Phpmyadmin Hacktricks Verified Instant
This blog post explores verified techniques for exploiting phpMyAdmin, drawing from authoritative community resources like HackTricks and Exploit-DB.
Mastering phpMyAdmin Pentesting: Verified HackTricks Techniques
phpMyAdmin is a staple for database management, but its ubiquitous nature makes it a prime target for attackers. When misconfigured or outdated, it can serve as a direct gateway from a simple web interface to full Remote Code Execution (RCE). 1. Initial Foothold: Authentication & Bypass
The first hurdle is often the login screen. Attackers look for:
Default Credentials: Many installations still use root with no password.
Authentication Bypass: Certain versions or configurations, such as $cfg['ServerDefault'] = 0, can bypass login requirements entirely.
Configuration Weaknesses: The AllowArbitraryServer setting can be exploited to force phpMyAdmin to connect to an attacker-controlled database, potentially leading to further exploitation. 2. Verified RCE via Local File Inclusion (CVE-2018-12613)
One of the most famous "verified" exploits involves CVE-2018-12613, which affects versions 4.8.0 and 4.8.1.
The Flaw: An improper test for whitelisted pages in index.php allows for path traversal.
The Payload: By double URL-encoding a question mark (%253f), attackers can bypass validation:index.php?target=db_sql.php%253f/../../../../../../etc/passwd.
The "Hack" to RCE: Once LFI is confirmed, attackers "poison" their session by running a SQL query like SELECT '';. They then use LFI to include their own session file (e.g., /var/lib/php/sessions/sess_[SESSION_ID]), executing the injected PHP code. 3. Post-Auth Exploitation: "Into Outfile"
If you have FILE privileges, you can gain a shell by writing directly to the web root:
Find the Path: Use SELECT @@datadir; or look for common paths like /var/www/html/.
Write the Shell: Execute a query to write a PHP web shell to a writable directory:SELECT '' INTO OUTFILE '/var/www/html/shell.php';. 4. Other Notable Attack Vectors HackTricks
Technical Analysis: phpMyAdmin Exploitation and the HackTricks Methodology This paper explores the security landscape of phpMyAdmin
, a popular web-based MySQL/MariaDB administration tool, through the lens of established penetration testing methodologies like those verified and curated by HackTricks 1. Introduction to phpMyAdmin Vulnerabilities phpMyAdmin
is frequently targeted because its successful compromise often grants an attacker complete control over a website's backend data or, in some cases, the web server itself. Vulnerabilities typically stem from outdated versions, misconfigurations, or weak credentials. 2. High-Impact Exploitation Techniques Verified techniques on HackTricks Exploit-DB highlight critical attack paths: Authenticated Local File Inclusion (LFI):
Specifically affecting versions 4.8.0 and 4.8.1 (CVE-2018-12613), this flaw allows an authenticated user to include and execute local files by exploiting improper page whitelisting. LFI to Remote Code Execution (RCE): phpmyadmin hacktricks verified
Attackers can escalate LFI to RCE by injecting PHP payloads into the database and including the resulting session file (e.g., /var/lib/php5/sess_
Vulnerabilities in specific features, such as the user accounts page, have allowed malicious users to inject SQL commands, potentially modifying privileges or exfiltrating data. 3. Enumeration and Reconnaissance
A standard pentesting methodology begins with service identification: Port Scanning: Identifying default ports (usually for MySQL). Version Detection:
Checking for outdated software susceptible to known exploits like CVE-2018-12613 Credential Auditing:
Testing for default or weak credentials which remain a leading cause of compromise. 4. Mitigation and Security Hardening
The search for "phpmyadmin hacktricks verified" points to a well-known methodology in the cybersecurity world for escalating a minor oversight into full server control.
Here is the story of how a single misconfiguration in phpMyAdmin can lead to a total system compromise. 1. The Open Gate
The story begins with a security researcher (or an attacker) finding a phpMyAdmin
login page. Most of the time, this is a dead end if passwords are strong. However, HackTricks
—the industry-standard "cheat sheet" for hackers—outlines a "verified" path for when you already have credentials or find a "config" setup with no password. 2. The Information Leak
Once inside the dashboard, the goal isn't just to look at data—it's to escape the database and reach the underlying operating system. The first step in the HackTricks playbook is checking the tab. The attacker looks for the secure_file_priv The "Verified" Win: If this variable is
, it means the database has permission to read and write files anywhere on the server. 3. The SQL Injection "Story"
Instead of a complex exploit, the attacker uses a simple SQL query to "tell" the server to create a file. This is the Select Into Outfile technique. "" '/var/www/html/shell.php' Use code with caution. Copied to clipboard In an instant, the attacker has written a PHP Web Shell directly into the website's folder. 4. Full System Access The story ends when the attacker visits ://website.com . The server responds with
. From here, they can download tools, pivot through the internal network, or escalate privileges to Summary of the HackTricks "Verified" Checklist: Check Credentials: Test defaults like authentication. Verify Permissions: privileges are enabled for the current user. Find the Path: command to find where the website files are stored. Write the shell and take control.
Steps to Secure phpMyAdmin
-
Keep it Updated: Regularly update phpMyAdmin to ensure you have the latest security patches.
-
Strong Authentication: Use strong, unique passwords and consider enabling two-factor authentication if available.
-
Limit Access: Restrict access to phpMyAdmin to trusted IP addresses or through VPNs. This blog post explores verified techniques for exploiting
-
Monitor Activity: Regularly monitor database and server logs for suspicious activity.
-
Use a Web Application Firewall (WAF): A WAF can help protect against many types of attacks.
If you're looking for detailed, step-by-step guides on exploiting or securing phpMyAdmin, I recommend checking out HackTricks or similar cybersecurity resources. Always ensure you are operating within legal and ethical boundaries, and consider setting up a test environment for safely experimenting with security tools and techniques.
Penetration Testing Guide: phpMyAdmin Vulnerabilities and Exploitation
phpMyAdmin is a widely used, open-source tool for managing MySQL and MariaDB databases through a web interface. Due to its popularity and powerful administrative capabilities, it is a frequent target for attackers. This guide covers common vulnerabilities and exploitation techniques documented by security researchers and platforms like HackTricks. Common phpMyAdmin Vulnerabilities
Penetration testers typically look for several high-impact vulnerabilities when encountering a phpMyAdmin instance:
Remote Code Execution (RCE) via LFI (CVE-2018-12613): This is one of the most significant modern vulnerabilities affecting versions 4.8.0 and 4.8.1. An authenticated user can exploit a Local File Inclusion (LFI) flaw to execute arbitrary PHP code on the server.
SQL Injection (SQLi): Multiple versions have been susceptible to SQLi. For instance, CVE-2020-5504 affects versions prior to 4.9.4 and 5.0.1, allowing attackers with a MySQL account to manipulate queries through the 'username' field on the user accounts page.
Authentication Bypass & Weak Credentials: In many cases, phpMyAdmin is misconfigured with a root account that has no password, granting immediate administrative access. WordPress plugins like Portable phpMyAdmin (v1.3.0) have also been known for authentication bypass flaws.
Cross-Site Scripting (XSS): Authenticated users could trigger XSS (e.g., CVE-2023-25727) by uploading crafted .sql files via the drag-and-drop interface in versions prior to 4.9.11 and 5.2.1.
Directory Traversal: Older versions (pre-2.5.6) were vulnerable to directory traversal in export.php, allowing attackers to read arbitrary server files. Exploitation Techniques (Getshell Methods)
Once access is gained, the ultimate goal is often to obtain a remote shell ("getshell"). Common methods include:
Unprotected phpMyAdmin interface - Vulnerabilities - Acunetix
The security of phpMyAdmin is a critical topic for database administrators, as it is a common target for automated attacks due to its widespread use. The "HackTricks" community maintains a comprehensive, verified guide for penetration testers and security professionals to audit phpMyAdmin installations. Common Exploitation Techniques
Attackers often look for specific vulnerabilities in unpatched or poorly configured versions:
Remote Code Execution (RCE): One of the most severe vulnerabilities found in older versions. For example, CVE-2018-12613 allowed authenticated attackers to include and execute local files on the server due to improper whitelisting of pages.
Directory Traversal: Older versions (like 2.5.4) were susceptible to directory traversal, where attackers could read arbitrary files by using ../ sequences in parameters like "what" in export.php. Steps to Secure phpMyAdmin
Local File Inclusion (LFI): Vulnerabilities like CVE-2018-19968 allowed attackers with configuration storage access to leak local file contents.
Sensitive Information Disclosure: If the setup directory or the config.inc.php file is left exposed, attackers can gain insights into the database structure or credentials. Verified Reconnaissance Steps
According to professional auditing standards (often documented in papers by organizations like GIAC), testers should follow these steps:
Version Identification: Locate the /doc/html/index.html or similar files to identify the version and check for known CVEs.
Default Credentials Check: Attempt logins with common defaults like root with no password or admin/admin.
Authentication Bypass Checks: Look for misconfigurations like $cfg['AllowArbitraryServer'] = true, which might allow an attacker to connect the instance to their own malicious server. Security Recommendations
To stay secure, administrators should follow the official phpMyAdmin Security Advisories:
Keep Software Updated: Regularly check for new security releases (e.g., the recent PMASA-2025-3 advisory regarding glibc/iconv).
Restrict Access: Use .htaccess or firewall rules to limit access to the phpMyAdmin directory to specific IP addresses.
Secure Configuration: Ensure the setup directory is removed after installation and that sensitive configuration files are not publicly readable. cve-2018-12613 - NVD
2. Remote Code Execution (RCE) via SQL
Once logged in, these methods work consistently across most versions.
2.1 The Classic: Default Credentials
Despite decades of warnings, default credentials remain the top entry method.
| Credential Pair | Success Rate (Audited) |
|----------------|------------------------|
| root: (blank) | ~12% of default XAMPP/LAMP |
| root:root | ~8% |
| root:123456 | ~5% |
| pma:pmapassword | Older configs |
| admin:admin | Custom setups |
Verification: Use Hydra or Medusa with a small user/pass list. Limit to 5 attempts/sec to avoid lockouts.
Part 6: Defense & Mitigation – Verified Hardening
C. File Write via SQL
If you have credentials, you can use SQL to write a webshell:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"
Requirements:
secure_file_privis empty or points to webroot- Write permissions on target directory.
5.1 Dump Everything via SQL
From phpMyAdmin SQL tab:
SELECT * FROM information_schema.tables INTO OUTFILE '/tmp/db_dump.sql';
Or use built-in export (less stealthy but faster).