phpMyAdmin HackTricks
SELECT '' INTO OUTFILE '/var/www/html/shell.php';
What and web server (Apache, Nginx, Docker) you are running?
Before attempting any exploit, a security professional must identify where phpMyAdmin lives and what version it is running.
Directory Brute-Forcing and Common Paths
/etc/my.cnf, ~/.my.cnf [HackTricks].
phpMyAdmin is frequently installed via package managers or manual zip extractions, often leaving predictable web roots. Standard directory fuzzing tools like gobuster, dirsearch, or ffuf should target the following common directories: /phpmyadmin/, /phpMyAdmin/, /pma/, /admin/pma/, /dbadmin/, /mysql/, /database/
Fingerprinting the Version
: In versions 4.8.0 and 4.8.1, attackers can use a path traversal flaw in the parameter.
Older versions (3.1.3.1) allowed remote attackers to inject arbitrary PHP code into a configuration file via the setup.php script, leading to RCE.
: Locating the absolute webroot path is essential for many "getshell" techniques.
3. Exploitation Techniques (HackTricks Methodology)
If authenticated, several paths can lead to Remote Code Execution (RCE) Sensitive Information Disclosure
SELECT ... INTO OUTFILE
The oldest trick: write a PHP shell into the web root.
: Restrict access to specific IP addresses via .htaccess or Nginx config.
Look at the footer of the login page or the main dashboard after authentication.
Older versions of phpMyAdmin are famous for LFI vulnerabilities.
: If you have low-privileged access, check mysql.user or information_schema.USER_PRIVILEGES to identify high-privilege accounts to target.
2. Escalating to RCE
By forcing the application to include a session file containing malicious PHP code, an attacker can achieve Remote Code Execution (RCE). Payload Example:
Once inside, the game is over if you achieve RCE.