Phpmyadmin Hacktricks Verified
Once inside phpMyAdmin (with any user-level access), the attack escalates rapidly.
| Aspect | Summary |
|--------|---------|
| Primary risk | Credential theft → full database compromise → RCE |
| Most common mistake | Public exposure + weak root password |
| Most powerful feature for attackers | INTO OUTFILE + LOAD_FILE |
| Mitigation priority | Restrict network access + update regularly |
This guide follows the HackTricks methodology for pentesting phpMyAdmin
, a common web-based tool for managing MySQL and MariaDB databases. book.hacktricks.xyz 1. Initial Reconnaissance & Enumeration
Before attempting an exploit, identify the environment and version: Version Identification
: Look for version strings in the footer of the login page or in files like Absolute Path Leakage : Check for common error pages or use a SELECT @@datadir;
query once logged in to find where files are stored on the server. Sensitive Files : Search for config.inc.php
, which may contain database credentials or internal configuration secrets. 2. Authentication & Access If the instance is not publicly open, try the following: Default Credentials : Test common combinations like with an empty password. Brute-Forcing : Use tools like to test for weak administrative passwords. Credential Harvesting
: If you have access to the file system (e.g., via another vulnerability), check wp-config.php
(WordPress) or similar CMS configuration files for DB passwords. book.hacktricks.xyz 3. Exploitation Techniques (Verified)
The primary goal in phpMyAdmin pentesting is often to escalate from database access to Remote Code Execution (RCE)
The "HackTricks" reference for phpMyAdmin typically refers to a verified path for gaining Remote Code Execution (RCE) through an authenticated session or by exploiting specific file inclusion vulnerabilities. HackTricks identifies phpMyAdmin as a critical entry point because it often runs with high privileges on a web server. 🚀 Verified RCE via INTO OUTFILE
If you have administrative access (e.g., root credentials), the most direct verified method is writing a PHP shell to the web root using the SELECT ... INTO OUTFILE command. phpmyadmin hacktricks verified
Requirement: The MySQL user must have the FILE privilege and the secure_file_priv global variable must be empty. Payload Example:
SELECT "" INTO OUTFILE "/var/www/html/shell.php"; Use code with caution. Copied to clipboard
Verification: Once executed, you can trigger commands via http://. 🛡️ Verified Vulnerability: CVE-2018-12613 (LFI to RCE)
This is a high-profile authenticated vulnerability found in phpMyAdmin versions 4.8.0 and 4.8.1.
Vulnerability: Local File Inclusion (LFI) through the target parameter.
HackTricks Technique: You can include a session file or a database table that contains malicious PHP code. The Chain:
Execute a query to store code in the database (e.g., SELECT '';). Find your session ID (usually in the phpMyAdmin cookie).
Include the session file (typically /var/lib/php/sessions/sess_) via the vulnerable parameter. 🔍 Discovery and Foothold
HackTricks recommends several checks to find or exploit unmanaged phpMyAdmin installations:
Default Credentials: Check for root with no password or root.
Exposed Setup: Look for /phpmyadmin/setup/index.php, which may allow you to create a new configuration and potentially gain code execution.
Environment Files: Search for config.inc.php in common directories to find hardcoded credentials. phpMyAdmin 4.8.1 - Remote Code Execution (RCE) - Exploit-DB Once inside phpMyAdmin (with any user-level access), the
The air in the dimly lit room was thick with the hum of servers and the smell of stale coffee.
, a penetration tester for a mid-sized fintech firm, was deep into a red-team engagement. His target: a legacy web server that the client’s IT department had "forgotten" to decommission. He pulled up the HackTricks phpMyAdmin guide
, a resource he trusted for its verified, community-tested techniques. He had already identified an exposed /phpmyadmin
directory. It was a classic "low-hanging fruit" scenario, but in cybersecurity, the simplest oversights often lead to the biggest breaches. The Entry Point
Silas started with the basics. He tried common default credentials— with no password, admin/admin
—but the login screen remained stubborn. He pivoted to the "verified" methods listed on HackTricks. He checked for the config.inc.php.swp
file, hoping a developer had left a swap file behind during a late-night edit. No luck.
Then, he noticed something in the server headers: an outdated version of phpMyAdmin. He cross-referenced this with the HackTricks database and found a verified entry for CVE-2018-12613 , a local file inclusion (LFI) vulnerability.
Following the verified steps, Silas crafted a specific URL payload: ://target.com
The browser refreshed. Instead of the login screen, a wall of text appeared—the server's /etc/passwd file. He was in. But LFI wasn't enough; he needed a shell. He remembered a specific trick from the HackTricks documentation
regarding session files. He knew that phpMyAdmin stores session data in /var/lib/php/sessions/
. If he could "poison" his own session with PHP code, he could execute commands via the LFI vulnerability. The Final Move This guide follows the HackTricks methodology for pentesting
Silas went back to the SQL execution tab (accessible even without a full login in some misconfigured setups) and ran: SELECT '';
This small snippet of code was now sitting in a session file on the server's disk. He returned to his LFI payload, pointing it toward his session ID file:
index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_[HIS_SESSION_ID]&cmd=whoami The page loaded. At the very top, in plain text, it read:
He had successfully turned a simple database management tool into a doorway for the entire network. He closed his laptop, ready to write the report that would hopefully convince the client to finally hit "delete" on that legacy server. specific technical details
of another vulnerability listed on HackTricks, or should we look into remediation steps for phpMyAdmin?
Since the context appears to be related to cybersecurity research, penetration testing, or a documentation dump, I have provided three different formats depending on your needs:
Attackers first scan for the phpMyAdmin login page. Common URLs:
/phpmyadmin/
/pma/
/dbadmin/
/myadmin/
/phpMyAdmin/
/MySQL-Admin/
/phpmyadmin2/
/phpmyadmin3/
/pma_db/
Some setups hide it under a random or custom path, but default installations are predictable.
After verifying the attacks, here’s how to defend effectively:
To verify if a target is vulnerable, use these tools:
In phpMyAdmin 4.8.0–4.8.4, an LFI vulnerability allowed attackers to read arbitrary files without logging in.
Exploit steps (verified against 4.8.1):
POST /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../etc/passwd
Why it works: Improper sanitization of the target parameter. Patched in 4.8.5. Test instances still exist.