Phpmyadmin Hacktricks !free! Jun 2026

An authenticated attacker can pass a specially crafted string that executes arbitrary PHP code via the split transformation feature. CVE-2020-5504: SQL Injection Affected Versions: 5.0.0 and prior

| Method | Technique | |---|---| | | Append a single quote to a URL parameter (e.g., ?id=1′ ) to trigger a database error revealing the path | | Phpinfo() discovery | Search for /info.php , /test.php , or /phpinfo.php | | File reading (if privileges permit) | SELECT load_file(‘/etc/passwd’); | | Database data directory | SHOW VARIABLES LIKE ‘%datadir%’; | | Google dorking | site:target.com warning OR “fatal error” |

Extract mysql.db → find linked databases and services (wordpress, joomla, custom apps). phpmyadmin hacktricks

If it is a specific directory, your writes are restricted to that path. If it is NULL , file operations are disabled completely.

If you cannot write a shell but have the FILE privilege, you can read local system files and display them in phpMyAdmin. Create a temporary table: CREATE TABLE intermediate_table (content TEXT); Use code with caution. Load the target system file into the table: An authenticated attacker can pass a specially crafted

SELECT sys_exec('whoami > C:\\temp\\out.txt');

Credentials can often be found in configuration files: If it is NULL , file operations are disabled completely

Attackers use this LFI to execute PHP code by running a SQL query containing malicious PHP payload (e.g., SELECT ''; ). The session data is written to the local disk (usually in /var/lib/php/sessions/sess_[SESSION_ID] ), which is then included via the LFI flaw to gain Remote Code Execution . SQL Injection (SQLi)

Old phpMyAdmin versions leave /scripts/setup.php accessible, which can be exploited to execute arbitrary PHP code without authentication.