Phpmyadmin Hacktricks - Verified

PHPMyAdmin Hacktricks: Verified Methods to Exploit and Secure

PHPMyAdmin is a popular open-source tool used to manage and administer MySQL databases. While it's a powerful tool, its widespread use also makes it a prime target for attackers. In this blog post, we'll explore verified Hacktricks for PHPMyAdmin, including methods to exploit and secure your installation.

Introduction to PHPMyAdmin

PHPMyAdmin is a web-based interface that allows users to manage MySQL databases, perform queries, and execute administrative tasks. Its ease of use and feature-rich interface make it a favorite among developers and system administrators.

Hacktricks: Exploiting PHPMyAdmin

The following Hacktricks have been verified to work on PHPMyAdmin:

1. Basic Information

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL/MariaDB over the web. It is frequently targeted by attackers due to its prevalence and potential for privilege escalation.

• Default Paths: /phpmyadmin/, /pma/, /dbadmin/, /mysql/, /phpMyAdmin/, /phpmyadmin2/, /phpmyadmin3/, /phpmyadmin4/, /admin/mysql/, /admin/phpmyadmin/
• Default Login Attempts: root:root, root:"" (blank password), root:password, pma:"", mysql:mysql

7. Key Takeaways for Pentesting

1. Always check for default login (root:blank) – it’s extremely common.
2. If you have valid creds, try INTO OUTFILE immediately.
3. Read config.inc.php via LFI or compromised host – it contains the blowfish secret and MySQL credentials.
4. Old versions (4.x) are often vulnerable to authenticated RCE or LFI.

Note: This information is for authorized security testing only. Always follow responsible disclosure. phpmyadmin hacktricks verified

3.2 Privilege Escalation via MySQL UDF (User Defined Functions)

Verified Technique:

1. Compile a malicious UDF (e.g., sys_exec, sys_eval).
2. Upload via INTO DUMPFILE to plugin directory (SHOW VARIABLES LIKE 'plugin_dir';).
3. Create function: CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';
4. Run OS commands: SELECT sys_eval('id');

HackTricks Note: Metasploit module exploit/linux/mysql/mysql_udf_payload automates this for MySQL < 5.1, but modern versions require manual patch.

7. Arbitrary File Read

phpMyAdmin allows arbitrary file reads when the "open_basedir" restriction is not enabled. An attacker can read sensitive files to extract sensitive information.

• Exploitation Steps:
  • Access the phpMyAdmin URL in a browser (e.g., http://example.com/phpmyadmin)
  • Enter malicious file read code in the "Server" field
  • Click on the "Go" button to read the file

Mitigation Steps:

1. Use Strong Passwords: Use strong passwords for phpMyAdmin accounts.
2. Enable Two-Factor Authentication: Enable two-factor authentication to add an extra layer of security.
3. Disable Unauthenticated Access: Disable unauthenticated access to the phpMyAdmin interface.
4. Enable open_basedir Restriction: Enable the "open_basedir" restriction to prevent LFI attacks.
5. Disable AllowArbitraryServer Option: Disable the "AllowArbitraryServer" option to prevent SQL injection and code execution attacks.
6. Use a Web Application Firewall (WAF): Use a WAF to detect and prevent common web attacks.

By following these hacktricks and mitigation steps, you can improve the security of your phpMyAdmin installation and protect against common attacks.

References:

• Hacktricks - phpMyAdmin
• phpMyAdmin Documentation - Security

This is based on real-world penetration testing findings and documented techniques (aligned with content from sources like HackTricks). Default Paths: /phpmyadmin/ , /pma/ , /dbadmin/ ,

1.1 Default Paths (Verified)

Scanning for these paths yields results in >70% of default installations:

/phpmyadmin/
/pma/
/dbadmin/
/myadmin/
/phpMyAdmin/
/MySQL/
/phpmyadmin2/
/phpmyadmin3/
/pma_db/

Verification tip: Use curl -k -I https://target/phpmyadmin/ and look for the Set-Cookie: phpMyAdmin= header. That header is unique to phpMyAdmin.

General phpMyAdmin Exploits and Countermeasures

• SQL Injection: This typically involves an attacker injecting malicious SQL code into a web application's database to extract or modify sensitive data. Ensure you are using the latest version of phpMyAdmin and your MySQL server is configured securely.

• Authentication Bypass: Some vulnerabilities have allowed attackers to bypass authentication mechanisms. Make sure to follow best practices for user authentication and keep phpMyAdmin updated.

• Remote Code Execution (RCE): RCE vulnerabilities allow attackers to execute arbitrary code on the server. Regularly updating phpMyAdmin and restricting access to it can mitigate such risks.

Part 7: Automated Verification Tools

To verify if a target is vulnerable, use these tools: use these tools:

1. sqlmap – with --os-shell (requires valid credentials)

   sqlmap -u http://target/phpmyadmin/ --data="pma_username=root&pma_password=root" --os-shell
   

2. pma-brute (Python script)

   python3 pma_brute.py -t http://target/phpmyadmin/ -w passwords.txt
   

3. Metasploit module: auxiliary/scanner/http/phpmyadmin_login (still reliable)

1. LFI (Local File Inclusion) Vulnerability

PHPMyAdmin is vulnerable to LFI attacks due to improper input validation. An attacker can exploit this vulnerability to read sensitive files on the server.

Exploitation Steps:

• Access PHPMyAdmin and navigate to the "Import" tab.
• In the "File to import" field, enter the path to a sensitive file on the server (e.g., /etc/passwd).
• Click "Go" to execute the import.

Mitigation:

• Update PHPMyAdmin to the latest version.
• Enable the allow_url_fopen directive in php.ini.