SELECT '' INTO OUTFILE '/var/www/html/shell.php'; Use code with caution.
phpMyAdmin should never be exposed to the public internet. Access should be restricted using:
The landscape of phpMyAdmin vulnerabilities is constantly evolving, from the SQL injections of the early 2010s to the sophisticated XSS chains and LFI-to-RCE techniques documented by the HackTricks community today. The 2025 patches for CVE-2025-24529, CVE-2025-24530, and CVE-2024-2961 mark important milestones in securing this critical database management tool.
have largely been addressed in current versions. Modern security for phpMyAdmin now focuses on preventing Remote Code Execution (RCE) through file inclusion and securing Two-Factor Authentication (2FA) Key Patched Vulnerabilities (Commonly Cited in HackTricks) Authenticated RCE via Local File Inclusion (CVE-2018-12613) : A failure in the Core::checkPageValidity phpmyadmin hacktricks patched
Securing Your Databases: The Ultimate Guide to phpMyAdmin Hardening and HackTricks Patches
The phpMyAdmin development team has demonstrated commitment to security through regular patch releases and security advisories. For administrators running older systems, Debian and other distributions provide LTS support with backported security fixes, as seen with the 2025 updates for Debian 11 (bullseye).
sudo apt-get update && sudo apt-get --only-upgrade install phpmyadmin Use code with caution. SELECT ' ' INTO OUTFILE '/var/www/html/shell
The admin downloads and runs the "patch", which is actually a reverse shell.
Similarly, this XSS vulnerability allowed attackers to use a crafted table or database name to trigger malicious script execution within the check tables functionality. The flaw impacted all phpMyAdmin 5.x versions before 5.2.2. The patch was incorporated into the same version 5.2.2 release, which also included a fix for a potential denial-of-service issue in the SQL parser component.
: Attackers could execute arbitrary PHP code by including session files containing malicious payloads. : Patched in versions For administrators running older systems, Debian and other
While not a direct phpMyAdmin vulnerability, CVE-2024-2961 affected the underlying glibc/iconv library used by phpMyAdmin for character set conversions. This buffer overflow vulnerability could potentially lead to arbitrary code execution. phpMyAdmin is not vulnerable by default, but because the software uses the iconv library, the development team issued PMASA-2025-3 to include full details and mitigation guidance. The vulnerability was addressed in phpMyAdmin 5.2.2 and is also patched in updated Linux distributions such as openSUSE and Fedora.
An attacker would authenticate to phpMyAdmin (or find a publicly accessible instance with weak credentials). They would then execute a SQL query containing malicious PHP code, such as SELECT ''; . This query payload would be saved in the server's session file (typically located in /var/lib/php/sessions/sess_[SESSION_ID] ). By exploiting the LFI flaw, the attacker would include their own session file, triggering the execution of the PHP payload and gaining a shell on the underlying operating system.
Hardened. Modern config.inc.php sets AllowNoPassword = false by default. Moreover, modern phpMyAdmin enforces the MySQL server’s authentication plugin (e.g., caching_sha2_password ), making empty passwords impossible unless explicitly overridden.