Phpmyadmin Hacktricks 2021 ❲Windows❳

Here are some helpful write-ups and tricks related to phpMyAdmin:

phpMyAdmin Hacktricks

phpMyAdmin is a popular open-source tool for managing MySQL databases. While it's a powerful tool, it's also a common target for attackers. Here are some helpful write-ups and tricks to help you secure and exploit phpMyAdmin:

Securing phpMyAdmin

• Change the default login URL: By default, phpMyAdmin's login URL is /phpmyadmin. Change this to a custom URL to prevent automated attacks.
• Use a strong password: Use a strong password for the MySQL root user and other database users.
• Limit access: Limit access to phpMyAdmin to only trusted IP addresses or networks.
• Keep phpMyAdmin up-to-date: Regularly update phpMyAdmin to the latest version to patch known vulnerabilities.

Exploiting phpMyAdmin

• Unauthenticated access: If phpMyAdmin is not properly configured, an attacker may be able to access the login page without authentication.
• SQL injection: If phpMyAdmin is vulnerable to SQL injection, an attacker may be able to execute arbitrary SQL queries.
• File inclusion: If phpMyAdmin is vulnerable to file inclusion, an attacker may be able to include arbitrary files.

Useful phpMyAdmin URLs

• Login URL: /phpmyadmin (or custom login URL)
• phpMyAdmin interface: /phpmyadmin/index.php
• phpMyAdmin config file: /phpmyadmin/config.inc.php

phpMyAdmin Commands

• List databases: SHOW DATABASES;
• List tables: SHOW TABLES FROM <database_name>;
• Describe table: DESCRIBE <table_name>;
• Dump database: mysqldump -u <username> -p<password> <database_name>

phpMyAdmin Tools

• SQL query box: Execute arbitrary SQL queries.
• Designer: Visualize and manipulate database schema.
• Variables: View and edit MySQL variables.

Common phpMyAdmin vulnerabilities

• CVE-2014-8959: Unauthenticated access vulnerability.
• CVE-2016-5734: SQL injection vulnerability.

Resources

• phpMyAdmin documentation: Official phpMyAdmin documentation.
• Hacktricks phpMyAdmin page: Comprehensive guide to phpMyAdmin exploitation.

By following these tips and being aware of common vulnerabilities, you can help secure your phpMyAdmin installation and prevent exploitation.

This guide outlines penetration testing techniques and security best practices for phpMyAdmin, drawing on common methodologies documented by researchers and platforms like HackTricks. I. Vulnerability Identification & Reconnaissance

The first step involves identifying the specific version of phpMyAdmin and discovering the server's file paths.

Version Detection: Attackers often check for sensitive files to determine the version, such as README, changelog.php, or Documentation.html.

Path Discovery: Knowing the absolute web path is critical for many exploits. Common methods include: Checking phpinfo() pages if accessible.

Fuzzing for web error messages that reveal directory structures.

Querying the database for the data directory using show variables like '%datadir%';. II. Common Exploitation Techniques phpmyadmin hacktricks

Once an instance is identified, several techniques can be used to gain deeper access.

Default Credentials: Many instances remain vulnerable to common default logins (e.g., root with no password).

Remote Code Execution (RCE) via LFI: Specific versions (like 4.8.0 and 4.8.1) have known Local File Inclusion (LFI) vulnerabilities, such as CVE-2018-12613, which can be leveraged for RCE by authenticated users.

Writing Webshells (Into Outfile): If the secure_file_priv variable is empty and the user has sufficient privileges, attackers can write a PHP webshell directly to the webroot.

Example: SELECT "" INTO OUTFILE "/var/www/html/shell.php";.

Log File Manipulation: If direct file writing is restricted, attackers may enable the General Query Log, set the log file path to a .php file in the webroot, and execute a query containing PHP code to "poison" the log. III. Security Hardening Best Practices

To mitigate these risks, administrators should implement layered security controls. Restrict Access:

IP Whitelisting: Use web server configurations (Apache/Nginx) to only allow trusted IP addresses. Here are some helpful write-ups and tricks related

VPN/SSH Tunneling: The most secure method is to make phpMyAdmin accessible only via a VPN or SSH tunnel. Authentication & Credential Security:

Extra Login Layer: Implement .htaccess or HTTP Basic Authentication to add a prompt before the phpMyAdmin login page.

Two-Factor Authentication (2FA): Enable 2FA for all user accounts.

Disable Root Login: Create specific user accounts with limited privileges instead of using the root account for daily tasks. Environment Hardening:

Change Default URL: Rename the /phpmyadmin directory to a random, non-obvious string to deter automated bots.

Keep Updated: Regularly patch to the latest version to protect against known CVEs.

Configure PHP Settings: Set secure_file_priv in my.cnf to a specific, restricted directory to prevent unauthorized file writes. Linux Hacking Case Studies Part 3: phpMyAdmin

3.3 MySQL User-Defined Functions (UDF) – System Command Execution

Compile a shared library and load it to execute OS commands. Change the default login URL : By default,

1. Find MySQL plugin dir:

   SHOW VARIABLES LIKE 'plugin_dir';
   

2. Write UDF binary to disk (using INTO DUMPFILE).
3. Create function:

   CREATE FUNCTION sys_exec RETURNS INT SONAME 'udf.so';
   SELECT sys_exec('id');
   

1.3 Setup Page (Critical Misconfiguration)

Some installations forget to remove /setup. Check: /phpmyadmin/setup/ If accessible, you can configure the server, which may lead to RCE (more in Part 3).

PHPMyAdmin Hacktricks