Then, he noticed something in the server headers: an outdated version of phpMyAdmin. He cross-referenced this with the HackTricks database and found a verified entry for CVE-2018-12613, a local file inclusion (LFI) vulnerability.
Note: This vector may be restricted by the MySQL secure_file_priv global variable.

Writing Web Shells via SQL (INTO OUTFILE)
Run SELECT ''; to store the shell in your session file. Find your session ID (from the phpMyAdmin cookie).
| CVE | Impact |
|----------------|-------------------------------------------------|
| CVE-2018-12613 | Local file inclusion via target parameter. |
| CVE-2019-11768 | XSS to session hijacking (fewer risks today). |
| CVE-2020-26934 | CSRF leading to SQL execution. |
The following hacktricks have been verified to work:
Accessing the dashboard is the primary objective to pivot toward Remote Code Execution (RCE).

Default Credentials

Many setups use standard system or application defaults:

- Username: root | Password: (Blank)
- Username: root | Password: root
- Username: pma | Password: (Blank)

Setup Page Misconfiguration
Change the root password for MySQL and the pma user.
If the database user has the FILE privilege and the MySQL variable secure_file_priv is empty or misconfigured, you can write a PHP web shell directly to the web root. Execute the following SQL query in the phpMyAdmin SQL tab:
To prevent these hacktricks from being successful, follow these best practices:
She could have left it there. The nonprofit would never know how close they had come to losing the clinic’s payment. But on the way out she noticed something else in the logs: a set of repeated probes from a cluster of IPs with patterns echoing other entries on HackTricks’ list — not fully verified, but suggestive. Someone had been scanning them for weeks.
Specifically affecting versions 4.8.0 and 4.8.1 (CVE-2018-12613), this flaw allows an authenticated user to include and execute local files by exploiting improper page whitelisting.

LFI to Remote Code Execution (RCE):
: Inspect the HTML source code of the login page for version strings or unique asset hashes.

Common Default Directories