This article will explain how I got administrative access to a subdomain.
How do I gain admin access using phpMyAdmin?
Initially, I was going through domains and subdomains, where everything looked good, and I did a nuclei scan on target.
subfinder -d example.com | nuclei
During the scan, I got the result under “info” as
[phpmyadmin-panel] [http] [info] https://example.com/phpmyadmin/
What should I do next?
I added.env at the end of the URL.
and I hit a gold mine.
I made an attempt to access phpMyAdmin using the password stored in the.env file.
I was able to log into the database, so it did work.
I was taken right to the login page when I went to the subdomain. I searched all the databases and found the user table.
The previous password should be copied and saved. I pasted the hash value into hashes.com, where it provided the hash type, rather than wasting my time bruteforcing it to know what the password is!
I went to https://appdevtools.com/bcrypt-generator, gave the new password string, and pasted the generated hash.
I added the user name and password, which I changed in the database, and I logged in as admin.
Conclusion: This has not happened to me once; it happens most of the time when I find.env or phpMyAdmin open.
Even the nuclide scan gave you “information” and didn't give you any vulnerability categories like low, medium, or high; don't worry. Check for "info.” It may lead to a gold mine.