A flaw in the page filtering utility allows an authenticated user to bypass string validation and include arbitrary files from the server.

Exploitation Steps:
1. Log in to phpMyAdmin.
2. Execute a query to seed the MySQL session with PHP code: SELECT '';
3. Find your session ID cookie (phpMyAdmin).
If secure_file_priv points to a specific directory (e.g., /var/lib/mysql-files/), you can only write files to that specific folder. If the web server cannot execute PHP files from that directory, look for alternative RCE vulnerabilities.

4. Verified Vulnerabilities (CVEs)
: This is one of the most significant modern vulnerabilities affecting versions 4.8.0 and 4.8.1. An authenticated user can exploit a Local File Inclusion (LFI) flaw to execute arbitrary PHP code on the server.
to other databases using stored credentials in config.inc.php
Modern MySQL caches authentication plugin data, but authentication_string still yields hashes for cracking (cached SHA256 or mysql_native_password).
If the administrator enabled the AllowNoPassword directive in config.inc.php, any database user without a password set can log in remotely. This frequently grants access to low-privilege users who can then look for local privilege escalation vectors.

Brute Force Attacks
: By executing a SQL query containing PHP code, an attacker can include the session file (stored in /var/lib/php/sessions/sess_ ) to trigger code execution.

CVE-2020-5504: SQL Injection
Look for /phpmyadmin/themes/pmahomme/img/logo_left.png. Combined with doc/html/index.html or README, you can extract the exact version. Version matters because exploits differ widely between 2.x, 3.x, 4.x, and 5.x.