If you want to check your current setup for specific vulnerabilities like ? Share public link
| Method | Technique | |---|---| | | Append a single quote to a URL parameter (e.g., ?id=1′ ) to trigger a database error revealing the path | | Phpinfo() discovery | Search for /info.php , /test.php , or /phpinfo.php | | File reading (if privileges permit) | SELECT load_file(‘/etc/passwd’); | | Database data directory | SHOW VARIABLES LIKE ‘%datadir%’; | | Google dorking | site:target.com warning OR “fatal error” |
Securing a foothold in phpMyAdmin is often just the beginning of a broader network compromise.
: Check paths like /README or /ChangeLog . The Documentation : Look at /doc/html/index.html .
If you have retrieved hashes from /.git/config , .env , or backup files, try reusing those passwords here. phpmyadmin hacktricks
If direct file writing is restricted by configurations like secure_file_priv , specific CVEs within phpMyAdmin can be exploited to achieve code execution. CVE-2018-12613: Local File Inclusion (LFI)
Identifying the exact phpMyAdmin version is critical for determining which vulnerabilities may be present. Several files often disclose version information:
The most effective defense is making phpMyAdmin inaccessible to the public internet.
| OS | Path | |---|---| | Linux | /etc/phpmyadmin/config.inc.php | | Linux | /usr/share/phpmyadmin/config.inc.php | | Windows (XAMPP) | C:\xampp\phpmyadmin\config.inc.php | | Windows (WAMP) | C:\wamp\apps\phpmyadmin\config.inc.php | If you want to check your current setup
Exploits a preg_replace with /e modifier. Attack vector: SQL table name containing PHP code. exploit/multi/http/phpmyadmin_rce
Older or misconfigured installations sometimes allow unauthorized access if the setup directory was not deleted.
If phpMyAdmin is not on the root domain, network scanners frequently look for it at these common endpoints: /phpmyadmin/ /phpMyAdmin/ /pma/ /admin/phpmyadmin/ /db/phpmyadmin/ 2. Authentication Bypass and Credential Hunting
If default credentials fail, automated tools like Hydra or Burp Suite Intruder are used to perform dictionary attacks against the setup script or the main login form ( index.php ). Configuration Flaws (config Authentication) The Documentation : Look at /doc/html/index
allowed for remote code execution via specially crafted table/database names that triggered issues in PHP's preg_replace Post-Exploitation Reading Files LOAD DATA LOCAL INFILE LOAD_FILE() to read sensitive system files like /etc/passwd Privilege Escalation
Older versions of phpMyAdmin feature an installation assistant accessible at /phpmyadmin/setup/index.php . If left unconfigured or poorly protected, an attacker can manipulate configuration files or point the installation to an external malicious server under their control. 3. Post-Authentication Exploitation (From DB Access to RCE)
In the cybersecurity community, the HackTricks entry for phpMyAdmin is considered a for several reasons: