phpMyAdmin is not inherently insecure—it is a powerful tool. However, its power is precisely why it is so dangerous in the wrong hands. In the ecosystem of HackTricks, phpMyAdmin stands out as a high-impact, medium-effort target. Finding it is a strong signal. Exploiting it is often straightforward. Defending it requires discipline, not just software updates.
Remember: the database is the crown jewels. If an attacker reaches phpMyAdmin with admin privileges, the game is already lost.
This essay is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.
The following report outlines common exploitation techniques for phpMyAdmin , based on security research and the HackTricks methodology. 1. Initial Access and Reconnaissance Default Credentials phpmyadmin hacktricks
: Attackers frequently check for default or weak credentials (e.g., with no password). Version Identification
: Identifying the specific phpMyAdmin version is critical, as many older versions are vulnerable to public Remote Code Execution (RCE) URL Obfuscation : Securing an instance often involves changing the default /phpmyadmin URL to prevent automated discovery. Exploit-DB 2. Privilege Escalation & Data Exfiltration Arbitrary File Read : Vulnerabilities like CVE-2018-12613
allow attackers to include files from the server, potentially exposing sensitive /etc/passwd or configuration files via local file inclusion (LFI). Database Dumping : Once authenticated, attackers can use the phpMyAdmin is not inherently insecure—it is a powerful
tab to dump entire databases in formats like SQL, CSV, or XML for offline analysis. Exploit-DB 3. Post-Exploitation: Gaining a Web Shell If the database user has sufficient permissions (e.g.,
privilege), attackers can move from database access to full server compromise: General Log Shell Enable the general log: SET GLOBAL general_log = 'ON'; Set the log file path to a web-accessible directory: SET GLOBAL general_log_file = '/var/www/html/shell.php'; Execute a query containing PHP code: SELECT ""; Access the log file via a browser to execute commands. Slow Query Log Shell : Similar to the general log method, but uses slow_query_log_file
to hide the payload in a file that only records long-running queries. 4. Mitigation and Best Practices To protect phpMyAdmin instances, industry experts recommend: Restricting Access : Use IP whitelisting or place the interface behind a VPN. Two-Factor Authentication : Enable 2FA to prevent credential stuffing. File Permissions : Ensure the database user does not have privileges unless absolutely necessary. Regular Updates : Keep phpMyAdmin updated to the latest stable release to patch known RCE vulnerabilities. for a specific CVE or a remediation checklist for system administrators? This essay is for educational and authorized security
nmap -sV --script http-phpmyadmin-dir-traversal,http-vuln-cve2017-1000251 <target>
HackTricks reminds us that even without credentials, phpMyAdmin itself has had nasty RCE bugs:
These show that a fully patched phpMyAdmin is important, but an exposed, unpatched instance is a disaster waiting to happen.
An attacker scans for common paths: