|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
phpMyAdmin Pentesting & Exploitation Guide (HackTricks Style) phpMyAdmin is a widely used, open-source web-based administration tool for MySQL and MariaDB. Due to its popularity and elevated privileges, it is a prime target for penetration testers and attackers. A successful compromise of phpMyAdmin often leads to full database access and, in many cases, remote code execution (RCE) on the underlying server. This article provides a structured approach to pentesting phpMyAdmin, mirroring the methodology found on resources like HackTricks . 1. Discovery and Enumeration The first step is locating the phpMyAdmin installation. It is often hosted in common, predictable paths. Common Paths: /phpMyAdmin /phpmyadmin /pma /mysql /db /phpMyAdmin-3.x.x Enumeration Methods: Directory Brute Forcing: Use tools like Gobuster, Dirb, or Dirbuster with a specialized webapp wordlist [NetSPI]. Search Engine Dorking: site:example.com inurl:phpmyadmin Fingerprinting: Examine HTTP headers for specific Apache or PHP configurations [NetSPI]. 2. Authentication Bypass & Credential Attacks Once located, the goal is to gain access to the login interface. Default Credentials: Many installations use default credentials. Test combinations like: root / (blank) root / root admin / password Brute Force: If a login page is exposed, brute-forcing the pma_username and pma_password fields is a common approach. Configuration File Leaks: Sometimes, the config.inc.php file is accessible, revealing database credentials. 3. Vulnerability Exploitation (RCE) If credentials are obtained, or if the version is outdated, you can escalate privileges. A. CVE-2018-12613 (RCE via File Inclusion) phpMyAdmin 4.8.1 is vulnerable to a remote code execution vulnerability [Exploit-DB]. Mechanism: The flaw allows an attacker to include files via the target parameter. Exploitation: By crafting a specific URL, an attacker can include a local file (e.g., a file they have previously uploaded or a session file) and execute PHP code within it [Exploit-DB]. B. Misconfigured UploadDir or SaveDir If phpMyAdmin is configured to allow file uploads (e.g., to import SQL dumps), you might be able to upload a PHP shell. 4. Post-Exploitation: Database to System Once logged into phpMyAdmin, the goal is to pivot to operating system control. A. Writing a Webshell via SQL If the MySQL user has FILE privileges, you can use SELECT ... INTO OUTFILE to write a file to the web root. SELECT ' ' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution. Note: The MySQL user must have write permissions to the destination directory. B. Exploiting User-Defined Functions (UDF) If you can upload a shared library ( .so or .dll ) file to the server, you can create a function that allows you to execute system commands. Upload udf.so to /usr/lib/mysql/plugin/ . Execute: CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'; Execute: SELECT sys_eval('whoami'); C. Dumping Database Data Using the SQL interface to export users , hashes , or config tables. Useful MySQL Files to Target: /etc/my.cnf , ~/.my.cnf [HackTricks]. Command History: Checking ~/.mysql.history for previous sensitive queries [HackTricks]. 5. Remediation and Hardening To protect phpMyAdmin, implement the following security measures: Update Regularly: Always use the latest version of phpMyAdmin to patch vulnerabilities like CVE-2018-12613 [Exploit-DB]. Disable FILE Privilege: Ensure the MySQL user used by phpMyAdmin does not have the FILE privilege. Restrict Access: Place phpMyAdmin behind a VPN or use IP whitelisting in the Apache/Nginx configuration. Change Default Path: Rename /phpmyadmin to a non-obvious name. Disable UploadDir : Set UploadDir to a secure, non-public directory, or disable it entirely in config.inc.php . Ethical security testing requires a focus on authorization and the improvement of defensive postures. Security professionals utilize these methodologies to identify weaknesses before they can be exploited maliciously. For further research into securing database administration tools, the following areas are recommended for study: Log Analysis: Reviewing web server and database logs to identify unauthorized access attempts or suspicious SQL patterns. Network Segmentation: Implementing strict firewall rules to isolate database management interfaces from the public internet. Identity and Access Management (IAM): Implementing multi-factor authentication (MFA) and the principle of least privilege for all administrative accounts. Web Application Firewalls (WAF): Configuring WAF rules to detect and block common injection and file inclusion attacks directed at management interfaces. Maintaining a secure environment involves continuous monitoring and adherence to industry-standard hardening guides. 3306 - Pentesting Mysql - HackTricks
Comprehensive Guide to phpMyAdmin Exploitation and Enumeration phpMyAdmin is a widely used web-based interface for managing MySQL and MariaDB databases. Because it often has direct access to sensitive data, it is a frequent target for security auditors and attackers alike. This guide compiles essential enumeration techniques, configuration flaws, and exploitation vectors associated with phpMyAdmin, structured similarly to the popular HackTricks information security wiki. 1. Initial Enumeration and Reconnaissance Before attempting any active exploits, you must gather information about the phpMyAdmin installation to identify its version and configuration. Version Detection Identifying the exact version of phpMyAdmin narrows down the list of applicable Public Exploits (CVEs). Documentation Files: Check for publicly accessible documentation or changelog files. /README /Documentation.html /Documentation.txt /ChangeLog Login Page Source: Inspect the HTML source code of the login page. Meta tags or commented JavaScript files often reveal version strings. Common URL Paths If phpMyAdmin is not on the root directory, look for it using automated directory brute-forcing tools (like Gobuster or Dirsearch) with the following common paths: /phpmyadmin/ /pma/ /admin/phpMyAdmin/ /mysql/ /db/ 2. Authentication Bypass and Credential Hunting Gaining access to the phpMyAdmin dashboard is the most straightforward path to database control. Default and Weak Credentials Many setups suffer from weak or default credentials. Test combinations such as: root : root root : (blank) pma : (blank) admin : admin Configuration File Leaks If the server has a Local File Inclusion (LFI) vulnerability or an exposed backup directory, look for the phpMyAdmin configuration file: File Name: config.inc.php Common Paths: Linux: /etc/phpmyadmin/config.inc.php or /var/www/html/phpmyadmin/config.inc.php Windows (XAMPP): C:\xampp\phpMyAdmin\config.inc.php What to look for: Look for hardcoded database passwords or the blowfish_secret passphrase used for cookie encryption. 3. Post-Authentication Exploitation Once you have valid credentials or an authenticated session, your goal shifts from database access to Remote Code Execution (RCE) on the underlying server. Exploiting SELECT ... INTO OUTFILE (RCE) If the database user has the FILE privilege and the MySQL configuration allows writing to the web root, you can write a PHP web shell to the server. Navigate to the SQL tab in phpMyAdmin. Execute a query to write a simple PHP payload: SELECT ' ' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution. Access your shell via the browser: http:// /shell.php?cmd=whoami Note: This technique requires knowing the absolute path of the web directory and relies on the MySQL secure_file_priv variable being empty or misconfigured. Reading Files via LOAD DATA INFILE If you cannot write a shell but have the FILE privilege, you can read local system files and display them in phpMyAdmin. Create a temporary table: CREATE TABLE intermediate_table (content TEXT); Use code with caution. Load the target system file into the table: LOAD DATA INFILE '/etc/passwd' INTO TABLE intermediate_table FIELDS TERMINATED BY '\n'; Use code with caution. Query the table to read the contents: SELECT * FROM intermediate_table; Use code with caution. 4. Notable Historical Vulnerabilities (CVEs) When dealing with older, unpatched versions of phpMyAdmin, specific CVEs offer reliable vectors for exploitation. CVE-2018-12613: Local File Inclusion (LFI) Affected Versions: 4.8.0 to 4.8.1 Mechanism: A flaw in the page redirection and inclusion handling allows an authenticated user to include arbitrary files from the server. Exploit Vector: Attackers can execute code by session poisoning (inserting PHP code into a database query so it logs to the session file) and then including that session file:
This guide outlines penetration testing techniques and security best practices for phpMyAdmin , drawing on common methodologies documented by researchers and platforms like HackTricks . I. Vulnerability Identification & Reconnaissance The first step involves identifying the specific version of phpMyAdmin and discovering the server's file paths. Version Detection: Attackers often check for sensitive files to determine the version, such as README , changelog.php , or Documentation.html . Path Discovery: Knowing the absolute web path is critical for many exploits. Common methods include: Checking phpinfo() pages if accessible. Fuzzing for web error messages that reveal directory structures. Querying the database for the data directory using show variables like '%datadir%'; . II. Common Exploitation Techniques Once an instance is identified, several techniques can be used to gain deeper access. Default Credentials: Many instances remain vulnerable to common default logins (e.g., root with no password). Remote Code Execution (RCE) via LFI: Specific versions (like 4.8.0 and 4.8.1) have known Local File Inclusion (LFI) vulnerabilities, such as CVE-2018-12613 , which can be leveraged for RCE by authenticated users. Writing Webshells (Into Outfile): If the secure_file_priv variable is empty and the user has sufficient privileges, attackers can write a PHP webshell directly to the webroot. Example: SELECT " " INTO OUTFILE "/var/www/html/shell.php"; . Log File Manipulation: If direct file writing is restricted, attackers may enable the General Query Log , set the log file path to a .php file in the webroot, and execute a query containing PHP code to "poison" the log. III. Security Hardening Best Practices To mitigate these risks, administrators should implement layered security controls. Restrict Access: IP Whitelisting: Use web server configurations (Apache/Nginx) to only allow trusted IP addresses. VPN/SSH Tunneling: The most secure method is to make phpMyAdmin accessible only via a VPN or SSH tunnel . Authentication & Credential Security: Extra Login Layer: Implement .htaccess or HTTP Basic Authentication to add a prompt before the phpMyAdmin login page. Two-Factor Authentication (2FA): Enable 2FA for all user accounts. Disable Root Login: Create specific user accounts with limited privileges instead of using the root account for daily tasks. Environment Hardening: Change Default URL: Rename the /phpmyadmin directory to a random, non-obvious string to deter automated bots. Keep Updated: Regularly patch to the latest version to protect against known CVEs. Configure PHP Settings: Set secure_file_priv in my.cnf to a specific, restricted directory to prevent unauthorized file writes. Linux Hacking Case Studies Part 3: phpMyAdmin
For those looking to assess the security of phpMyAdmin installations, HackTricks provides a comprehensive guide focused on reconnaissance and exploitation techniques. The methodology generally follows a path from basic identification to gaining Remote Code Execution (RCE). 1. Initial Reconnaissance & Login Version Identification : Locate the version by checking the /README or /ChangeLog files, or look for the PMA_VERSION string in the page source. Default Credentials : Always test common defaults like root:root , root:admin , or root with no password. Some systems may also have anonymous login enabled. Weak Credentials : If defaults fail, attempt a dictionary attack. Note that many environments may lack rate limiting, though some may require a rate-limit bypass using headers like X-Forwarded-For . 2. Post-Authentication Exploitation Once logged in, the primary goal is often to pivot from database access to server-level access. Writing a Web Shell ( SELECT ... INTO OUTFILE ) : If the database user has FILE privileges and you know the absolute web path (e.g., /var/www/html ), you can write a PHP shell directly to the disk. Prerequisite check : Run SHOW VARIABLES LIKE '%secure_file_priv%'; to see if file exports are restricted. Local File Inclusion (LFI) to RCE : Vulnerability Example : Specific versions like 4.8.0 and 4.8.1 are vulnerable to a path traversal flaw (CVE-2018-12613). Technique : Execute a SQL query containing PHP code (e.g., SELECT ' '; ). Then, include the session file (located at /var/lib/php/sessions/sess_[YOUR_SESSION_ID] ) via the vulnerable target parameter to trigger the code. 3. Advanced Persistence and Attacks Configuration Files : Check for config.inc.php which may contain hardcoded credentials for other services or the root database user. PHP Wrappers : Use PHP wrappers (like php://filter ) in conjunction with file inclusion vulnerabilities to read the source code of sensitive configuration files. Summary of Common Vulnerabilities Vulnerability Type Description Default Creds Using common login pairs like root:root . CVE-2018-12613 LFI vulnerability in versions 4.8.0-4.8.1 used for RCE. INTO OUTFILE Writing malicious scripts to the web root if permissions allow. Setup Scripts Older versions may have a /setup directory left accessible which can be used to reconfigure the server. phpmyadmin hacktricks
In 2025 and early 2026, security reports for phpMyAdmin have transitioned from simple misconfigurations to complex edge-case vulnerabilities, such as those involving library interactions and specific feature abuse. While classic "HackTricks" methods like SELECT ... INTO OUTFILE remain relevant for older systems, modern research focuses on Authenticated XSS Library-Level RCE Current Critical Vulnerabilities (2025-2026) Recent advisories highlight that even patched systems can be vulnerable due to underlying server libraries: CVE-2024-2961 (glibc/iconv RCE): A critical vulnerability in the glibc/iconv library can potentially lead to Remote Code Execution Condition: Requires the extension to be loaded and a specific vulnerable character set used during export. Mitigation: Upgrade to phpMyAdmin 5.2.2 CVE-2025-24530 (XSS in "Check tables"): Authenticated users can trigger an XSS attack by using a specially-crafted table or database name CVE-2025-24529 (XSS in "Insert"): An authenticated user can execute malicious scripts through the "Insert" tab functionality. CVE-2022-0813 (Information Disclosure): Validated as a significant risk in early 2026, this flaw allows attackers to leak sensitive configuration data through malformed parameters. SentinelOne Advanced Exploitation Techniques (HackTricks Style) Penetration testers and researchers from platforms like HackTricks categorize phpMyAdmin attacks into three main tiers: Authenticated RCE via Local File Inclusion (LFI) CVE-2018-12613: Still the most common lab example for version 4.8.0/4.8.1. Attackers use the parameter to include session files where they have previously injected PHP code. Webshell via SQL Misconfiguration Into Outfile: If the MySQL user has privileges and the webroot path is known, an attacker can write a shell directly to the server: SELECT ' ' INTO OUTFILE '/var/www/html/shell.php' Client-Side Attacks Arbitrary File Read: HackTricks notes that if an attacker can force a phpMyAdmin client to connect to a malicious MySQL server, they can read local files from the user's machine. CVE-2025-24530: phpMyAdmin XSS Vulnerability - SentinelOne
A feature on phpMyAdmin exploitation, as often detailed on resources like HackTricks , focuses on leveraging a database management interface to escalate privileges or gain a shell on the underlying server. Key Exploitation Techniques If you have access to a phpMyAdmin instance (via weak credentials or misconfiguration), several vectors can lead to a full compromise: RCE via SELECT ... INTO OUTFILE :If the database user has the FILE privilege and the server's secure_file_priv is empty or permits writing to the web directory, you can write a PHP web shell directly to the server. 3306 - Pentesting Mysql - HackTricks SELECT " " INTO OUTFILE '/var/www/html/shell.php'; Use code with caution. Copied to clipboard
user wants a comprehensive article on "phpmyadmin hacktricks". This likely refers to penetration testing techniques, vulnerabilities, and security misconfigurations related to phpMyAdmin. I need to provide a long, detailed article. I should search for relevant information covering various aspects like default credentials, exploits, file inclusion, SQL injection, privilege escalation, and post-exploitation techniques. I'll follow the search plan provided in the hints. search results for "phpMyAdmin hacktricks" returned some results, but not all are directly from hacktricks.xyz. The search for "site:hacktricks.xyz phpMyAdmin" didn't return any results. I need to gather more specific information. I'll also search for "phpMyAdmin hacktricks" directly. 0 from the search "phpMyAdmin hacktricks" seems to be a page about PHP tricks from hacktricks, which might include phpMyAdmin-related information. I'll open it. Result 9 might be relevant. I'll also search for "phpMyAdmin LFI RCE" and "phpMyAdmin webshell". hacktricks page seems to be about PHP tricks in general, not specifically phpMyAdmin. The other search results provide various pieces of information. I need to structure the article. I'll cover reconnaissance, default credentials, authentication bypass, LFI/RCE, SQL injection, file inclusion to RCE, privilege escalation, post-exploitation, and security recommendations. I'll also look for more recent vulnerabilities. I'll search for "phpMyAdmin 2024 vulnerability" and "phpMyAdmin 2025 exploit". need to write a comprehensive article. I'll structure it with an introduction, sections on reconnaissance, default credentials, authentication bypass, LFI to RCE, SQL injection, privilege escalation (UDF), post-exploitation (webshell, logs), recent CVEs, and defense. I'll cite sources where applicable. Now I'll write the article. phpMyAdmin Hacktricks: A Comprehensive Penetration Testing Guide phpMyAdmin is a popular web-based administration tool for MySQL and MariaDB databases. It is offered by most hosting providers and can be found on roughly every second website, making it a tempting target for attackers. This guide provides a detailed overview of techniques for identifying, exploiting, and mitigating security weaknesses in phpMyAdmin instances. This article provides a structured approach to pentesting
1. Reconnaissance and Initial Access Locating phpMyAdmin Common paths to check for phpMyAdmin include:
/phpmyadmin/ /pma/ /dbadmin/ /mysql/ /phpMyAdmin/ /admin/mysql/
Use directory brute-forcing tools like Gobuster, Dirb, or ffuf to discover hidden phpMyAdmin endpoints. Cookie and Session Locations phpMyAdmin typically uses the PHPSESSID cookie for session management. Session files are stored in common locations such as: It is often hosted in common, predictable paths
/var/lib/php/sessions/ /var/lib/php5/ /tmp/
Understanding these paths can be useful for session hijacking or local file inclusion attacks.
|
|
Copyright © 2026 Vital Crate Report Privacy Policy / Contact Us |
