HackTricks: phpMyAdmin
: In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability can be exploited through retrieving and displaying results, potentially triggering XSS attacks.
Administrators often leave phpMyAdmin in predictable directories. Security professionals use fuzzing tools like gobuster, dirsearch, or ffuf to scan for common endpoints:

- /phpmyadmin/
- /pma/
- /admin/pma/
- /mysql/
- /phpMyAdmin/
- /dbadmin/

Version Fingerprinting

- Accessing /phpmyadmin/Documentation.html or /phpmyadmin/README.
- The ChangeLog: Checking /phpmyadmin/ChangeLog.
Extract password hashes from the mysql.user table. Run these hashes through cracking tools like Hashcat or John the Ripper to find reusable passwords.
https://target.com/phpmyadmin/ (version 4.8.1)

- Step 1: Found accessible via dirb.
- Step 2: Weak credentials admin:admin succeed.
- Step 3: Run SHOW VARIABLES LIKE 'secure_file_priv' → empty value (good).
- Step 4: Write shell via INTO OUTFILE to /var/www/html/uploads/cmd.php.
- Step 5: Access https://target.com/uploads/cmd.php?cmd=id → uid=33(www-data).
- Step 6: Read /etc/passwd, find another DB password, pivot to production server.

Outcome: Full internal compromise.
Highly rated for being , and bundled with most hosting providers like cPanel.
If the secure_file_priv value is empty, you can write files anywhere the OS user permissions allow.
If the MySQL user has FILE privileges, you can use SELECT ... INTO OUTFILE to write a file to the web root.
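A defender-side check for the condition described above, as an added example that is not from the original page: given the server's secure_file_priv value and one account's SHOW GRANTS output, it reports whether SELECT ... INTO OUTFILE is unrestricted, confined to a directory, or unavailable. The function names and the sample grant lines are constructed for illustration.

```python
import re

# Captures the privilege list and the scope of one SHOW GRANTS line.
_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.IGNORECASE
)


def has_file_privilege(grants):
    """Return True if any SHOW GRANTS line gives the global FILE privilege."""
    for line in grants:
        m = _GRANT_RE.match(line.strip())
        if not m:
            continue
        # FILE is a global privilege, so only grants at the *.* scope count.
        if m.group("scope").replace("`", "") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False


def outfile_exposure(secure_file_priv, grants):
    """Classify INTO OUTFILE exposure for one account.

    secure_file_priv: None for NULL, "" for empty, or a directory path.
    """
    if not has_file_privilege(grants):
        return "none: account lacks FILE"
    if secure_file_priv is None:
        return "none: file import/export disabled (NULL)"
    if secure_file_priv == "":
        return "high: FILE granted and secure_file_priv is empty"
    return "limited: writes confined to " + secure_file_priv


# Constructed sample input, not taken from a real server.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT, FILE ON *.* TO `pma`@`localhost`",
    "GRANT ALL PRIVILEGES ON `shop`.* TO `pma`@`localhost`",
]

if __name__ == "__main__":
    for value in (None, "", "/var/lib/mysql-files/"):
        print(repr(value), "->", outfile_exposure(value, SAMPLE_GRANTS))
```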
In the cybersecurity community, the HackTricks entry for phpMyAdmin is considered a for several reasons:
| Vulnerability | Impact | Affected Versions |
|---|---|---|
| | LFI → RCE | 4.8.0, 4.8.1 |
| CVE-2016-5734 | RCE via preg_replace | 4.3.0 – 4.6.2 |
| CVE-2025-24529 | XSS on Insert tab | 5.x < 5.2.2 |
| CVE-2025-24530 | XSS on check tables | 5.x < 5.2.2 |
| CVE-2020-5504 | SQL injection | 4 < 4.9.4, 5 < 5.0.1 |
| Setup script exposure | Unauthenticated config | Old versions |
Exploits ?target=db_datadict.php chained with a crafted SQL query. Steps: