The /e modifier in preg_replace is the classic example. Patched versions of phpMyAdmin no longer rely on eval(), create_function(), or system() within user-controlled flows. Instead, they use:
While the official changelogs claim “security fix applied,” the reality is more nuanced. As a penetration tester, I’ve seen:
As of this review, here are hacktricks that still work on fully patched phpMyAdmin if you have the right conditions:
These are not patched because they are configuration issues, not code bugs.
HackTricks highlights CVE-2018-12613, an authenticated Remote Code Execution (RCE) vulnerability in phpMyAdmin versions 4.8.0 and 4.8.1, as a significant, yet historically patched, Local File Inclusion (LFI) issue. The flaw, allowing attackers to execute PHP code via
, was officially resolved in version 4.8.2, making current, updated versions secure. For a detailed technical breakdown, visit HackTricks.
Securing a phpMyAdmin installation is critical because it is a high-value target for attackers. HackTricks, a popular cybersecurity resource, outlines several vectors used to compromise unpatched or poorly configured versions. 🛠️ Patching and Hardening Guide
The most effective way to prevent "HackTricks-style" exploits is to keep the software updated and restrict access. 1. Update to the Latest Version
Check your current version at the bottom of the phpMyAdmin main page.
Download the latest stable release from the official phpMyAdmin site.
Why: Recent versions include patches for critical vulnerabilities like Local File Inclusion (LFI) and Cross-Site Request Forgery (CSRF). 2. Restrict Access via IP Limit access so only your IP can reach the login page. Apache (.htaccess):
location /phpmyadmin allow [YOUR_IP_ADDRESS]; deny all; Use code with caution. Copied to clipboard 3. Change the Default URL
Attackers use automated bots to scan for /phpmyadmin or /pma.
Rename the directory to something obscure (e.g., /db_manage_xyz).
Update your web server configuration to point to the new folder name. 4. Enable Two-Factor Authentication (2FA) Modern versions support 2FA.
Navigate to Settings > Two-factor authentication within the phpMyAdmin panel to set up Google Authenticator or Hardware keys. 5. Disable Dangerous MySQL Privileges
Attackers often try to use SELECT INTO OUTFILE or general_log to write "WebShells" (malicious scripts) to the server.
Ensure the database user does not have the FILE privilege unless absolutely necessary. phpmyadmin hacktricks patched
Run this SQL command to check: SELECT User, File_priv FROM mysql.user; ⚠️ Common "HackTricks" Attack Vectors
LFI (Local File Inclusion): Exploiting older versions to read sensitive server files like /etc/passwd.
WebShell via Logs: Turning on the general_log and setting the log path to a PHP file in the web directory.
Brute Force: Using default credentials (root/no password) or weak passwords.
Next StepsIf you want to verify your security, I can help you:
Check if your server permissions prevent writing files to the web root.
Draft a configuration file (config.inc.py) that disables the most dangerous features.
Find the exact CVEs (vulnerability IDs) for the version you are currently running. Which of these HackTricks - HackTricks
This report analyzes the security posture of phpMyAdmin in relation to the popular penetration testing resource HackTricks. While HackTricks provides a comprehensive roadmap for exploiting outdated versions, modern patches have effectively neutralized these "classic" attack vectors. ⚡ Executive Summary
The most critical vulnerabilities traditionally associated with phpMyAdmin (such as CVE-2018-12613) have been patched for years. Current security risks are primarily driven by misconfigurations, weak credentials, or server-level vulnerabilities (like glibc issues) rather than flaws in the phpMyAdmin code itself. 🛠️ The "HackTricks" Attack Surface (Patched)
HackTricks details several high-impact techniques that are now blocked in all current, stable versions. 1. Authenticated Remote Code Execution (LFI to RCE)
The Attack: Exploiting CVE-2018-12613 via a session-based Local File Inclusion (LFI) to execute code. Patch Status: Fully Patched since version 4.8.2.
Current State: Modern versions use strict whitelist validation for included files, making this bypass impossible. 2. File Read/Write via SQL (INTO OUTFILE)
The Attack: Using the SELECT ... INTO OUTFILE command to write a web shell to the server or LOAD_FILE() to read sensitive configs. Patch Status: Mitigated via database-level configurations.
Modern Defense: The secure_file_priv global variable in MySQL is now set to NULL by default, blocking all file exports unless explicitly enabled by an admin. 3. Cross-Site Scripting (XSS)
Recent Vulnerabilities: New XSS flaws like CVE-2025-24530 (Check tables) and CVE-2025-24529 (Insert functionality) were recently identified. Patch Status: Patched in version 5.2.2 and later. 🛡️ Modern Security Checklist
To move beyond the vulnerabilities listed on HackTricks, implement these defense-in-depth measures: 🔑 Authentication & Access CVE-2025-24530: phpMyAdmin XSS Vulnerability - SentinelOne The /e modifier in preg_replace is the classic example
The security state of phpMyAdmin is managed through frequent patches released by the development team to address vulnerabilities like Remote Code Execution (RCE), SQL injection, and path traversal. Vulnerability and Patch Guide Vulnerability Type Common CVEs Patch Status Key Mitigation Authenticated RCE CVE-2018-12613 Patched in 4.8.2+ Upgrade to version 4.8.2 or later. Path Traversal CVE-2018-12613, CVE-2025-24530 Restrict the target parameter and update software. SQL Injection CVE-2020-22452 Patched in 4.9.5/5.0.2 Sanitize input in getTableCreationQuery. XSS Multiple (PMASA-2019-5)
Regular updates; developers group these under specific PMASAs. Security Best Practices
To secure your phpMyAdmin installation and defend against common HackTricks pentesting techniques, follow these steps:
Immediate Patching: Ensure you are running the latest stable version. Major security updates, such as the glibc/iconv vulnerability (CVE-2024-2961), are addressed in releases like version 5.2.3 and later. Access Control:
Change Default URL: Move from /phpmyadmin to a custom, unpredictable path.
Restrict by IP: Limit access to known, trusted IP addresses using web server configurations (e.g., .htaccess or Nginx allow directives). Authentication Hardening:
Disable Root Login: Prevent the default MySQL root user from logging in directly through the web interface.
Enable 2FA: Use Two-factor authentication to prevent unauthorized access even if credentials are leaked.
Strong Passwords: Avoid default or empty passwords, which are common targets for dictionary attacks. Server-Level Security:
SSL/TLS: Always use HTTPS to protect credentials from being intercepted in transit.
File Permissions: Ensure the web server does not have write access to critical directories to prevent WebShell uploads.
For the most recent updates, monitor the official phpMyAdmin Security Announcements (PMASA). Linux Hacking Case Studies Part 3: phpMyAdmin - NetSPI
The intersection of phpMyAdmin HackTricks represents a critical case study in web application security
. HackTricks, a renowned cybersecurity resource, meticulously documents exploitation vectors like "Getshell" via log manipulation or configuration abuse, while the phpMyAdmin team counters with patches aimed at neutralizing these specific techniques. The Landscape of phpMyAdmin Vulnerabilities
Historically, phpMyAdmin has been a prime target because it provides a direct bridge to a server's database. Vulnerabilities range from simple credential weaknesses to complex logic flaws that allow for Remote Code Execution (RCE). Remote File Inclusion (RFI) and RCE : A notable historical example is CVE-2018-12613
, which affected versions 4.8.0 and 4.8.1. This flaw allowed authenticated users to include local files, often leading to full system compromise. SQL Injection (SQLi)
: Multiple iterations of SQLi have plagued the platform, such as CVE-2020-5504 As of this review, here are hacktricks that
, where malicious input in the user accounts page could bypass sanitization. Directory Traversal : Older versions like 2.5.4 were susceptible to attacks via export.php , allowing unauthorized reading of sensitive system files. Exploitation Techniques (The "HackTricks" Methods) HackTricks methodology
outlines several sophisticated "Getshell" methods that administrators must defend against: Select Into Outfile
: Attackers attempt to use SQL commands to write a web shell directly into the webroot. Log File Manipulation : By enabling the general_log
and pointing it to a PHP file in a writable directory, attackers can inject malicious PHP code into that log file to create a functional shell. Variable Modification
: In some configurations, attackers can modify global variables (like slow_query_log_file
) to create malicious files even while services are running. Modern Defensive Measures and Patching phpMyAdmin Security Policy highlights that the team issues Security Announcements (PMASA) for every reported flaw. Recent patches have focused on: phpMyAdmin Security policy — phpMyAdmin 6.0.0-dev documentation
"HackTricks" is a popular community-driven knowledge base for penetration testing. In its phpMyAdmin pentesting guide, it details various exploitation techniques, many of which have been mitigated by specific security patches.
Below is a breakdown of common phpMyAdmin vulnerabilities featured in HackTricks and the versions that patched them. Key Patched Vulnerabilities
Many high-profile phpMyAdmin exploits rely on specific versions. The most critical move for security is ensuring you are on a Stable or LTS version. Vulnerability Type Notable CVE Patch Version Description Local File Inclusion (LFI) CVE-2018-12613 4.8.2
Allowed authenticated users to include and execute local files, potentially leading to Remote Code Execution (RCE). SQL Injection CVE-2020-5504 4.9.4 / 5.0.1
Affected the 'username' field in user account pages, requiring a MySQL account to exploit. Cross-Site Scripting (XSS) CVE-2023-25727 4.9.11 / 5.2.1
Triggered via crafted .sql file uploads in the drag-and-drop interface. Arbitrary File Read CVE-2019-6799 4.8.5
Exploited the AllowArbitraryServer configuration to read server files using a rogue MySQL server. Character Set (iconv) CVE-2024-2961 5.2.2
A glibc/iconv vulnerability that could affect phpMyAdmin if specific character set modules were present. "Patched" vs. "Unpatchable" (Misconfigurations)
HackTricks also highlights techniques that are not software bugs but rather results of poor configuration. These cannot be "patched" with a version update alone: Downloads · phpMyAdmin
Ensure certain PHP functions are disabled if not needed:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec