Comprehensive Guide to phpMyAdmin Penetration Testing: The HackTricks Approach
https://target.com/phpmyadmin/ (version 4.8.1) Step 1: Found accessible via dirb . Step 2: Weak credentials admin:admin succeed. Step 3: Run SHOW VARIABLES LIKE 'secure_file_priv' → empty value (good). Step 4: Write shell via INTO OUTFILE to /var/www/html/uploads/cmd.php . Step 5: Access https://target.com/uploads/cmd.php?cmd=id → uid=33(www-data) . Step 6: Read /etc/passwd , find another DB password, pivot to production server. Outcome: Full internal compromise.
: Look for config.inc.php in common directories or through Local File Inclusion (LFI). This file often contains cleartext credentials.
During a routine authorized assessment, Alex found a web server with a standard login page at /phpmyadmin phpmyadmin hacktricks
Note: This technique requires the MySQL global variable secure_file_priv to be empty or pointing to an accessible directory. 3. Notable phpMyAdmin Vulnerabilities (RCE)
If default credentials fail, automated tools like Hydra or Burp Suite Intruder are used to perform dictionary attacks against the setup script or the main login form ( index.php ). Configuration Flaws (config Authentication)
Inspection of the HTML source code on the login page frequently exposes version strings in scripts or meta tags. Sensitive File Discovery Step 4: Write shell via INTO OUTFILE to
Check secure_file_priv :
SELECT LOAD_FILE('/var/www/html/config.inc.php'); SELECT LOAD_FILE('../../wp-config.php');
Before attempting any exploit, a security professional must identify where phpMyAdmin lives and what version it is running. Directory Brute-Forcing and Common Paths Outcome: Full internal compromise
Highly rated for being , and bundled with most hosting providers like cPanel. Security
HackTricks reminds us that even without credentials, phpMyAdmin itself has had nasty RCE bugs:
Attackers can use php://filter or zip:// wrappers to bypass read protections and read sensitive configuration files. 4. Securing phpMyAdmin: Mitigation Strategies
This technique helps attackers harvest system configurations, database credentials, or SSH keys. Achieving RCE via INTO OUTFILE (Web Shell Upload)
Before attempting any active exploitation, you must gather information about the phpMyAdmin instance. Version Detection