loading
loading
Passwords
A tool built to brute-force phpMyAdmin authentication.
overview
phpmyadmin-auth-bruteforce targets the login form of a phpMyAdmin install and tries each password from a wordlist against a known username. phpMyAdmin sits directly in front of a MySQL or MariaDB database, so a working credential hands an attacker the data tier outright. The tool automates the form submission and session handling that a manual login attempt would require for every guess.
Point it at a phpMyAdmin URL, give it a username such as root, and supply a password list. It walks the list and reports which credential the panel accepts. Because the attack runs against one exposed panel, it is a focused check on an asset you have already located rather than a wide scan.
On Trickest it is a Passwords node that takes a URL, a username, and a wordlist, and writes a file and a folder of results. Chain it after a discovery stage that finds exposed phpMyAdmin panels so the brute force only runs against confirmed targets.
source github.com/safflower/phpmyadmin-authentication-bruteforce
use cases
Run a password list against a discovered phpMyAdmin login to confirm whether default or weak credentials still guard the database front end.
Check the root or admin account of a phpMyAdmin install against a known-bad password list so a weak credential is caught before an attacker finds it.
Feed URLs of exposed phpMyAdmin instances from a content-discovery or probing stage into this tool so the brute force runs only against real panels.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -url | Target phpMyAdmin URL to attack. |
| username | STRING | -user | Username to brute-force passwords against (often root). |
| wordlist | FILE | -dict | Wordlist of passwords to try against the login. |
Showing key inputs. phpmyadmin-auth-bruteforce exposes 3 inputs in total.
example
# brute-force the phpMyAdmin login for the root userpython3 main.py -url https://example.com/phpmyadmin/ -user root -dict /usr/share/wordlists/rockyou.txt[*] Target: https://example.com/phpmyadmin/[*] Username: root[*] Passwords loaded: 14344391[-] root : 123456[-] root : password[-] root : letmein[+] root : Db-Adm1n! -> login accepted[*] Valid credentials: 1[*] Elapsed: 00:03:47guidance
Use this tool when you have located an exposed phpMyAdmin panel and want to test it against a password list. It targets one login form, so pair it with a discovery stage that finds the panels first. For general network login brute forcing across many protocols, use hydra.
General network login cracker covering many protocols. This tool is purpose-built for the phpMyAdmin form.
Builds the candidate wordlist rather than running the attack. Generate a list with pydictor, then feed it here.
Attacks the database through SQL injection instead of the login form. Different entry point on the same data tier.
faq
A panel URL and a password list feed phpmyadmin-auth-bruteforce, which tries each password against the login and writes any valid credential as output.
Facts on this page come from the live Trickest tool library.