Phpmyadmin | Hacktricks Verified
This injection could be used to read sensitive information from the database, including user password hashes.
Like any popular software, phpMyAdmin has faced several security vulnerabilities over the years. These can range from SQL injection attacks, cross-site scripting (XSS), and remote code execution, to issues with authentication and authorization.
Execute a query to store code in the database (e.g., SELECT ''; ). Find your session ID (usually in the phpMyAdmin cookie).
Turn on the general log and point the log file to the web root: phpmyadmin hacktricks verified
phpMyAdmin is one of the most widely deployed web interfaces for managing MySQL and MariaDB databases. Because it sits directly in front of critical data, misconfigurations or unpatched vulnerabilities frequently make it a primary target for security auditors and attackers alike.
You can automate login audits using specialized tools like Hydra :
: hydra -L users.txt -P passwords.txt http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^:F=Access denied" This injection could be used to read sensitive
These credentials often have broad privileges.
Once authenticated—either through valid credentials or an authentication bypass—the attack surface expands significantly. Local File Inclusion (LFI) via CVE-2018-12613
In specific configurations where the Signon authentication mode is enabled, attackers can exploit CSRF (Cross-Site Request Forgery) vulnerabilities to log out users or trick the system into authenticating sessions via specially crafted URLs. Checking for Weak Setup Scripts Execute a query to store code in the database (e
This comprehensive guide compiles verified methodologies, enumeration steps, and exploitation vectors inspired by the HackTricks framework to help you systematically assess phpMyAdmin environments. 1. Initial Reconnaissance and Enumeration
A verified SQL injection vulnerability existed in phpMyAdmin versions 4 < 4.9.4 and 5 < 5.0.1 on the server_privileges.php page.
Maya spun up a container and reconstructed the vulnerable phpMyAdmin version and the flawed filter. The payload executed exactly as the logs had suggested — a malformed parameter slipped into a poorly sanitized query and the delete command executed with the privileges of a forgotten admin. She watched the sanitized version of the nonprofit’s database in the sandbox, then wrote a scripted rollback that would piece back rows from unindexed fragments in the binary log and reconstruct the donor transfer record with timestamps kept intact.
If the PHPMyAdmin password is weak or has not been changed from the default, an attacker can easily gain access to the interface.
If the database has write permissions to the web root, deploy a web shell: