Phpmyadmin Hacktricks Official
Unlike a blind SQL injection vulnerability—which requires writing custom scripts, dealing with WAFs, and painstakingly extracting data one character at a time—phpMyAdmin offers a full, interactive SQL console. From an attacker’s perspective, this is equivalent to finding an unlocked backdoor into the server room.
The primary attack vectors can be summarized into three categories:
DBA’s don’t like surprises. Clear your steps:
DELETE FROM mysql.general_log WHERE argument LIKE '%OUTFILE%';
DELETE FROM mysql.slow_log WHERE sql_text LIKE '%php%';
7.1. Network-Level Controls
7.2. Authentication & Access Control
7.3. HTTPS & Session Security
7.4. Principle of Least Privilege (PoLP)
7.5. Keep Software Updated
7.6. Disable Unused Features
7.7. File and Upload Protections
7.8. Configuration Management
7.9. Use Read-Only or Limited Interfaces for Routine Tasks
7.10. Backup & Recovery
If you’re hardening phpMyAdmin:
cookie auth method (not http or config).If you’re blocked from accessing /phpmyadmin, try: phpmyadmin hacktricks
Example:
http://example.com/phpmyadmin/libraries/tcpdf/tcpdf.php?tcpdf_import=../../../../etc/passwd
phpMyAdmin remains a low-hanging fruit in many penetration tests. From default credentials and INTO OUTFILE magic to sophisticated UDF injection, the path from login to RCE is often trivial. Use the techniques above only on systems you own or have explicit permission to test.
For the latest attack vectors in newer versions, always refer to the official HackTricks repository and the CVE database. Stay curious, stay legal.
Further Reading:
In 2025 and early 2026, security reports for phpMyAdmin have transitioned from simple misconfigurations to complex edge-case vulnerabilities, such as those involving library interactions and specific feature abuse. While classic "HackTricks" methods like SELECT ... INTO OUTFILE
remain relevant for older systems, modern research focuses on Authenticated XSS Library-Level RCE Current Critical Vulnerabilities (2025-2026)
Recent advisories highlight that even patched systems can be vulnerable due to underlying server libraries: CVE-2024-2961 (glibc/iconv RCE): A critical vulnerability in the glibc/iconv library can potentially lead to Remote Code Execution Condition: Requires the In 2025 and early 2026
extension to be loaded and a specific vulnerable character set used during export. Mitigation: Upgrade to phpMyAdmin 5.2.2 CVE-2025-24530 (XSS in "Check tables"): Authenticated users can trigger an XSS attack by using a specially-crafted table or database name CVE-2025-24529 (XSS in "Insert"):
An authenticated user can execute malicious scripts through the "Insert" tab functionality. CVE-2022-0813 (Information Disclosure):
Validated as a significant risk in early 2026, this flaw allows attackers to leak sensitive configuration data through malformed parameters. SentinelOne Advanced Exploitation Techniques (HackTricks Style) Penetration testers and researchers from platforms like HackTricks categorize phpMyAdmin attacks into three main tiers: Authenticated RCE via Local File Inclusion (LFI) CVE-2018-12613:
Still the most common lab example for version 4.8.0/4.8.1. Attackers use the
parameter to include session files where they have previously injected PHP code. Webshell via SQL Misconfiguration Into Outfile: If the MySQL user has
privileges and the webroot path is known, an attacker can write a shell directly to the server:
SELECT '' INTO OUTFILE '/var/www/html/shell.php' Client-Side Attacks Arbitrary File Read: If you’re blocked from accessing /phpmyadmin
HackTricks notes that if an attacker can force a phpMyAdmin client to connect to a malicious MySQL server, they can read local files from the user's machine. CVE-2025-24530: phpMyAdmin XSS Vulnerability - SentinelOne