phpMyAdmin HackTricks

Locating the absolute webroot path is essential for many "getshell" techniques.

3. Exploitation Techniques (HackTricks Methodology)

If authenticated, several paths can lead to Remote Code Execution (RCE) or Sensitive Information Disclosure.

SELECT ... INTO OUTFILE

| Stage | Action |
|---|---|
| | Exposed phpMyAdmin; attacker sets locale to zh_CN using an AWS Hong Kong IP |
| Log poisoning | Enables general query log and redirects it to ../../htdocs/123.php |
| Webshell injection | Injects eval($_REQUEST[1]) via query, creating an executable shell |
| Post‑exploitation | Uses AntSword for interactive remote access |
| Agent deployment | Downloads Nezha agent + config from Cloudflare Pages; establishes C2 communication with over 100 agents |
| Final payload | Deploys Ghost RAT with persistence via SQLlite service in System32\SQLlite.exe |

Enable PMA's built-in 2FA support.

Many setups, especially in development environments, neglect to change default database credentials. Try logging in with:

- root : (empty password)
- root : root
- root : password
- admin : admin

Configuration File Exposure

An authenticated attacker can pass a specially crafted string that executes arbitrary PHP code via the split transformation feature.

CVE-2020-5504: SQL Injection

Affected Versions: 5.0.0 and prior

Identifying the exact phpMyAdmin version is critical for determining which vulnerabilities may be present. Several files often disclose version information:

By forcing the application to include a session file containing malicious PHP code, an attacker can achieve Remote Code Execution (RCE).

Payload Example:

Never allow blank passwords for the root account. Implement multi-factor authentication (MFA) where possible.

Once inside phpMyAdmin, here’s how you turn database access into server compromise.

Once authenticated, your objective shifts from database access to executing operating system commands (Remote Code Execution) or reading sensitive server files.

1. Arbitrary File Read and Write via SQL INTO OUTFILE

If the database user has write permissions (FILE privilege) and you know the absolute path of the web root, you can write a PHP web shell to achieve Remote Code Execution (RCE):

Run SHOW VARIABLES LIKE '%secure_file_priv%'; to see if file exports are restricted.

Local File Inclusion (LFI) to RCE: