phpMyAdmin HackTricks Verified
In the penetration testing and red-teaming life cycle, phpMyAdmin functions as a "golden gate." If you find an exposed instance, your verification process should follow this checklist:
If the current user has CREATE USER and GRANT privileges:
If user input is not properly sanitized, an attacker can inject malicious SQL code.
The following hacktricks have been verified to work:
A significant number of phpMyAdmin installations are left with default or weak credentials. During an assessment, testers should always attempt a set of common credential combinations:
Many instances rely on default administrative credentials set during installation. Standard combinations include:
root : root
root : (no password)
pma : (no password)
admin : admin
Configuration Flaws (AllowNoPassword)
If the MySQL user has the FILE privilege and you know the absolute path of the webroot, you can write a PHP shell directly to the server.
When manual configuration flaws are not present, unpatched phpMyAdmin installations can be compromised using public exploits.
CVE-2018-12613: Local File Inclusion (LFI) to RCE (4.8.0 to 4.8.1)
Requires FILE privilege and appropriate OS permissions (e.g., MySQL running as root, or weak directory permissions).
The application uses a whitelist check for the page parameter but fails to properly sanitize input before processing it through include. Verification Payload:
Note: This requires the secure_file_priv variable to be empty or pointing to the webroot.
B. CVE-2018-12613 (Local File Inclusion)
Check for exposed .htpasswd via path traversal (see later).
# phpMyAdmin - HackTricks Verified Checklist
Since phpMyAdmin uses standard HTTP POST requests for authentication, it is highly susceptible to brute-forcing if rate limiting is not enforced. Tools like Hydra can be utilized effectively:
Then call: POST /shell.php with cmd=system('id');
Based on actual breach post-mortems, these work:
Check if the /setup/ directory was left accessible. In older or misconfigured setups, this allows attackers to reconfigure the database connection.
This information is for authorized security testing only. Always follow responsible disclosure.