How I gained admin access with phpMyAdmin

Manoj Deshmukh
3 min read · Jun 23


Overview

This article will explain how I got administrative access to a subdomain.

How do I gain admin access using phpMyAdmin?

Initially, I was going through the domains and subdomains, where everything looked fine, so I ran a nuclei scan on the target:

subfinder -d example.com | nuclei

During the scan, I got the following result at the “info” severity level:

[phpmyadmin-panel] [http] [info] https://example.com/phpmyadmin/

What to do next?

I appended .env to the end of the URL:

https://example.com/.env

and I hit a gold mine.

A .env file contains secrets such as the database username and password, API keys, AWS private keys, application secret keys, and so on.

I tried to log into phpMyAdmin using the database password stored in the .env file, and it worked: I was able to log into the database.

(Screenshot: logged into the phpMyAdmin console)

When I went to the subdomain, I was taken straight to its login page. I searched through all the databases and found the user table.

(Screenshot: login page of the website)

The existing password hash should be copied and saved first. I pasted the hash value into hashes.com, which identified the hash type, rather than wasting my time brute-forcing it to recover the password!

(Screenshot: identifying the hash type of a hashed string with hashes.com)

I went to https://appdevtools.com/bcrypt-generator, entered a new password string, and pasted the generated bcrypt hash into the admin user's row.

(Screenshot: generating a bcrypt hash for a string with appdevtools.com)
(Screenshot: adding the generated password hash to the admin user)

Using the username and the password I had set in the database, I logged in as admin.

(Screenshot: admin panel of the website)

Conclusion: This has not happened to me just once; it happens most of the time when I find an exposed .env file or an open phpMyAdmin panel.

Even if the nuclei scan only gives you “info” results and no severity categories like low, medium, or high, don't worry. Check the “info” findings; they may lead to a gold mine.
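From the defender's side, the two signals in this write-up (a served .env file and a reachable phpMyAdmin panel) are easy to spot in web-server access logs. The following Python audit is an added example, not code from the original article; it assumes the Apache/nginx "combined" log format and runs over constructed sample lines, flagging sensitive paths that were actually served (2xx) while counting probes per client IP so blocked attempts stay visible.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed format for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths whose successful retrieval indicates the exposure described above.
SENSITIVE = {
    "secret_file": re.compile(r"/\.env(\.\w+)?$"),            # .env, .env.bak, .env.local
    "db_admin_panel": re.compile(r"^/phpmyadmin/?", re.IGNORECASE),
}

def classify(path: str):
    """Return the sensitive category a request path falls into, or None."""
    for name, pattern in SENSITIVE.items():
        if pattern.search(path):
            return name
    return None

def audit(lines):
    """Return (served, probes): served is a list of (category, ip, path, status)
    for sensitive paths answered with 2xx; probes counts every sensitive-path
    request per client IP, including blocked or missing (403/404) ones."""
    served, probes = [], defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined-format entries
        cat = classify(m["path"])
        if cat is None:
            continue
        probes[m["ip"]] += 1
        if m["status"].startswith("2"):
            served.append((cat, m["ip"], m["path"], int(m["status"])))
    return served, dict(probes)

# Constructed sample log lines (not from the original article).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2024:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "nuclei"
203.0.113.5 - - [23/Jun/2024:10:01:09 +0000] "GET /.env HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2024:10:01:15 +0000] "GET /.env.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jun/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jun/2024:10:02:30 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 403 312 "-" "curl/8.0"
"""

if __name__ == "__main__":
    served, probes = audit(SAMPLE_LOG.splitlines())
    for finding in served:
        print("EXPOSED", *finding)
    print("probe counts per IP:", probes)
```

A 2xx on /.env means the web server handed out the secrets file; the fix is to deny dotfiles at the web server and keep phpMyAdmin off the public interface.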


Manoj Deshmukh

3 years' experience in Cybersecurity, VAPT, and Cyber Forensics. Certified CompTIA Cybersecurity Analyst • Certified EC-Council CEH Practical