How I gained admin access with phpMyAdmin

Overview

This article will explain how I got administrative access to a subdomain.

How do I gain admin access using phpMyAdmin?

Initially, I was going through domains and subdomains, where everything looked good, and I did a nuclei scan on target.

subfinder -d example.com | nuclei

During the scan, I got the result under “info” as

[phpmyadmin-panel] [http] [info] https://example.com/phpmyadmin/

What should I do next?

I added.env at the end of the URL.

https://example.com/.env

and I hit a gold mine.

.env file contains secret details like database username and password, API keys, AWS private keys, secret keys, etc.

I made an attempt to access phpMyAdmin using the password stored in the.env file.
I was able to log into the database, so it did work.

Logged into phpMyAdmin console

I was taken right to the login page when I went to the subdomain. I searched all the databases and found the user table.

Login Page of a website

The previous password should be copied and saved. I pasted the hash value into hashes.com, where it provided the hash type, rather than wasting my time bruteforcing it to know what the password is!

Find the hash type of a hashed string using hashes.com

I went to https://appdevtools.com/bcrypt-generator, gave the new password string, and pasted the generated hash.

bcrypt hash genetaring for a string using app.devtools.com

Adding generated password to admin

I added the user name and password, which I changed in the database, and I logged in as admin.

Admin panel of a website

Conclusion: This has not happened to me once; it happens most of the time when I find.env or phpMyAdmin open.

Even the nuclide scan gave you “information” and didn't give you any vulnerability categories like low, medium, or high; don't worry. Check for "info.” It may lead to a gold mine.