Phpmyadmin: Hacktricks Verified

Penetration Testing Guide: phpMyAdmin Vulnerabilities and Exploitation

phpMyAdmin is a widely used, open-source tool for managing MySQL and MariaDB databases through a web interface. Due to its popularity and powerful administrative capabilities, it is a frequent target for attackers. This guide covers common vulnerabilities and exploitation techniques documented by security researchers and platforms like HackTricks.

Common phpMyAdmin Vulnerabilities

Penetration testers typically look for several high-impact vulnerabilities when encountering a phpMyAdmin instance:

Remote Code Execution (RCE) via LFI (CVE-2018-12613): This is one of the most significant modern vulnerabilities affecting versions 4.8.0 and 4.8.1. An authenticated user can exploit a Local File Inclusion (LFI) flaw to execute arbitrary PHP code on the server.

SQL Injection (SQLi): Multiple versions have been susceptible to SQLi. For instance, CVE-2020-5504 affects versions prior to 4.9.4 and 5.0.1, allowing attackers with a MySQL account to manipulate queries through the 'username' field on the user accounts page.

Authentication Bypass & Weak Credentials: In many cases, phpMyAdmin is misconfigured with a root account that has no password, granting immediate administrative access. WordPress plugins like Portable phpMyAdmin (v1.3.0) have also been known for authentication bypass flaws.

Cross-Site Scripting (XSS): Authenticated users could trigger XSS (e.g., CVE-2023-25727) by uploading crafted .sql files via the drag-and-drop interface in versions prior to 4.9.11 and 5.2.1.

If /setup/ is still accessible (removed after install),

Directory Traversal: Older versions (pre-2.5.6) were vulnerable to directory traversal in export.php, allowing attackers to read arbitrary server files.

Exploitation Techniques (Getshell Methods)

Once access is gained, the ultimate goal is often to obtain a remote shell ("getshell"). Common methods include:

Change server configuration

Write a malicious config file

B. Setup Script Misconfiguration

3.3 setup.php Exposure (Old versions)

In very old phpMyAdmin versions (pre-4.0), /setup/ was accessible and could rewrite config files, allowing authentication bypass or code injection.


4.2 Blowfish Secret Cracking

If $cfg['blowfish_secret'] is weak or default, you can decrypt session cookies and impersonate admin.

Verification: Default secrets found in old versions:

Use this to forge a cookie: phpMyAdmin cookie value → decrypt to get username.
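
From the defender's side, the weak-secret and empty-password conditions described above, together with the affected version ranges listed earlier on this page, can be checked before an attacker finds them. The following audit sketch is an added example, not code from phpMyAdmin or HackTricks; the function names, the sample config and the low-variety heuristic are assumptions, and 32 characters is the secret length phpMyAdmin's own documentation asks for.

```python
import re

# Constructed sample config.inc.php; not taken from any real host.
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = 'changeme';
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
// $cfg['Servers'][$i]['AllowNoPassword'] = false;
"""

# Affected ranges as stated on this page: (label, branch, first fixed release).
PAGE_RANGES = [
    ("CVE-2020-5504 (SQLi)", 4, (4, 9, 4)), ("CVE-2020-5504 (SQLi)", 5, (5, 0, 1)),
    ("CVE-2023-25727 (XSS)", 4, (4, 9, 11)), ("CVE-2023-25727 (XSS)", 5, (5, 2, 1)),
]

def version_findings(version):
    """Map an installed version string to the issues this page lists for it."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if not v:
        return []
    hits = []
    if v in ((4, 8, 0), (4, 8, 1)):
        hits.append("CVE-2018-12613 (LFI to RCE)")
    if v < (2, 5, 6):
        hits.append("export.php directory traversal")
    return hits + [n for n, major, fixed in PAGE_RANGES if v[0] == major and v < fixed]

def config_findings(php_text):
    """Flag the weak settings discussed above in a config.inc.php body."""
    # Drop /* */ blocks and whole-line // or # comments so disabled settings are ignored.
    text = re.sub(r"/\*.*?\*/|^\s*(?://|#)[^\n]*", "", php_text, flags=re.S | re.M)
    findings = []
    m = re.search(r"\$cfg\['blowfish_secret'\]\s*=\s*'([^']*)'", text)
    secret = m.group(1) if m else ""
    if len(secret) < 32:
        findings.append("blowfish_secret missing or shorter than 32 characters")
    elif len(set(secret)) < 10:  # assumption: crude check for repeated/keyboard-run values
        findings.append("blowfish_secret has low character variety")
    if re.search(r"\['AllowNoPassword'\]\s*=\s*true", text, re.I):
        findings.append("AllowNoPassword is enabled (empty-password logins accepted)")
    return findings

if __name__ == "__main__":
    for finding in config_findings(SAMPLE_CONFIG) + version_findings("4.8.1"):
        print("[!]", finding)
```
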


Part 2: Authentication Bypass – Verified Techniques