Phpmyadmin Hacktricks Verified Today

Sometimes an attacker only gets low-priv database access but no file write. Still dangerous.

- /var/lib/phpmyadmin/config.inc.php
- /etc/phpmyadmin/config.inc.php
- /usr/share/phpmyadmin/config.inc.php

SELECT user, host, authentication_string FROM mysql.user;

After getting shell or RCE:

| CVE | Impact |
|------------|-------------------------------------------------|
| CVE-2018-12613 | Local file inclusion via target parameter. |
| CVE-2019-11768 | XSS to session hijacking (fewer risks today). |
| CVE-2020-26934 | CSRF leading to SQL execution. |

phpMyAdmin is a widely used, open-source tool for managing MySQL and MariaDB databases through a web interface. Due to its popularity and powerful administrative capabilities, it is a frequent target for attackers. This guide covers common vulnerabilities and exploitation techniques documented by security researchers and platforms like .

Common phpMyAdmin Vulnerabilities