If you can enable general logging and change the log file path to a .php file in the web directory, you can inject PHP code into the logs to create a shell.

3. Post-Exploitation via SQL
| CVE | Impact | Fixed in |
|-----|--------|----------|
| CVE-2016-5734 | Brute force using $cfg['AllowArbitraryServer'] | 4.6.3 |
| CVE-2018-12613 | File inclusion via target=db_sql.php?/../../ | 4.8.1 |
| CVE-2019-12922 | CSRF + RCE | 4.9.0.1 |
Use PHP wrappers (like php://filter) in conjunction with file inclusion vulnerabilities to read the source code of sensitive configuration files.

Summary of Common Vulnerabilities

| Vulnerability Type | Description |
|---|---|
| Default Creds | Using common login pairs like root:root. |
| CVE-2018-12613 | LFI vulnerability in versions 4.8.0-4.8.1 used for RCE. |
| INTO OUTFILE | |
The most effective defense is making phpMyAdmin inaccessible to the public internet.
If the database user has the FILE privilege and the application allows writing to the web directory, an attacker can write a PHP webshell.
Many setups, especially in development environments, use default or weak credentials. Common combinations include:

- root : (no password)
- root : root
- root : password
- pma : (no password)

Bruteforcing
| Tool | Use Case |
|---|---|
| | Modern webshell manager; supports PHP, ASP, JSP with encryption |
| China Chopper | Simple, lightweight webshell client |
| Metasploit web_delivery | Delivers a Meterpreter payload via the webshell |
Look for wp_users (WordPress) or users tables to crack hashes.
Every executed SQL statement is written to the log file. After injection, the log file functions as a fully-fledged webshell.
| Username | Password |
|---|---|
| root | (empty) |
| root | root |
| admin | admin |
| pma | (empty) |
| @@ | (empty) – older AppServ versions |
phpMyAdmin stores session data in files. Inject malicious content into a session:
Web Application Firewalls may intercept certain SQL keywords. Bypass techniques include:
This payload uses PHP's allow_url_include and auto_prepend_file directives to execute the POST body as PHP code.
phpMyAdmin is one of the most popular open-source, web-based MySQL database management tools. Due to its widespread adoption, it is a high-value target for attackers during web application penetration testing. This article provides a comprehensive guide to , incorporating techniques inspired by the HackTricks methodology, including common vulnerabilities, enumeration, and mitigation strategies as of 2026.

1. Introduction to phpMyAdmin Enumeration
is one of the most widely used web-based administration tools for MySQL and MariaDB databases. Because it often holds the "keys to the kingdom," it is a prime target for security auditors and attackers alike. This guide compiles essential methodologies, vectors, and techniques for auditing phpMyAdmin installations, drawing from industry-standard security resources like HackTricks.

1. Initial Reconnaissance and Fingerprinting
Always running the latest version to patch known LFI and RCE vulnerabilities.