replace.rb

This Metasploit module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin (CVE-2013-3238) by leveraging the `preg_replace` function with the `/e` modifier to execute arbitrary PHP code. It authenticates, retrieves a CSRF token, and injects the payload via the `replace_prefix_tbl` functionality.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: phpMyAdmin versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3
Auth required
Prerequisites: Valid phpMyAdmin credentials · PHP version <= 5.4.6
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References

Third Party Advisory (x_refsource_confirm): https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0133
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/25136
Vendor Advisory (vendor-advisory, x_refsource_mandriva): http://www.mandriva.com/security/advisories?name=MDVSA-2013:160
Third Party Advisory (mailing-list, x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2013-04/0217.html
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html
Mailing List (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html

Scores

EPSS score: 0.2885
EPSS percentile: 97.9%

Details

Status: published
Products (12):
phpmyadmin/phpmyadmin 3.5.0.0
phpmyadmin/phpmyadmin 3.5.1.0
phpmyadmin/phpmyadmin 3.5.2.0
phpmyadmin/phpmyadmin 3.5.2.1
phpmyadmin/phpmyadmin 3.5.2.2
phpmyadmin/phpmyadmin 3.5.3.0
phpmyadmin/phpmyadmin 3.5.4
phpmyadmin/phpmyadmin 3.5.5
phpmyadmin/phpmyadmin 3.5.6
phpmyadmin/phpmyadmin 3.5.7 (2 CPE variants)
... and 2 more
Published: Apr 26, 2013
Tracked since: Feb 18, 2026